Too Busy For Words - the PaulWay Blog

Fri 7th Apr, 2006

Keeping your coding directory secure...

I've used the Cryptographic File System for a while now. It's a bit of a misnomer, though, as it's not really a separate partition with its own filesystem encrypted somehow (of which enough exist anyway).

You have a directory whose entire contents are encrypted, although the files are still plain files with encrypted content. You run the cattach command, which creates a directory under a special NFS mount point. This directory is the unencrypted view of your encrypted directory: a read goes through NFS to the local cfs daemon, which fetches the block you want and decrypts it. Writes work the same way in reverse. So your files never exist as cleartext sitting on an unencrypted filesystem. There's a further variant where NFS sees the encrypted file and not the unencrypted one, which therefore allows you to run encrypted shares across a network (whereas CFS would leak like a sieve).
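Because the cleartext view travels over NFS, it is worth confirming that the mount behind it is served from the local machine. The following is an added example, not part of the original post or of CFS itself: the function name, the /crypt mount point and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the mount that serves a cleartext CFS view.
# Input is /proc/mounts-style text: "device mountpoint fstype options ...".

# Constructed sample mount table (not captured from a real system).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
localhost:/null /crypt nfs rw,intr 0 0
fileserver:/export/crypt /mnt/remote nfs rw 0 0'

# cfs_view_status PATH [MOUNTS_TEXT]
# Prints local-nfs, remote-nfs or not-nfs for the mount containing PATH.
# Without MOUNTS_TEXT it reads the live table from /proc/mounts.
cfs_view_status() {
    path=$1
    mounts=${2:-$(cat /proc/mounts)}
    best_len=-1
    best_dev=
    best_type=
    # Choose the longest mount point that is a directory prefix of PATH,
    # so /crypt matches /crypt/work but not /cryptic.
    while read -r dev mnt fstype _rest; do
        case "$path/" in
            "${mnt%/}/"*)
                if [ "${#mnt}" -gt "$best_len" ]; then
                    best_len=${#mnt}
                    best_dev=$dev
                    best_type=$fstype
                fi ;;
        esac
    done <<EOF
$mounts
EOF
    case "$best_type" in
        nfs*) ;;
        *) echo not-nfs; return 0 ;;
    esac
    # The NFS device field is "host:/export"; cleartext stays on this
    # machine only when that host is the loopback address.
    case "${best_dev%%:*}" in
        localhost|127.0.0.1) echo local-nfs ;;
        *) echo remote-nfs ;;
    esac
}
```

A result of remote-nfs means reads and writes of cleartext cross the network, which is the leak described above; not-nfs means the path is not a CFS view at all.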

The minor problem is that there's a bug on the x86_64 platform. I can create an entirely new encrypted directory and the password is correct, but the cattach command just says cattach: incorrect passphrase. I don't know exactly where it's caused; I haven't scrutinised the code. (Again the tyranny of Open Source... :-). I don't know if this also affects the PPC architecture. But for the rest of us running on i386, it's a very useful way to keep those little bits of your filesystem that you don't want to share with others nice and secure.



All posts licensed under the CC-BY-NC license. Author Paul Wayper.


Main index / tbfw/ - © 2004-2023 Paul Wayper