[9fans] Encrypting file systems

[9fans] Encrypting file systems

[smiley at zenzebra.mv.com]

Hello,

Back in 2009, someone on this list posted about encrypting /usr on a
Plan 9 laptop they had.  Does anyone know how to encrypt a file system
on Plan 9?  (I'm talking about encrypting the storage on disk, not just
the network connection to it.)

My intuition would be to look for a "crypt" command in the fs(3) driver.
But there doesn't seem to be any.  (And the man pages suggest that keyfs
only stores files 40 bytes in size?)  Yes, I know I could export a
device from another OS (like Linux), but I'm looking for a native Plan 9
solution.

How might one go about encrypting a Plan 9 file system, either at the
block level or file level?

Thanks!

-- 
+---------------------------------------------------------------+
|E-Mail: smiley at zenzebra.mv.com             PGP key ID: BC549F8B|
|Fingerprint: 9329 DB4A 30F5 6EDA D2BA  3489 DAB7 555A BC54 9F8B|
+---------------------------------------------------------------+

[9fans] Encrypting file systems

[Jacob Todd]

There's two implementations that i know of: one is in russ' contrib, and
there another one called cbfs (i think), which is also on contrib, although
i don't remember where. The latter version could be russ' implementation
with changes, it's been a while since I tried either. Russ' didn't compile
at first, there were two variables with the same name iirc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.9fans.net/private/9fans/attachments/20110329/ff2d3ce4/attachment.html>

[9fans] Encrypting file systems

[smiley at zenzebra.mv.com]

Jacob Todd <jaketodd422 at gmail.com> writes:

> There's two implementations that i know of: one is in russ' contrib, and
> there another one called cbfs (i think), which is also on contrib, although
> i don't remember where. The latter version could be russ' implementation
> with changes, it's been a while since I tried either. Russ' didn't compile
> at first, there were two variables with the same name iirc.

I was able to find the former, but not the latter.  Russ' "cryptfs"
appears to be a modification of kfs.  But isn't kfs one of the file
systems that's now considered deprecated?

How come crypto wasn't put right in fs(3)?  It seems like doing that
would give all disk-based file systems immediate cryptography support.

Also, if you have any idea where I can find that "cbfs", please let me
know...

Thanks!

[9fans] Encrypting file systems

[erik quanstrom]

> I was able to find the former, but not the latter.  Russ' "cryptfs"
> appears to be a modification of kfs.  But isn't kfs one of the file
> systems that's now considered deprecated?

why would it be considered depricated?  because it's
easy to use, easy to understand, and just works?

no history, though.  but i don't see how that's a
downside for folks considering using fossil-venti.

- erik

[9fans] Encrypting file systems

[smiley at zenzebra.mv.com]

erik quanstrom <quanstro at labs.coraid.com> writes:

>> I was able to find the former, but not the latter.  Russ' "cryptfs"
>> appears to be a modification of kfs.  But isn't kfs one of the file
>> systems that's now considered deprecated?
>
> why would it be considered depricated?  because it's
> easy to use, easy to understand, and just works?

I thought I read somewhere that kfs was deprecated.  In one of the man
pages?  On the wiki?  I don't recall.  It was about the old kfs file
system being replaced by fossil...or something like that.

-- 
+---------------------------------------------------------------+
|E-Mail: smiley at zenzebra.mv.com             PGP key ID: BC549F8B|
|Fingerprint: 9329 DB4A 30F5 6EDA D2BA  3489 DAB7 555A BC54 9F8B|
+---------------------------------------------------------------+

[9fans] Encrypting file systems

[Steve Simon]

kfs is not used for standalone machines these days, so I suspose you
could say it is depricated for use as a primary file server.

the only reason for this is there are more feature-full solutions
out there now, however it is not broken or fundamentally a bad file
server to use.

-Steve

[9fans] Encrypting file systems

[erik quanstrom]

On Thu Mar 31 07:03:23 EDT 2011, steve at quintile.net wrote:
> kfs is not used for standalone machines these days, so I suspose you
> could say it is depricated for use as a primary file server.

there are more kfs (not ken's fs which the op was talking about)
running today than any other plan 9 disk-based file server.

- erik

[9fans] kfs: i'm not dead yet!

[Lyndon Nerenberg (VE6BBM/VE7TFX)]

> kfs is not used for standalone machines these days, so I suspose you
> could say it is depricated for use as a primary file server.

I suspect kfs (not kenfs) is used on a whole lot of laptops these
days.  I have four laptops in the house that have standalone kfs Plan
9s running under Parallels and Fusion.  All of which also net-boot
diskless configs from the local fileserver when in range.

--lyndon

Re: [9fans] kfs: i'm not dead yet!

[Akshat Kumar]

I use kfs (not kenfs) on old edge nodes that
serve as relays, nameservers, and provide other
basic services, but are otherwise too limited to
be able to handle the abuse of fossil. I also use
it on my headless Acer Aspire One that runs as
an auth server at home.


Best,
ak

On Thu, Mar 31, 2011 at 1:35 PM, Lyndon Nerenberg (VE6BBM/VE7TFX)
<lyndon@orthanc.ca> wrote:
>> kfs is not used for standalone machines these days, so I suspose you
>> could say it is depricated for use as a primary file server.
>
> I suspect kfs (not kenfs) is used on a whole lot of laptops these
> days.  I have four laptops in the house that have standalone kfs Plan
> 9s running under Parallels and Fusion.  All of which also net-boot
> diskless configs from the local fileserver when in range.
>
> --lyndon
>
>
>

[9fans] Problem installing

[Chris]

I have been attempting to in stall Plan 9 on a virtual machine(VirtualBox) 
and cannot find the distribution on the ISO file.  I tried all the 
alternatives that are suggested and the folder "dist" but nothing seems to 
be working.  Could anyone help?

Regards
Chris Saunders 

[9fans] Problem installing

[Lyndon Nerenberg (VE6BBM/VE7TFX)]

> I have been attempting to in stall Plan 9 on a virtual machine(VirtualBox) 
> and cannot find the distribution on the ISO file.

Boot the ISO image in VirtualBox.  That will present you with a
menu that gives you an option to run the installer.

[9fans] Problem installing

[Jacob Todd]

After you mount /dev/sdD0/data to 'find' the distribution, when you get to
the prompt to look around the fs, just type exit in /. Installation will
proceed from there.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.9fans.net/private/9fans/attachments/20110330/3fad1a1e/attachment.html>

[9fans] Problem installing

[Chris]

Thanks Jacob.  Although I had a little trouble I was finally successful at 
getting it installed with your help.  To Lyndon, I was already doing what 
you advised but thanks to you as well.  I will probably have lots more dumb 
question in the future.

Regards
Chris Saunders

From: Jacob Todd
Sent: Wednesday, March 30, 2011 4:25 PM
To: Fans of the OS Plan 9 from Bell Labs
Subject: Re: [9fans] Problem installing


After you mount /dev/sdD0/data to 'find' the distribution, when you get to 
the prompt to look around the fs, just type exit in /. Installation will 
proceed from there.

[9fans] Problem installing

[Lyndon Nerenberg]

>To Lyndon, I was already doing what you 
> advised

i was confused.  i thought you had mounted the CD under windows and were 
looking for the 'installer' program :-P

[9fans] Encrypting file systems

[Jacob Todd]

What i called cdfs was actually something for inferno, written in limbo.
It's on contrib, but I've already forgot where and what it's actual name
was. Cryptfs is either fs(3) or kfs(4) with block level encryption, i have
no idea which. It probably wasn't added because it wasn't 'critical' for
using the system.
On Mar 30, 2011 1:21 PM, <smiley at zenzebra.mv.com> wrote:
> Jacob Todd <jaketodd422 at gmail.com> writes:
>
>> There's two implementations that i know of: one is in russ' contrib, and
>> there another one called cbfs (i think), which is also on contrib,
although
>> i don't remember where. The latter version could be russ' implementation
>> with changes, it's been a while since I tried either. Russ' didn't
compile
>> at first, there were two variables with the same name iirc.
>
> I was able to find the former, but not the latter. Russ' "cryptfs"
> appears to be a modification of kfs. But isn't kfs one of the file
> systems that's now considered deprecated?
>
> How come crypto wasn't put right in fs(3)? It seems like doing that
> would give all disk-based file systems immediate cryptography support.
>
> Also, if you have any idea where I can find that "cbfs", please let me
> know...
>
> Thanks!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.9fans.net/private/9fans/attachments/20110330/c536ad2e/attachment.html>

[9fans] Encrypting file systems

[ron minnich]

I've got a rejected-by-usenix paper somewhere about writing a 9p
encryption fs which you could stack on anything that served 9p:
exportfs, fossil, tarfs, whatever. It essentially attached to a 9p
server, you set the key, it encrypted/decrypted the data as it wrote
to its server.

The neat thing about such an encrypting server is you can stack it
anywhere you have  9p server, which is quite fun; you can even stack
it over another instance of itself. You don't need to be root to use
it. You can pick an arbitrary key and don't have to share it with
anyone. And so on.

I have no idea where it is at this point.

maybe you can take cfs and make encrypting?

ron

[9fans] Encrypting file systems

[Mechiel Lukkien]

On Tue, Mar 29, 2011 at 02:42:06PM +0000, smiley at zenzebra.mv.com wrote:
> Hello,
> 
> Back in 2009, someone on this list posted about encrypting /usr on a
> Plan 9 laptop they had.  Does anyone know how to encrypt a file system
> on Plan 9?  (I'm talking about encrypting the storage on disk, not just
> the network connection to it.)

i wrote cryptfile, for inferno:

	http://www.ueber.net/code/r/cryptfile

it provides random block access to an encrypted file.
haven't used it in a while though.

mjl

[9fans] encrypting file systems

[erik quanstrom]

> I've got a rejected-by-usenix paper somewhere about writing a 9p
> encryption fs which you could stack on anything that served 9p:

do you have a copy of this paper?  did you just rewrite a block-at-a-time?

- erik

[9fans] Encrypting file systems

[erik quanstrom]

> I thought I read somewhere that kfs was deprecated.  In one of the man
> pages?  On the wiki?  I don't recall.  It was about the old kfs file
> system being replaced by fossil...or something like that.

ken's file server (aka the plan 9 file server) is not kfs.  kfs is a stripped
down, stand-alone version with no history.  see /sys/doc/fs/fs.ps for
a somewhat terse overview of ken's file server.

i run several instances.  the big one at coraid handles a moderately-sized
company on relatively modest hardware.  it can push 100s of mb/s.
yet it lacks mp and 64-bit support.

in theory venti+fossil replaces ken's fs.  but in practice, there seem to
be lingering questions about fossil.

my personal opinion is that ken's fs does it's job very well, and competing
by reducing the amount of storage used (such as fossl+venti do in this
role) is hard to do today, especially if the result is more complicated.

clearly, to gain traction, you'll need a compelling story.  say, a properly
distrbuted file server.

- erik