[CentOS] Cryptographic Filesystem

Fri Feb 2 07:04:53 UTC 2007
Rodrigo Barbosa <rodrigob at darkover.org>


On Fri, Feb 02, 2007 at 01:53:29PM +0800, Ow Mun Heng wrote:
> > I have 2 problems while using cfs so far. Both were due to a small
> > problem on the ext2 filesystem where it was stored. I was copying
> > a file to the cfs filesystem (both on the same ext2 fs).
> > 
> 
> Is CFS a file-by-file encryption or file-based block encryption?? (I
> forget)

File-by-file.

> > I've got a complete lockdown on cfsd, and had to hardboot the
> > machine. In both cases, I've lost nothing, and only the specific
> > file I was copying, on the destination, was "lost" (partially copied).
> > It gave me a VERY good impression of cfs' robustness.
> 
> That sounds Good. heh..

On the other hand, CFS is VERY susceptible to a nasty NFS-related deadlock.
The scenario is easy to imagine.

Say cfsd tried to write to the disk and has to wait. Then, you will get
an NFS timeout. Since you have an NFS timeout, processes will stall.
Since cfsd is stalled, you can't get out of the timeout.

I'm still trying to figure out the best way to solve this. Maybe multithreading
cfsd, or maybe simply using O_NONBLOCK. If I can think of a good way to solve
this, I might be able to patch it. I'm not sure about the O_NONBLOCK solution.
It is kind of basic, and someone would have thought of it before if it was
all it takes, I guess.

This condition is VERY easy to trigger for me, if I copy a file from
to the crypted filesystem, and both (crypted and non-crypted) are located
on an external USB disk I have here.

I wonder how eCrypt (which is on the newer stock kernel, and likely
on CentOS 5) works. Is it file-by-file too?

[]s

-- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
