Saturday, October 22, 2005

Using CFS

Matt Blaze's Cryptographic File System (CFS) is a simple way to encrypt a directory under Unix. Unlike the loopback encryption system, you don't have to choose the size of the encrypted filesystem beforehand—it will grow as you add files to it. Here's the steps you need to take:
  1. Obtain the CFS sources or RPM distribution. I found an RPM called cfs-1.4.1-5.i386.rpm.
  2. Build and install the CFS programs. These include cmkdir, cattach and others. How to do this is left to you. I just installed the RPM with rpm -ivh.
  3. If building from source, you must create a directory in root: mkdir /.cfsfs. Add a line to /etc/exports: /.cfsfs localhost(). The RPM I used did this for me.
  4. Create another directory mkdir /securefs. This will be the root of your crypto filesystem (although more on this later). You don't have to call it securefs and it doesn't have to be in root. It's just a starting point—you won't use it in the future.
  5. Add the following to /etc/rc.local (or some other setup file that is called at boot time):
    # start up CFS
    if [ -x /usr/sbin/cfsd ]
     /usr/sbin/exportfs -a
     /usr/sbin/cfsd && mount -o port=3049,intr
         localhost:/.cfsfs /securefs
    Make sure the code that starts up cfsd and mounts the secure directory is all on one line. This will start up CFS on boot and associate the CFS directory with the exported .cfsfs NFS mount point. Now you can either reboot, or start CFS without rebooting. Just enter the commands in the block above. On reboot, if all is well, you will see a new directory /crypt. This is the CFS root.
  6. Make a secure directory, anywhere you like (your home directory, for example) with cmkdir <directory name>. You can call it anything you like, let's say cryptodir. You will be asked for a password. This must be long, 20 characters or more, so make sure you can remember it.
  7. Now you can 'attach' this directory to CFS. Use cattach <directory name> <name>. <name> can be anything you want; it will be the 'directory' that will appear in CFS. So, the command might look like cattach ~/cryptodir secrets. You will then be prompted for your password again. Enter this, and a 'directory' will appear in the CFS root: /crypt/secrets.
  8. You can then use this new directory just like any other. Note the overhead of encryption will make it seem quite slow. If you get a gigabyte an hour throughput you're doing well (by default the cipher algorithm is two-key hybrid mode triple DES).
  9. When you no longer want your secure directory to be available, detach it from CFS: cdetach <name> e.g. cdetach secrets.