The FreeBSD Diary

The FreeBSD Diary (TM)

Providing practical examples since 1998

If you buy from Amazon USA, please support us by using this link.
Setting up an encrypted file system --- by Niklas Saers 6 January 2001
Need more help on this topic? Click here
This article has 6 comments
Show me similar articles
This article was written by Niklas Saers
I had long been hearing from my Linux using friends about their different encrypted filesystems and wanted one for FreeBSD.  The reasons for this are many: I have copies of all my emails and mails from the golden BBS days until now with the exception of a few harddrive crashes, and I wouldn't want whoever to read this.  I also find encryption interesting and I would see how this worked performancewise.  Although there are no encrypted file systems in the kernel, I found one in ports/security.   This file system is really a RPC server for the NFS protocol.  It uses 3DES by default but has other forms of encryption available as well.  However, for this introduction we'll stick with the standard.

First of all, use su to become root and install the port security/cfs. A simple:

cd /usr/ports/security/cfs && make install clean

should do the trick.  If you for some reason don't use ports, you can fetch the package from

The next step is setting up the daemon.  cfs requires an entry in /etc/exports for emulating NFS, and the cfsd attaches encrypted directories to this mounted NFS.  Since it only needs some directory and you're only going to allow your own computer to access this, insert the following line to /etc/exports (create /etc/exports with this line only if you don't have one already) :

/var/tmp localhost

All right. If you do not have NFS up and running already, we're going to have to start the portmap and the mountd dæmons. Add the following lines to your /etc/rc.conf:


and then start the dæmons by issuing these commands:

/sbin/mountd -r

You now have the dæmons started and they will start automatically next time you boot your computer.

Since it's quite handy to have the filesystem mounted directly after loading the server, edit /usr/local/etc/rc.d/ and include the following line directly before the "exit 0" line:

mount -o port=3049,intr,nfsv2 localhost:/var/tmp /crypt

Of course you have to be sure to create the /crypt directory. Then we have to start the server. First check that /usr/local/etc/rc.d/ at least has read and execute permission by root. Then do a

/usr/local/etc/rc.d/ start

Voila, now you can log root out.  In your home directory, for instance, we are going to make a storage for your encrypted data.  All your data will be stored here in encrypted form, so don't delete and don't worry about not understanding your data.   Let's call this directory crypt:

cmkdir crypt

and write your password twice.  Be sure to make it long.  Then we attach it to the encrypted file system:

cattach crypt mysafestorage

And write your password again.  Voila, now there is a directory in /crypt/mysafestorage that only you can access (log in as root and verify this yourself. Don't take my word for it! I might be the one reading your secret email anyways ;) )  Also make sure you don't understand anything about the contents of the crypt directory.  I would personally have prefferred one big file which would even hide how many files there are stored, what size they are and when they were last modified, but at least this is some kind of privacy.

All done.  For convenience sake you could make a symlink from /crypt/mysafestorage to somewhere in your homedirectory.  When you are done and want to be sure that no-one browses your files when you're to lazy to log out from your terminal, just do a

cdetach mysafestorage

Now, for the performance evaluation.  On my really great laptop with the really poor chipset which makes even a process niced to -20 hang and wait for the IO to finish, I did a

date && dd if=/dev/zero count=100000 && rm && date

on my home directory and in my encrypted filesystem which was stored in my home directory.  In my home directory I got

Thu Nov  2 13:49:42 EST 2000
100000+0 records in
100000+0 records out
51200000 bytes transferred in 10.266791 secs (4986953 bytes/sec)
Thu Nov  2 13:49:53 EST 2000

Thus an 11 seconds operation give or take half a second, while compared with my encrypted filesystem I got:

Thu Nov  2 13:55:14 EST 2000
100000+0 records in
100000+0 records out
51200000 bytes transferred in 21.279745 secs (2406044 bytes/sec)
Thu Nov  2 13:55:35 EST 2000

Thus roughly 21,5 seconds. A 100% increase in time consumption, but still doable.   And of course, I would love to hear about how your performance was.  My email is safe and sound now as long as I remember my password. :)


Need more help on this topic? Click here
This article has 6 comments
Show me similar articles