Committing PEFS to CURRENT
Nikolai Lifanov
lifanov at mail.lifanov.com
Mon Oct 7 16:53:18 UTC 2013
On 10/07/13 12:31, Gleb Kurtsou wrote:
> Hello,
>
> I would like to ask everybody's opinion regarding committing PEFS to
> CURRENT.
>
> PEFS is a stacked cryptographic file system for FreeBSD. Development
> started as Google Summer of Code project in 2009. It has been in ports
> since Sept 2011. I maintain the project.
>
> Conceptually PEFS is similar to nullfs adding encryption layer on top of
> it. But it differs technically by not using vop_bypass. Another popular
> stacked cryptographic file systems include eCryptfs (linux) and encfs
> (fuse). There is also pam_pefs pam module to allow user authentication
> with their PEFS-encrypted home directory password.
>
> For those interested in high level introduction I would highly recommend
> article by Kris Moore in the BSD Magazine Issue 09/2013(50) -
> http://bsdmag.org/magazine/1848-day-to-day-bsd-administration
>
> We are very close to branching 10-STABLE now, but patch is
> non-intrusive, it only adds new functionality, enabling PEFS for i386
> and amd64 (platforms it's known to work on). Patch passes make universe.
>
> Patch is available here:
> https://github.com/glk/freebsd-head/commit/b4d2c4a5f42f88fdd07cb75feba3467e4d4c043c.patch
>
> Pros/cons:
>
> - Having PEFS in base would be a huge maintenance help for PCBSD/TrueOS
> who are already committed to use PEFS in next product releases, e.g.
> PCBSD provides encrypted home directories.
>
> - There is steady interest in the project from users (emails, etc).
> Many of them note that file system is not well known yet. Moving PEFS
> to base would greatly increase its exposure.
>
> - Committing PEFS to base would also simplify maintenance by keeping it
> in sync with other subsystems, e.g. it will be updated on large scale
> changes like VM locking.
>
> - There are no bugs known at the moment. I've been using it to encrypt
> home directory since day one. pho@ ran stress test suite on it a
> while back, number of bugs was fixed.
>
> - PEFS is known to work on amd64 and i386 only. Big endian system and
> systems with page size larger than 4k are not tested.
>
> - NOTE! There has been no cryptography review. I'd like to suggest to
> add warning about file system and crypto used is experimental and hasn't
> undergone professional review. Similar to one we had in tmpfs.
>
>
> BSD Magazine article:
> http://bsdmag.org/magazine/1848-day-to-day-bsd-administration
>
> Port:
> http://www.freshports.org/sysutils/pefs-kmod/
>
> Source code repository:
> https://github.com/glk/pefs
>
> FreeBSD DevSummit'2011 - pefs presentation slides:
> https://pefs.googlecode.com/files/pefs-devsummit.pdf
>
> FreeBSD wiki page:
> https://wiki.freebsd.org/PEFS
>
>
> I would really appreciate any comments or suggestions.
>
>
> Thank you,
> Gleb.
Just a personal note: I hoped that you would commit pefs to base
someday. It works well, and is the type of a core functionality that
would be nice to have as early as the install ISO, before skel is copied
over for the first user. I would be happy if this happened.
- Nikolai Lifanov
More information about the freebsd-current
mailing list