cryptographic filesystem

Encrypted filesystem with cfs

Using cfs

* What is cfs? (Index)

This Document describes cfs for NetBSD.
cfs is the so called cryptographic filesystem which implements encryption at system level through a standard file system interface to encrypted files. Files in these directories (as well as their pathname components) are transparently encrypted and decrypted with the specified key without further user intervention; cleartext is never stored on a disk or sent to a remote file server. It is implemented entirely at user level, as a local NFS server running on the client machine's loopback interface.

* Installing and configuring cfs (Index)

cfs is available via pkgsrc, so it's installation is very easily done with:
make && make install && make clean
After installation finished you have to create, configure and export a working directory:
mkdir /null
chmod 0 /null 
echo /null localhost >> /etc/exports
Now [re]start mountd and cfsd
/etc/rc.d/mountd [re]start && /usr/pkg/sbin/cfsd
configure a cfs mount point and mount it:
mkdir /crypt
mount -o intr,-2,-w=4096,-r=4096 /crypt

finally mountd and cfsd should be started via /etc/rc.conf resp. /etc/rc.local, also you can add the mount command to the latter.
Now it is time to create the encrypted directory, the -b option specifies "Blowfish" algorithm.
Please refer to man-page for other algorithms, such as 3DES or MacGuffin.
cfs_mkdir -b /encrypted
cfs_mkdir now asks for an at least 16 character long passphrase which should be of course very strong, e.g. use numbers, capitalization and special characters.

cfs is now configured and ready for use. To mount your encrypted directory supply
cfs_attach /encrypted usable_cfsdir
and enter your pasphrase. It is now attached as /encrypted/usable_cfs and can be used like a regular directory, e.g. you can copy files into it.
For example, if you copy /etc/motd to /encrypted/usable_cfs with
cp /etc/motd /encrypted/usable_cfs/
you can access /encrypted/usable_cfs/motd as usual, because this is the decrypted interface to the "real" encrypted file, now residing in /crypt/

To detach the encrypted directory use
cfs_detach usable_cfsdir
Now you cannot access /encrypted/usable_cfs/ anymore

* Using cfs on removable media (Index)

It is possible to use a removable media with cfs, so for example
you can burn your private fotos onto a CDROM in an encypted way
and simply mount and cfs_attach it to access the files.
I'll shortly describe how to burn a cfs-directory to a CD:
Using that CD is very simple, mount it to e.g. /mnt
and "cfs_attach /mnt/fotos-dec03 fotos" to acces the images.

* Backups and cfs (Index)

One problem regarding backups is that cfs also encrypts file- and directorynames, so it is hard to identify several files.
One possible solution is to backup the files unencrypted in an attached cfs-directory. But then you should also encrypt your backups, for example with mcrypt or GnuPG, which are both included in pkgsrc. In case you have to restore your files, this must also be done into the attached encrypted directory.
But it is also possible to backup and restore the still encrypted files, residing in /crypt. This can be done by backing up the whole directory or via incremental backups using dump(8) and its dumplevels or find(1) and its date options and other backup software, such as pax(1) or cpio(1)., Index
\$Id: cfs.html,v 1.32 2014/08/21 09:24:03 stefan Exp $

$Log: cfs.html,v $ Revision 1.32 2014/08/21 09:24:03 stefan Umlaute und Makefile clean up

Autor: Stefan Schumacher für, PGP-Key 0xB3FBAE33

Bitte beachten Sie, das die Seite inhaltlich seit Ende 2007 nicht mehr gepflegt wird!
Aktuellere Informationen erhalten Sie auf