Subject: NetBSD raw disk block encrypted FFS filesystem needed!
To: None <port-i386@netbsd.org>
From: Alicia da Conceicao <alicia@bankengine.com>
List: port-i386
Date: 12/19/2000 07:14:10
For those of us who carry around NetBSD laptops with valuable information,
such as company source code and banking information, we desperately need
a decent encrypted filesystem solution with minimum overhead. Most
solutions appear to be somewhat pseudo NFS based, the better ones I've
seen are:
TCFS as a Cryptographic Filesystem Layer for NetBSD:
http://tcfs.dia.unisa.it/BSD/
POrtable Dodgy Filesystems in Userland (hacK) version 2:
http://atrey.karlin.mff.cuni.cz/~machek/podfuk/podfuk.html
The first is only alpha and is not stable. The latter is Linux based and
uses coda software in userland. No kernel modifications are needed except
enabling coda. So it should be easy to port from Linux to NetBSD, maybe
it can even run under Linux emulation.
But the performance overhead from the both of these, and all other
solutions I've come across is not acceptable!
Since laptops typically only have one operator, there is no need to use
different keys for different users, one is enough.
The best solution would be to encrypt at the raw disk block level, using
a single symmetric cipher like RC5, blowfish, 3DES, AES, etc. That way
we can still use our FFS filesystem.
It would be easy enough to write functions to encrypt/decrypt an entire
diskblock. However I would have no idea on how to get a kernel to mount
it as a block device, and use the encrypt/decrypt functions when writing/
reading the raw disk partition. (Any takers on joining me on a NetBSD
opensource project for this?)
Is it possible to mount a file containing a disk image, maybe using the
vcd device or MFS (NetBSD ramdisk) mounted memory map of the image? If
so, I suppose that one can encrypt/decrypt that file and get a somewhat
encrypted filesystem in userland.
Are they any other kernel hooks that can be exploited for this?
Any ideas, solutions, etc. would be most appreciated, especially when I
am traveling in strange countries with my laptop.
Thanks in advance.
Alicia.
PS. The solution must work using only a partition or file on a drive,
not the entire disk, since laptops typically carry a single
harddrive, and it is not necessary to encrypt an entire drive,
only a small part of it with sensitive source code and data.