Encrypting private directory with pefs

October 1, 2009 by · 5 Comments 

pefs is a kernel level cryptographic filesystem. It works transparently on top of other filesystems and doesn’t require root privileges. There is no need to allocate another partition and take additional care of backups, resizing partition when it fills up, etc.

To install pefs grab sources tarball here (mirror 1, mirror 2). Unpack it into /usr/src, compile and install:

# make -C /usr/src/sys/modules/salsa20 obj all install clean
# make -C /usr/src/sys/modules/pefs obj all install clean
# make -C /usr/src/sbin/pefs obj all install clean

Note: It’s being developed on amd64 9-CURRENT, and was tested on i386 8-CURRENT some time ago (before branching). It should also work on 7-STABLE, but I’m not able to test it. Would appreciate any feedback and will try to fix all incompatibilities.

Create a new directory to encrypt. Let it be ~/Private:

% mkdir ~/Private

And mount pefs on top of it (root privileges are necessary to mount filesystem unless you have vfs.usermount sysctl set to non-zero):

% pefs mount ~/Private ~/Private

At this point ~/Private behaves like read-only filesystem because no keys are set up yet. To make it useful add a new key:

% pefs addkey ~/Private

After entering a passphrase, you can check active keys:

% pefs showkeys ~/Private
Keys:
0 b0bed3f7f33e461b aes256-ctr

As you can see AES algorithm is used by default (in CTR mode with 256 bit key). It can be changed with pefs addkey -a option.

You should take into account that pefs doesn’t save any metadata. That means that there is no way for filesystem to “verify” the key. To work around it key chaining can be used (pefs showchain, setchain, delchain). I’m going show how it works in next posts.

Let’s give it a try:

% echo "Hello WORLD" > ~/Private/test

% ls -Al ~/Private
total 1
-rw-r--r-- 1 gleb gleb 12 Oct 1 12:55 test

% cat ~/Private/test
Hello WORLD

Here is what it looks like at lower filesystem level:

% pefs unmount ~/Private

% ls -Al ~/Private
total 1
-rw-r--r-- 1 gleb gleb 12 Oct 1 12:55 .DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq

% hd ~/Private/.DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
00000000 7f 1e 1b 05 fc 8a 5c 38 fc d8 2d 5f |......\8..-_|
0000000c

Your result is going to be different because pefs uses random tweak value to encrypt files. This tweak is saved in encrypted file name. Using the tweak also means that the same files have different encrypted content.

About gleb

Comments

5 Responses to “Encrypting private directory with pefs”
  1. Andriy Radyk says:

    FreeBSD ng.portaone.com 8.0-RC1 FreeBSD 8.0-RC1 #0: Sun Oct 4 22:36:53 EEST 2009 [email protected]:/usr/obj/usr/src/sys/ANGST2 i386

    [root@ng /usr/src]# make -C /usr/src/sys/modules/pefs obj all install clean
    cc -O -pipe -march=i686 -mtune=k8 -Werror -D_KERNEL -DKLD_MODULE -nostdinc -I. -I@ -I@/contrib/altq -finline-limit=8000 –param inline-unit-growth=100 –param large-function-growth=1000 -fno-common -g -mno-align-long-strings -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 -mno-sse3 -ffreestanding -fstack-protector -std=iso9899:1999 -fstack-protector -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -c /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c
    cc1: warnings being treated as errors
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c: In function ‘poly_step_func’:
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:262: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:264: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:265: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:266: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:267: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:270: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:271: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:272: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:273: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:276: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:277: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:278: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:279: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:280: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:285: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:286: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:287: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:288: warning: cast discards qualifiers from pointer target type
    /usr/src/sys/modules/pefs/../../fs/pefs/vmac.c:289: warning: cast discards qualifiers from pointer target type
    *** Error code 1

    Stop in /usr/src/sys/modules/pefs.

  2. gleb says:

    Andriy, would you try a newer version, I’ve fixed compilation on i386 (I hope so):
    http://blogs.freebsdish.org/gleb/2009/10/16/pefs-dircache-benchmark/

    But that version has minor issues running on top of UFS. To fix it disable dircace after loading module:
    # sysctl vfs.pefs.dircache_enable=0

Trackbacks

Check out what others are saying about this post...
  1. [...] This post was mentioned on Twitter by FreeBSD Project, Chimbida. Chimbida said: RT @freebsd: BLOG: Encrypting private directory with pefs: pefs is a #kernel level cryptographic filesystem. It works tr http://bit.ly/YPnlz [...]

  2. [...] Après être retourné à l’école dans la classe du démon rouge, il nous propose donc un nouveau scénario. [...]

  3. [...] Après être retourné à l’école dans la classe du démon rouge, il nous propose donc un nouveau scénario. [...]