TCFS for BSD: installation roadmap

INTRODUCTION
     This is a prototype of TCFS for BSD and it is released only for
developers. Any other use is strongly discouraged. This is a minimal
implementation and not all planned features (see the section "What it does
not do") have been implemented. The code has been written for OpenBSD 2.6.
In some places the code is rather obscure because I followed the motto
"First make it work, then make it well".

WHAT IT DOES
     The TCFS filesystem layer provides:

   * File encryption/decryption using DES or RC5 (other ciphers can be
     easily added)
   * Management of keys on a per-user, per-group and per-process basis.
   * Management of different keys for each filesystem mounted.
   * A set of utilities for users and system administrators.

     N.B. Currently, it is possible to mount a TCFS filesystem only on top
of an FFS filesystem.

WHAT IT DOES NOT DO
     At the moment we are working on:

   * Directory encryption/decryption (i.e., encryption/decryption of the
     filenames).
   * Independence from underlying filesystem.

TCFS FILE SYSTEM INSTALLATION

  1. Download files openbsd-tcfs.tar.gz and openbsd-mount_tcfs.tar.gz
  2. Make sure packages /usr/src/sys and /usr/src/sbin have been installed
  3. Expand the tar.gz archives as root

                     (cd /; tar xvfz path/to/openbsd-tcfs.tar.gz)
                     (cd /; tar xvfz path/to/openbsd-mount_tcfs.tar.gz)

     The archive openbsd-tcfs.tar.gz contains some files of the original
     distribution which have been modified. The originals were renamed to
     namefile.orig.
  4. Add the line

                     file-system     TCFS

     to your kernel configuration file and save it in

                     /usr/src/sys/arch/yourarch/conf/YOURKERNEL

  5. Configure and compile YOURKERNEL

                     cd /usr/src/sys/arch/yourarch/conf/
                     config YOURKERNEL
                     cd ../compile/YOURKERNEL
                     make depend && make
                     cp /bsd /bsd.old
                     mv bsd /

  6. Compile the mount_tcfs program

                     cd /usr/src/sbin/mount_tcfs
                     make
                     make install

  7. Reboot the system

TCFS UTILITIES INSTALLATION

  1. Download the archive openbsd-tcfs_utils and expand it as root

                     (cd /;tar xvfz path/to/openbsd-tcfs_utils.tar.gz)

  2. Compile tcfs utilities

                     cd /usr/src/tcfs-utils_0.1
                     make
                     make install

  3. Add /usr/tcfs/bin and /usr/tcfs/sbin to your path

MOUNTING TCFS FILESYSTEM
     You can mount a TCFS filesystem by running the mount command

          example:

                mount -t tcfs /mnt2 /mnt/tcfs

     If you want to mount the filesystem automatically at boot, edit the
file /etc/fstab and insert a line for the TCFS filesystem.

          example:

                /mnt2   /mnt/tcfs       tcfs    rw             0 0

MANAGING PROTECTED FILES
     In order to create a protected file, you need to push a user key into
TCFS. The easiest way to do this is to run

                tcfsputkey -k -p /mnt/tcfs

        example:

                tcfsputkey -k -p /mnt/tcfs # give TCFS the encryption key
                cd /mnt/tcfs
                echo "Hello World!">first  # the file is not encrypted
                tcfsflag x first           # toggles first's cryptographic flag
                                           # now first is stored encrypted
                cat first                  # you see the content of first
                                           # i.e., the string "Hello World!"

                vi first                   # edit first
                tcfsflag x first           # toggles first's cryptographic flag
                                           # now first is stored in clear
                cat first                  # you see the content of first
                tcfsrmkey                  # remove your key from TCFS

     The filesystem does not permit further access to encrypted files by
any user who has not registered a key. This happens even if the user
owns the file.

SELECTING THE CIPHER

    The mount_tcfs command searches the file /usr/tcfs/etc/tcfstab
    to select the cipher to be used for the new TCFS filesystem.
    Each entry of this file is composed of three fields:

	fs-label:mount-point:cipher-number

    The first field is an alias that the TCFS support utilities can use
    to refer to the associated mount point (given in the second field).
    The third field is the cipher-id that must be used to encrypt/decrypt
    files.

    Currently only TDES and RC5 are available; they are referred to as
    number 0 and number 1 respectively.

    So, to configure the filesystem /mnt/tcfs2 (labeled "foo") to use RC5,
    insert the following row in the tcfstab file:

	foo:/mnt/tcfs2:1

    Note that the entry default must be present.
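
    A small checker for the tcfstab format described above, added here as
    an example; it is not part of the TCFS distribution. It assumes that
    blank lines are skipped, that mount points are absolute paths, and that
    "the entry default" means an entry whose fs-label is default.

```sh
#!/bin/sh
# Added example: sanity-check a tcfstab file (fs-label:mount-point:cipher-number).
# Prints one line per problem; returns non-zero if any problem was found.
check_tcfstab() {
    awk -F: '
        BEGIN { bad = 0 }
        /^[ \t]*$/ { next }    # assumption: blank lines are skipped
        NF != 3 {
            printf "line %d: want fs-label:mount-point:cipher-number\n", NR
            bad = 1; next
        }
        $1 == ""     { printf "line %d: empty fs-label\n", NR; bad = 1 }
        ($1 in seen) { printf "line %d: duplicate fs-label %s\n", NR, $1; bad = 1 }
        { seen[$1] = NR }
        # assumption: mount points are written as absolute paths
        $2 !~ /^\//  { printf "line %d: mount-point is not absolute: %s\n", NR, $2; bad = 1 }
        # the page lists only cipher 0 (TDES) and cipher 1 (RC5)
        $3 != "0" && $3 != "1" {
            printf "line %d: unknown cipher-number %s\n", NR, $3; bad = 1
        }
        END {
            # assumption: "the entry default" means an entry labeled default
            if (!("default" in seen)) { print "missing entry: default"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample input: a valid table, then one with several mistakes
# (duplicate label, cipher 2, a two-field line, no default entry).
good=$(mktemp)
broken=$(mktemp)
trap 'rm -f "$good" "$broken"' EXIT
printf 'default:/mnt/tcfs:0\nfoo:/mnt/tcfs2:1\n' > "$good"
printf 'foo:/mnt/tcfs2:1\nfoo:/mnt/tcfs3:2\nbar:/mnt/tcfs4\n' > "$broken"

check_tcfstab "$good" && echo "good table: ok"
check_tcfstab "$broken" || echo "broken table: fix the lines above"
```

    Run it against /usr/tcfs/etc/tcfstab before mounting, so that a
    mistyped cipher number or a missing default entry is caught early.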