CFS v TCFS v SFS v ?
jimd at mars.starshine.org
Sat Feb 22 17:56:18 PST 2003
On Mon, Feb 17, 2003 at 08:37:21AM -0800, David Wolfskill wrote:
> > Date: Mon, 17 Feb 2003 07:51:46 -0800
> > From: richard childers / kg6hac <fscked at pacbell.net>
> > I'm evaluating filesystems which provide encryption under
> > FreeBSD.
> > The following acronyms mean the following things:
> > CFS: Cryptographic File System
> > TCFS: Translucent CFS
> > SFS: Secure File System
> > ...
> > Have I missed any other encrypting filesystems?
> GBDE -- available only in FreeBSD-5.x (which recently acquired
> "-RELEASE" status for the first time, but you don't want to use 5.0 for
> GBDE, as I recall).
> The acronym stands for "GEOM-based disk encryption".
> It is not, strictly speaking, an "encrypting filesystem," as this is
> below the level of "filesystem": you can put any sort of file system on
> it that you could on a "raw" disk. Thus, the idea is that you can set
> up a (piece of a) disk encrypted via GBDE, then create a filesystem
> of your choice on it; absent the key(s) to unlock the disk in question,
> even the type of filesystem that is on it should be non-trivial to
> determine.
This sounds very similar to the ppdd (privacy protected disk device)
patches that have been available for Linux for a few years. I've never
used it, but I've never heard complaints from its users either.
As with gbde, ppdd is a block layer device under Linux --- similar to
the md (multi-device) drivers, it acts as a shim between the logical
device layer (used by the VFS subsystem) and the physical device. Thus
you can make any sort of filesystem on your ppdd devices; in fact you
can even mkswap on it, so that your virtual memory pages are encrypted
as they go to the disk.
Another Linux specific option is the encrypted loop package, which has
been part of the "international crypto patches" to the kernel for a
number of years. In that case you'd use commands like mount and
losetup to mount and "unlock" the filesystem.
I haven't used this one either. Even if I had, I'm not qualified to
comment on the quality of the encryption and key management in either
of them.
--
Jim Dennis
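The block-layer shim the thread describes (ppdd under Linux, GBDE under FreeBSD) modelled as an added example; this is not code from ppdd, GBDE or anyone in the thread. RawDisk, EncryptingShim and sniff are constructed names, the boot sector is a constructed sample, and the HMAC-derived per-sector keystream stands in for the real cipher so the example runs with the Python standard library only.

```python
import hashlib
import hmac

SECTOR = 512

class RawDisk:
    """Constructed stand-in for the physical disk: a flat array of sectors."""
    def __init__(self, sectors):
        self.buf = bytearray(SECTOR * sectors)
    def read(self, n):
        return bytes(self.buf[n * SECTOR:(n + 1) * SECTOR])
    def write(self, n, data):
        self.buf[n * SECTOR:(n + 1) * SECTOR] = data

class EncryptingShim:
    """Hypothetical model of the shim between filesystem and disk: each sector
    is encrypted with a keystream derived from the key AND the sector number,
    so the filesystem above is unaware of it and the raw disk shows no magic."""
    def __init__(self, disk, key):
        self.disk, self.key = disk, key
    def _keystream(self, n):
        # Per-sector PRF stream: HMAC-SHA256(key, sector || counter). A real
        # shim uses a tweakable block cipher (e.g. AES-XTS): a stream that is
        # reused when a sector is rewritten leaks old XOR new plaintext.
        return b"".join(hmac.new(self.key, n.to_bytes(8, "big") + i.to_bytes(4, "big"),
                                 hashlib.sha256).digest() for i in range(SECTOR // 32))
    def read(self, n):
        return bytes(a ^ b for a, b in zip(self.disk.read(n), self._keystream(n)))
    def write(self, n, data):
        assert len(data) == SECTOR
        self.disk.write(n, bytes(a ^ b for a, b in zip(data, self._keystream(n))))

def sniff(dev):
    """Crude filesystem sniffing in the spirit of file(1)/mount -t auto over
    any object with read(sector): FAT16 boot sector or Linux swap signature."""
    s0 = dev.read(0)
    if s0[510:512] == b"\x55\xaa" and s0[54:62] == b"FAT16   ":
        return "fat16"
    if dev.read(7)[502:512] == b"SWAPSPACE2":   # last 10 bytes of page 0
        return "swap"
    return None

def demo():
    key = hashlib.sha256(b"constructed demo passphrase").digest()
    disk = RawDisk(16)
    shim = EncryptingShim(disk, key)
    boot = bytearray(SECTOR)                 # constructed FAT16 boot sector
    boot[54:62], boot[510:512] = b"FAT16   ", b"\x55\xaa"
    shim.write(0, bytes(boot))               # written through the shim, as mkfs would
    shim.write(1, bytes(SECTOR))             # two identical all-zero data sectors
    shim.write(2, bytes(SECTOR))
    return {"through_shim": sniff(shim),     # filesystem type visible with the key
            "raw_disk": sniff(disk),         # nothing recognisable without it
            "zero_sectors_differ": disk.read(1) != disk.read(2)}  # per-sector tweak
```

The last flag is the caveat worth remembering: without a sector-dependent tweak, the many identical (zeroed) blocks a fresh filesystem or swap area contains would encrypt identically and expose its layout.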