Committing PEFS to CURRENT

Nikolai Lifanov lifanov at mail.lifanov.com
Mon Oct 7 16:53:18 UTC 2013


On 10/07/13 12:31, Gleb Kurtsou wrote:
> Hello,
> 
> I would like to ask everybody's opinion regarding committing PEFS to
> CURRENT.
> 
> PEFS is a stacked cryptographic file system for FreeBSD. Development
> started as Google Summer of Code project in 2009. It has been in ports
> since Sept 2011. I maintain the project.
> 
> Conceptually PEFS is similar to nullfs adding encryption layer on top of
> it. But it differs technically by not using vop_bypass. Another popular
> stacked cryptographic file systems include eCryptfs (linux) and encfs
> (fuse). There is also pam_pefs pam module to allow user authentication
> with their PEFS-encrypted home directory password.
> 
> For those interested in high level introduction I would highly recommend
> article by Kris Moore in the BSD Magazine Issue 09/2013(50) -
> http://bsdmag.org/magazine/1848-day-to-day-bsd-administration
> 
> We are very close to branching 10-STABLE now, but patch is
> non-intrusive, it only adds new functionality, enabling PEFS for i386
> and amd64 (platforms it's known to work on). Patch passes make universe.
> 
> Patch is available here:
> https://github.com/glk/freebsd-head/commit/b4d2c4a5f42f88fdd07cb75feba3467e4d4c043c.patch
> 
> Pros/cons:
> 
> - Having PEFS in base would be a huge maintenance help for PCBSD/TrueOS
>   who are already committed to use PEFS in next product releases, e.g.
>   PCBSD provides encrypted home directories.
> 
> - There is steady interest in the project from users (emails, etc).
>   Many of them note that file system is not well known yet.  Moving PEFS
>   to base would greatly increase its exposure.
> 
> - Committing PEFS to base would also simplify maintenance by keeping it
>   in sync with other subsystems, e.g. it will be updated on large scale
>   changes like VM locking.
> 
> - There are no bugs known at the moment. I've been using it to encrypt
>   home directory since day one. pho@ ran stress test suite on it a
>   while back, number of bugs was fixed.
> 
> - PEFS is known to work on amd64 and i386 only. Big endian system and
>   systems with page size larger than 4k are not tested.
> 
> - NOTE! There has been no cryptography review.  I'd like to suggest to
>   add warning about file system and crypto used is experimental and hasn't
>   undergone professional review. Similar to one we had in tmpfs.
> 
> 
> BSD Magazine article:
> http://bsdmag.org/magazine/1848-day-to-day-bsd-administration
> 
> Port:
> http://www.freshports.org/sysutils/pefs-kmod/
> 
> Source code repository:
> https://github.com/glk/pefs
> 
> FreeBSD DevSummit'2011 - pefs presentation slides:
> https://pefs.googlecode.com/files/pefs-devsummit.pdf
> 
> FreeBSD wiki page:
> https://wiki.freebsd.org/PEFS
> 
> 
> I would really appreciate any comments or suggestions.
> 
> 
> Thank you,
> Gleb.

Just a personal note: I hoped that you would commit pefs to base
someday. It works well, and is the type of a core functionality that
would be nice to have as early as the install ISO, before skel is copied
over for the first user. I would be happy if this happened.

- Nikolai Lifanov



More information about the freebsd-current mailing list