Thanks to Peter Holm and Thomas Vogt for finding several bugs:
* Compilation with DIAGNOSTIC option
* Vnode reference and lock leak in pefs_rename()

I've uploaded a new version to test:

Github repository is also updated.

Also note that if you have extra debugging options like DEBUG_LOCKS in
your kernel config, the pefs module has to be built with the same options.
I set KERNBUILDDIR to my kernel build directory to make it work:
# uname -v
FreeBSD 9.0-CURRENT #25 r212049+d758796: Tue Aug 31 22:09:45 EEST 2010     
# export KERNBUILDDIR=/usr/obj/freebsd-src/local/sys/TOPS
# cd pefs/sys/modules/pefs
# make clean
# make && make install


On (06/09/2010 21:38), Gleb Kurtsou wrote:
> Hello,
> I would like to ask for feedback on a kernel level stacked cryptographic
> filesystem. It started as a Summer Of Code'2009 project and has matured a
> lot since then. I've recently added support for sparse files and
> switched to XTS encryption mode.
> I've been using it to encrypt my home directory for almost a year
> already, and use fsx, dbench and blogbench for testing. So it should be
> fairly stable.
> Tested on top of ZFS, UFS and tmpfs on amd64 and i386; both 9-CURRENT
> and 8-STABLE supported.
> Please email me separately if you're willing to help testing on a big
> endian machine; the XTS code doesn't look endian correct.
> At this point all of the project goals are complete and I'd like it to get
> wider coverage in terms of tests and reviews and hope to see it committed
> to HEAD soon.
> Installation instructions:
> 1a. Clone git repository:
> # git clone git:// pefs
> # cd pefs
> 1b. Or download latest snapshot from github:
> 2. Build and install:
> # make obj all
> # make install
> 3. Mount pefs filesystem:
> # pefs mount ~/Private ~/Private
> 4. Enter passphrase:
> # pefs addkey ~/Private
> 5. Test it and report back. There is also a man page available.
> 6. Example how to save your key in keychain database.
> pefs has to be mounted and key specified to make fs writable, create
> keychain with single entry (keychain -Z option):
> # pefs addchain -Z ~/Private
> Don't encrypt .pefs.db:
> # mv ~/Private/.pefs.db /tmp
> # umount ~/Private
> # mv /tmp/.pefs.db ~/Private
> # pefs mount ~/Private ~/Private
> Use -c option to verify key is in database
> # pefs addkey -c ~/Private
> 7. You can set up pam_pefs (not compiled by default) to add key to home
> directory and authenticate against keychain database on login, e.g. by
> adding the following line to /etc/pam.d/system before
> auth  sufficient     try_first_pass
> The following is a list of its most important features:
> *   Kernel level file system, no user level daemons needed.
>     Transparently runs on top of existing file systems.
> *   Random per file tweak value used for encryption, which guarantees
>     different cipher texts for the same encrypted files.
> *   Saves metadata only in encrypted file name, but not in file itself.
> *   Supports arbitrary number of keys per file system, default directory
>     key, mixing files encrypted with different keys in same directory.
> *   Allows defining key chains, can be used to add/delete several keys
>     by specifying only master key.
> *   Uses modern cryptographic algorithms: AES and Camellia in XTS mode,
>     PKCS#5v2 and HKDF for key generation.
> Github repository:
> More details on my blog:
> Thanks,
> Gleb.
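
The key generation named in the feature list above (PKCS#5v2 and HKDF), sketched in Python as an added example that is not pefs code: the passphrase is stretched with PBKDF2, then HKDF splits the result into independent per-purpose keys. The salt, iteration count, hash, labels and key sizes are assumptions; the post does not give the values pefs uses.

```python
import hashlib
import hmac

HASH = "sha512"  # assumed hash; not stated in the post


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): concentrate input keying material into a PRK."""
    if not salt:
        salt = bytes(hashlib.new(HASH).digest_size)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): derive `length` bytes bound to the `info` label."""
    hash_len = hashlib.new(HASH).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(passphrase: bytes, salt: bytes, iterations: int = 50000) -> dict:
    """Passphrase -> PBKDF2 (PKCS#5v2) master key -> HKDF per-purpose keys."""
    # PBKDF2 makes each passphrase guess expensive; the salt defeats precomputation.
    master = hashlib.pbkdf2_hmac(HASH, passphrase, salt, iterations, dklen=64)
    prk = hkdf_extract(salt, master)
    # Distinct labels give cryptographically independent keys, so exposure of
    # one derived key does not reveal the others or the master key.
    return {
        "data": hkdf_expand(prk, b"example data key", 64),  # XTS-AES-256 takes 2 x 256 bits
        "name": hkdf_expand(prk, b"example name key", 32),  # hypothetical file name key
        "key_id": hkdf_expand(prk, b"example key id", 8),   # hypothetical public key tag
    }


if __name__ == "__main__":
    # Constructed sample passphrase and salt.
    for label, key in derive_keys(b"correct horse", b"constructed-salt").items():
        print(label, key.hex())
```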