Committing PEFS to CURRENT
Gleb Kurtsou
gleb at freebsd.org
Mon Oct 7 16:30:34 UTC 2013
Hello,
I would like to ask everybody's opinion regarding committing PEFS to
CURRENT.
PEFS is a stacked cryptographic file system for FreeBSD. Development
started as Google Summer of Code project in 2009. It has been in ports
since Sept 2011. I maintain the project.
Conceptually PEFS is similar to nullfs adding encryption layer on top of
it. But it differs technically by not using vop_bypass. Another popular
stacked cryptographic file systems include eCryptfs (linux) and encfs
(fuse). There is also pam_pefs pam module to allow user authentication
with their PEFS-encrypted home directory password.
For those interested in high level introduction I would highly recommend
article by Kris Moore in the BSD Magazine Issue 09/2013(50) -
http://bsdmag.org/magazine/1848-day-to-day-bsd-administration
We are very close to branching 10-STABLE now, but patch is
non-intrusive, it only adds new functionality, enabling PEFS for i386
and amd64 (platforms it's known to work on). Patch passes make universe.
Patch is available here:
https://github.com/glk/freebsd-head/commit/b4d2c4a5f42f88fdd07cb75feba3467e4d4c043c.patch
Pros/cons:
- Having PEFS in base would be a huge maintenance help for PCBSD/TrueOS
who are already committed to use PEFS in next product releases, e.g.
PCBSD provides encrypted home directories.
- There is steady interest in the project from users (emails, etc).
Many of them note that file system is not well known yet. Moving PEFS
to base would greatly increase its exposure.
- Committing PEFS to base would also simplify maintenance by keeping it
in sync with other subsystems, e.g. it will be updated on large scale
changes like VM locking.
- There are no bugs known at the moment. I've been using it to encrypt
home directory since day one. pho@ ran stress test suite on it a
while back, number of bugs was fixed.
- PEFS is known to work on amd64 and i386 only. Big endian system and
systems with page size larger than 4k are not tested.
- NOTE! There has been no cryptography review. I'd like to suggest to
add warning about file system and crypto used is experimental and hasn't
undergone professional review. Similar to one we had in tmpfs.
BSD Magazine article:
http://bsdmag.org/magazine/1848-day-to-day-bsd-administration
Port:
http://www.freshports.org/sysutils/pefs-kmod/
Source code repository:
https://github.com/glk/pefs
FreeBSD DevSummit'2011 - pefs presentation slides:
https://pefs.googlecode.com/files/pefs-devsummit.pdf
FreeBSD wiki page:
https://wiki.freebsd.org/PEFS
I would really appreciate any comments or suggestions.
Thank you,
Gleb.
More information about the freebsd-current
mailing list