CFS v TCFS v SFS v ?

jimd at mars.starshine.org jimd at mars.starshine.org
Sat Feb 22 17:56:18 PST 2003 

On Mon, Feb 17, 2003 at 08:37:21AM -0800, David Wolfskill wrote:
>>Date: Mon, 17 Feb 2003 07:51:46 -0800
>>From: richard childers / kg6hac <fscked at pacbell.net>
 
>>I'm evaluating filesystems which provide encryption under
>>FreeBSD.
 
>>The following acronyms means the following things:
 
>>CFS: Cryptographic File System
>>TCFS: Translucent CFS
>>SFS: Secure File System
 
>>...
 
> >Have I missed any other encrypting filesystems?
 
> GBDE -- available only in FreeBSD-5.x (which recently acquired
> "-RELEASE" status for the first time, but you don't want to use 5.0 for
> GBDE, as I recall).
 
> The acronym stands for "GEOM-based disk encryption".
 
> It is not, strictly speaking, an "encrypting filesystem," as this is
> below the level of "filesystem":  you can put any sort of file system on
> it that you could on a "raw" disk.  Thus, the idea is that you can set
> up a (piece of a) disk en encrypted via GDBE, then create a filesystem
> of your choice on it; absent the key(s) to unlock the disk in question,
> even the type of filesystem that is on it should be non-trivial to
> determine.

 This sounds very similar to the ppdd (privacy protected disk device) 
 patches that have been available for Linux for a few years.  I've never
 used it, but I've never heard complaints from its users either.

 As with gbde ppdd is a block layer device under Linux --- similar to
 the md (multi-device) drivers, it acts as a shim between the logical 
 device layer (used by the VFS subsystem) and the physical device.  Thus
 you can make any sort of filesystem on your ppdd devices; in fact you
 can even mkswap on it, so that your virtual memory pages are encrypted
 as they go to the disk.

 Another Linux specific option is the encrypted loop package; which has
 been part of the "international crypto patches" to the kernel for a
 number of years.  In that case you'd use a command like the mount and 
 losetup commands to mount and "unlock" the filesystem.

 I haven't used this one either.  Even if I had, I'm not qualified to 
 comment on the quality of the encryption and key management in either
 of them.
 
--
Jim Dennis

More information about the Baylisa mailing list