Re: Encrypted remote backups & issues


 





>>>>> "Christian" == Christian Jaeger <christian.jaeger@xxxxxxxxxxxxxxx> writes:
    Christian> Now, independently of the above security considerations, do
    Christian> you mean that accessing a large file through NFS for
    Christian> crypto-loop purposes is going to be more stable than accessing
    Christian> it through NBD? Both NFS and NBD are in the kernel, and while
    Christian> NBD is *meant* to deliver block devices accessible by other
    Christian> kernel code, NFS files are meant to be accessed from
    Christian> userspace, so I have some doubt as to whether NFS files would
    Christian> be less prone to deadlocks when used for crypto-loop.

  I would say yes.

  NBD is designed to provide raw blocks. While the concept is ages old
and predates NFS by 5 years (Sun2's used to network boot with Sun's "ND" 
driver), the NFS code in Linux, while not as solid as other implementations,
has been beat on a lot more than NBD.

  /dev/loop doesn't really care if it lives atop a file or a raw device.

  NFSv3 can live over TCP, and NFSv4 prefers to, but I don't think we have
an NFSv4 implementation yet. NFSv4 supports things like GSSAPI, but as you
point out, that is for protection against eavesdropping, not to assure file
privacy/integrity.

  I understand what you want - I don't think that it has been done in
cryptoloop. I think that it has to be integrated into the file system,
each directory entry and inode really needs to be given separate
cryptographic integrity checks, so that you can recover some of them.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [

  

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
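
The point about separate per-entry integrity checks, as an added userspace sketch that is not part of the original message and is not cryptoloop or any file system's on-disk format. It assumes HMAC-SHA256 as the check and a constructed key and file set; the function names are hypothetical.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-a-real-secret"  # constructed sample key

def record_tag(key, ino, name, data):
    # Bind the inode number and length-prefixed name into the MAC so a valid
    # record cannot be moved to another slot or renamed without detection.
    msg = struct.pack(">QI", ino, len(name)) + name + data
    return hmac.new(key, msg, hashlib.sha256).digest()

def seal(key, files):
    """files: {ino: (name, data)} -> list of [ino, name, data, tag] records."""
    return [[ino, name, data, record_tag(key, ino, name, data)]
            for ino, (name, data) in sorted(files.items())]

def image_tag(key, store):
    # The alternative: a single MAC over the whole image.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for ino, name, data, _ in store:
        h.update(struct.pack(">QII", ino, len(name), len(data)) + name + data)
    return h.digest()

def recover(key, store):
    """Verify each record on its own; return (intact files, damaged inode numbers)."""
    intact, damaged = {}, []
    for ino, name, data, tag in store:
        if hmac.compare_digest(tag, record_tag(key, ino, name, data)):
            intact[ino] = (name, data)
        else:
            damaged.append(ino)
    return intact, damaged

def demo():
    # Constructed sample data standing in for a remote backup image.
    files = {2: (b"etc/passwd", b"root:x:0:0\n"),
             3: (b"home/notes", b"backup me\n"),
             4: (b"home/todo", b"buy beer\n")}
    store = seal(KEY, files)
    whole = image_tag(KEY, store)
    store[1][2] = b"backup mE\n"   # one file's data altered on the remote side
    store[2][0] = 7                # one record relocated to another inode number
    image_ok = hmac.compare_digest(whole, image_tag(KEY, store))
    intact, damaged = recover(KEY, store)
    return image_ok, intact, damaged

if __name__ == "__main__":
    print(demo())
```

The whole-image check only reports that something changed, while the per-record tags still let the untouched entry be restored and name the two that failed.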

