Subject: Re: is there an sshfs for NetBSD ?
To: Kamal R Prasad <kamalrpr@in.ibm.com>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-kern
Date: 05/13/2003 09:43:29

On Tue, 13 May 2003, Kamal R Prasad wrote:

> On 1052687897 seconds since the Beginning of the UNIX epoch
> Bill Studenmund wrote:
> >
> >A file system would be more for a case where physical security isn't a
> >strong issue but protecting one user from another is. cgd is best for a
> >case where protecting one user from another isn't a big deal, but physical
> >security is.
>
> >It warrants pointing out that an encrypting file system does not
> >really protect users from each other on a single host much more
> >than chmod 600 does, though.  If you can circumvent the kernel then
> >you can read the other user's key.  The best you get in this case
> >from an encrypting file system is temporal protection, i.e. you
> >have to compromise the box when the target user is logged in rather
> >than at any point in time.
>
> The co. where I used to work had something different in mind (besides
> protecting users from each other's data). They were supplying PCs
> *without* custom hardware and lots of code in the user-space. They did not
> want someone else to pirate the binaries but wanted the data on the box
> available for general use. So cgd would not have served the purpose, but a
> crypto filesystem would have. But IMHO, layering of filesystems is a
> costly implementation in terms of performance degradation.
> regards

1% or 2% is costly? See either my USENIX DMFS paper or any of the UCLA
work. While some ops were as bad as 4%, in general, it was hard to notice
the layered file system. In my tests, I found (for reads & writes) that
on-disk layout was a more dominant performance term than layering. Plus,
we're talking about an encrypting file system. The encryption/decryption
will be the big performance bottleneck.

Also, how _else_ would you do this? By using something like nullfs but
with encryption, we very conveniently provide both an encrypted and
unencrypted view of the file. The backup tools back up the encrypted one,
and users use the unencrypted one.

Take care,

Bill