[225] in The Cryptographic File System users list

CFS and FBK/LOFI

daemon@ATHENA.MIT.EDU (Robert Stampfli)
Sat Apr 14 23:22:06 2001

Date: Sat, 14 Apr 2001 22:25:09 -0400 (EDT)
From: Robert Stampfli <cfs@colnet.cmhnet.org>
Reply-To: res@colnet.cmhnet.org
Message-Id: <200104150225.WAA08394@colnet.cmhnet.org>
To: cfs-users@research.att.com
Subject: CFS and FBK/LOFI

[ Second attempt.  Probably, the first is queued somewhere because I
  didn't mail it from my cfs mail account.  Apologies in advance if
  you get two copies. ]

FBK is a kernel driver written by Joerg Schilling which permits the
mounting of plain files that contain images of filesystems (on Solaris
Sparc systems).  It is useful for checking images that you are about to
burn on a CD using his excellent cdrecord program.  LOFI is a similar
facility packaged in Solaris 8.  I presume everyone knows what CFS is.

Recently, I got to wondering what FBK and LOFI would do with a "plain"
CFS file, i.e. one residing in /crypt.  Well, in short, I tried it and
it works.  Indeed, it seems to work quite well, for the cursory bit
of playing around I just did with it.

The beauty of combining CFS with FBK/LOFI is that one can now create
and manage a completely encrypted filesystem.  Not only are the files
and file names encrypted (like vanilla CFS), but everything about the
filesystem is hidden, including timestamps, directory hierarchy, fill
factor, and even the FS type.

The downside is that setting it up is a bit kludgy, it isn't the most
efficient way to do this (you end up double dipping into the kernel
for every reference -- once to get to /crypt and then a second time
to get to the underlying encrypted file), and of course, you need to
set up the FS (and size it) prior to using it, which may take some
time and thought.

If you want to play with it, here is what I did.  (This presumes a
Solaris system with fbk installed, or a Solaris 8 with LOFI.  You'll
need to alter it according to what local tools you have for other
environments.)

FBK:
$ # insert a floppy in floppy drive
$ fdformat
$ newfs /dev/rdiskette0
$ su root
# cmkdir testdir
# cattach testdir t
# cp /dev/rdiskette0 /crypt/t/fs
# mount -F fbk /dev/fbk0:/crypt/t/fs /mnt
# chown $LOGNAME /mnt
# <cntl-D>
$ cd /mnt
etc...

LOFI:
$ su root
# cmkdir testdir
# cattach testdir t
# mkfile 10m /crypt/t/fs
# lofiadm -a /crypt/t/fs
# newfs /dev/rlofi/... 	# char device associated with what lofiadm returns
# mount `lofiadm /crypt/t/fs` /mnt
# chown $LOGNAME /mnt
# <cntl-D>
$ cd /mnt
etc...


I think FBK may be obtained from ftp://ftp.fokus.gmd.de/pub/unix/.
Personally, I'd use LOFI if you are on Solaris 8.

It would also be interesting to understand the implications of using
a very large file on CFS security, as one phase of CFS encryption
relies on a repeating vector of nominally 128k bytes, something that
would repeat many times over the extent of a large FS.

Rob Stampfli
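
[Added example, not part of the original message and not CFS code.] The closing question above, modeled in a small sketch: a mask that repeats every 128 KiB is XORed into each block before an assumed deterministic block cipher, so a zero-filled image such as the one `mkfile 10m` creates yields ciphertext that repeats at that period. Assumptions: the 8-byte block size, the hash-based Feistel stand-in cipher, and every function name are hypothetical; any per-file randomization real CFS may apply is not modeled.

```python
import hashlib

BLOCK = 8             # assumption: 64-bit cipher block
PERIOD = 128 * 1024   # mask repeat length from the message ("nominally 128k bytes")


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function for the stand-in Feistel permutation."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Deterministic keyed permutation on one block (stand-in cipher, not secure)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, rnd, right)))
    return left + right


def make_mask(key: bytes, length: int = PERIOD) -> bytes:
    """Pseudo-random mask that is reused every `length` bytes of the file."""
    return hashlib.shake_256(b"mask" + key).digest(length)


def encrypt_image(key: bytes, image: bytes, period: int = PERIOD) -> bytes:
    """XOR each block with the mask at (offset mod period), then encrypt it.

    `image` length and `period` are expected to be multiples of BLOCK.
    """
    mask = make_mask(key, period)
    out = bytearray()
    for off in range(0, len(image), BLOCK):
        m = off % period
        masked = bytes(a ^ b for a, b in zip(image[off:off + BLOCK], mask[m:m + BLOCK]))
        out += toy_block_encrypt(key, masked)
    return bytes(out)


def repeated_blocks(cipher: bytes, period: int = PERIOD) -> int:
    """Count ciphertext blocks identical to the block exactly one period earlier."""
    return sum(
        cipher[off:off + BLOCK] == cipher[off - period:off - period + BLOCK]
        for off in range(period, len(cipher), BLOCK)
    )


if __name__ == "__main__":
    zeros = bytes(3 * PERIOD)  # constructed sample: zero-filled image, three periods long
    hits = repeated_blocks(encrypt_image(b"demo key", zeros))
    print(hits, "of", 2 * PERIOD // BLOCK, "blocks repeat one period later")
```

In this model the repetition only shows where the plaintext itself repeats at the same offset within the period, which is common in a freshly created or sparsely filled filesystem image.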

