Re: Encrypted data partition
In gmane.os.openbsd.misc, you wrote: > On Thu, Dec 15, 2016 at 07:24:24AM +0100, Carsten Kunze wrote: >> So it would really be great to have an up-to-date EncFS... > > This might be a good opportunity for you to give ports development a go > ;-) > > http://www.openbsd.org/faq/ports/index.html > Possibly not the best beginner task, here's a start at it, but it needs more work (doesn't build). ? encfs.ii Index: Makefile === RCS file: /cvs/ports/security/encfs/Makefile,v retrieving revision 1.8 diff -u -p -r1.8 Makefile --- Makefile1 Oct 2016 11:54:17 - 1.8 +++ Makefile15 Dec 2016 12:14:55 - @@ -1,12 +1,17 @@ # $OpenBSD: Makefile,v 1.8 2016/10/01 11:54:17 naddy Exp $ -BROKEN-hppa = configure: error: Could not link against boost_serialization-boost_serialization +BROKEN-hppa = configure: error: Could not link against boost_serialization-boost_serialization BROKEN-sparc64 = configure: error: Could not link against boost_serialization-boost_serialization + COMMENT = fuse-based cryptographic filesystem -DISTNAME = encfs-1.7.4 -REVISION = 1 + +V =1.9.1 +DISTNAME = encfs-$V + SHARED_LIBS = encfs 0.0 # 6.1 + CATEGORIES = security + HOMEPAGE = http://www.arg0.net/encfs # GPLv3 @@ -15,20 +20,18 @@ PERMIT_PACKAGE_CDROM = Yes WANTLIB = boost_filesystem boost_serialization boost_system c \ crypto fuse m pthread rlog ssl stdc++ -MASTER_SITES = ${MASTER_SITE_GOOGLECODE:=encfs/} -EXTRACT_SUFX = .tgz +MASTER_SITES = https://github.com/vgough/encfs/releases/download/v$V/ + +MODULES = devel/cmake \ + gcc4 +MODGCC4_ARCHS =* +MODGCC4_LANGS =c++ -MODULES = devel/gettext +BUILD_DEPENDS =devel/gettext-tools LIB_DEPENDS = devel/boost \ + devel/gettext \ devel/rlog -CONFIGURE_STYLE = gnu -CONFIGURE_ARGS += --with-boost-serialization=boost_serialization \ - --with-boost-filesystem=boost_filesystem \ - --with-boost-system=boost_system -# TODO convert code to use utimensat() instead of lutimes() -CONFIGURE_ENV += CPPFLAGS="-Dlutimes=utimes -D_DIRENT_HAVE_D_TYPE" - do-test: ${WRKSRC}/encfs/test Index: distinfo === RCS file: /cvs/ports/security/encfs/distinfo,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 distinfo --- distinfo17 Jan 2014 10:10:58 - 1.1.1.1 +++ distinfo15 Dec 2016 12:14:55 - @@ -1,2 +1,2 @@ -SHA256 (encfs-1.7.4.tgz) = KC7w8E8t17o1J7RWIfq0hbfMUQws7uEWYA0DSNwhcKg= -SIZE (encfs-1.7.4.tgz) = 931048 +SHA256 (encfs-1.9.1.tar.gz) = ZyA67/egbOe+g99JSNspa+iaAM/+EQigpByW10gRBqQ= +SIZE (encfs-1.9.1.tar.gz) = 455910 Index: patches/patch-encfs_encfs_cpp === RCS file: patches/patch-encfs_encfs_cpp diff -N patches/patch-encfs_encfs_cpp --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-encfs_encfs_cpp 15 Dec 2016 12:14:55 - @@ -0,0 +1,12 @@ +$OpenBSD$ +--- encfs/encfs.cpp.orig Thu Dec 15 11:57:09 2016 encfs/encfs.cppThu Dec 15 11:59:59 2016 +@@ -497,7 +497,7 @@ int encfs_utime(const char *path, struct utimbuf *buf) + + int _do_utimens(EncFS_Context *, const string , + const struct timespec ts[2]) { +-#ifdef HAVE_UTIMENSAT ++#if 1 /* ifdef HAVE_UTIMENSAT; cmake check fails */ + int res = utimensat(AT_FDCWD, cyName.c_str(), ts, AT_SYMLINK_NOFOLLOW); + #else + struct timeval tv[2]; Index: patches/patch-encfs_encfssh === RCS file: patches/patch-encfs_encfssh diff -N patches/patch-encfs_encfssh --- patches/patch-encfs_encfssh 9 May 2015 12:18:58 - 1.1 +++ /dev/null 1 Jan 1970 00:00:00 - @@ -1,13 +0,0 @@ -$OpenBSD: patch-encfs_encfssh,v 1.1 2015/05/09 12:18:58 jca Exp $ - -- no fusermount(1) on OpenBSD, umount(8) is enough - encfs/encfssh.orig Sun Nov 29 23:04:12 2009 -+++ encfs/encfssh Thu May 7 19:58:09 2015 -@@ -63,5 +63,5 @@ orig_dir=$(pwd) - cd $unenc_dir - - # Set the shell up --exec /bin/sh -c "$SHELL ; cd $orig_dir ; fusermount -u $unenc_dir ; if ! $unenc_dir_given; then rmdir $unenc_dir; fi" -+exec /bin/sh -c "$SHELL ; cd $orig_dir ; umount $unenc_dir ; if ! $unenc_dir_given; then rmdir $unenc_dir; fi" - Index: patches/patch-encfs_main_cpp === RCS file: /cvs/ports/security/encfs/patches/patch-encfs_main_cpp,v retrieving revision 1.3 diff -u -p -r1.3 patch-encfs_main_cpp --- patches/patch-encfs_main_cpp9 May 2015 12:18:24 -
Re: Encrypted data partition
On Thu, Dec 15, 2016 at 11:47:56AM +0100, Carsten Kunze wrote: > Julian Suschlikwrote: > > > What about an encrypted backup to the USB drive and restore on the other > > host? Preserves links and permissions. Can do deduplication and updates. > > Borgbackup does this. You can carry binaries of the software for Linux and > > OpenBSD on the USB drive. > > Indeed an interesting tool. Unfortunately I already have a special data sync > tool (does not encrypt). So I need a transparent encryption file system > layer :) What about git-annex to sync from any "client" via a remote storage? It can do encryption and it does sync... (syncthing does not save data to remote storage, it does sync only alive clients.) Although it is written in haskell and hs-xmpp is a problem if you would need this part of git-annex working. j.
Re: Encrypted data partition
Stefan Sperlingwrote: > > So it would really be great to have an up-to-date EncFS... > > This might be a good opportunity for you to give ports development a go > ;-) I even would be interested, but I need it for both OpenBSD *and* NetBSD. A year ago I tried to update their pkgsrc version 1.2 to a current version, which did compile but not work. My hope was to port the working OpenBSD package to NetBSD :) If upstream would have any interest to give debug support on NetBSD, I'd like to update the OpenBSD package too. Carsten
Re: Encrypted data partition
Julian Suschlikwrote: > What about an encrypted backup to the USB drive and restore on the other > host? Preserves links and permissions. Can do deduplication and updates. > Borgbackup does this. You can carry binaries of the software for Linux and > OpenBSD on the USB drive. Indeed an interesting tool. Unfortunately I already have a special data sync tool (does not encrypt). So I need a transparent encryption file system layer :) Carsten
Re: Encrypted data partition
On Thu, Dec 15, 2016 at 07:24:24AM +0100, Carsten Kunze wrote: > So it would really be great to have an up-to-date EncFS... This might be a good opportunity for you to give ports development a go ;-) http://www.openbsd.org/faq/ports/index.html
Re: Encrypted data partition
> Also in most cases ssh does not support changing mtime of symlinks, > which is required for fast data synchronization (compare mtime > instead of readlink). For this reason I even use USB when the two > systems are in the same network. > > So it would really be great to have an up-to-date EncFS... What about an encrypted backup to the USB drive and restore on the other host? Preserves links and permissions. Can do deduplication and updates. Borgbackup does this. You can carry binaries of the software for Linux and OpenBSD on the USB drive. Julian
Re: Encrypted data partition
OpenBSD listswrote: > For sharing encrypted data between OpenBSD and Linux, I just use an > OpenBSD-based file server and connect to it over NFS (using SSH to > secure the connection) > > The file server is an old Intel Core-2 box with 4x 1 TB hard drives in a > softraid-5 configuration and a pair of 10 GB IDE disks for the OS using > hardware RAID. I shut the machine down each night to keep the data safe. > > > Much simpler configuration than hoping that the disk encryption software > stays compatible between builds (EG, the Linux version may upgrade to > use some kind of Linux-only technology that can't be adapted to work on > OpenBSD) or that the disk encryption software is even secure in the > first place. This is for two reasons not of use for me: The Linux and the OpenBSD systems are kilometers apart and the OpenBSD system is in a network which allows no access from the internet. So I have to transfer data with a USB flash drive. Also in most cases ssh does not support changing mtime of symlinks, which is required for fast data synchronization (compare mtime instead of readlink). For this reason I even use USB when the two systems are in the same network. So it would really be great to have an up-to-date EncFS... Carsten
Re: Encrypted data partition
Carsten Kunze wrote: Gregor Bestwrote: I just installed EncFS from ports, the version there is 1.7.4 With some short testing, it looks like it works nicely. Thank you for this information and the test. But it should be taken into account that this version is 6 years old, current release is 1.9.1. (It would be great of course if the package maintainer would find the time to update the package to a somewhat newer version some day :) Carsten For sharing encrypted data between OpenBSD and Linux, I just use an OpenBSD-based file server and connect to it over NFS (using SSH to secure the connection) The file server is an old Intel Core-2 box with 4x 1 TB hard drives in a softraid-5 configuration and a pair of 10 GB IDE disks for the OS using hardware RAID. I shut the machine down each night to keep the data safe. Much simpler configuration than hoping that the disk encryption software stays compatible between builds (EG, the Linux version may upgrade to use some kind of Linux-only technology that can't be adapted to work on OpenBSD) or that the disk encryption software is even secure in the first place. .
Re: Encrypted data partition
Gregor Bestwrote: > I just installed EncFS from ports, the version there is 1.7.4 > > With some short testing, it looks like it works nicely. Thank you for this information and the test. But it should be taken into account that this version is 6 years old, current release is 1.9.1. (It would be great of course if the package maintainer would find the time to update the package to a somewhat newer version some day :) Carsten
Re: Encrypted data partition
Hi Carste, On Wed, Dec 14, 2016 at 12:49:14PM +0100, Carsten Kunze wrote: > [...] > Are you using EncFS on OpenBSD? Which EncFS version? > [...] I just installed EncFS from ports, the version there is 1.7.4 With some short testing, it looks like it works nicely. Since the kern.usermount option is gone, you'll have to mount the file system as root, which means reading from and writing to the encrypted FS needs to be done as root as well, since OpenBSD's fuse implementation doesn't yet support the allow_* options to libfuse. For reference, this is the commandline I used: # encfs /home/gbe/test/enc /home/gbe/test/root -- Gregor
Re: Encrypted data partition
Gregor Bestwrote: > EncFS seems to be the most sensible option. Are you using EncFS on OpenBSD? Which EncFS version? Carsten
Re: Encrypted data partition
Jan Betlachwrote: > I'd like to have an encrypted Ext2 data partition, which can be shared > between OpenBSD and Linux. LUKS probably does not work in OpenBSD. Maybe > something like EncFS is the way to go? I need the same and tried EncFS (cloned from GitHub) a year ago. It compiles but doesn't work. I asked upstream for support but they are not interested, they don't care for anything but Linux. Which makes EncFS pointless--since there is LUKS--why should anyone use EncFS? (rhetorical question, don't answer) If you get (a current version of) EncFS or any other portable encryption method to work, I would be very interested! (But don't code it yourself, if you're not already an expert in this field.) Carsten
Re: Encrypted data partition
On Wed, Dec 14, 2016 at 10:34:53AM +0100, Jan Betlach wrote: > Hello, > > I'd like to have an encrypted Ext2 data partition, which can be shared > between OpenBSD and Linux. LUKS probably does not work in OpenBSD. Maybe > something like EncFS is the way to go? > [...] EncFS seems to be the most sensible option. If you share an ext2 partition between Linux and OpenBSD, make sure it's actually an ext2, not an ext[34]. While those can be mounted as ext2 by OpenBSD (unless you create an ext4 with extents), things might become weird if Linux writes to the partition using the journal, the power fails and you reboot into OpenBSD. -- Gregor
Re: Encrypted data partition
On 12/14/2016 10:34 AM, Jan Betlach wrote: Hello, I'd like to have an encrypted Ext2 data partition, which can be shared between OpenBSD and Linux. LUKS probably does not work in OpenBSD. Maybe something like EncFS is the way to go? Thank you Jan Rot 13 or caesar cipher should do the job just fine why go all complex with luks/encfs? you're trading in complexity for convenience. why not write a slim kernel module to suit your needs? heck, if you stick to ansi c, you could even write it portable (use posix for best results!) /s