Wednesday, October 03, 2001

Cryptographic File System

Here I will explain how to use cfs, the Cryptographic Filesystem. This is a filesystem (that is, a way of organizing files on the hard disk or other storage device) where all files are encrypted. I will not explain how to install cfs, since it requires a bit of background, and thus I leave it for a future post. But I will explain how to use it, assuming that it is installed on your machine.

To check if cfs is installed, execute the command mount. You should see a file system with the name cfs or similar. For example, on my machine I get the following among many other output lines (the output is split so you can easily read it):


localhost:/var/lib/cfs/.cfsfs on /var/cfs type nfs
(rw,port=3049,intr,nfsvers=2,addr=127.0.0.1)

This means that cfs is mounted on the directory called /var/cfs.

To store files in the cfs you need to make a directory with a special command, for example:

cmkdir crypted

This will create a directory called crypted that you can use under cfs. You will be asked to enter (and confirm) a key that will be needed any time you want to work in that directory. The key should be at least 16 characters long (at least on my system). Warning: if you forget the key you will not be able to recover your files; not even the superuser can do it. So choose a complicated key, but something you can remember.

To write or edit files in encrypted form first you need to make the directory crypted "available" to cfs. That is done as in this example:

cattach crypted directory12345

The last word should be a unique name for cfs to work on your directory. You can put some arbitrary thing, or a name based on a PID (whatever that is :-) ), etc.

Now you can save files in encrypted form under the directory /var/cfs/directory12345. Do not work in the directory crypted but in the directory with the name you gave in the attach command. Its full name also includes the part where cfs "lives", as you can see in the above example: /var/cfs is the cfs parent directory (the result of mount) and directory12345 is the name you gave.

Work on files in that directory as you work on files in any other directory. When you finish saving, editing, removing your files, you have to detach the directory with a command like this:

cdetach directory12345

Then all your files in that directory will actually be saved in the crypted directory, encrypted, so your data is safe from other users’ eyes.
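
The whole session as one shell helper (an added example, not part of the original post): it finds the cfs mount point from the mount output, attaches, runs a command in the cleartext directory, and detaches even when the command fails, so the cleartext view is not left attached. The function names cfs_mountpoint and cfs_run are hypothetical; cattach and cdetach are called exactly as shown above.

```sh
#!/bin/sh
# Added example. cfs_mountpoint and cfs_run are hypothetical helper names;
# cattach and cdetach are called as in the post.

# Read `mount` output on stdin and print where cfs is mounted.
# Assumes Linux-style lines as in the post:
#   localhost:/var/lib/cfs/.cfsfs on /var/cfs type nfs (rw,port=3049,...)
cfs_mountpoint() {
    awk '$2 == "on" && $4 == "type" && $5 == "nfs" && $1 ~ /cfs/ {
             print $3; found = 1; exit
         }
         END { exit !found }'
}

# Usage: cfs_run ENCRYPTED_DIR ATTACH_NAME COMMAND [ARGS...]
cfs_run() {
    [ "$#" -ge 3 ] || { echo "usage: cfs_run DIR NAME COMMAND..." >&2; return 2; }
    dir=$1
    name=$2
    shift 2
    root=$(mount | cfs_mountpoint) || { echo "cfs is not mounted" >&2; return 1; }
    cattach "$dir" "$name" || return 1        # asks for the key
    status=0
    # Work in <mount point>/<name>, never in the encrypted directory itself.
    ( cd "$root/$name" && "$@" ) || status=$?
    cdetach "$name"                           # runs even if the command failed
    return "$status"
}

# Example: cfs_run crypted directory12345 vi notes.txt
```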