Gleb Kurtsou

Secure backups for a lazy developer

2011-04-14T23:46:00.005+03:00

Developer is always afraid of loosing source code. As a rule after crash you'll be able restore all but several last revisions, or you'll get sources but have repository damaged. It doesn't happen often, but it's better to feel safe. Backup of a central repository on server and personal project backup are two very different stories. Developers are too lazy to use server-like backup methods.

PEFS changelog

2011-01-22T09:12:00.000+02:00

PEFS changelog since September 2010: Add AESNI hardware acceleration support. Several rename fixes: vnode reference leak, incorrect locking, livelock, missing lookup(), always perform nfs-style dummy rename. Skip directory entries with zero inode number (empty entry) (could result in reusing invalid entries). Fix mounting ZFS snapshots (incorrect vn_fullpath locking). Reduce possibility of free

XTS support in pefs

2010-09-07T01:50:00.003+03:00

I've replaced CTR encryption mode with XTS. Salsa20 stream cipher was also removed. CTR mode was inappropriate design for a filesystem, and allowed encrypted data to be easily manipulated by attacker and could even reveal plantext in cases when previous encrypted data snapshots where available to attacker, i.e. filesystem level snapshots. There should be no visible performance degradation because

Projects status

2010-05-06T02:23:00.000+03:00

The oldest project l2filter is almost certainly doomed. Patch no longer apply after ipfw3 was imported to -CURRENT and then merged to 8-STABLE. It still applies to 7-STABLE, but I don't use 7-STABLE. Merging only support for layer2 filtering with pfil and pf should be rather trivial. I'd like to keep patches in sync with recent -CURRENT but.. no time, no testers. pefs looks much better. I keep

pefs and l2filter moved to github

2009-12-08T20:16:00.003+02:00

I've just moved pefs and l2filter development to github. Hope it helps people to follow development. pefs repository (github.com/glk/pefs) can be used to to compile and run pefs without applying any patches. pefs changelog: support running on msdosfs enable dircache only on file systems that are known to support it add man page add pefs getkey command intial implementation of pefs PAM module

pefs dircache benchmark

2009-10-16T20:08:00.004+03:00

I've recently added directory caching into pefs.Despite of being directory listing cache (like dirhash for ufs) it also acts as encrypted file name cache. So that there is no need to decrypt names for the same entries all the time. That was really big issue because directory listing has to be reread on almost every vnode lookup operation. It made operations on directories with 1000 and more files

Encrypting private directory with pefs

2009-10-01T20:06:00.007+03:00

pefs is a kernel level cryptographic filesystem. It works transparently on top of other filesystems and doesn't require root privileges. There is no need to allocate another partition and take additional care of backups, resizing partition when it fills up, etc. After installing pefs create a new directory to encrypt. Let it be ~/Private: % mkdir ~/Private And mount pefs on top of it (root

pefs crypto primitives (updated)

2009-09-23T20:03:00.003+03:00

Supported data encryption algorithms: AES and Camellia (with 128, 192 and 256 bits key sizes). Adding another block cipher with 128 block size should be trivial. File names are always encrypted using AES-128 in CBC mode with zero IV. Encrypted file name consists of a unique per file tweak, checksum and name itself: XBase64(checksum || E(tweak || filename)) Checksum is VMAC of encrypted tweak

pefs benchmark

2009-09-16T19:55:00.005+03:00

pefs is a stacked cryptographic filesystem for FreeBSD. It has started as a Goggle Summer of Code'2009.I've just come across performance comparison of eCryptfs against plain ext4 filesystem on Ubuntu, benchmark I was going to perform on my own.I run dbench benchmarks regularly while working on pefs. But use it mostly as a stress test tool. I haven't reached the point I can start working on

Layer2 dummynet

2009-03-24T19:48:00.003+02:00

Haven't posted about progress with lyear2 filtering for a while. One notable improvement is addition of ethernet address masks to dummynet.Just configure a pipe. New masks available: src-ether and dst-ether (and a shortcut for specifying both of them: ether)# ipfw pipe 1 config bw 1Mb mask etherAnd use it:# ipfw add 1100 pipe 1 src-ether 00:11:11:11:11:11 dst-ether 00:22:22:22:22:22 out via

ipfw: layer2 lookup tables

2008-11-23T19:47:00.001+02:00

I had an opportunity to spend some extra time improving layer2 filtering.I've extended lookup tables in ipfw to support several layer2 addresses for a single layer3 address/mask. It means that it's possible to assign mac addresses to network (in case ip's are dynamically distributed by dhcp or whatever). Besides, wildcard ip address 'any' is supported, and entries with wildcard ip can be used for

Layer2 filtering with pf

2008-07-30T19:39:00.003+03:00

Instead of trying to describe all the changes regarding layer2 filtering in pf I'd better provide some examples.Ethernet address can be specified for host or interface name:pass in on bridge0 from 10.0.0.1 ether 00:11:11:11:11:11 to 10.0.0.2 ether 00:22:22:22:22:22pass in on bridge0 from ($int_if:network) ether 00:11:11:11:11:11 to anyEthernet addresses are supported in table entries:table

Filtering on bridge

2008-06-29T19:37:00.001+03:00

There used to be a flaw in using ipfw on bridge interface. It's impossible to distinguish incoming packets on member interface from incoming packets on bridge itself. For example consider two rules:add 1 allow ip from any to any in recv bridgeadd 2 allow ip from any to any in recv memberFirst rule will never match. The logic is ok here (if you are aware of ipfw's handling of interface options).

Incompatibility and some new features

2008-06-22T19:36:00.003+03:00

I've made some changes that break backward compatibility. But I've tried not to break anything intentionally but to do a cleanup work.First of all most of sysctl's responsible for layer2 filtering were replaced by per interface flags.net.link.ether.ipfw and net.link.bridge.ipfw are replaced by l2filter interface flag. So sysctl net.link.ether.ipfw=1 became ifconfig if1