Re: Encrypted data partition

2016-12-15 Thread Stuart Henderson 
In gmane.os.openbsd.misc, you wrote:
> On Thu, Dec 15, 2016 at 07:24:24AM +0100, Carsten Kunze wrote:
>> So it would really be great to have an up-to-date EncFS...
>
> This might be a good opportunity for you to give ports development a go
> ;-)
>
> http://www.openbsd.org/faq/ports/index.html
>

Possibly not the best beginner task, here's a start at it, but it needs
more work (doesn't build).

? encfs.ii
Index: Makefile
===
RCS file: /cvs/ports/security/encfs/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile1 Oct 2016 11:54:17 -   1.8
+++ Makefile15 Dec 2016 12:14:55 -
@@ -1,12 +1,17 @@
 # $OpenBSD: Makefile,v 1.8 2016/10/01 11:54:17 naddy Exp $
 
-BROKEN-hppa =  configure: error: Could not link against 
boost_serialization-boost_serialization
+BROKEN-hppa =  configure: error: Could not link against 
boost_serialization-boost_serialization
 BROKEN-sparc64 =   configure: error: Could not link against 
boost_serialization-boost_serialization
+
 COMMENT =  fuse-based cryptographic filesystem
-DISTNAME = encfs-1.7.4
-REVISION = 1
+
+V =1.9.1
+DISTNAME = encfs-$V
+
 SHARED_LIBS =  encfs   0.0 # 6.1
+
 CATEGORIES =   security
+
 HOMEPAGE = http://www.arg0.net/encfs
 
 # GPLv3
@@ -15,20 +20,18 @@ PERMIT_PACKAGE_CDROM =  Yes
 WANTLIB =  boost_filesystem boost_serialization boost_system c \
crypto fuse m pthread rlog ssl stdc++
 
-MASTER_SITES = ${MASTER_SITE_GOOGLECODE:=encfs/}
-EXTRACT_SUFX = .tgz
+MASTER_SITES = https://github.com/vgough/encfs/releases/download/v$V/
+
+MODULES =  devel/cmake \
+   gcc4
+MODGCC4_ARCHS =*
+MODGCC4_LANGS =c++
 
-MODULES =  devel/gettext
+BUILD_DEPENDS =devel/gettext-tools
 LIB_DEPENDS =  devel/boost \
+   devel/gettext \
devel/rlog

-CONFIGURE_STYLE =  gnu
-CONFIGURE_ARGS +=  --with-boost-serialization=boost_serialization \
-   --with-boost-filesystem=boost_filesystem \
-   --with-boost-system=boost_system
-# TODO convert code to use utimensat() instead of lutimes()
-CONFIGURE_ENV +=   CPPFLAGS="-Dlutimes=utimes -D_DIRENT_HAVE_D_TYPE"
-
 do-test:
${WRKSRC}/encfs/test
 
Index: distinfo
===
RCS file: /cvs/ports/security/encfs/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 distinfo
--- distinfo17 Jan 2014 10:10:58 -  1.1.1.1
+++ distinfo15 Dec 2016 12:14:55 -
@@ -1,2 +1,2 @@
-SHA256 (encfs-1.7.4.tgz) = KC7w8E8t17o1J7RWIfq0hbfMUQws7uEWYA0DSNwhcKg=
-SIZE (encfs-1.7.4.tgz) = 931048
+SHA256 (encfs-1.9.1.tar.gz) = ZyA67/egbOe+g99JSNspa+iaAM/+EQigpByW10gRBqQ=
+SIZE (encfs-1.9.1.tar.gz) = 455910
Index: patches/patch-encfs_encfs_cpp
===
RCS file: patches/patch-encfs_encfs_cpp
diff -N patches/patch-encfs_encfs_cpp
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-encfs_encfs_cpp   15 Dec 2016 12:14:55 -
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- encfs/encfs.cpp.orig   Thu Dec 15 11:57:09 2016
 encfs/encfs.cppThu Dec 15 11:59:59 2016
+@@ -497,7 +497,7 @@ int encfs_utime(const char *path, struct utimbuf *buf)
+ 
+ int _do_utimens(EncFS_Context *, const string ,
+ const struct timespec ts[2]) {
+-#ifdef HAVE_UTIMENSAT
++#if 1 /* ifdef HAVE_UTIMENSAT; cmake check fails */
+   int res = utimensat(AT_FDCWD, cyName.c_str(), ts, AT_SYMLINK_NOFOLLOW);
+ #else
+   struct timeval tv[2];
Index: patches/patch-encfs_encfssh
===
RCS file: patches/patch-encfs_encfssh
diff -N patches/patch-encfs_encfssh
--- patches/patch-encfs_encfssh 9 May 2015 12:18:58 -   1.1
+++ /dev/null   1 Jan 1970 00:00:00 -
@@ -1,13 +0,0 @@
-$OpenBSD: patch-encfs_encfssh,v 1.1 2015/05/09 12:18:58 jca Exp $
-
-- no fusermount(1) on OpenBSD, umount(8) is enough
-
 encfs/encfssh.orig Sun Nov 29 23:04:12 2009
-+++ encfs/encfssh  Thu May  7 19:58:09 2015
-@@ -63,5 +63,5 @@ orig_dir=$(pwd)
- cd $unenc_dir
- 
- # Set the shell up
--exec /bin/sh -c "$SHELL ; cd $orig_dir ; fusermount -u $unenc_dir ; if ! 
$unenc_dir_given; then rmdir $unenc_dir; fi"
-+exec /bin/sh -c "$SHELL ; cd $orig_dir ; umount $unenc_dir ; if ! 
$unenc_dir_given; then rmdir $unenc_dir; fi"
- 
Index: patches/patch-encfs_main_cpp
===
RCS file: /cvs/ports/security/encfs/patches/patch-encfs_main_cpp,v
retrieving revision 1.3
diff -u -p -r1.3 patch-encfs_main_cpp
--- patches/patch-encfs_main_cpp9 May 2015 12:18:24 -

Re: Encrypted data partition

2016-12-15 Thread Jiri B 
On Thu, Dec 15, 2016 at 11:47:56AM +0100, Carsten Kunze wrote:
> Julian Suschlik  wrote:
> 
> > What about an encrypted backup to the USB drive and restore on the other
> > host? Preserves links and permissions. Can do deduplication and updates.
> > Borgbackup does this. You can carry binaries of the software for Linux and
> > OpenBSD on the USB drive.
> 
> Indeed an interesting tool.  Unfortunately I already have a special data sync 
> tool (does not encrypt).  So I need a transparent encryption file system 
> layer :)

What about git-annex to sync from any "client" via a remote storage?
It can do encryption and it does sync...
(syncthing does not save data to remote storage, it does sync only
alive clients.)

Although it is written in haskell and hs-xmpp is a problem if you would
need this part of git-annex working.

j.

Re: Encrypted data partition

2016-12-15 Thread Carsten Kunze 
Stefan Sperling  wrote:

> > So it would really be great to have an up-to-date EncFS...
> 
> This might be a good opportunity for you to give ports development a go
> ;-)

I even would be interested, but I need it for both OpenBSD *and* NetBSD.  A 
year ago I tried to update their pkgsrc version 1.2 to a current version, which 
did compile but not work.  My hope was to port the working OpenBSD package to 
NetBSD :)

If upstream would have any interest to give debug support on NetBSD, I'd like 
to update the OpenBSD package too.

Carsten

Re: Encrypted data partition

2016-12-15 Thread Carsten Kunze 
Julian Suschlik  wrote:

> What about an encrypted backup to the USB drive and restore on the other
> host? Preserves links and permissions. Can do deduplication and updates.
> Borgbackup does this. You can carry binaries of the software for Linux and
> OpenBSD on the USB drive.

Indeed an interesting tool.  Unfortunately I already have a special data sync 
tool (does not encrypt).  So I need a transparent encryption file system layer 
:)

Carsten

Re: Encrypted data partition

2016-12-15 Thread Stefan Sperling 
On Thu, Dec 15, 2016 at 07:24:24AM +0100, Carsten Kunze wrote:
> So it would really be great to have an up-to-date EncFS...

This might be a good opportunity for you to give ports development a go
;-)

http://www.openbsd.org/faq/ports/index.html

Re: Encrypted data partition

2016-12-15 Thread Julian Suschlik 
> Also in most cases ssh does not support changing mtime of symlinks,
> which is required for fast data synchronization (compare mtime
> instead of readlink).  For this reason I even use USB when the two
> systems are in the same network.
>
> So it would really be great to have an up-to-date EncFS...

What about an encrypted backup to the USB drive and restore on the other
host? Preserves links and permissions. Can do deduplication and updates.
Borgbackup does this. You can carry binaries of the software for Linux and
OpenBSD on the USB drive.

Julian

Re: Encrypted data partition

2016-12-14 Thread Carsten Kunze 
OpenBSD lists  wrote:

> For sharing encrypted data between OpenBSD and Linux, I just use an 
> OpenBSD-based file server and connect to it over NFS (using SSH to 
> secure the connection)
> 
> The file server is an old Intel Core-2 box with 4x 1 TB hard drives in a 
> softraid-5 configuration and a pair of 10 GB IDE disks for the OS using 
> hardware RAID.  I shut the machine down each night to keep the data safe.
> 
> 
> Much simpler configuration than hoping that the disk encryption software 
> stays compatible between builds (EG, the Linux version may upgrade to 
> use some kind of Linux-only technology that can't be adapted to work on 
> OpenBSD) or that the disk encryption software is even secure in the 
> first place.

This is for two reasons not of use for me: The Linux and the OpenBSD
systems are kilometers apart and the OpenBSD system is in a network
which allows no access from the internet.  So I have to transfer data
with a USB flash drive.

Also in most cases ssh does not support changing mtime of symlinks,
which is required for fast data synchronization (compare mtime
instead of readlink).  For this reason I even use USB when the two
systems are in the same network.

So it would really be great to have an up-to-date EncFS...

Carsten

Re: Encrypted data partition

2016-12-14 Thread OpenBSD lists 

Carsten Kunze wrote:

Gregor Best  wrote:


I just installed EncFS from ports, the version there is 1.7.4

With some short testing, it looks like it works nicely.


Thank you for this information and the test.
But it should be taken into account that this version is 6 years old, current 
release is 1.9.1.
(It would be great of course if the package maintainer would find the time to 
update the package to a somewhat newer version some day :)

Carsten



For sharing encrypted data between OpenBSD and Linux, I just use an 
OpenBSD-based file server and connect to it over NFS (using SSH to 
secure the connection)


The file server is an old Intel Core-2 box with 4x 1 TB hard drives in a 
softraid-5 configuration and a pair of 10 GB IDE disks for the OS using 
hardware RAID.  I shut the machine down each night to keep the data safe.



Much simpler configuration than hoping that the disk encryption software 
stays compatible between builds (EG, the Linux version may upgrade to 
use some kind of Linux-only technology that can't be adapted to work on 
OpenBSD) or that the disk encryption software is even secure in the 
first place.

.

Re: Encrypted data partition

2016-12-14 Thread Carsten Kunze 
Gregor Best  wrote:

> I just installed EncFS from ports, the version there is 1.7.4
> 
> With some short testing, it looks like it works nicely.

Thank you for this information and the test.
But it should be taken into account that this version is 6 years old, current 
release is 1.9.1.
(It would be great of course if the package maintainer would find the time to 
update the package to a somewhat newer version some day :)

Carsten

Re: Encrypted data partition

2016-12-14 Thread Gregor Best 
Hi Carste,

On Wed, Dec 14, 2016 at 12:49:14PM +0100, Carsten Kunze wrote:
> [...]
> Are you using EncFS on OpenBSD?  Which EncFS version?
> [...]

I just installed EncFS from ports, the version there is 1.7.4

With some short testing, it looks like it works nicely. Since the
kern.usermount option is gone, you'll have to mount the file system as
root, which means reading from and writing to the encrypted FS needs to
be done as root as well, since OpenBSD's fuse implementation doesn't yet
support the allow_* options to libfuse.

For reference, this is the commandline I used:

# encfs /home/gbe/test/enc /home/gbe/test/root

-- 
Gregor

Re: Encrypted data partition

2016-12-14 Thread Carsten Kunze 
Gregor Best  wrote:

> EncFS seems to be the most sensible option.

Are you using EncFS on OpenBSD?  Which EncFS version?

Carsten

Re: Encrypted data partition

2016-12-14 Thread Carsten Kunze 
Jan Betlach  wrote:

> I'd like to have an encrypted Ext2 data partition, which can be shared
> between OpenBSD and Linux. LUKS probably does not work in OpenBSD. Maybe
> something like EncFS is the way to go?

I need the same and tried EncFS (cloned from GitHub) a year ago.  It compiles 
but doesn't work.  I asked upstream for support but they are not interested, 
they don't care for anything but Linux.  Which makes EncFS pointless--since 
there is LUKS--why should anyone use EncFS? (rhetorical question, don't answer)

If you get (a current version of) EncFS or any other portable encryption method 
to work, I would be very interested!

(But don't code it yourself, if you're not already an expert in this field.)

Carsten

Re: Encrypted data partition

2016-12-14 Thread Gregor Best 
On Wed, Dec 14, 2016 at 10:34:53AM +0100, Jan Betlach wrote:
> Hello,
> 
> I'd like to have an encrypted Ext2 data partition, which can be shared
> between OpenBSD and Linux. LUKS probably does not work in OpenBSD. Maybe
> something like EncFS is the way to go?
> [...]

EncFS seems to be the most sensible option.

If you share an ext2 partition between Linux and OpenBSD, make sure it's
actually an ext2, not an ext[34]. While those can be mounted as ext2 by
OpenBSD (unless you create an ext4 with extents), things might become
weird if Linux writes to the partition using the journal, the power
fails and you reboot into OpenBSD.

-- 
Gregor

Re: Encrypted data partition

2016-12-14 Thread ds 

On 12/14/2016 10:34 AM, Jan Betlach wrote:

Hello,

I'd like to have an encrypted Ext2 data partition, which can be shared
between OpenBSD and Linux. LUKS probably does not work in OpenBSD. Maybe
something like EncFS is the way to go?

Thank you

Jan




Rot 13 or caesar cipher should do the job just fine
why go all complex with luks/encfs? you're trading in complexity for 
convenience. why not write a slim kernel module to suit your needs? 
heck, if you stick to ansi c, you could even write it portable (use 
posix for best results!)


/s