Working with encryption can be onerous if it requires the constant encryption and decryption of files in an archive that you use on a regular basis. In these circumstances, you may want to consider the use of disk encryption. One of the
To install the package found on the site, run the following command:
rpm -vv -i cfs-1.4.1-5.i386.rpm
This will install a complete package for CFS. It is recommended that you take this approach, as it
Change to the first rc directory where there is an error:
Remove the old file:
Then use the following command to relink the script so that the program is shut down cleanly:
ln -s ../cfsd K15cfsd
Repeat the above steps for /etc/init.d/rc1.d and /etc/init.d/rc2.d.
In /etc/init.d/rc3.d and /etc/init.d/rc5.d, use the following command to create the links to start the program:
rm S65cfsd ; ln -s ../cfsd S65cfsd
Edit the /etc/init.d/cfsd script to make your mount points appropriate to your needs if you are changing from the default.
You can now restart the system and CFS will run normally. If you wish, you may change the mount points by modifying the /etc/exports file, and modifying the /etc/init.d/cfsd script to reflect the locations you prefer.
Since it is all too likely that you will have to build and install CFS for yourself, the steps to do so will be laid out for you here. There may be some differences among the flavors of CFS out there, but many of the essential elements will be the same. There are more steps in this method, but if you want to tweak things, this will get you started. If you have installed the RPM binary package, you can skip this section.
The following command will install the necessary sources in the /usr/src/packages/SOURCES directory:
rpm --install cfs-1.4.1-5.src.rpm
From there it is a matter of unpacking the files and building the source trees. This version of CFS needs the RSAref2 package, which is included as a part of the RPM. Since it needs to be installed first, the following steps should be taken:
Set your umask to 022, and cd to the /usr/src/packages/SOURCES/ directory.
gzip -dc rsaref2.tar.gz | tar -xvf -
cd into the resulting rsaref2 directory.
cd further into the install directory, then the unix directory.
Type make to build the software with default options. This will result in two programs and one library file. The programs are dhdemo and rdemo, demonstration programs for Diffie-Hellman extensions to the RSA reference package, and for the RSA cryptographic functions. The library file is named rsaref.a, and contains functions needed to compile CFS.
Copy dhdemo and rdemo into /usr/local/bin.
Copy rsaref.a into /usr/local/lib, then run ranlib on it to reset the library's contents manually, by executing the following command:
Copy the header files from the rsaref2/sources directory into /usr/local/include. You may want to specify the -i switch to avoid possibly overwriting similar header files if they exist. The command with full pathnames would look like this:
# cp -i /usr/src/packages/SOURCES/rsaref2/sources/*.h /usr/local/include
These locations will later be used in the CFS makefile to tell it where to look for the files.
That's all there is to that step. There is no install option in the makefile, so installation needs to be done by hand. In the
Unpack the CFS software from the gzipped tar file with the following command:
gzip -dc cfs-1.4.1.tar.gz | tar -xvf -
into the cfs-1.4.1 directory, and
On line 78, change the COPT=-O2 -DPROTOTYPES=1 line to say COPT=-O2 -DPROTOTYPES=0.
On line 87, change the RSALIB= variable to say /usr/local/lib/rsaref.a instead of the default of /usr/mab/rsaref/install/rsaref.a, which will not exist on your system.
On line 88, change the RSAINCLUDES= line to read /usr/local/include instead of the original /usr/mab/rsaref/source.
Uncomment lines 128 to 131, and remove the -traditional flag from line 128 so that your text looks something like this:
CFLAGS=$(COPT) -U__OPTIMIZE__ -Dd_fileno=d_ino -I$(RINCLUDES)
LIBS=
COMPAT=
RPCOPTS= -k -b
Put a comment at the beginning of line 232 to make it look like this:
Save the file and exit.
Following that, you will be ready to build CFS. This is straightforward; in the source directory, typing make alone will give you the potential targets:
make cfs, esm, install_cfs or install_esm
The first step is to make CFS, so to do so just type
. Next type
to make the
program. Once these builds have completed without errors, you can install the software by typing
. You will then have to install the man pages by hand. You will do this from the CFS source directory as
cp *.1 /usr/local/man/man1
cp *.8 /usr/local/man/man8
That is the last step to installing the software. Next you need to configure it for use. CFS has some uncommon requirements because it operates over the loopback network interface, and functions much like a normal NFS mount would.
To configure it for use, take the following steps:
Pick a bootstrap mount point. This will not get used for anything, but is necessary for everything to run. It's easiest to make a directory called /null to do this. Create the directory and remove unnecessary permissions as follows:
mkdir /null;chmod 0 /null
Add a line to your /etc/exports file that contains the words /null localhost on a single line.
Make a directory where you want your encrypted file system to be mounted. For example, mkdir /crypt will put it in the root directory on /.
Create an rc startup script that should be run by the system after the mount command is run. This should be put in /etc/init.d/rc2.d under SUSE, and /etc/rc2.d under Red Hat. The contents of the script should be something like this:
if [ -x /usr/local/etc/cfsd ]; then
    /usr/local/etc/cfsd && \
        /etc/mount -o port=3049,intr localhost:/null /crypt
fi
This contains the mount points that we specified earlier. If you want them located in different places, the file systems containing them must be mounted before cfsd starts in order for it to function correctly.
At this point you may either reboot or start CFS manually. To do so you will have to export the null mount that you created before, by executing
. You may also have to start /usr/sbin/rpc.
Run the following command to set up the mount over the loopback:
mount -o port=3049,intr localhost:/null /crypt
If everything has
# df -a
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda7              8385636   2020300   6365336  25% /
proc                         0         0         0   -  /proc
devpts                       0         0         0   -  /dev/pts
/dev/sda5                15522      5734      8987  39% /boot
shmfs                   144144         0    144144   0% /dev/shm
usbdevfs                     0         0         0   -  /proc/bus/usb
localhost:/null              0         0         0   -  /crypt
Notice that the mount over the loopback device is visible as
for a source export, and the
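The configuration steps above (the mode-0 bootstrap directory, the /etc/exports line, the attach point and the loopback mount) can be checked mechanically. The script below is an added example, not part of the original text or of the CFS distribution; the function name check_cfs_setup and its ROOT and MOUNTS arguments are assumptions made for illustration, and it treats an export of the bootstrap directory to any client other than localhost as a failure.

```shell
#!/bin/sh
# Added example: audit the CFS bootstrap configuration from the steps above.
# check_cfs_setup and its arguments are hypothetical names. ROOT prefixes
# every path so the check can run against a scratch tree; on a live system:
#   check_cfs_setup "" /proc/mounts

check_cfs_setup() {
    root=$1; mounts=$2; boot=${3:-/null}; crypt=${4:-/crypt}
    rc=0

    # Bootstrap directory must exist with every permission bit cleared.
    perms=$(ls -ld "$root$boot" 2>/dev/null | cut -c1-10)
    if [ "$perms" != "d---------" ]; then
        echo "FAIL: $boot missing or not mode 0 (got '${perms:-nothing}')"; rc=1
    fi

    # /etc/exports must offer the bootstrap directory to localhost only.
    exports_msg=$(awk -v b="$boot" '
        $1 == b { seen = 1
                  if (NF < 2) print "exported without a client list"
                  for (i = 2; i <= NF; i++)
                      if ($i != "localhost" && $i !~ /^localhost\(/)
                          print "exported to " $i }
        END { if (!seen) print "has no export line" }
    ' "$root/etc/exports" 2>/dev/null || echo "cannot be checked (file unreadable)")
    if [ -n "$exports_msg" ]; then
        echo "FAIL: /etc/exports: $boot $exports_msg"; rc=1
    fi

    # The attach point must exist as a directory.
    if [ ! -d "$root$crypt" ]; then
        echo "FAIL: attach point $crypt is missing"; rc=1
    fi

    # The loopback export must be mounted on the attach point.
    if ! awk -v d="localhost:$boot" -v m="$crypt" \
            '$1 == d && $2 == m { ok = 1 } END { exit !ok }' "$mounts" 2>/dev/null
    then
        echo "FAIL: localhost:$boot is not mounted on $crypt"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $boot and $crypt are configured as described"
    return "$rc"
}
```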
To test and use CFS, the first command you will run will be cmkdir exampledir to create an encrypted directory. The command is straightforward, and will create a directory in the place of your choosing that is an empty CFS file system. In this example,
werewolf:/home/budcobackup/testcfs # cmkdir cfstest
Key:
Again:
you can see that cmkdir prompts twice for a password. This is the password you will use from then on to attach the encrypted directory.
This created a directory called cfstest relative to the location in which it was run. In this case it is a directory inside our home directory. Listing the contents of this directory yields output that looks like this:
werewolf:/home/budcobackup/testcfs/cfstest # ls -al
total 16
drwxr-xr-x  2 root root 144 2004-05-24 18:21 .
drwxr-xr-x  4 root root  96 2004-05-24 18:21 ..
-rw-r--r--  1 root root   8 2004-05-24 18:21 ...
-rw-r--r--  1 root root   1 2004-05-24 18:21 ..c
-rw-r--r--  1 root root  32 2004-05-24 18:21 ..k
-rw-r--r--  1 root root   7 2004-05-24 18:21 ..s
Next you want to run the cattach program to mount your encrypted directory and be able to use it like you would a normal file system. Use the following syntax,
where the argument is the directory name you used when you ran the cmkdir command. In the following example, you can see that cattach prompted for your password and then exited:
werewolf:/home/budcobackup/testcfs # cattach cfstest
Key:
Now, however, looking in /crypt we can see a new directory,
# ls -l /crypt
total 1
drwxrwxrwx   4 root root 8192 2004-05-24 18:23 .
drwxr-xr-x  24 root root  552 2004-05-24 17:27 ..
drwx------   2 root root  144 2004-05-24 18:21 cfstest
which shows that there is a new directory cfstest available for use. If you copy files into that /crypt/cfstest directory, you will be able to work with them as though they were in a normal directory. However, if the encrypted directory is not mounted or attached, you will not be able to see them. To
werewolf:/ # cdetach cfstest
werewolf:/ # ls -l /crypt
total 1
drwxrwxrwx   4 root root 8192 2004-05-24 18:39 .
drwxr-xr-x  24 root root  552 2004-05-24 17:27 ..
The files are there, just encrypted and stored under the directory that was made when you ran the cmkdir command earlier.
With a little creativity, it is very easy to customize locations that are suitable for use with CFS. Care must be taken with mounting file systems, as the cleartext space inside the directories that you have attached are visible to