Setting up an encrypted file system
This article was written by Niklas Saers
I had long been hearing from my Linux-using friends about their different encrypted
filesystems and wanted one for FreeBSD. The reasons for this are many: I have copies
of all my emails and mails from the golden BBS days until now, with the exception of a few
hard drive crashes, and I wouldn’t want just anyone to read this. I also find encryption
interesting and wanted to see how this worked performance-wise. Although there are no
encrypted file systems in the kernel, I found one in ports/security.
This file system is really an RPC server for the NFS protocol. It uses 3DES by
default but has other forms of encryption available as well. However, for this
introduction we’ll stick with the standard.
First of all, use su to become root and install the port security/cfs. A simple:
cd /usr/ports/security/cfs && make install clean
should do the trick. If for some reason you don’t use ports, you can fetch the
package from freebsd.org.
The next step is setting up the daemon. cfs requires an entry in /etc/exports
for emulating NFS, and cfsd attaches encrypted directories to this mounted
NFS. Since it only needs some directory and you’re only going to allow your own
computer to access this, add the following line to /etc/exports (create
/etc/exports with this line only if you don’t have one already):
/var/tmp localhost
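As an added illustration (not part of the original article or of the cfs port), the following sh function audits an exports file to confirm that the directory from the line above is exported to the local machine only. The function name check_cfs_export and its return codes are made up for this example, and it assumes that "local only" means the host list contains nothing but localhost, 127.0.0.1 or ::1.

```sh
#!/bin/sh
# Added example, not from the article: audit an exports file for the cfs export.
# Assumption: "local only" means every host is localhost, 127.0.0.1 or ::1.
# Continuation lines (trailing backslash) are not handled.

# check_cfs_export FILE DIR  (hypothetical helper)
#   returns 0: DIR is exported to loopback names only
#           1: DIR is exported with no host list, a network option or another host
#           2: DIR is not exported in FILE
check_cfs_export() {
    file=$1 dir=$2 found=2
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # strip comments
        set -f; set -- $line; set +f      # split on whitespace, no globbing
        match=0 hosts=0 bad=0
        for tok in "$@"; do
            case $tok in
                "$dir") match=1 ;;
                /*) ;;                            # another directory on the line
                -*network*|-*mask*) bad=1 ;;      # exported to a whole network
                -*) ;;                            # other options, e.g. -ro
                localhost|127.0.0.1|::1) hosts=$((hosts + 1)) ;;
                *) hosts=$((hosts + 1)); bad=1 ;; # any non-loopback host
            esac
        done
        [ "$match" -eq 1 ] || continue
        # A matching line with no host at all is exported to every host.
        if [ "$bad" -eq 1 ] || [ "$hosts" -eq 0 ]; then
            return 1
        fi
        found=0
    done < "$file"
    return "$found"
}

# Constructed sample lines, each checked as a one-line exports file.
demo() {
    tmp=$(mktemp) || return 1
    for sample in '/var/tmp localhost' '/var/tmp' \
                  '/var/tmp -ro 192.0.2.10' '/usr/home localhost'; do
        printf '%s\n' "$sample" > "$tmp"
        rc=0; check_cfs_export "$tmp" /var/tmp || rc=$?
        printf '%-26s -> %s\n' "$sample" "$rc"
    done
    rm -f "$tmp"
}
demo
```

Run it against the real file with check_cfs_export /etc/exports /var/tmp; a return code of 1 means the export line should be tightened before the NFS daemons are started.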
All right. If you do not have NFS up and running already, we’re going to have to start
the portmap and the mountd d
After reading the article I decided to set up cfs and am very pleased with the results.
I would like to say that after having RTFM (or this howto) I was able to set up a totally (locally safe) server without having any fears of my ISP taking my servers (for any reasons) and using data on it.
I was wondering what to do if I have a 160 GB disk that is 140 GB full and I wanted to make it encrypted w/o losing data.
Cheers,
John
Hey!
Great article.
Quick and easy and right to the point.
Here’s a little script I wrote to connect to my private cfs.
Call it what you want and place it in your $HOME/bin.
—————————————————
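#!/bin/sh
# Attach (-m) or detach (-u) the private cfs directory.
case "$1" in
-m)
    # Attach $HOME/.private under the name .private (-t 15 as in the original).
    /usr/local/bin/cattach -t 15 "$HOME/.private" .private
    ;;
-u)
    /usr/local/bin/cdetach .private
    ;;
*)
    echo "Usage: $(basename "$0") [-m|-u]" >&2
    exit 1    # a usage error should not report success
    ;;
esac
# The script exits with the status of cattach/cdetach.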
—————————————————
As for the test result:
Crypted fs:
Fri Feb 8 20:06:32 CET 2002
100000+0 records in
100000+0 records out
51200000 bytes transferred in 61.063670 secs (838469 bytes/sec)
Fri Feb 8 20:07:33 CET 2002
!crypted fs:
Fri Feb 8 20:07:39 CET 2002
100000+0 records in
100000+0 records out
51200000 bytes transferred in 4.019759 secs (12737082 bytes/sec)
Fri Feb 8 20:07:43 CET 2002
Don’t know why the speed is so slow on the cfs..
Binary
Note that this article was written using FreeBSD 4. With FreeBSD 5, rpcbind replaces portmap. With FreeBSD 5, you should also check out gbde 🙂
gbde = GEOM Based Disk Encryption
For more, see the FreeBSD Handbook – 16.15, Encrypting Disk Partitions:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html