Subject: Encrypted compressed vnds
To: None <firstname.lastname@example.org>
From: Stephen Borrill <email@example.com>
Date: 08/07/2006 10:29:49
You may remember a discussion about encryption of compressed vnds that I
No simple effective solution was proposed (compressing a cgd-on-vnd isn't
going to give good compression), so I've decided to go with my original
plan and implement DES encryption in the compression part of the vnd
I've had to extend struct vnd_ioctl to allow the key to be passed. This
means that you must use a new vnconfig with a new kernel (you can't mix
old and new). A new kernel option is added (VND_ENCRYPTION) which also
requires VND_COMPRESSION to have any effect. I've added a new -e option to
vndcompress and vnconfig which takes either an 8-character text key or an
8-byte hexadecimal key.
I'm using des_ncbc_encrypt() as it seems to be the best compromise of
speed, ease of use and non-trivial encryption. In userland we've got des.h
and openssl/des.h (the latter having function names and types beginning
with DES_ whereas the former has des_ and matches sys/cryto/des). It seems
a bit dirty to me to use one in userland and the other in the kernel (only
the DES_ functions are available to userland apparently). Is this is a
problem or should I just not worry about it?
Would there be any interest in committing this work to the tree? If so,
I'll polish it up, edit man pages, etc.