RFC: kernel level cryptographic filesystem (summer of code project)
gleb.kurtsou at gmail.com
Thu Oct 1 21:44:08 UTC 2009
During Google Summer of Code this year I was working on a kernel level
cryptographic filesystem, pefs. It looks like the project is mature
enough to ask for a public review and comments.
I've been using it to encrypt my mailbox for some time already without any
issues. For testing I mostly use the dbench and fsx tools.
Some of pefs' features (compared to other stacked filesystems):
* Kernel level implementation (no fuse and similar stuff)
* Random per file tweak value used for encryption
* Saves metadata only in encrypted file name (doesn't change file
* Doesn't change encrypted file size
* Arbitrary number of keys
* Mixing files encrypted with different keys in single directory
* Transparent mode of operation (no encryption, read-only, allows
accessing filesystem snapshots easily)
* Key chaining (though user level utility)
* Modern encryption algorithms (AES and Camellia in CTR mode, Salsa20)
I've tested it on top of ZFS, UFS and tmpfs (it fails on msdosfs).
I use amd64 9-CURRENT but it should work on 8- and 7-STABLE (+ i386).
For more information, there are several posts on my blog regarding pefs:
Step-by-step tutorial: http://blogs.freebsdish.org/gleb/2009/10/01/pefs-encrypting-directory/
Description of cryptographic primitives used: http://blogs.freebsdish.org/gleb/2009/09/23/pefs-crypto-primitives/
And a small benchmark: http://blogs.freebsdish.org/gleb/2009/09/16/pefs-benchmark/
I'd appreciate any feedback and testing.
Short instructions on how to start with it:
1. Download tarball: http://www.2shared.com/file/8154727/3dc45b66/pefs-2009-10-01tar.html
2. Unpack into /usr/src
3. Compile and install:
# make -C /usr/src/sys/modules/salsa20 obj all install clean
# make -C /usr/src/sys/modules/pefs obj all install clean
# make -C /usr/src/sbin/pefs obj all install clean
It installs 2 modules (pefs, salsa20) and a user level configuration
utility /sbin/pefs (and /sbin/mount_pefs, which is a link to /sbin/pefs)
4. Mount pefs filesystem:
% pefs mount ~/Private ~/Private
5. Set your passphrase:
% pefs addkey ~/Private
6. Test it