This document describes cfs for NetBSD.
cfs is the so-called cryptographic filesystem, which implements encryption at
system level through a standard file system interface to encrypted files.
Files in these directories (as well as their pathname components)
are transparently encrypted and decrypted with
the specified key without further user intervention; cleartext is never
stored on a disk or sent to a remote file server. It is implemented entirely at user level, as a local NFS server
running on the client machine's loopback interface.
mount -o intr,-2,-w=4096,-r=4096 127.0.0.1:/null /crypt
Finally, mountd and cfsd should be started via /etc/rc.conf and
/etc/rc.local respectively; you can also add the mount command to the latter.
Now it is time to create the encrypted directory. The -b option selects the Blowfish algorithm.
Please refer to the man page for other algorithms, such as 3DES or MacGuffin.
cfs_mkdir -b /encrypted
cfs_mkdir now asks for a passphrase of at least 16 characters, which should of course be very
strong, e.g. use numbers, capitalization and special characters.
cfs is now configured and ready for use. To attach your encrypted directory, run
cfs_attach /encrypted usable_cfsdir
and enter your passphrase. It is now attached as /encrypted/usable_cfs and can be used like a regular directory,
e.g. you can copy files into it.
For example, if you copy /etc/motd to /encrypted/usable_cfs with
cp /etc/motd /encrypted/usable_cfs/
you can access /encrypted/usable_cfs/motd as usual, because this is the decrypted interface to the "real" encrypted
file, now residing in /crypt/.
To detach the encrypted directory use
Now you cannot access /encrypted/usable_cfs/ anymore.
It is possible to use removable media with cfs, so for example
you can burn your private photos onto a CD-ROM in encrypted form
and simply mount and cfs_attach it to access the files.
I'll briefly describe how to burn a cfs directory to a CD:
One problem regarding backups is that cfs also encrypts file and directory names, so it is hard to identify several
One possible solution is to back up the files unencrypted from an attached cfs directory.
But then you should also encrypt your backups, for example with mcrypt or GnuPG, which are both included in
pkgsrc. In case you have to restore your files, this must also be done into the attached encrypted directory.
But it is also possible to back up and restore the still encrypted files, residing in /crypt.
This can be done by backing up the whole directory or via incremental backups using dump(8) and its dump levels,
find(1) and its date options, or other backup software such as pax(1) or cpio(1).
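
The incremental variant with find(1) and pax(1), as an added example that is not part of the original document. The function names, the stamp file and the archive path are assumptions; pass the directory holding the still encrypted files as the first argument, and give the archive and stamp as absolute paths.

```shell
#!/bin/sh
# Added example, not from the original document. Function names, stamp file
# and archive path are assumptions; archive and stamp must be absolute paths.

# Print the ciphertext files under $1 modified since stamp file $2
# (every file when the stamp does not exist yet, i.e. a full backup).
cfs_changed_files() (
    cd "$1" || exit 1
    if [ -f "$2" ]; then
        find . -type f -newer "$2" -print
    else
        find . -type f -print
    fi
)

# Archive the changed files from $1 into $2, then advance stamp $3.
cfs_backup() (
    src=$1 archive=$2 stamp=$3
    # Take the new stamp before scanning, so a file written during the
    # run is picked up again next time instead of being missed.
    : > "$stamp.new" || exit 1
    list=$(cfs_changed_files "$src" "$stamp") || exit 1
    if [ -z "$list" ]; then
        rm -f "$stamp.new"
        exit 0                      # nothing changed, no archive written
    fi
    cd "$src" || exit 1
    if command -v pax >/dev/null 2>&1; then
        printf '%s\n' "$list" | pax -w -d -f "$archive" || exit 1
    else
        # Fallback for hosts without pax; assumes GNU tar (-T - reads names from stdin).
        printf '%s\n' "$list" | tar -cf "$archive" --no-recursion -T - || exit 1
    fi
    mv "$stamp.new" "$stamp"
)
```

The archive contains only ciphertext and encrypted names, so restoring it means unpacking it back into the encrypted directory and attaching that directory with the original passphrase.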