Subject: Encrypted compressed vnds
To: None <>
From: Stephen Borrill <>
List: tech-kern
Date: 08/07/2006 10:29:49
You may remember a discussion about encryption of compressed vnds that I 
No simple effective solution was proposed (compressing a cgd-on-vnd isn't 
going to give good compression), so I've decided to go with my original 
plan and implement DES encryption in the compression part of the vnd 

I've had to extend struct vnd_ioctl to allow the key to be passed. This 
means that you must use a new vnconfig with a new kernel (you can't mix 
old and new). A new kernel option is added (VND_ENCRYPTION) which also 
requires VND_COMPRESSION to have any effect. I've added a new -e option to 
vndcompress and vnconfig which takes either an 8-character text key or an 
8-byte hexadecimal key.

I'm using des_ncbc_encrypt() as it seems to be the best compromise of 
speed, ease of use and non-trivial encryption. In userland we've got des.h 
and openssl/des.h (the latter having function names and types beginning 
with DES_ whereas the former has des_ and matches sys/cryto/des). It seems 
a bit dirty to me to use one in userland and the other in the kernel (only 
the DES_ functions are available to userland apparently). Is this is a 
problem or should I just not worry about it?

Would there be any interest in committing this work to the tree? If so, 
I'll polish it up, edit man pages, etc.