On Thu, 2002-09-26 at 08:52, James Gritton wrote:
> After playing with a few encrypted filesystems, and giving up on them (after
> a kernel crash or two), I went looking for something else to encrypt. The
> logical choice is the device.
Have you seen ports/security/vncrypt?
I use ports/security/cfs, which uses a loopback NFS server to decrypt a backing
directory for you. It is nice because it expands on the fly, but it isn't a
speed demon.

> Well, the virtual device. Like a cryptfs that's based on a loopback mount,
> I'm encrypting a virtual device based on the "vn" driver. This was only a
> few hours' work, though it's admittedly incomplete. This is based on the
> Blowfish code in the kernel used by ipsec and such, with an extra ioctl
> added to set the key. Only three source files require modification:
>
> sys/sys/vnioctl.h:
> Define the VNIOCSETKEY ioctl
>
> usr.sbin/vnconfig/vnconfig.c:
> Add a "-k" option to specify that an encryption key should be entered via
> getpass(), and passed in with the above ioctl.
>
> sys/dev/vn/vn.c
> Add a blowfish key entry to the softc structure. This is set via the
> above ioctl, which converts a passed-in string into the key data.
> Encryption is done around the vn's VOP_READ and VOP_WRITE calls, in
> 512-byte CBC chunks.
>
> That's it - 90 lines of new code. This is for my purposes complete and
> working, which is to say neither is quite true. For production-quality
> code, some work remains:

Impressive :)

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
-- Andrew Tanenbaum
GPG Fingerprint - 9A8C 569F 685A D928 5140 AE4B 319B 41F4 5D17 FDD5
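The design quoted above (encrypt each 512-byte sector in CBC mode around the vn driver's read and write path) leaves one question open that matters for a block device: what IV each sector's CBC chain starts from. The following is an added example written for this page, not James Gritton's patch and not FreeBSD code. It models the sector-level wrapper in user space over an in-memory backing store, and compares the two obvious IV choices: a constant IV, under which two sectors holding identical plaintext produce identical ciphertext on the backing file, and a per-sector IV derived by encrypting the sector number under the same key (an assumption of this example; the post does not say which the patch uses). The 64-bit block cipher is a toy Feistel network standing in for the kernel's Blowfish so that the example runs stand-alone; it has no cryptographic strength, and the function names (toy_*, vn_*, cbc_sector) are invented here.

```c
/* Added example: sector-granular CBC around a virtual disk's read/write path,
 * modelled on the vn-driver design described in the post. toy_* is a Feistel
 * stand-in for the kernel's Blowfish (8-byte block, no security value);
 * everything else is the per-sector CBC wrapper. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR 512          /* encryption granularity, as in the post */
#define BLK    8            /* Blowfish block size */
#define NSECT  4            /* size of the constructed in-memory backing store */

typedef struct { uint32_t rk[16]; } toy_key;

static uint32_t ld32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void st32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Round function; any function works for a Feistel network, invertibility comes
 * from the structure, not from F. */
static uint32_t toy_f(uint32_t x, uint32_t k) {
    x ^= k; x = (x << 7) | (x >> 25); x *= 0x9E3779B1u; return x ^ (x >> 13);
}
void toy_setkey(toy_key *tk, const uint8_t *key, size_t len) {
    uint32_t s = 0x243F6A88u;
    if (len == 0) len = 1;                       /* treat "" as a single NUL byte */
    for (int i = 0; i < 16; i++) {
        s ^= (uint32_t)key[i % len] << (8 * (i % 4));
        s = toy_f(s, (uint32_t)i);
        tk->rk[i] = s;
    }
}
void toy_encrypt(const toy_key *tk, uint8_t b[BLK]) {
    uint32_t l = ld32(b), r = ld32(b + 4);
    for (int i = 0; i < 16; i++) { uint32_t t = r; r = l ^ toy_f(r, tk->rk[i]); l = t; }
    st32(b, r); st32(b + 4, l);                  /* undo the final swap */
}
void toy_decrypt(const toy_key *tk, uint8_t b[BLK]) {
    uint32_t r = ld32(b), l = ld32(b + 4);
    for (int i = 15; i >= 0; i--) { uint32_t t = l; l = r ^ toy_f(l, tk->rk[i]); r = t; }
    st32(b, l); st32(b + 4, r);
}

/* IV for one sector: all-zero (constant) or E_K(sector number) (per-sector). */
static void sector_iv(const toy_key *tk, uint64_t sector, int per_sector, uint8_t iv[BLK]) {
    memset(iv, 0, BLK);
    if (!per_sector) return;
    st32(iv, (uint32_t)(sector >> 32)); st32(iv + 4, (uint32_t)sector);
    toy_encrypt(tk, iv);
}

/* CBC over exactly one 512-byte sector, in place. Each sector is its own chain,
 * so a damaged sector does not affect its neighbours and sectors can be
 * rewritten independently, which is what a block device needs. */
void cbc_sector(const toy_key *tk, uint64_t sector, uint8_t *buf, int encrypt, int per_sector_iv) {
    uint8_t prev[BLK], ct[BLK];
    sector_iv(tk, sector, per_sector_iv, prev);
    for (size_t off = 0; off < SECTOR; off += BLK) {
        uint8_t *b = buf + off;
        if (encrypt) {
            for (int i = 0; i < BLK; i++) b[i] ^= prev[i];
            toy_encrypt(tk, b);
            memcpy(prev, b, BLK);
        } else {
            memcpy(ct, b, BLK);
            toy_decrypt(tk, b);
            for (int i = 0; i < BLK; i++) b[i] ^= prev[i];
            memcpy(prev, ct, BLK);
        }
    }
}

/* The "softc": key set once via the (here: function) equivalent of VNIOCSETKEY,
 * and a backing store that only ever holds ciphertext. */
typedef struct { toy_key key; int per_sector_iv; uint8_t backing[NSECT * SECTOR]; } vn_dev;

void vn_setkey(vn_dev *d, const char *passphrase, int per_sector_iv) {
    memset(d, 0, sizeof *d);
    toy_setkey(&d->key, (const uint8_t *)passphrase, strlen(passphrase));
    d->per_sector_iv = per_sector_iv;
}
int vn_write(vn_dev *d, uint64_t sector, const uint8_t *data) {   /* VOP_WRITE side */
    if (sector >= NSECT) return -1;
    uint8_t *dst = d->backing + sector * SECTOR;
    memcpy(dst, data, SECTOR);
    cbc_sector(&d->key, sector, dst, 1, d->per_sector_iv);
    return 0;
}
int vn_read(const vn_dev *d, uint64_t sector, uint8_t *out) {     /* VOP_READ side */
    if (sector >= NSECT) return -1;
    memcpy(out, d->backing + sector * SECTOR, SECTOR);
    cbc_sector(&d->key, sector, out, 0, d->per_sector_iv);
    return 0;
}

static void fill(uint8_t *s, uint8_t seed) { for (int i = 0; i < SECTOR; i++) s[i] = (uint8_t)(seed + i); }

/* 1 if two distinct sectors written through the device read back intact. */
int check_roundtrip(int per_sector_iv) {
    vn_dev d; uint8_t p0[SECTOR], p1[SECTOR], out[SECTOR];
    vn_setkey(&d, "constructed passphrase", per_sector_iv);
    fill(p0, 0x10); fill(p1, 0x80);
    if (vn_write(&d, 0, p0) || vn_write(&d, 1, p1)) return 0;
    if (vn_read(&d, 1, out) || memcmp(out, p1, SECTOR)) return 0;
    if (vn_read(&d, 0, out) || memcmp(out, p0, SECTOR)) return 0;
    return 1;
}
/* 1 if identical plaintext in sectors 0 and 1 is visible as identical ciphertext. */
int identical_sectors_collide(int per_sector_iv) {
    vn_dev d; uint8_t p[SECTOR];
    vn_setkey(&d, "constructed passphrase", per_sector_iv);
    fill(p, 0x42);
    vn_write(&d, 0, p); vn_write(&d, 1, p);
    return memcmp(d.backing, d.backing + SECTOR, SECTOR) == 0;
}

int main(void) {
    printf("roundtrip: constant IV=%d per-sector IV=%d\n", check_roundtrip(0), check_roundtrip(1));
    printf("identical sectors collide: constant IV=%d per-sector IV=%d\n",
           identical_sectors_collide(0), identical_sectors_collide(1));
    return 0;
}
```

With a constant IV the backing file reveals which sectors hold the same content (all-zero sectors, duplicated files), which is exactly the kind of structure an attacker with the raw backing file can read off without the key; encrypting the sector number under the key removes that at no storage cost. The key is kept only in the device structure, so swapping a real cipher in means replacing toy_encrypt/toy_decrypt and nothing else in the wrapper.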