Encrypting filesystems

Encrypting filesystems

Using the marry(ADM) command, you can associate an empty regular file with a block special device name and enable encryption on the file. A filesystem is created on the block special device using the mkfs(ADM) command, and the block special device is mounted using the mount(ADM) command. Once mounted, all data written to the file is encrypted using the 128-bit Advanced Encryption Standard (also known as 128bit AES and the Rijndael block cipher); all data read from the file is decrypted. A simple example follows:

  1. For the commands run in this step, regfile is the full pathname to the regular file that will contain the encrypted filesystem. Make sure that regfile does not exist; if it does, rename or delete it before continuing.

    Create regfile and assign appropriate permissions and ownership by running the following:

    # touch regfile
    # chmod 660 regfile
    # chown root regfile
    # chgrp appgrp regfile

  2. For the commands run in this step, mountpoint is the full pathname of the directory to be used to mount the filesystem. Make sure that mountpoint is an empty directory; move or delete any data residing there before continuing. If mountpoint does not exist, create it and assign appropriate permissions and ownership, as in this example:

    # mkdir mountpoint
    # chown root mountpoint
    # chgrp appgrp mountpoint
    # chmod 750 mountpoint

  3. Marry a block special device to regfile and enable encryption on the device:

    # cryptfs=`marry -a -b blksz -c "passphrase" regfile'

    The blksz is the maximum size of the married device, in 512-byte blocks, plus 5 blocks for encryption information. So, if you want a filesystem with a maximum size of 10,000 512-byte blocks, use 10,005 for blksz. The passphrase (similar to a password, but longer) is used to generate the keys that encrypt and decrypt the contents of regfile. See the marry(ADM) manual page for a full explanation of passphrase.

  4. Make and mount the filesystem:

    # mkfs -F vxfs $cryptfs blksz-5
    # mount $cryptfs mountpoint

    Note that $cryptfs is the output of the marry command from the previous step. Also note that the block size used in the mkfs command must be 5 blocks less than the blksz used in the previous marry command.

Please note that an encrypted filesystem requires more system overhead than a regular filesystem; this can have a significant effect on performance, depending on the intended use of the encrypted filesystem. See the marry(ADM) and marry(HW) manual pages for more information, including the limitations of this interface.

© 2007 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 05 June 2007