[NBLUG/talk] Crypt Filesystems

Jacob Appelbaum jake at nblug.org
Tue Jul 25 14:02:05 PDT 2006


David Rosenstrauch wrote:
> Jacob Appelbaum wrote:
>> Jippen wrote:
>>> Here is a guide that is pretty close to what you are asking for.
>>> http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_CFS
>>>
>>> I haven't done it yet, but if you want, I am reformatting my test system
>>> today, and can do that as well.
>>>
>>
>> Don't use CFS. It's an old broken pile of bits. It's everything wrong
>> with NFS, everything wrong with crypto file systems and it's old
>> abandoned code.
>>
>> Don't get me wrong, Matt Blaze is a smart guy but this code is really
>> dated. Don't use it anymore.
>>
>> Regards,
>> Jacob
> 
> Not to mention that encfs, which uses fuse, has pretty much superseded
> it at this point.
>

Encfs is also pretty much a no-go in my opinion. If you have a disk and
you're root, just use something that encrypts the entire volume and
allows for key abstraction.

Fuse based file systems are pretty cool but the downsides to encfs are
pretty huge (taken from http://arg0.net/wiki/encfs):

Meta-data remains visible to anyone with access to your encrypted files.
This means that Encfs does not encrypt or otherwise hide the following
information:

"The number of files you have encrypted

The permissions on the files (readable, writable, executable)

The size of each file

The approximate size of each filename (exact when using stream cipher
mode for name encryption, and to within the cipher block size when using
block encryption).

In some file based encryption systems, one can also tell if two files
have the same name, or if two files contained the same data. EncFS
prevents this as of version 1.1."

Also, you need to encrypt your swap or you'd probably leak your keys
everywhere.

Regards,
Jacob
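As an added example, not part of the original post or of EncFS itself, the script below makes the meta-data leak quoted above concrete: it walks a ciphertext directory without any key and reports what an observer learns from the file system alone (file count, permission bits, exact sizes, name lengths). The directory it inspects is a constructed stand-in built in a temporary folder; the names and contents are placeholders, not real EncFS output.

```python
"""Show the meta-data a file-based encryption layer like EncFS leaves
visible: anyone who can list the ciphertext tree learns file count,
permission bits, exact sizes and approximate name lengths with no key.
Added example; the sample tree below is constructed, not real ciphertext."""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class LeakedEntry:
    name_len: int   # encrypted name length; approximates the plaintext name length
    mode: str       # permission bits as shown by ls, e.g. "rw-r--r--"
    size: int       # exact ciphertext size, which tracks the plaintext size closely


def leaked_metadata(root):
    """Collect what an observer learns from the ciphertext tree alone."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            st = os.lstat(os.path.join(dirpath, fname))
            entries.append(LeakedEntry(
                name_len=len(fname),
                mode=stat.filemode(st.st_mode)[1:],  # drop the file-type char
                size=st.st_size,
            ))
    return entries


def summarize(entries):
    """Aggregate the per-file leaks into the facts the post lists."""
    return {
        "file_count": len(entries),
        "total_bytes": sum(e.size for e in entries),
        "executables": sum(1 for e in entries if "x" in e.mode[:3]),
        "name_lengths": sorted(e.name_len for e in entries),
    }


def build_sample_tree(root):
    """Constructed placeholder for an EncFS ciphertext directory
    (hypothetical names, zero-filled contents)."""
    spec = [
        ("A9xQ2mLp3", 0o644, 1024),
        ("Zk8wR", 0o755, 4096),
        ("Tq1nB7vYc0sE", 0o600, 13),
    ]
    for name, mode, size in spec:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"\0" * size)
        os.chmod(path, mode)


def demo():
    """Build the sample tree and return the observer's view of it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return summarize(leaked_metadata(root))


if __name__ == "__main__":
    print(demo())
```

Point the same `leaked_metadata` at a real EncFS ciphertext directory and the output is identical in kind: this is exactly why a whole-volume scheme, which presents only an opaque block device to an observer, avoids the leak the post describes.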


