On Sun, Feb 02, 2003 at 05:57:56AM -0000, Rajaram Suresh Gaunker wrote:
> I want to make some changes to ext2 fs and want it to co-exist
> with the present ext2 fs.
>
> I want to add an encryption feature to ext2 fs and make it
> ext2encfs
> and want to add it to the Linux kernel source tree.
>
> How to go about this?

The Al Viro way to do this can be found in the kernelnewbies.org fortunes file:

> cp -a fs/ext{2,69}
> cp -a include/linux/ext{2,69}_fs.h
> cp -a include/linux/ext{2,69}_fs_i.h
> cp -a include/linux/ext{2,69}_fs_sb.h
> for i in fs/ext69/* include/linux/ext69*; do
>     vi '-cse ext|%s/(ext|EXT)2/\169/g|x' $i;
> done
> vi '-c/EXT/|y|pu|s/2/69/|s/Second/FUBAR/|x' fs/Config.in
> vi '-c/ext2/|y|pu|s/ext2/ext69/g|//|y|pu|&g|//|y|pu|&g|//|y|pu|&g|x' \
>     include/linux/fs.h
>
> had done the trick last time I needed something like that, but that was a long
> time ago...
>
> - Al Viro explaining some simple commands on linux-kernel

This is the way ext3 was made: start with the ext2 codebase and add new
features (journaling, in the case of ext3).

Anyway, to return to your issue:

Encrypting individual files is a bad idea, because it still gives an
eavesdropper information. Suppose I want to know if you're subscribed to the
kernelnewbies list. I would somehow get hold of your hard disk and find a file
named /home/rajaram/Mail/kernelnewbies. I can't read it because it's
encrypted, but it gives me enough information to figure out you're
subscribed. Even worse: because you and I are subscribed to the same mailing
list, I *know* the contents of the file, so it enables me to do a
known-plaintext attack on your cryptosystem. There might even be more files
the same on our systems, which makes attacking the cypher even easier. Not
good.

The right way to encrypt a filesystem is to encrypt the block device below
the filesystem. In this way all information about the filesystem is
encrypted, and if I get hold of your disk, I can't make heads or tails of it
because I can't even figure out if and where individual files are located on
the disk.

This kind of encryption is already available for Linux; it can be done with
the loop devices. Get the encryption patches from http://www.kerneli.org/ ,
install them in your kernel, and you can use the losetup command to set up
and access an encrypted block device.

Interesting to note is that Microsoft's NTFS has the capability to encrypt
individual files, but nobody uses it. Instead of that, people who need their
information to be encrypted use third party software that encrypts the
filesystem at the block layer, just like Linux encrypted loop devices.


Erik

--
J.A.K. (Erik) Mouw
Email: J.A.K.Mouw@its.tudelft.nl  mouw@nl.linux.org
WWW: http://www-ict.its.tudelft.nl/~erik/
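As an added illustration of the point made in the reply above (this is not code from the original post or from kerneli.org), a small Python model of the two approaches: per-file encryption leaves the directory entries, and so the file names and sizes, readable without the key, while encrypting the whole device sector by sector leaves nothing structured for an observer to read. The HMAC-SHA256 keystream, the key and the sample files are constructed stand-ins for a real cipher and a real ext2 image.

```python
import hashlib
import hmac
import struct

SECTOR = 512
KEY = b"constructed-demo-key"  # constructed; a real setup derives the key from a passphrase


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for a real block cipher (assumption)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed sample filesystem: path -> contents (the mailbox path is the one named in the post)
FILES = {
    "Mail/kernelnewbies": b"Subject: [kernelnewbies] ext2 changes\n" * 20,
    "notes.txt": b"private notes\n",
}


def file_level_image(files: dict) -> list:
    """Per-file encryption: only the contents are encrypted. The directory entry
    (name and size) is stored in the clear, which is exactly what the observer reads."""
    return [(name, len(data), xor(data, keystream(KEY, name.encode(), len(data))))
            for name, data in files.items()]


def _sector_xor(blob: bytes) -> bytes:
    """XOR every sector with a keystream keyed by its sector number (same op for both directions)."""
    return b"".join(xor(blob[off:off + SECTOR], keystream(KEY, struct.pack(">Q", off // SECTOR), SECTOR))
                    for off in range(0, len(blob), SECTOR))


def block_level_image(files: dict) -> bytes:
    """Block-device encryption: serialize the whole filesystem, directory entries
    included, pad to whole sectors, then encrypt every sector."""
    raw = b"".join(struct.pack(">H", len(n)) + n.encode() + struct.pack(">I", len(d)) + d
                   for n, d in files.items())
    raw += b"\0" * (-len(raw) % SECTOR)
    return _sector_xor(raw)


def block_level_decrypt(image: bytes) -> bytes:
    """With the key, the serialized filesystem comes back intact."""
    return _sector_xor(image)


def plaintext_names_in(image: bytes) -> list:
    """Which of the known file names an observer without the key can find in the raw image."""
    return [n for n in FILES if n.encode() in image]
```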