Subject: Re: NetBSD raw disk block encrypted FFS filesystem needed!
To: None <sommerfeld@orchard.arlington.ma.us>
From: Steven M. Bellovin <smb@research.att.com>
List: port-i386
Date: 12/19/2000 22:24:52
In message <200012200306.eBK36I807802@syn.hamachi.org>, Bill Sommerfeld writes:
>> For all ciphers that we currently use in the NetBSD kernel, the output
>> size is the same as the input size.  Obviously the input size has to be
>> rounded to the cipher's block size, if you're using a block cipher, but
>> for disk blocks, that should pretty much always be the case.
>
>Whether or not encryption requires additional storage also depends on
>what you're doing for initialization vectors and the like.
>
>It would also be extremely worthwhile for an encrypting filesystem to
>be able to do an "end-to-end" MAC/MDC of some sort to detect
>corruption/tampering, but that also requires additional storage.
>
>					- Bill
>
>
Let me point folks at http://www.crypto.com/papers/cfs.ps, which 
discusses many of the tradeoffs.  (I believe that cfs runs on NetBSD, 
though I haven't tried it yet.)

		--Steve Bellovin
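
The storage trade-off raised in this thread, as an added example that is not part of either message or of any NetBSD code: a length-preserving sector encryption with an IV derived from the sector number, next to a variant that stores a random IV and a MAC and therefore no longer fits in the original sector. Assumptions: a 512-byte sector, hypothetical function names, and an HMAC-SHA256 counter keystream standing in for a real cipher only so the sizes and the tamper check can be run with the standard library.

```python
import hashlib, hmac, os

SECTOR = 512  # assumed sector size in bytes

def _keystream(key, iv, n):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, not a kernel cipher.
    # With a derived IV a keystream repeats on every rewrite of a sector, so a real
    # design would use a block-cipher mode intended for sectors instead.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal_plain(key, sector_no, data):
    """IV derived from the sector number: output size equals input size."""
    iv = sector_no.to_bytes(8, "big")
    return _xor(data, _keystream(key, iv, len(data)))

open_plain = seal_plain  # XOR with the same keystream is its own inverse

def _tag(mac_key, sector_no, iv, ct):
    # Binding the sector number into the MAC also detects relocated sectors.
    return hmac.new(mac_key, sector_no.to_bytes(8, "big") + iv + ct,
                    hashlib.sha256).digest()

def seal_auth(enc_key, mac_key, sector_no, data):
    """Stored random IV (16 bytes) plus MAC (32 bytes): 48 extra bytes per sector."""
    iv = os.urandom(16)
    ct = _xor(data, _keystream(enc_key, iv, len(data)))
    return iv + ct + _tag(mac_key, sector_no, iv, ct)

def open_auth(enc_key, mac_key, sector_no, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(mac_key, sector_no, iv, ct)):
        raise ValueError("sector %d failed integrity check" % sector_no)
    return _xor(ct, _keystream(enc_key, iv, len(ct)))

def flip_bit(blob, offset):
    """Simulate corruption of one stored bit (constructed test input)."""
    return blob[:offset] + bytes([blob[offset] ^ 1]) + blob[offset + 1:]
```

With the length-preserving form a corrupted sector decrypts without error to wrong data; the authenticated form rejects it, at the cost of 48 bytes per sector that have to be stored somewhere outside the 512-byte block.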