TCFS for BSD: installation roadmap

INTRODUCTION

This is a prototype of TCFS for BSD, and it is released only for developers.
Every other use is strongly discouraged. This is a minimal implementation, and
not all planned features (see the section "What it does not do") have been
implemented. The code has been written for OpenBSD 2.2. In places the code is
rather obscure because I followed the motto "First make it work, then make it
well".

WHAT IT DOES

The TCFS filesystem layer provides:

* File encryption/decryption using DES or RC5 (other ciphers can be easily
  added).
* Management of keys on a per-user, per-group and per-process basis.
* Management of different keys for each mounted filesystem.
* A set of utilities for users and system administrators.

N.B. Currently, a TCFS filesystem can only be mounted on top of an FFS
filesystem.

WHAT IT DOES NOT DO

At the moment we are working on:

* Directory encryption/decryption (i.e., encryption/decryption of the
  filenames).
* Independence from the underlying filesystem.

TCFS FILE SYSTEM INSTALLATION

1. Download the files openbsd-tcfs.tar.gz and openbsd-mount_tcfs.tar.gz

2. Make sure the packages /usr/src/sys and /usr/src/sbin have been installed

3. Expand the tar.gz archives as root

       (cd /; tar xvfz path/to/openbsd-tcfs.tar.gz)
       (cd /; tar xvfz path/to/openbsd-mount_tcfs.tar.gz)

   The archive openbsd-tcfs.tar.gz contains some files of the original
   distribution which have been modified. The originals were renamed to
   namefile.orig.

4. Add the line

       file-system TCFS

   to your kernel configuration file and save it in
   /usr/src/sys/arch/yourarch/conf/YOURKERNEL

5. Configure and compile YOURKERNEL

       cd /usr/src/sys/arch/yourarch/conf/
       config YOURKERNEL
       cd ../compile/YOURKERNEL
       make depend && make
       cp /bsd /bsd.old
       mv bsd /

6. Compile the mount_tcfs program

       cd /usr/src/sbin/mount_tcfs
       make
       make install

7. Reboot the system

TCFS UTILITIES INSTALLATION

1. Download the archive openbsd-tcfs_utils and expand it as root

       (cd /; tar xvfz path/to/openbsd-tcfs_utils.tar.gz)

2. Compile the tcfs utilities

       cd /usr/src/tcfs-utils_0.1
       make
       make install

3. Add /usr/tcfs/bin and /usr/tcfs/sbin to your path

MOUNTING TCFS FILESYSTEM

You can mount a TCFS filesystem by running the mount command.

example:

       mount -t tcfs /mnt2 /mnt/tcfs

If you want to mount the filesystem automatically at boot, edit the file
/etc/fstab and insert a line for the TCFS filesystem.

example:

       /mnt2 /mnt/tcfs tcfs rw 0 0

MANAGING PROTECTED FILES

In order to create a protected file, you need to push a user key into TCFS.
The easiest way to do this is to run

       tcfsputkey -k -p /mnt/tcfs

example:

       tcfsputkey -k -p /mnt/tcfs   # give TCFS the encryption key
       cd /mnt/tcfs
       echo "Hello World!">first    # the file is not coded
       tcfsflag x first             # toggles first's cryptographic flag
                                    # now first is stored encrypted
       cat first                    # you see the content of first
                                    # i.e., the string "Hello World!"
       vi first                     # edit first
       tcfsflag x first             # toggles first's cryptographic flag
                                    # now first is stored in clear
       cat first                    # you see the content of first
       tcfsrmkey                    # remove your key from TCFS

The filesystem does not permit any further access to encrypted files by a user
who has not registered a key. This holds even if the user owns the file.

SELECTING THE CIPHER

The mount_tcfs command searches the file /usr/tcfs/etc/tcfstab to select the
cipher to be used for the new tcfs filesystem. Each entry of this file consists
of three fields:

       fs-label:mount-point:cipher-number

The first field is an alias that the tcfs support utilities can use as an
alternative way to refer to the associated mount-point (given in the second
field). The third field is the cipher-id that must be used to encrypt/decrypt
files. Currently only TDES and RC5 are available, and they are referred to as
number 0 and number 1 respectively.

So, if we want to configure the filesystem /mnt/tcfs2 (labeled "foo") to use
RC5, we can insert the following row in the tcfstab file:

       foo:/mnt/tcfs2:1

Note that the entry default must be present.
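
A tcfstab row with a wrong cipher number or a missing default entry decides which cipher protects a mount, so it is worth checking the file before mounting. The following is an added example, not part of the TCFS distribution; the function name check_tcfstab is hypothetical, and it assumes that the default entry is a row whose fs-label is "default", that blank lines are ignored, that mount-points are absolute paths and that fs-labels must be unique.

```shell
#!/bin/sh
# Added example (not TCFS code): validate a tcfstab file in the
# fs-label:mount-point:cipher-number format described above.
# Prints one line per problem; returns 0 if the file is clean, 1 otherwise.
check_tcfstab() {
    awk -F: '
        function err(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
        /^[ \t]*$/ { next }                 # assumption: blank lines are ignored
        {
            if (NF != 3) { err("expected 3 colon-separated fields, got " NF); next }
            if ($1 == "")
                err("empty fs-label")
            if ($2 !~ /^\//)                # assumption: mount-points are absolute
                err("mount-point \"" $2 "\" is not an absolute path")
            if ($3 != "0" && $3 != "1")     # only 0 (TDES) and 1 (RC5) are defined
                err("unknown cipher number \"" $3 "\" (0 = TDES, 1 = RC5)")
            if (seen[$1]++)                 # assumption: an alias must be unambiguous
                err("duplicate fs-label \"" $1 "\"")
            if ($1 == "default")            # assumption: default entry has this label
                have_default = 1
        }
        END {
            if (!have_default) { print "missing entry with label \"default\""; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: the row from the text, a default entry, and one bad row.
sample=$(mktemp)
printf '%s\n' 'default:/mnt/tcfs:0' 'foo:/mnt/tcfs2:1' 'bar:/mnt/tcfs3:2' > "$sample"
check_tcfstab "$sample" || echo "tcfstab has problems, fix them before mounting"
rm -f "$sample"
```
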