Using CFS, the Cryptographic Filesystem
If you want to keep private your personal
files, such as those containing phone numbers, correspondence or
journals, you could keep them in a hidden directory named
~/.private with mode 0700, so only you could read the files. Are
you chuckling yet? Then let's consider employing a stronger privacy
technique: cryptography. Specifically, let's look at Matt Blaze's
open-source Cryptographic Filesystem (CFS) for UNIX and
Linux.Briefly, CFS allows you to safeguard your files in encrypted
form in a normal directory. By using a key (or password, if you
will), you temporarily decrypt your files to clear-text form for
the window of time in which you need to work with them.CFS makes your clear-text files available to you via a local
loopback NFS mount; the CFS documentation refers to this as an
"attach". Modifications you make to your clear-text files then are
reflected automatically in the encrypted versions. You end your CFS
session with a "detach", which makes your clear-text files
disappear until the next time that you attach them.This article reports some of the benefits and methods of
using CFS as of version 1.4.0beta2. Some handy tools for use with
CFS also accompany this article; see the Resources section.CFS vs. Other ToolsOther ways to improve your privacy with open source tools are
available; there's TCFS, the Transparent Cryptographic Filesystem,
and OpenSSL, among other tools. Here's a brief summary of the
relative merits of some of them, including TCFS, CFS and
OpenSSL:
- CFS: runs in user space, and no kernel patches are
required. CFS uses an ordinary NFS loopback (a local NFS export
with a local mount) that may create some security worries. Use
caution in exporting directories. CFS was developed on SunOS and
BSDI, then ported to Linux and other OSes, which bodes well for its
ongoing utility. CFS supports several choices of encryption
algorithms. - TCFS: requires a Linux-specific NFS module or
kernel configuration. The tighter kernel bindings and extended
filesystem attribute requirements yield better security but,
potentially, less portability. - OpenSSL: runs in user space, and no kernel patches
are required. OpenSSL supports a wide variety of encryption
methods, as well as support for hardware tokens. OpenSSL is
available for Linux, MS Windows and other environments. OpenSSL
handles encryption or decryption of only one stream or file at a
time, as of version 3.4. - OpenSSH: apples and oranges. You might use OpenSSH
in conjunction with the other tools, but OpenSSH is mainly for
interactive session privacy, not stored data privacy. - Linux loop device mount: comes with Red Hat Linux.
At this time, DES appears to be the only serious encryption method
available for loop device mounts. It requires preparation of a
fixed-size container file and either root privileges or user
permissions on loop device files. See mount(8) and
losetup(8).
Installing CFSA source RPM, cfs-1.4.0.beta2j-6.2a.src.rpm, is available
with the other tools accompanying this article on the
LJ FTP site; see the Resources section. The
beta2j version of the RPM includes, in addition to the components
of the base beta2: one more security patch for Linux; two Red Hat
Linux-friendly setup scripts, cfs.init and cfs-setup; and two handy
tools, decrypt and dpw.py. All of these are broken out separately
for those of you disinclined to use RPMs. This RPM was tested on
Red Hat Linux 6.2, 7.1 and 7.2.Always consider searching for later versions of CFS in either
RPM or tarball form, and check for security patches. CFS version
1.4.1 exists as of this writing (see the Resources section); it
adds support for NetBSD but no new features or bug fixes.NFS is a prerequisite for using CFS. Be very selective with
whom you share your filesystem resources--don't export your root
directory and everything below it to the whole world. Consider
using a personal firewall to forbid external access to most service
ports, especially the ports the NFS and RPC port mapper
dæmons use, 2049 and 111 (TCP and UDP), respectively.In the following examples of commands, prompts are shown in
bold type. The # shell prompt indicates root privileges; $ is the
prompt for ordinary (non-root) users of bash and Bourne shells.
Make any appropriate adjustments for your choice of shell.Install the CFS source RPM package with the usual RPM command
as root:# rpm -iv
cfs-1.4.0.beta2j-6.2a.src.rpmAfterward, build and install the CFS package as follows,
again as root:
# cd /usr/src/redhat/SPECS
# rpm -bb cfs.spec
# cd ../RPMS/i386
# rpm -ivv cfs-1.4.0.beta2j.i386.rpm
If you have difficulties installing this particular RPM, by
all means seek out and install a more suitable RPM or tarball of
the CFS distribution. Adapt the value-added files accompanying this
article (on the FTP site) to your own needs and tastes. In
particular, note that some NFS set up is required. See the
cfs-setup script accompanying this article or read Matt Blaze's
document "CFS Installation and Operation" (see Resources).Getting Started with CFSThe following instructions are suitable for use with Red Hat
Linux 6.2, 7.1, 7.2, and 7.3; you may need to make some adjustments
for your variant of Linux.Make certain that NFS is running:# ps auxww | grep
rpc.mountdIf rpc.mountd isn't running, then crank up NFS:# /etc/rc.d/init.d/nfs
startThen start the CFS dæmon, cfsd, by running its
boot-time startup file as root:# /etc/rc.d/init.d/cfsd
startAs yourself, create a private notes directory and attach it.
We'll demonstrate two ways of doing this:
- The easy way uses the decrypt tool that accompanies
this article (see the Resources section):
$ decrypt -init
Key: (type your key here to create the private directory, and
remember the key)
Again: (type your key again here)
Key: (retype your key to proceed with the attachment)
uses the native CFS cmkdir and cattach tools:
$ mkdir ~/cdata
$ cd ~/cdata
$ cmkdir notes
Key: (type your key here and remember it for future use)
Again: (type your key again here)
$ cattach notes $LOGNAME-notes
Key: (re-type your key)
(In the example above, the predefined environment variable
$LOGNAME contains your login name. It's used in order to avoid name
collisions, but feel free to substitute a simpler clear-text
directory name.)In both cases it may take a minute or two before the CFS
dæmon (cfsd) makes available the clear-text directory,
$LOGNAME-notes.Next, create a test file in the attached clear-text
directory, as follows:
$ pushd /mnt/crypt/$LOGNAME-notes
$ echo "Test." > test.txt
$ popd
End your CFS session, and see what transpired in the relevant
directories:
$ cdetach $LOGNAME-notes
$ ls /mnt/crypt
$ ls -R ~/cdata
The listing of ~/cdata should show an obscured name for your
test.txt file, such as 03fa2aa5242d5a741866a6605de1ae3b.Re-attach the directory in order to verify that your test
file is still there. Again, there are two ways to do that:
- Here's the easy way, using
decrypt:
$ decrypt
Key: (retype your key)
$ cd ~/cdata
$ cattach notes $LOGNAME-notes
Key: (retype your key)
Next, verify that your test file is still there:$ cat
/mnt/crypt/$LOGNAME-notes/test.txtNow go in search of the documentation for CFS, which includes
on-line man pages for the commands cmkdir, cattach, cdetach,
cpasswd and others. The underpinnings of CFS are described well in
Matt Blaze's papers, "CFS Installation and Operation" and "A
Cryptographic Filesystem for Unix". Read these using nroff
-ms /usr/doc/cfs*/notes.ms. Among other useful tidbits in
these papers is a suggestion for speeding up CFS performance by
modifying the NFS rsize and wsize mount options.After that, look for the README file that accompanies this
article (see the Resources section), and check out the decrypt and
dpw.py tools. The decrypt script simplifies the management of your
private directories with CFS. Try this command:$ decrypt
-helpThe dpw.py tool provides a graphical user interface for
searching a private file of passwords you maintain with decrypt.
Run dpw.py and click the help button. The dpw.py tool requires the
standard Python module Tkinter, among others.Strengths and Vulnerabilities of CFSCFS's strengths include certain kinds of error reduction or
error prevention:
- After working with your clear-text files, CFS
doesn't require a separate re-encryption step, thus avoiding the
problem of re-encrypting with the wrong key. - Revision control, at least with RCS, is less
error-prone. In contrast, where files are individually decrypted
with OpenSSL, accidentally checking-in the clear-text file would
leave it exposed. - CFS supports an inactivity timeout so the
clear-text file isn't accidentally left available for long periods
of time. Be sure to use the timeout option (-i) with the cattach
CFS command.
Vulnerabilities to consider when using CFS and some other
privacy tools:
- Keyboard snooping can expose your secret key when
you type the key for encryption or decryption. - Privileged users (intruders or not) can snoop out
your attached clear-text files through various means. - Your clear-text files may be exposed on the network
in various ways. OpenSSH can help to some extent, but it's best to
confine your use of CFS and OpenSSL to your unshared local host's
directly connected console and keyboard and to confine your private
data and clear-text attach points to your local host's
filesystems. - Consider keeping some private files in separate
private directories; that way, not everything can be compromised
simultaneously. - When applying revision control tools to your
private files, think carefully about how to keep your clear-text
files exposed only temporarily, for example, in the face of CVS's
directory copying approach. With CFS, consider using RCS in the
clear-text attach directory, as in cd
/mnt/crypt/mycleartext && co -l myjournal.
Matt Blaze's CFS documents more thoroughly examine CFS's
security issues and design considerations.ConclusionWe shouldn't delude ourselves that CFS alone is going to
protect us if we attract the interest of tenacious snoopers or if
we're careless with our network security. We should use CFS for the
same reason that we lock our doors and secure our windows at home.
It's not necessarily going to prevent the worst, but offering some
obstacles may help to keep things safer, longer.A mobile laptop computer running Linux likely would be a
fabulous place to employ CFS. A laptop, being largely
self-contained and unshared, offers fewer vulnerabilities when
other practical security precautions are employed, such as erecting
a personal firewall and disabling unnecessary network services. And
in the event that your laptop is stolen, your CFS-encrypted private
files most likely will remain unseen. Don't forget to back
up.On my wish list of desired improvements to the open-source
version of CFS would be hardware security token support, perhaps
borrowed from OpenSSL. Requiring a hardware security token
ameliorates the problem of password exposure from keyboard
sniffing, although not necessarily keystroke capture over time.
Also desirable would be a port of CFS to MS Windows for use with
multiboot hosts.AcknowledgmentsMy thanks to Greg
Hao and Claude
Johnson for test-driving the CFS installation instructions
and accompanying scripts on Red Hat Linux 7.x. Thanks also to
Enrico
Scholz for the base SRPM.ResourcesThe
files accompanying this article, including the
cfs-1.4.0.beta2j CFS source RPM, decrypt, dpw.py, cfs-setup and
README files.The
base SRPM from which the cfs-1.4.0.beta2j source RPM was
created for this article (see previous item).Blaze, Matt. "CFS Installation and Operation". 1997. This
paper is available in the CFS documentation directory,
nroff -ms /usr/doc/cfs*/notes.ms. Or look for
notes.ms among the C source files, e.g. in
/usr/src/redhat/BUILD/cfs*/.Blaze, Matt. "A Cryptographic Filesystem for Unix". 1993.
This paper also is available in notes.ms, along with the preceding
paper.Mauriello, Ermelindo. "TCFS: Transparent Cryptographic
Filesystem". 1997. Available on
Linux Journal's web
site.Matt Blaze's own
CFS software distribution page. The latest release as of
this writing is cfs-1.4.1, while the version described in this
article is cfs-1.4.0beta2. Version 1.4.1 adds support for NetBSD
but offers no new features or bug fixes. For Linux you may continue
to use cfs-1.4.0beta2j.www.openssl.org:
home of OpenSSLwww.openssh.com:
home of OpenSSHJerry Sweet is a system
administrator and programmer in the USA.
email: cfs-tools@akamail.com










This week 5 lucky Members will receive a copy of The Official Ubuntu Server Book by Benjamin Mako Hill and Linux Journal's very own Kyle Rankin. No entry necessary. Check back here early next week to find out who the lucky Online Members are.




Comments
cmkdir hangs
This comment assumes a knowledge of C.
If you are finding cmkdir is hanging, you can patch the code yourself (cmkdir.c).
First add these header files
#include <sys/types.h>#include <sys/stat.h>
#include <fcntl.h>
Next declare two new variables
int fd;unsigned char uc;
In cmkdir.c there are two places where the code is asking for random numbers. The first is at about line 160
for (i=0; i<32; i++) {ekey[i] ^= randbyte();
}
Alter this to read
fd=open("/dev/random",O_RDONLY);for (i=0; i<32; i++) {
read(fd,&uc,1);
ekey[i] ^= uc;
}
close(fd);
Then at about line 170 is a line that reads
*r = trand32();Replace this with
fd=open("/dev/random",O_RDONLY);read(fd,&r,4);
close(fd);
Then do
make cfsagain, copy the modified executable to its install directory, and you're good to go.Re: Using CFS, the Cryptographic Filesystem
Notes on running CFS with Fedora Core 2:
cmkdir stops working. Apparently SIGALRM or something in the C library or kernel has changed such that the random number collection hangs for longer than I was willing to wait. I changed the code to use /dev/urandom; those who would like to wibble their mouse around for five minutes or more might consider /dev/random. Patches available on request from the sschaefer account at acm.org.
The mount command now defaults to tcp,vers=3, which doesn't work with cfsd, so your mount of /mnt/crypt (or /crypt) needs to look like
mount -o port=3049,intr,udp,vers=2 localhost:/null /mnt/crypt
Finally, I'm sad to say that the cfs-users e-mail list looks like it's gone: my attempts to subscribe to cfs-users-request@nsa.research.att.com only generated a refusal to relay.
Re: Using CFS, the Cryptographic Filesystem
You write:
"Linux loop device mount: comes with Red Hat Linux. At this time, DES appears to be the only serious encryption method available for loop device mounts."
I don't think that's right. I'm using loopback crypto with losetup using
aes encryption right now like this:
/sbin/losetup -e aes /dev/loop0 /dev/hdd5
mount /dev/loop0 /home
it also supports several other encryption methods. Here's the man page excerpt:
--encryption, -e encryption
enable data encryption. The following keywords are
recognized:
NONE use no encryption (default).
XOR use a simple XOR encryption.
aes use Advanced Encryption Standard encryption.
AES encryption is only available if you are
using the international kernel and AES
encryption has been enabled in the Crypto
API. enabled in the Crypto API.
blowfish
use Blowfish encryption. Blowfish encryption
is only available if you are using the
international kernel and Blowfish encryption
has been enabled in the Crypto API.
twofish
use Twofish encryption. Twofish encryption
is only available if you are using the
international kernel and Twofish encryption
has been enabled in the Crypto API.
cast5 use CAST5 encryption. CAST5 encryption is
only available if you are using the interna-
tional kernel and CAST5 encryption has been
enabled in the Crypto API.
DES use DES encryption. DES encryption is only
available if the optional DES package has
been added to the kernel. DES encryption
uses an additional start value that is used
to protect passwords against dictionary
attacks. Use of DES is deprecated.
des_ede3
use 3DES encryption. 3DES encryption is only
available if you are using the international
kernel and 3DES encryption has been enabled
in the Crypto API.
dfc use DFC encryption. DFC encryption is only
available if you are using the international
kernel and DFC encryption has been enabled
in the Crypto API.
idea use IDEA encryption. IDEA encryption is only
available if you are using the international
kernel and IDEA encryption has been enabled
in the Crypto API.
mars use MARS encryption. MARS encryption is only
available if you are using the international
kernel and MARS encryption has been enabled
in the Crypto API.
rc5 use RC5 encryption. RC5 encryption is only
available if you are using the international
kernel and RC5 encryption has been enabled
in the Crypto API.
rc6 use RC6 encryption. RC6 encryption is only
available if you are using the international
kernel and RC6 encryption has been enabled
in the Crypto API.
serpent
use Serpent encryption. Serpent encryption
is only available if you are using the
international kernel and Serpent encryption
has been enabled in the Crypto API.
dfc decryption
Thanks a lot for your article. I tried to understand a little beat but may be can you explain to me how to decrypt a file with the extension .dfc? Which tool can be used for that?
Thanks in advance for your answer.
Sandra Sya
Re: Using CFS, the Cryptographic Filesystem
My RedHat Linux 9 losetup man page shows only NONE, XOR and DES.
And actually losetup -e aes .... does not work here!
Post new comment