Jan 06 2001

Setting up an encrypted file system

This article was written by Niklas Saers.

I had long been hearing from my Linux-using friends about their different encrypted filesystems and wanted one for FreeBSD. The reasons for this are many: I have copies of all my emails and mails from the golden BBS days until now, with the exception of a few hard drive crashes, and I wouldn’t want just anyone to read them. I also find encryption interesting and wanted to see how this worked performance-wise. Although there are no encrypted file systems in the kernel, I found one in ports/security. This file system is really an RPC server for the NFS protocol. It uses 3DES by default but has other forms of encryption available as well. However, for this introduction we’ll stick with the standard.

First of all, use su to become root and install the port security/cfs. A simple:

cd /usr/ports/security/cfs && make install clean

should do the trick. If for some reason you don’t use ports, you can fetch the package from freebsd.org.

The next step is setting up the daemon. cfs requires an entry in /etc/exports for emulating NFS, and cfsd attaches encrypted directories to this NFS mount. Since it only needs some directory and you’re only going to allow your own computer to access it, add the following line to /etc/exports (create /etc/exports with only this line if you don’t have one already):

/var/tmp localhost
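
A check for the export entry above, as an added example that is not part of the original article: it flags any exports line that offers /var/tmp to something other than the local machine. The function name check_cfs_export and the sample lines are constructed, and the parsing assumes one export per line with no line continuations.

```shell
#!/bin/sh
# Added example (not from the article): audit an exports file for the
# directory that cfsd is bootstrapped on.
# Assumptions: one export per line, no backslash continuations; the name
# check_cfs_export and all sample data are constructed for illustration.

# check_cfs_export FILE [DIR]
# Prints one finding per offending line. Returns 0 if DIR is offered only
# to loopback names, 1 if it is offered more widely, 2 if it is not exported.
check_cfs_export() {
    awk -v dir="${2:-/var/tmp}" '
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        {
            is_dir = 0; hosts = 0; bad = ""
            for (i = 1; i <= NF; i++) {
                if ($i == dir)             is_dir = 1
                else if ($i ~ /^\//)       continue         # another exported path
                else if ($i ~ /^-network/) bad = bad " " $i # network-wide export
                else if ($i ~ /^-/)        continue         # other export option
                else {
                    hosts++
                    if ($i != "localhost" && $i != "127.0.0.1" && $i != "::1")
                        bad = bad " " $i
                }
            }
            if (!is_dir) next
            found = 1
            # A line with no host list is served to every client.
            if (hosts == 0 && bad == "") bad = " (no host list: any client)"
            if (bad != "") { printf "line %d:%s\n", NR, bad; wide = 1 }
        }
        END { if (!found) exit 2; exit (wide ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the article's entry, then the same path with no hosts.
sample=$(mktemp) && printf '/var/tmp localhost\n/var/tmp -ro\n' > "$sample"
check_cfs_export "$sample" || echo "exports entry needs review"
rm -f "$sample"
```

Run it against the real file with `check_cfs_export /etc/exports` before starting mountd; a non-zero return means the entry is either missing or reachable from other hosts.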

All right. If you do not have NFS up and running already, we’re going to have to start the portmap and the mountd d

  6 Responses to “Setting up an encrypted file system”

  1. After reading the article I decided to set up cfs and am very pleased with the results.

  2. I would like to say that after having RTFM (or this howto) I was able to set up a totally (locally safe) server without having any fears of my ISP taking my servers (for any reasons) and using data on it.

  3. Hey!
    Great article.
    Quick and easy and right to the point.

    Here’s a little script I wrote to connect to my private cfs.
    Call it what you want and place it in your $HOME/bin.

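    #!/bin/sh
    case "$1" in
    -m) # attach (mount) the encrypted directory
        /usr/local/bin/cattach -t 15 "$HOME/.private" .private ;;
    -u) # detach (unmount) it
        /usr/local/bin/cdetach .private ;;
    *)  echo "Usage: `basename $0` [-m|-u]" >&2 ;;
    esac

    exit 0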

    As for the test result:

    Crypted fs:
    Fri Feb 8 20:06:32 CET 2002
    100000+0 records in
    100000+0 records out
    51200000 bytes transferred in 61.063670 secs (838469 bytes/sec)
    Fri Feb 8 20:07:33 CET 2002

    !crypted fs:
    Fri Feb 8 20:07:39 CET 2002
    100000+0 records in
    100000+0 records out
    51200000 bytes transferred in 4.019759 secs (12737082 bytes/sec)
    Fri Feb 8 20:07:43 CET 2002

    Don’t know why the speed is so slow on the cfs..


  4. Note that this article was written using FreeBSD 4. With FreeBSD 5, rpcbind replaces portmap. With FreeBSD 5, you should also check out gbde 🙂