man cmkdir (Commandes) - create encrypted directory for CFS
NAME
cmkdir - create encrypted directory for CFS
SYNOPSIS
cmkdir [ -123bdmosp ] directory
DESCRIPTION
cmkdir creates directory and assigns to it cryptographic keys for use by the Cryptographic File System (CFS). Operation is similar to the ordinary mkdir(1) command, with the addition that the user is prompted for a passphrase which is used to generate the DES keys used by cfsd(8) to transparently encrypt the files. The smartcard version of cmkdir initializes a key smartcard and requires that a blank smartcard be inserted into the smartcard reader.
Once created, encrypted directories can be made available for use with the cattach(1) command. Users should not ordinarily read and write directly to directories created with cmkdir, since these files would not be stored in encrypted form.
By default, cmkdir creates directories for two-key hybrid mode triple DES. The -1 option specifies two-key hybrid mode single DES; this is faster, albiet at the expense of security. Three-key triple DES is specified with -3; directories created for three-key triple DES cannot be read by versions of CFS earlier than 1.3.2. Other cipher algorithms may also be available, depending on the local configuration.
Use the -o option to create directories that can be read by versions of CFS before 1.3; directories created under this option can be read by cname and ccat as well.
The -p ("puny") option creates directories that use much less memory when attached under cfsd. This is useful on machines with very little (less than, say, 8MBs with a window system and browser also running) memory. Files in directories created under -p may reveal slightly more about their structure than regular CFS files.
The -- option will read the key from standard input, and will not attempt to read from /dev/tty or change the terminal modes. This is useful for creating directories from other programs or scripts, and should not ordinarily be used.
Three new experimental block ciphers are included in the default distribution. The -b oprion specifies Schneier's popular "Blowfish" algorithm. It has a 128 bit nominal keyspace and is rather fast on most computers. Blowfish is a fairly new algorithm and has not enjoyed nearly the analytic attention that DES has, so it is not recommended for critical applications. The -m option specifies Blaze and Schneier's experimental "MacGuffin" cipher. It has 32 rounds, a 64 bit codebook size and a 128 bit nominal keyspace. Use this cipher at your own risk; it is much weaker than its keyspace suggests, and is included only as an example.
Another new cipher, James Massey's SAFER-SK128, is also available in this release. Specify SAFER-SK128 with the -s option. Again, this cipher hasn't been around nearly as long as DES, so use it at your own risk. SAFER is a little faster than triple DES.
FILES
- directory/...
- known-plaintext hash of the assigned keys.
- directory/..c
- identifies the cipher algorithm.
SEE ALSO
BUGS
The MacGuffin, Blowfish and SAFER ciphers aren't nearly as well-studied as DES. They are included primarly as an example of how to add ciphers to CFS. The author's personal files remain protected with the -2 option.
Some of the options (-2, -3) have different meanings from previous versions.
AUTHOR
Matt Blaze; for information on cfs, email to cfs@research.att.com.