From mboxrd@z Thu Jan 1 00:00:00 1970
From: Edward Shushkin
Subject: Re: Proposal for keying encrypted filesystem
Date: Fri, 04 Apr 2003 21:19:15 +0400
Sender: edward
Message-ID: <3E8DBE93.8BAEAF29@namesys.com>
References: <200303282026.23543.phma@webjockey.net> <200304031822.12677.phma@webjockey.net> <200304041401.h34E1Hli003929@turing-police.cc.vt.edu> <200304040930.29884.phma@webjockey.net> <200304041447.h34Eluli004869@turing-police.cc.vt.edu> <3E8DA3CF.711EE4C0@namesys.com> <3E8DB7E5.9080407@namesys.com>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Errors-To: flx@namesys.com
Content-Type: text/plain; charset="us-ascii"
To: Hans Reiser
Cc: Valdis.Kletnieks@vt.edu, reiserfs-list@namesys.com, reiserfs-dev@namesys.com

Hans Reiser wrote:
>
> Edward Shushkin wrote:
>
> > Valdis.Kletnieks@vt.edu wrote:
> >
> > > On Fri, 04 Apr 2003 09:30:29 EST, Pierre Abbat said:
> > >
> > > > But I'd also like to be able to have several encrypted directories on one
> > > > partition, with different keys, such that when I give the key any process
> > > > with the right UID can access them. I might have a cron job that needs access
> > > > to encrypted data.
> > >
> > > You need to apply "least privilege" - you don't give the key to any process
> > > that doesn't need it. In your example, you would make sure that any process
> > > running under UID nnn gets given the key, so that other processes couldn't
> > > do anything even if they *did* access them.
> > >
> > > Properly applied, you can even leverage it further - for instance, if your
> > > backup process doesn't have the key tokens, you can safely let it have access
> > > to all the files - it can read the 127 meg of data to back it up in a bitwise
> > > manner,
> >
> > I am sorry, bitwise manner seems to be impossible in reiser4: the only access
> > to crypto files is via page cache, it requires a valid key..
>
> this is not desirable.

I understand, but direct io is incompatible with transaction semantics. On the
other hand, at the last seminar we concluded to check key validness in order to
avoid a possible security hole when read() first looks for uptodate (decrypted!)
pages in memory before reading encrypted data from disk..

> Encrypted files need to be backed up too...

They will be as ordinary unix files..

Edward.

> > Edward.
> >
> > > but it can't actually DO anything with the data - this is something
> > > that you can't do in the "give everything the token" model....
>
> --
> Hans
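A toy model of the read() ordering Edward describes, added here as an example and not reiser4 code: decrypted pages sit in a page cache, so the key must be checked before the cache lookup, not only on the disk path. The XOR keystream, the 4-byte page size and the SHA-256 key digest are constructed stand-ins for whatever the real filesystem uses.

```python
import hashlib

PAGE_SIZE = 4  # constructed tiny page size so the sample stays readable


def toy_crypt(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """Constructed XOR keystream standing in for the real file cipher;
    offset keeps the keystream aligned when a single page is decrypted."""
    return bytes(b ^ key[(offset + i) % len(key)] for i, b in enumerate(data))


class NoValidKey(PermissionError):
    pass


class CryptoFile:
    """One crypto file: ciphertext 'on disk', decrypted pages in the page cache."""
    def __init__(self, plaintext: bytes, key: bytes):
        self.key_digest = hashlib.sha256(key).digest()  # what key validness is checked against
        self.disk = toy_crypt(plaintext, key)            # encrypted data on disk
        self.page_cache = {}                              # page_no -> decrypted page

    def key_valid(self, key) -> bool:
        return key is not None and hashlib.sha256(key).digest() == self.key_digest

    def read_page(self, page_no: int, key, check_key_first: bool = True) -> bytes:
        """read(): cache lookup first, then disk. check_key_first=False is the
        ordering the message warns about; True checks the key before the cache."""
        if check_key_first and not self.key_valid(key):
            raise NoValidKey("no valid key for this file")
        if page_no in self.page_cache:                    # uptodate, already decrypted
            return self.page_cache[page_no]
        if not self.key_valid(key):                       # disk path always needs the key
            raise NoValidKey("no valid key for this file")
        start = page_no * PAGE_SIZE
        page = toy_crypt(self.disk[start:start + PAGE_SIZE], key, offset=start)
        self.page_cache[page_no] = page
        return page

    def raw_read(self) -> bytes:
        """Key-less path for a backup process: it only ever sees ciphertext."""
        return self.disk


def leak_after_cache_fill(check_key_first: bool):
    """A keyed process reads page 0 (filling the cache), then a process without
    the key reads the same page: returns what it got, or None if refused."""
    f = CryptoFile(b"payroll data", b"k3y")
    f.read_page(0, b"k3y")
    try:
        return f.read_page(0, None, check_key_first)
    except NoValidKey:
        return None
```

With the check after the cache lookup the key-less reader receives the cached plaintext page; with the check first it is refused, while the raw path still hands a backup process only ciphertext.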