cryptographic filesystem


Encrypted filesystem with cfs

Using cfs

* What is cfs?

This document describes cfs for NetBSD.
cfs is the so-called cryptographic filesystem, which implements encryption at the system level through a standard file system interface to encrypted files. Files in these directories (as well as their pathname components) are transparently encrypted and decrypted with the specified key without further user intervention; cleartext is never stored on disk or sent to a remote file server. It is implemented entirely at user level, as a local NFS server running on the client machine's loopback interface.

* Installing and configuring cfs

cfs is available via pkgsrc, so its installation is easily done with:
cd /usr/pkgsrc/security/cfs/
make && make install && make clean
After the installation has finished you have to create, configure and export a working directory:
mkdir /null
chmod 0 /null
echo /null localhost >> /etc/exports
Now [re]start mountd and cfsd:
/etc/rc.d/mountd [re]start && /usr/pkg/sbin/cfsd
Configure a cfs mount point and mount it:
mkdir /crypt
mount -o intr,-2,-w=4096,-r=4096 127.0.0.1:/null /crypt


Finally, mountd should be started via /etc/rc.conf and cfsd via /etc/rc.local; you can also add the mount command to the latter.
Now it is time to create the encrypted directory; the -b option selects the Blowfish algorithm.
Please refer to the manual page for other algorithms, such as 3DES or MacGuffin.
cfs_mkdir -b /encrypted
cfs_mkdir now asks for a passphrase of at least 16 characters, which should of course be very strong, e.g. use numbers, capitalization and special characters.

cfs is now configured and ready for use. To mount your encrypted directory, run
cfs_attach /encrypted usable_cfsdir
and enter your passphrase. It is now attached as /encrypted/usable_cfs and can be used like a regular directory, e.g. you can copy files into it.
For example, if you copy /etc/motd to /encrypted/usable_cfs with
cp /etc/motd /encrypted/usable_cfs/
you can access /encrypted/usable_cfs/motd as usual, because this is the decrypted interface to the "real" encrypted file, which now resides in /crypt/.

To detach the encrypted directory, use
cfs_detach usable_cfsdir
Now you cannot access /encrypted/usable_cfs/ anymore.

* Using cfs on removable media

It is possible to use removable media with cfs, so for example
you can burn your private photos onto a CD-ROM in encrypted form
and simply mount and cfs_attach it to access the files.
I'll shortly describe how to burn a cfs directory to a CD:
Using that CD is very simple: mount it to e.g. /mnt
and run "cfs_attach /mnt/fotos-dec03 fotos" to access the images.

* Backups and cfs

One problem regarding backups is that cfs also encrypts file and directory names, so it is hard to identify individual files.
One possible solution is to back up the files unencrypted from an attached cfs directory. But then you should also encrypt your backups, for example with mcrypt or GnuPG, which are both included in pkgsrc. In case you have to restore your files, this must also be done into the attached encrypted directory.
But it is also possible to back up and restore the still-encrypted files residing in /crypt. This can be done by backing up the whole directory, or incrementally using dump(8) and its dump levels, or find(1) with its date options combined with other backup software such as pax(1) or cpio(1).
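As an added example (not part of the original page), a small POSIX shell script that follows the second approach: it backs up the still-encrypted files under /crypt, selecting changed files with find(1) -newer against a timestamp file and archiving them with pax(1). The paths /crypt, /var/backups/cfs.stamp and the archive names are assumptions.

```shell
#!/bin/sh
# Full and incremental backup of the still-encrypted cfs tree (/crypt).
# Added example; /crypt, the stamp file and archive names are assumptions.

# List regular files under the encrypted tree ($1) modified after the stamp
# file ($2). The names are ciphertext, so the list only tells you what to
# archive, not which cleartext files they correspond to.
cfs_changed_since() {
    find "$1" -type f -newer "$2" | sort
}

# Number of changed files, used to skip empty incremental runs.
cfs_changed_count() {
    cfs_changed_since "$1" "$2" | wc -l | tr -d ' '
}

# Full backup: archive the whole encrypted directory, directories included,
# so the encrypted pathname components are preserved. pax -d keeps pax from
# descending into directories on its own, since find already lists every entry.
cfs_full_backup() {
    enc_dir=$1 stamp=$2 archive=$3
    find "$enc_dir" -print | pax -w -d -f "$archive" && touch "$stamp"
}

# Incremental backup: archive only files changed since the stamp. The new
# stamp is taken before the file selection, so a file modified while pax is
# running is still picked up by the next run instead of being lost.
cfs_incremental_backup() {
    enc_dir=$1 stamp=$2 archive=$3
    newstamp="$stamp.new"
    touch "$newstamp"
    if [ "$(cfs_changed_count "$enc_dir" "$stamp")" -eq 0 ]; then
        echo "no files changed since last backup" >&2
        rm -f "$newstamp"
        return 0
    fi
    cfs_changed_since "$enc_dir" "$stamp" | pax -w -d -f "$archive" \
        && mv "$newstamp" "$stamp"
}

# Typical use with the assumed paths, e.g. from cron:
#   cfs_full_backup /crypt /var/backups/cfs.stamp /var/backups/cfs-full.pax
#   cfs_incremental_backup /crypt /var/backups/cfs.stamp \
#       /var/backups/cfs-$(date +%Y%m%d).pax
```

Restoring an incremental archive with pax -r into /crypt reproduces the encrypted files, which become readable again only after cfs_attach with the original passphrase.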

$Id: cfs.html,v 1.32 2014/08/21 09:24:03 stefan Exp $



Author: Stefan Schumacher for net-tex.de/cryptomancer.de, PGP key 0xB3FBAE33

Please note that the content of this page has not been maintained since the end of 2007!
More recent information is available at Kaishakunin.com