Subject: Re: Cryptographic file storage
To: Greywolf <greywolf@starwolf.com>
From: Mark White <mark.white@st-edmund-hall.oxford.ac.uk>
List: current-users
Date: 02/20/2001 09:10:14
Greywolf writes:
> On Tue, 20 Feb 2001, Mark White wrote:
> 
> # I'm looking for something like cfs (which I've used under
> # linux before) -- when not 'mounted', the files aren't stored
> # anywhere unencrypted.  I've investigated a few solutions
> # without much success (like tcfs, which I notice had a new
> # release in January, but still only ports to NetBSD 1.4.2).
> # A slow and hackish solution involving GnuPG and the risk of
> 
> Pardon me, but what's the problem with GPG?  Slowness or unreliability?

GnuPG isn't a method for keeping a filesystem encrypted.
Given an encrypted file, you can make a decrypted copy of it
and save it to disk (and vice versa).  This is good for
emails, when it needs to be encrypted in transit, but not at
destination.  But not good for holding encrypted source code
on your disk; decompressing multiple files (or a multi-file
package) is inconvenient, and it's difficult to get rid of
the unencrypted copies from the disk when you want to make
is secure again.

The solution I was thinking of was to create a disk image and
encrypt it with GnuPG.  Then, to read it:
  - mount_mfs some space slightly larger than the disk
  - make an unencrypted copy of the file on the mfs
  - vnconfig the image
  - mount the vn device somewhere in your filesystem
with approximately the reverse procedure for unmounting.
But, this has two serious problems (speed aside):
  - the encrypted copy on the disk is only resynchronised at
    unmount time, so you risk data loss
  - the mfs could get written to a swap device, so you might
    end up with part of the unencrypted image on disk

Mark <><