9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] encrypting file systems
@ 2011-03-29 23:24 erik quanstrom
  0 siblings, 0 replies; 12+ messages in thread
From: erik quanstrom @ 2011-03-29 23:24 UTC (permalink / raw)


> I've got a rejected-by-usenix paper somewhere about writing a 9p
> encryption fs which you could stack on anything that served 9p:

do you have a copy of this paper?  did you just rewrite a block-at-a-time?

- erik




* [9fans] Encrypting file systems
@ 2011-03-31 12:01 erik quanstrom
  0 siblings, 0 replies; 12+ messages in thread
From: erik quanstrom @ 2011-03-31 12:01 UTC (permalink / raw)


> I thought I read somewhere that kfs was deprecated.  In one of the man
> pages?  On the wiki?  I don't recall.  It was about the old kfs file
> system being replaced by fossil...or something like that.

ken's file server (aka the plan 9 file server) is not kfs.  kfs is a stripped
down, stand-alone version with no history.  see /sys/doc/fs/fs.ps for
a somewhat terse overview of ken's file server.

i run several instances.  the big one at coraid handles a moderately-sized
company on relatively modest hardware.  it can push 100s of mb/s.
yet it lacks mp and 64-bit support.

in theory venti+fossil replaces ken's fs.  but in practice, there seem to
be lingering questions about fossil.

my personal opinion is that ken's fs does its job very well, and competing
by reducing the amount of storage used (such as fossil+venti do in this
role) is hard to do today, especially if the result is more complicated.

clearly, to gain traction, you'll need a compelling story.  say, a properly
distributed file server.

- erik




* [9fans] Encrypting file systems
  2011-03-31 11:02         ` Steve Simon
@ 2011-03-31 11:55           ` erik quanstrom
  0 siblings, 0 replies; 12+ messages in thread
From: erik quanstrom @ 2011-03-31 11:55 UTC (permalink / raw)


On Thu Mar 31 07:03:23 EDT 2011, steve at quintile.net wrote:
> kfs is not used for standalone machines these days, so I suppose you
> could say it is deprecated for use as a primary file server.

there are more kfs (not ken's fs which the op was talking about)
running today than any other plan 9 disk-based file server.

- erik




* [9fans] Encrypting file systems
  2011-03-31  0:12       ` smiley at zenzebra.mv.com
@ 2011-03-31 11:02         ` Steve Simon
  2011-03-31 11:55           ` erik quanstrom
  0 siblings, 1 reply; 12+ messages in thread
From: Steve Simon @ 2011-03-31 11:02 UTC (permalink / raw)


kfs is not used for standalone machines these days, so I suppose you
could say it is deprecated for use as a primary file server.

the only reason for this is there are more feature-full solutions
out there now, however it is not broken or fundamentally a bad file
server to use.

-Steve




* [9fans] Encrypting file systems
  2011-03-30 17:25     ` erik quanstrom
@ 2011-03-31  0:12       ` smiley at zenzebra.mv.com
  2011-03-31 11:02         ` Steve Simon
  0 siblings, 1 reply; 12+ messages in thread
From: smiley at zenzebra.mv.com @ 2011-03-31  0:12 UTC (permalink / raw)


erik quanstrom <quanstro at labs.coraid.com> writes:

>> I was able to find the former, but not the latter.  Russ' "cryptfs"
>> appears to be a modification of kfs.  But isn't kfs one of the file
>> systems that's now considered deprecated?
>
> why would it be considered deprecated?  because it's
> easy to use, easy to understand, and just works?

I thought I read somewhere that kfs was deprecated.  In one of the man
pages?  On the wiki?  I don't recall.  It was about the old kfs file
system being replaced by fossil...or something like that.

-- 
+---------------------------------------------------------------+
|E-Mail: smiley at zenzebra.mv.com             PGP key ID: BC549F8B|
|Fingerprint: 9329 DB4A 30F5 6EDA D2BA  3489 DAB7 555A BC54 9F8B|
+---------------------------------------------------------------+




* [9fans] Encrypting file systems
  2011-03-29 14:42 smiley at zenzebra.mv.com
  2011-03-29 14:54 ` Jacob Todd
  2011-03-29 15:06 ` ron minnich
@ 2011-03-30 20:47 ` Mechiel Lukkien
  2 siblings, 0 replies; 12+ messages in thread
From: Mechiel Lukkien @ 2011-03-30 20:47 UTC (permalink / raw)


On Tue, Mar 29, 2011 at 02:42:06PM +0000, smiley at zenzebra.mv.com wrote:
> Hello,
> 
> Back in 2009, someone on this list posted about encrypting /usr on a
> Plan 9 laptop they had.  Does anyone know how to encrypt a file system
> on Plan 9?  (I'm talking about encrypting the storage on disk, not just
> the network connection to it.)

i wrote cryptfile, for inferno:

	http://www.ueber.net/code/r/cryptfile

it provides random block access to an encrypted file.
haven't used it in a while though.

mjl




* [9fans] Encrypting file systems
  2011-03-30 17:19   ` smiley at zenzebra.mv.com
  2011-03-30 17:25     ` erik quanstrom
@ 2011-03-30 20:22     ` Jacob Todd
  1 sibling, 0 replies; 12+ messages in thread
From: Jacob Todd @ 2011-03-30 20:22 UTC (permalink / raw)


What i called cdfs was actually something for inferno, written in limbo.
It's on contrib, but I've already forgotten where and what its actual name
was. Cryptfs is either fs(3) or kfs(4) with block level encryption, i have
no idea which. It probably wasn't added because it wasn't 'critical' for
using the system.
On Mar 30, 2011 1:21 PM, <smiley at zenzebra.mv.com> wrote:
> Jacob Todd <jaketodd422 at gmail.com> writes:
>
>> There's two implementations that i know of: one is in russ' contrib, and
>> there's another one called cbfs (i think), which is also on contrib, although
>> i don't remember where. The latter version could be russ' implementation
>> with changes, it's been a while since I tried either. Russ' didn't compile
>> at first, there were two variables with the same name iirc.
>
> I was able to find the former, but not the latter. Russ' "cryptfs"
> appears to be a modification of kfs. But isn't kfs one of the file
> systems that's now considered deprecated?
>
> How come crypto wasn't put right in fs(3)? It seems like doing that
> would give all disk-based file systems immediate cryptography support.
>
> Also, if you have any idea where I can find that "cbfs", please let me
> know...
>
> Thanks!
>

* [9fans] Encrypting file systems
  2011-03-30 17:19   ` smiley at zenzebra.mv.com
@ 2011-03-30 17:25     ` erik quanstrom
  2011-03-31  0:12       ` smiley at zenzebra.mv.com
  2011-03-30 20:22     ` Jacob Todd
  1 sibling, 1 reply; 12+ messages in thread
From: erik quanstrom @ 2011-03-30 17:25 UTC (permalink / raw)


> I was able to find the former, but not the latter.  Russ' "cryptfs"
> appears to be a modification of kfs.  But isn't kfs one of the file
> systems that's now considered deprecated?

why would it be considered deprecated?  because it's
easy to use, easy to understand, and just works?

no history, though.  but i don't see how that's a
downside for folks considering using fossil-venti.

- erik




* [9fans] Encrypting file systems
  2011-03-29 14:54 ` Jacob Todd
@ 2011-03-30 17:19   ` smiley at zenzebra.mv.com
  2011-03-30 17:25     ` erik quanstrom
  2011-03-30 20:22     ` Jacob Todd
  0 siblings, 2 replies; 12+ messages in thread
From: smiley at zenzebra.mv.com @ 2011-03-30 17:19 UTC (permalink / raw)


Jacob Todd <jaketodd422 at gmail.com> writes:

> There's two implementations that i know of: one is in russ' contrib, and
> there's another one called cbfs (i think), which is also on contrib, although
> i don't remember where. The latter version could be russ' implementation
> with changes, it's been a while since I tried either. Russ' didn't compile
> at first, there were two variables with the same name iirc.

I was able to find the former, but not the latter.  Russ' "cryptfs"
appears to be a modification of kfs.  But isn't kfs one of the file
systems that's now considered deprecated?

How come crypto wasn't put right in fs(3)?  It seems like doing that
would give all disk-based file systems immediate cryptography support.

Also, if you have any idea where I can find that "cbfs", please let me
know...

Thanks!




* [9fans] Encrypting file systems
  2011-03-29 14:42 smiley at zenzebra.mv.com
  2011-03-29 14:54 ` Jacob Todd
@ 2011-03-29 15:06 ` ron minnich
  2011-03-30 20:47 ` Mechiel Lukkien
  2 siblings, 0 replies; 12+ messages in thread
From: ron minnich @ 2011-03-29 15:06 UTC (permalink / raw)


I've got a rejected-by-usenix paper somewhere about writing a 9p
encryption fs which you could stack on anything that served 9p:
exportfs, fossil, tarfs, whatever. It essentially attached to a 9p
server, you set the key, it encrypted/decrypted the data as it wrote
to its server.

The neat thing about such an encrypting server is you can stack it
anywhere you have a 9p server, which is quite fun; you can even stack
it over another instance of itself. You don't need to be root to use
it. You can pick an arbitrary key and don't have to share it with
anyone. And so on.

I have no idea where it is at this point.

maybe you can take cfs and make it encrypting?

ron
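
The stacking layer described in the message above, sketched as an added example; it is not part of the original post and not code from the paper or from any tool named in this thread. `MemServer` and `CryptLayer` are hypothetical names, the offset-addressed read/write interface stands in for a 9p server, and the HMAC-SHA256 counter keystream is a standard-library stand-in for a real disk cipher: it reuses keystream when an offset is overwritten and provides no integrity.

```python
import hashlib
import hmac


class MemServer:
    """Constructed stand-in for any server below: read/write at a byte offset."""

    def __init__(self):
        self.data = bytearray()

    def write(self, offset, buf):
        end = offset + len(buf)
        self.data.extend(bytes(max(0, end - len(self.data))))  # zero-fill holes
        self.data[offset:end] = buf
        return len(buf)

    def read(self, offset, count):
        return bytes(self.data[offset:offset + count])


class CryptLayer:
    """Encrypts on write, decrypts on read, forwards everything to `below`."""
    CHUNK = 32  # bytes of keystream per HMAC-SHA256 output

    def __init__(self, below, key):
        self.below, self.key = below, key

    def _keystream(self, offset, count):
        # Depends only on (key, absolute offset): any byte range can be
        # processed alone, and the stored length equals the plaintext length.
        first = offset // self.CHUNK
        last = (offset + count + self.CHUNK - 1) // self.CHUNK
        stream = b"".join(
            hmac.new(self.key, i.to_bytes(8, "big"), hashlib.sha256).digest()
            for i in range(first, last))
        skip = offset - first * self.CHUNK
        return stream[skip:skip + count]

    def _xor(self, offset, buf):
        return bytes(a ^ b for a, b in zip(buf, self._keystream(offset, len(buf))))

    def write(self, offset, buf):
        return self.below.write(offset, self._xor(offset, buf))

    def read(self, offset, count):
        return self._xor(offset, self.below.read(offset, count))


def demo():
    disk = MemServer()
    inner = CryptLayer(disk, b"constructed key one")
    outer = CryptLayer(inner, b"constructed key two")  # stacked over itself
    outer.write(0, b"hello, 9fans: stacked layers")
    outer.write(7, b"PLAN9")  # unaligned overwrite, no read-modify-write
    return outer.read(0, 28), bytes(disk.data)
```

Because the layer exposes the same `read`/`write` interface it consumes, it can sit over any backend with that interface, including another `CryptLayer` with a different key.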




* [9fans] Encrypting file systems
  2011-03-29 14:42 smiley at zenzebra.mv.com
@ 2011-03-29 14:54 ` Jacob Todd
  2011-03-30 17:19   ` smiley at zenzebra.mv.com
  2011-03-29 15:06 ` ron minnich
  2011-03-30 20:47 ` Mechiel Lukkien
  2 siblings, 1 reply; 12+ messages in thread
From: Jacob Todd @ 2011-03-29 14:54 UTC (permalink / raw)


There's two implementations that i know of: one is in russ' contrib, and
there's another one called cbfs (i think), which is also on contrib, although
i don't remember where. The latter version could be russ' implementation
with changes, it's been a while since I tried either. Russ' didn't compile
at first, there were two variables with the same name iirc.

* [9fans] Encrypting file systems
@ 2011-03-29 14:42 smiley at zenzebra.mv.com
  2011-03-29 14:54 ` Jacob Todd
                   ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: smiley at zenzebra.mv.com @ 2011-03-29 14:42 UTC (permalink / raw)


Hello,

Back in 2009, someone on this list posted about encrypting /usr on a
Plan 9 laptop they had.  Does anyone know how to encrypt a file system
on Plan 9?  (I'm talking about encrypting the storage on disk, not just
the network connection to it.)

My intuition would be to look for a "crypt" command in the fs(3) driver.
But there doesn't seem to be any.  (And the man pages suggest that keyfs
only stores files 40 bytes in size?)  Yes, I know I could export a
device from another OS (like Linux), but I'm looking for a native Plan 9
solution.

How might one go about encrypting a Plan 9 file system, either at the
block level or file level?

Thanks!

-- 
+---------------------------------------------------------------+
|E-Mail: smiley at zenzebra.mv.com             PGP key ID: BC549F8B|
|Fingerprint: 9329 DB4A 30F5 6EDA D2BA  3489 DAB7 555A BC54 9F8B|
+---------------------------------------------------------------+


