Idea for GEOM and policy based file encryption

Harald Schmalzbauer h.schmalzbauer at omnilan.de
Wed Mar 21 09:52:40 UTC 2012


Hello,

I personally don't have the need to encrypt whole filesystems and if I
need to transfer sensitive data I use gpg to encrypt the tarball or
whatever.
But I'd like to see some single files encrypted on my systems, e.g.
wpasupplicant.conf, ipsec.conf and so on.
Since I recently secured LDAP queries via IPsec, I found this to be the
absolutely perfect solution. Encryption takes place only where really
needed, with about no overhead (compared to SSL-LDAP).
So would it be imaginable that there's something like the SPD for
network sockets also for files?
The idea is that in this fileSPD, there's the entry that /etc/ipsec.conf
must be AES-encrypted. In a fileSA, there's the info that
/etc/ipsec.conf can be read by uid xyz (or only by one specific kernel,
identified by something new to implement) and with a special key ID. The
keys are loaded as modules, optionally symmetrically encrypted by passphrase.

Would such a policy-based file encryption control be doable with GEOM?
Maybe it's easier to make use of existing tools like gpg with GEOM
interaction?
I don't want to reinvent any file encryption, I just need some automatic
encryption (without _mandatory_ interaction) with lowest possible bypass
possibilities.

Thanks,

-Harry
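To make the proposed fileSPD/fileSA split concrete, here is a small policy-lookup model written as an added example for this thread; it is not FreeBSD or GEOM code, and the entry formats, the `FilePolicy`/`FileSA` names, the sample paths and the placeholder key bytes are all constructed for illustration.

```python
"""Toy model of the 'fileSPD' (which files must be encrypted, and how) and
'fileSA' (who may read them, with which key) lookup sketched in the post.
Hypothetical design; not FreeBSD or GEOM code."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional


@dataclass(frozen=True)
class FilePolicy:           # one fileSPD entry, analogous to an IPsec SPD rule
    pattern: str            # path glob this entry governs
    cipher: str             # required algorithm for files matching the pattern
    key_id: str             # which fileSA entry supplies the key


@dataclass(frozen=True)
class FileSA:               # one fileSA entry, analogous to an IPsec SA
    key_id: str
    allowed_uids: frozenset  # uids permitted to read under this SA
    key: bytes              # constructed placeholder key material


class PolicyError(PermissionError):
    """Raised when a read is governed by policy but not authorized."""


# Constructed sample database: ordered SPD (first match wins) and SAD by key id.
SPD = (
    FilePolicy("/etc/ipsec.conf", "aes-256-gcm", "ipsec-key"),
    FilePolicy("/etc/wpa_supplicant.conf", "aes-256-gcm", "wifi-key"),
)
SAD = {
    "ipsec-key": FileSA("ipsec-key", frozenset({0}), b"\x11" * 32),
    # "wifi-key" is deliberately absent: a policy without a loaded key module
    # must fail closed rather than expose plaintext.
}


def lookup_policy(spd, path: str) -> Optional[FilePolicy]:
    """First-match lookup over the ordered fileSPD; None means not governed."""
    return next((p for p in spd if fnmatch(path, p.pattern)), None)


def authorize_read(spd, sad, path: str, uid: int):
    """Return (cipher, key) if uid may read path, None if the file is not
    covered by any policy, or raise PolicyError when policy denies access."""
    policy = lookup_policy(spd, path)
    if policy is None:
        return None                      # ordinary file permissions apply
    sa = sad.get(policy.key_id)
    if sa is None:
        raise PolicyError(f"{path}: no fileSA loaded for key id {policy.key_id}")
    if uid not in sa.allowed_uids:
        raise PolicyError(f"{path}: uid {uid} not permitted by fileSA {sa.key_id}")
    return policy.cipher, sa.key
```

The returned cipher and key would be handed to the block-layer decryption step; everything else, including the default-deny when no fileSA is loaded, stays in the policy lookup.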
