Subject: Re: seeking advice on encrypting file systems
To: VaX#n8 <vax@carolina.rr.com>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 02/05/2004 09:25:32
In message <20040205031307.EE7CDB5DA@linkdead.gangsta.local>, VaX#n8 writes:
>Hi, here's a quick review of the state of the art in encrypted file systems:
>
>1) CFS - a decade old, won't work with new rpcgen. Can be coaxed into
>compilation, but requires several make commands with different args.
>It's all user-level. The code is functional but definitely not elegant.
>Supports 3DES, but no modern ciphers. Probably easier to re-write than
>to turn into a nice system.
It's older than that -- according to Matt Blaze, the author, the RPC/
NFS core of CFS goes back to 1987 or thereabouts. And he agrees with
your bottom line -- it should be rewritten from scratch.
That said, before designing anything new it's worth rereading Matt's
original paper to understand his design goals. A rewrite might be more
functional -- for some purposes and some goals -- than the alternatives.
What are you trying to do, and what are the threats you want to protect
against?
Btw, if you do want to use CFS, it's in pkgsrc, with all the RPC
hackery done for you.
--Steve Bellovin, http://www.research.att.com/~smb