Re: Questions about cfs
>> Even though I can mount the same encrypted folder with different users and create files, and permissions are 644 or 755, it is not possible to access files/folders created by other users, only own stuff. Neither is it possible, even as the owner, to change the ownership of files/folders inside the encrypted directory to another user.
>
> First, check your permissions. As root you should be able to do anything. Did you try running your commands as root?

Ok, I played around a bit and what I got so far is this. A file or directory created by a common user can be accessed by root, as it should be. A file created by root cannot be read by a user even though the permissions allow it (644). When I issue chmod 644 file as root, it works. A directory created by root or a user works as it should. The same encrypted folder was attached two times, once from root and once from $user, since either cannot access each other's mount.

>> Since I couldn't find vnconfig for Linux I am wondering if there is any other folder/partition/disc encryption method that both BSD and Linux systems can access.
>
> Probably not. But you know, if you are looking for security you probably don't want to throw linux in the mix (yes that was snide)

As much as I love OpenBSD, it lacks some features I like to use from time to time, like using my DVB-T adapter, playing some games that need 3D acceleration, stuff like that, and I wouldn't want to reboot just to access my files.
Re: Questions about cfs
> Ok, I played around a bit and what I got so far is this. A file or directory created by a common user can be accessed by root, as it should be. A file created by root cannot be read by a user even though the permissions allow it (644). When I issue chmod 644 file as root, it works. A directory created by root or a user works as it should.

Little mistake. When creating a file as root, the file has 644 as permissions. When I do chmod 664 or anything else different from the original value and then chmod 644 back, any $user can read it.
Re: Questions about cfs
> Ok, I played around a bit and what I got so far is this. A file or directory created by a common user can be accessed by root, as it should be. A file created by root cannot be read by a user even though the permissions allow it (644). When I issue chmod 644 file as root, it works. A directory created by root or a user works as it should.

Little correction to the above. When creating a file as root it got the permissions 644. A user may not access this file in any way. When I issue chmod 664 file or any other permission different from 644 and after that change back using chmod 644 file, any $user can read it. Maybe there is some bug during file creation?

Ahh, and I forgot to mention that not even root can change the ownership of any file or folder.
Re: Questions about cfs
Nick Guenther wrote:
>> (you have 13 or so partitions you can fit into the disklabel).
>
> What am I saying? vnd disks are not connected to wd disks. There should be no arbitrary restriction.

What would be the reason for disklabels in this case anyway? I just need a partition which is readable by BSD/Linux systems, so either it's going to be a big ffs within the disklabel or some extra ext/xfs partition which would make it easier to access from linux.

Since partition encryption isn't possible, as far as I know (that is, if vnconfig doesn't work on linux), the partition then contains the encrypted directories which should be attachable by BSD and Linux systems.

Ok, need to check for vnconfig on linux first.

Any ideas about which cipher to use? TDES / blowfish? Pros / cons?

Thanks and thanks in advance. =)

Michael
Re: Questions about cfs
I got another question: when attaching an encrypted folder the permissions are always set to 0700. When trying to change that I am getting the following error:

chmod: /crypt/root: Operation not permitted

I was hoping that I could make a shared world read and writeable folder for all users that is just protected in case the notebook is off and gets stolen.

On the other hand, I could just insert the encrypting script (which reads a key from USB stick and cattaches the encrypted folder) into .profile and the shared folder gets assigned to the user on login.

Still, anyone got an idea if the upper still is possible somehow? Changing permissions on those attached mounts.

Michael
Re: Questions about cfs
> On the other hand, I could just insert the encrypting script (which reads a key from USB stick and cattaches the encrypted folder) into .profile and the shared folder gets assigned to the user on login.

This seems to work only partly in my scenario. Even though I can mount the same encrypted folder with different users and create files, and permissions are 644 or 755, it is not possible to access files/folders created by other users, only own stuff. Neither is it possible, even as the owner, to change the ownership of files/folders inside the encrypted directory to another user.

Which would normally be just fine, but I also would like an encrypted shared folder that any user that got the key can read/write into. Anyone got a solution for this?

Since I couldn't find vnconfig for Linux I am wondering if there is any other folder/partition/disc encryption method that both BSD and Linux systems can access.
Re: Questions about cfs
On 8/23/06, Michael [EMAIL PROTECTED] wrote:
>> On the other hand, I could just insert the encrypting script (which reads a key from USB stick and cattaches the encrypted folder) into .profile and the shared folder gets assigned to the user on login.
>
> This seems to work only partly in my scenario. Even though I can mount the same encrypted folder with different users and create files, and permissions are 644 or 755, it is not possible to access files/folders created by other users, only own stuff. Neither is it possible, even as the owner, to change the ownership of files/folders inside the encrypted directory to another user.

First, check your permissions. As root you should be able to do anything. Did you try running your commands as root?

> Which would normally be just fine, but I also would like an encrypted shared folder that any user that got the key can read/write into. Anyone got a solution for this?

I'm confused what your setup is like. Is this a laptop or a rackmounted shell box? If it's the latter, you shouldn't really need to worry about encrypting your drives, so long as you keep the box secure. As for folders that only people with the right permissions can use, ever hear of the Unix filesystem permissions scheme?

> Since I couldn't find vnconfig for Linux I am wondering if there is any other folder/partition/disc encryption method that both BSD and Linux systems can access.

Probably not. But you know, if you are looking for security you probably don't want to throw linux in the mix (yes that was snide)

-Nick
Questions about cfs
Hello,

searched the web but couldn't find any useful information and/or it didn't answer my questions.

I am looking for some software to encrypt some large folders containing personal stuff. It should be possible to decrypt it on BSD and Linux systems. I found cfs in the ports tree but since it just got 3-key TDES and I am not sure about using blowfish and don't even know the others, I am wondering how secure it is compared to other implementations like cryptsetup for Linux which can use AES.

Since I am a total beginner when it comes to programming I am wondering how hard it would be to enable aes in cfs and if 3-key TDES is still safe. Safe means, for me, that it needs too much time for decryption to even try.

Also, if I understood correctly, it is possible to pipe a key into cmkdir when creating a folder and same when using cattach. Would it be possible to pipe the content of, let's say, a small image or a file filled from /dev/random or some other file as a key? Minimum key length is 16, what's the maximum key length? I am asking since I would like to use a floppy or USB stick to unlock the encrypted folders.

Michael
Re: Questions about cfs
On 8/22/06, Michael [EMAIL PROTECTED] wrote:
> Hello, searched the web but couldn't find any useful information and/or it didn't answer my questions. I am looking for some software to encrypt some large folders containing personal stuff. It should be possible to decrypt it on BSD and Linux systems. I found cfs in the ports tree but since it just got 3-key TDES and I am not sure about using blowfish and don't even know the others, I am wondering how secure it is compared to other implementations like cryptsetup for Linux which can use AES.

I have never used cfs and it looks like it hasn't been maintained lately. Someone recently vouched for it on here though. However, the typical solution to this problem is to make an encrypted vnd disk using vnconfig(8) and then newfs that disk. It's not as flexible as the cfs method, which can encrypt each folder separately, but if you don't have too many things to encrypt separately you can make it work (you have 13 or so partitions you can fit into the disklabel). I'm not sure if this could work from Linux though.

> Also, if I understood correctly, it is possible to pipe a key into cmkdir when creating a folder and same when using cattach. Would it be possible to pipe the content of, let's say, a small image or a file filled from /dev/random or some other file as a key? Minimum key length is 16, what's the maximum key length? I am asking since I would like to use a floppy or USB stick to unlock the encrypted folders.

Seems like there would be no reason why not... you might want to make it a two-factor encryption method, then, by having a script take your key from the thumbdrive and concat it to a password you type in. Using /dev/urandom (not random) to generate the thumbdrive half is a good idea.

-Nick
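The two-part key suggested in the message above (a thumbdrive half from /dev/urandom concatenated with a typed password), as an added example that is not part of the original thread. The function names and the hex encoding of the stored half are assumptions; the script only prints the combined key, and feeding it to cmkdir or cattach is left as the thread describes it.

```shell
#!/bin/sh
# Added example: build a cfs key from a file on a thumbdrive plus a typed password.
# All names here are hypothetical; nothing below is taken from cfs itself.
CFS_MIN_KEY_LEN=16   # minimum key length quoted in the thread

# Write a fresh random half to the given path (e.g. a file on the USB stick).
# 32 bytes from /dev/urandom, hex-encoded so the half is one printable line.
make_key_half() {
    keyfile=$1
    ( umask 077
      od -An -N32 -tx1 /dev/urandom | tr -d ' \n' > "$keyfile"
      echo >> "$keyfile" )
}

# Print "thumbdrive half + password" as a single key line.
# Fails if the key file is missing or empty, or the password is empty,
# so a lost stick or a bare Enter never yields a one-factor key.
combine_key() {
    keyfile=$1
    password=$2
    [ -r "$keyfile" ] || { echo "key file not readable: $keyfile" >&2; return 1; }
    half=$(head -n 1 "$keyfile")
    [ -n "$half" ] || { echo "key file is empty" >&2; return 1; }
    [ -n "$password" ] || { echo "empty password" >&2; return 1; }
    key="${half}${password}"
    [ "${#key}" -ge "$CFS_MIN_KEY_LEN" ] || { echo "key too short" >&2; return 1; }
    printf '%s\n' "$key"
}

# Prompt for the password without echoing it, then print the combined key.
read_key() {
    keyfile=$1
    printf 'Password: ' >&2
    stty -echo 2>/dev/null
    IFS= read -r pw
    stty echo 2>/dev/null
    echo >&2
    combine_key "$keyfile" "$pw"
}
```

Run make_key_half once when the directory is created and keep the resulting file only on the stick; read_key is the interactive entry point for each later attach.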
Re: Questions about cfs
On 8/22/06, Nick Guenther [EMAIL PROTECTED] wrote:
> On 8/22/06, Michael [EMAIL PROTECTED] wrote:
> [ . . . ]
> (you have 13 or so partitions you can fit into the disklabel).

What am I saying? vnd disks are not connected to wd disks. There should be no arbitrary restriction.

-Nick