You have a directory whose entire contents are encrypted, although the files are still plain files with encrypted content. You perform a specific cattach command, and this creates a directory under a special NFS mount point. This directory is the unencrypted version of your encrypted directory: a read goes through NFS to the local cfs daemon, which fetches the block you want and decrypts it. Writes happen in a similar fashion, in reverse. So your files are never seen as actual cleartext sitting on an unencrypted filesystem. There's a further variant where NFS sees the encrypted file and not the unencrypted one, and which therefore allows you to run encrypted shares across a network (whereas CFS would leak like a sieve).
The minor problem is that there's a bug on the x86_64 platform. I can create an entire new encrypted directory and the password is correct, but the cattach command just says "cattach: incorrect passphrase". I don't know exactly where it's caused; I haven't scrutinised the code. (Again the tyranny of Open Source... :-). I don't know if this affects the PPC architecture as well. But for the rest of us running on i386, it's a very useful way to keep those little bits of your filesystem that you don't want to share with others nice and secure.
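A toy model of the read and write path described above, added here as an illustration and not code from CFS or from the original post: the backing file only ever holds ciphertext, each block is decrypted on its own when read, and attaching with the wrong passphrase is refused. The names make_dir, Attached and .keycheck, the 4096-byte block size and the HMAC-based keystream are assumptions of the model; CFS's real cipher and on-disk layout differ, and file names are left unencrypted here.

```python
import hashlib, hmac, os

BLOCK = 4096  # block size assumed for this model

def derive_key(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def keystream(key, name, block_no, n):
    # HMAC-SHA256 in counter mode: a stand-in cipher, not the one CFS uses.
    # A fixed per-block keystream is reused when a block is rewritten.
    out, ctr = b"", 0
    while len(out) < n:
        msg = name.encode() + block_no.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def make_dir(backing, passphrase):
    # Store a salt and a key check so attach can reject a wrong passphrase.
    salt = os.urandom(16)
    tag = hmac.new(derive_key(passphrase, salt), b"check", hashlib.sha256).digest()
    with open(os.path.join(backing, ".keycheck"), "wb") as f:
        f.write(salt + tag)

class Attached:
    """Cleartext view: every read and write passes through this object."""
    def __init__(self, backing, passphrase):
        with open(os.path.join(backing, ".keycheck"), "rb") as f:
            blob = f.read()
        self.backing, self.key = backing, derive_key(passphrase, blob[:16])
        tag = hmac.new(self.key, b"check", hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob[16:]):
            raise PermissionError("incorrect passphrase")

    def _xor(self, name, block_no, data):
        ks = keystream(self.key, name, block_no, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    def write_block(self, name, block_no, clear):
        path = os.path.join(self.backing, name)
        with open(path, "r+b" if os.path.exists(path) else "wb") as f:
            f.seek(block_no * BLOCK)
            f.write(self._xor(name, block_no, clear))

    def read_block(self, name, block_no, n=BLOCK):
        with open(os.path.join(self.backing, name), "rb") as f:
            f.seek(block_no * BLOCK)
            return self._xor(name, block_no, f.read(n))
```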
All posts licensed under the CC-BY-NC license. Author Paul Wayper.
© 2004-2023 Paul Wayper