The FreeBSD Diary

First of all, use su to become root and install the port security/cfs. A simple:

cd /usr/ports/security/cfs && make install clean

should do the trick.  If you for some reason don't use ports, you can fetch the package from freebsd.org

The next step is setting up the daemon.  cfs requires an entry in /etc/exports for emulating NFS, and the cfsd attaches encrypted directories to this mounted NFS.  Since it only needs some directory and you're only going to allow your own computer to access this, insert the following line to /etc/exports (create /etc/exports with this line only if you don't have one already) :

/var/tmp localhost

All right. If you do not have NFS up and running already, we're going to have to start the portmap and the mountd dæmons. Add the following lines to your /etc/rc.conf:

single_mountd_enable="YES"
mountd_flags="-r"
portmap_enable="YES"
portmap_program="/usr/sbin/portmap"

and then start the dæmons by issuing these commands:

/usr/sbin/portmap
/sbin/mountd -r

You now have the dæmons started and they will start automatically next time you boot your computer.

Since it's quite handy to have the filesystem mounted directly after loading the server, edit /usr/local/etc/rc.d/cfsd.sh and include the following line directly before the "exit 0" line:

mount -o port=3049,intr,nfsv2 localhost:/var/tmp /crypt

Of course you have to be sure to create the /crypt directory. Then we have to start the server. First check that /usr/local/etc/rc.d/cfsd.sh at least has read and execute permission by root. Then do a

/usr/local/etc/rc.d/cfsd.sh start

Voila, now you can log root out.  In your home directory, for instance, we are going to make a storage for your encrypted data.  All your data will be stored here in encrypted form, so don't delete and don't worry about not understanding your data.   Let's call this directory crypt:

cmkdir crypt

and write your password twice.  Be sure to make it long.  Then we attach it to the encrypted file system:

cattach crypt mysafestorage

And write your password again.  Voila, now there is a directory in /crypt/mysafestorage that only you can access (log in as root and verify this yourself. Don't take my word for it! I might be the one reading your secret email anyways ;) )  Also make sure you don't understand anything about the contents of the crypt directory.  I would personally have prefferred one big file which would even hide how many files there are stored, what size they are and when they were last modified, but at least this is some kind of privacy.

All done.  For convenience sake you could make a symlink from /crypt/mysafestorage to somewhere in your homedirectory.  When you are done and want to be sure that no-one browses your files when you're to lazy to log out from your terminal, just do a

cdetach mysafestorage

Now, for the performance evaluation.  On my really great laptop with the really poor chipset which makes even a process niced to -20 hang and wait for the IO to finish, I did a

date && dd if=/dev/zero of=deleteme.now count=100000 && rm deleteme.now && date

on my home directory and in my encrypted filesystem which was stored in my home directory.  In my home directory I got

Thu Nov  2 13:49:42 EST 2000
100000+0 records in
100000+0 records out
51200000 bytes transferred in 10.266791 secs (4986953 bytes/sec)
Thu Nov  2 13:49:53 EST 2000

Thus an 11 seconds operation give or take half a second, while compared with my encrypted filesystem I got:

Thu Nov  2 13:55:14 EST 2000
100000+0 records in
100000+0 records out
51200000 bytes transferred in 21.279745 secs (2406044 bytes/sec)
Thu Nov  2 13:55:35 EST 2000

Thus roughly 21,5 seconds. A 100% increase in time consumption, but still doable.   And of course, I would love to hear about how your performance was.  My email is safe and sound now as long as I remember my password. :)

    -Niklas