In-kernel stacked cryptographic filesystem (pefs)
FreeBSD supports only whole-filesystem encryption at the device level (with GELI or GBDE), but lacks an in-kernel cryptographic filesystem that can be used transparently on top of another filesystem. Some progress has been seen here recently with userlevel cryptographic filesystems, but userlevel implementations are slow and rely on third-party software not included in the base system (namely the fuse kmod and library). I propose to implement an in-kernel cryptographic filesystem utilizing stackable VFS layers (like nullfs+crypto).
Links
Sources repository: http://github.com/glk/pefs
How to encrypt a directory: http://glebkurtsou.blogspot.com/2009/10/encrypting-private-directory-with-pefs.html
Cryptographic primitives used: http://glebkurtsou.blogspot.com/2009/09/pefs-crypto-primitives.html
Benchmark: http://glebkurtsou.blogspot.com/2009/09/pefs-benchmark.html
Milestones
- May 23 - June 14. Use the nullfs codebase as a starting point. Add trivial encryption (XOR, single key) to simplify development.
- June 15 - June 21. Import an XTS implementation into the kernel. (I already have one, but it's too memory hungry; either fix it or use one from OpenBSD.)
- June 22 - July 5. Add a kernel device for specifying keys for a mounted filesystem. Add a userspace configuration utility.
- July 6. Midterm evaluation.
- July 6 - July 12. Enable real encryption.
- July 13 - July 26. Add per-directory key support.
- July 27 - August 9. Implement key chaining.
- August 9 - August 17. Final bug hunting and stress testing.
- August 17. Final evaluation.