Date:      Mon, 7 Oct 2013 13:26:23 -0700
From:      Gleb Kurtsou <gleb.kurtsou@gmail.com>
To:        "Julian H. Stacey" <jhs@berklix.com>
Cc:        "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>, "delphij@freebsd.org" <delphij@freebsd.org>, Kris Moore <kris@pcbsd.org>
Subject:   Re: Committing PEFS to CURRENT
Message-ID:  <CADDB7yE5fY4Tm-Ck2vncbMC2oVX7H0ntoB-zcA3HayTmHnvVbQ@mail.gmail.com>
In-Reply-To: <201310071958.r97Jw56I096162@fire.js.berklix.net>
References:  <20131007163111.GB1590@reks.swifttest.com> <201310071958.r97Jw56I096162@fire.js.berklix.net>

On Mon, Oct 7, 2013 at 12:58 PM, Julian H. Stacey <jhs@berklix.com> wrote:
> Hi Gleb & All
> Gleb Kurtsou wrote:
>> Hello,
>>
>> I would like to ask everybody's opinion regarding committing PEFS to
>> CURRENT.
>>
>> PEFS is a stacked cryptographic file system for FreeBSD. Development
>> started as Google Summer of Code project in 2009. It has been in ports
>> since Sept 2011. I maintain the project.
>>
>> Conceptually PEFS is similar to nullfs adding encryption layer on top of
>> it. But it differs technically by not using vop_bypass. Another popular
>> stacked cryptographic file systems include eCryptfs (linux) and encfs
>> (fuse). There is also pam_pefs pam module to allow user authentication
>> with their PEFS-encrypted home directory password.
>
> 2 others are also already in FreeBSD src/ (not just ports): gbde & geli.

geli and gbde are a different concept: they provide encrypted block-level devices.
PEFS transparently encrypts data on an existing file system.

Here is what you can do with PEFS:
% mkdir ~/Private
% pefs mount ~/Private ~/Private
% pefs addkey ~/Private
% echo "Hello WORLD" > ~/Private/test
% ls -Al ~/Private
total 1
-rw-r--r-- 1 gleb gleb 12 Oct 1 12:55 test
% cat ~/Private/test
Hello WORLD
% pefs unmount ~/Private
% ls -Al ~/Private
total 1
-rw-r--r-- 1 gleb gleb 12 Oct 1 12:55 .DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
% hd ~/Private/.DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
00000000 7f 1e 1b 05 fc 8a 5c 38 fc d8 2d 5f |......\8..-_|
0000000c

Take a look at the great article in the BSD Magazine or
http://glebkurtsou.blogspot.com/2009/10/encrypting-private-directory-with-pefs.html



> Whether moved from ports to src or not, either way,
> I suggest adding gbde(8) & geli(8) to the man page's SEE ALSO section

Good point, thanks.


> Also, SEE ALSO of gbde & geli should probably ref ports/sysutils/pefs-kmod
> ft: Command not found.
>
> No pefs yet in SEE ALSO of
> http://www.freebsd.org/cgi/man.cgi?query=gbde&apropos=0&sektion=8&manpath=FreeBSD+9.2-RELEASE&arch=default&format=html
> http://www.freebsd.org/cgi/man.cgi?query=geli&apropos=0&sektion=8&manpath=FreeBSD+9.2-RELEASE&arch=default&format=html
>
> I suggest add an href inside:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html
> Even if just a 1 liner to start, to expand to a section later.
> (None there for 'pefs', I just searched)
>
> Personally I've been using gbde based on top of a file inside a UFS
> for a long time, I can't remember why I chose gbde rather than geli,
> I guess because it was there first ?
>
> A dummy's guide short notes along the lines of "Which of these 3 should I use?"
> might also later be nice at the top of that web page :-)
>

There is no answer to that question; each system does its own thing
and does it differently:
* With PEFS, backups are much easier:
 - Use regular backup software to back up the encrypted data (the lower-level
file system); that allows delta-only backups.
 - Create file system snapshots, e.g. zfs, then zfs send/receive,
regardless of whether the file system is encrypted or not.
* Setting up multiple encrypted file systems is much easier -- no need
to preallocate storage and create a file system.
* With PEFS it's possible to add a key to an encrypted home directory
during login (pam_pefs).
* PEFS lets you use multiple keys in the same file system.

Thanks,
Gleb.
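As an added example that is not part of this mail thread: a POSIX sh script wrapping the session Gleb shows above, with a check that after `pefs unmount` the backing directory holds neither the plaintext file name nor the plaintext content (the property the `ls`/`hd` output demonstrates). The function names and the PEFS_DIR variable are this example's own; the pefs round trip only runs when the pefs tool is installed.

```sh
#!/bin/sh
# Added example, not from the original mail. The pefs commands follow the
# session quoted in the thread; the helper names are this example's own.

# Return 0 when neither the plaintext file name ($2) nor the plaintext
# content ($3) appears in the backing directory ($1); return 1 on any leak.
lower_has_no_plaintext() {
    dir=$1; name=$2; content=$3
    # PEFS encrypts file names: the exact plaintext name must not exist below.
    [ ! -e "$dir/$name" ] || return 1
    # PEFS encrypts file bodies: the plaintext must not be found in any file
    # (grep -r also descends into dotfiles such as .DU6eudxZ...).
    ! grep -rqF -- "$content" "$dir"
}

# Full PEFS round trip as shown in the mail, ending with the leak check.
# pefs addkey prompts for the passphrase interactively, as in the session.
pefs_roundtrip_check() {
    priv=$1
    mkdir -p "$priv"
    pefs mount "$priv" "$priv"
    pefs addkey "$priv"
    echo "Hello WORLD" > "$priv/test"
    pefs unmount "$priv"
    lower_has_no_plaintext "$priv" test "Hello WORLD"
}

# Only attempt the real round trip on a host with pefs (FreeBSD with
# sysutils/pefs-kmod) and an explicitly chosen directory.
if command -v pefs >/dev/null 2>&1 && [ -n "${PEFS_DIR:-}" ]; then
    pefs_roundtrip_check "$PEFS_DIR" \
        && echo "no plaintext leaked to backing store: $PEFS_DIR"
fi
```

Run it as `PEFS_DIR=~/Private sh pefs-check.sh` on a FreeBSD box with PEFS installed; on other systems only the check function is defined.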