SFS means Steganographic File System and describes a system to encrypt complete
partitions steganographically under linux. This means that the data cannot be
recovered without the correct passphrase and that nobody can prove that any data
exists on the SFS encrypted partition. The steganographic FS accomplishes this by
creating random data on the device, and then hiding the actual data inside this data
while using a modified IDEA stream chiffre algorithm. But why SFS?
This is important for example in european countries, where people can be
persecuted if it can be proven that they possess encrypted data
and they refuse to give their passwords to the law enforcement.
5 Step Installation: 1. Extract the sfspatch-2.0.36 from the package and patch your kernel, like it is described in the included README. Note: Should you have a kernel different than 2.0.36, you need to get a different package which you can find at: http://www-users.rwth-aachen.de/Peter.Schneider-Kamp/
2. Re-compile your kernel and include the SFS (fs section) as a MODULE. 3. Compile the sfstools - they need the upgraded kernel to compile. 4. Insmod sfs and then use mksfs from the sfstool package. E.G. to create a SFS on a floppy disk: mksfs /dev/fd0 - if you use HD partitions, remember you need a dedicated partition on which all data will be overwritten. It will ask you for a password, use a long one. 5. Create a mountpoint e.g. /mnt/test for your sfs device, and type: sfsmount /dev/fd0 /mnt/test. Your floppy disk (in this example) will now be mounted as /mnt/test and you can access it like any other mount point. Be aware that unlike CFS, SFS does not support a timeout yet, which the seriously paranoid might want. Also chmod 700 your mount-point; sfs will not check if it is world-readable.
CFS stands for Cryptographical File System. It is a filesys daemon that implies
the possibility to transparently encrypt and decrypt files on unix
systems. CFS uses NFS, the network file system and requires nfsd and the
portmap service to be running. Once you installed CFS, you will be able
to create cfs-directories with cmkdir that are protected by
unique passwords. Once the system is rebooted or the directory is detached,
all files stored in that directory are only retrievable by supplying the
correct passphrase for the dir.
Installation of CFS: Download CFS 1.3.3 RPM package and install by typing
rpm -i cfs.rpm. Then, enable RPC NFSd and portmap (make sure
you are using non-vulnerable versions!). Add the following line to /etc/exports:
/ localhost. Then, type "cfsd" to enable the daemon,
create a directory "/crypt" and mount it with: /bin/mount -o port=3049,intr localhost:/ /crypt.
You need to start cfsd and mount your dir each system startup!.
Now you can create a crypted directory using: cmkdir /root/test crypt1
This creates /root/test with the CFS name crypt1 (/crypt/crypt1 will be created)
You can now use cdetach, cattach and cpasswd on the dir. You will be prompted
for your password(s) automatically.
PGP uses asymmetric keys to make it possible to send private data
over the net. It works like this: you generate a key pair, consisting of a
public key and private key. Everything encrypted with the public key can be
decrypted with the private key only and everything encrypted with the private
key can be decrypted with the public key only.
The private key is stored on your machine only and protected by a passphrase,
while the public key is sent over the net and can theoretically be accessed
by anyone. This makes it possible to encrypt data without ever sending the
private key to anyone.
As long as you use a keylength of >= 1024 bits, PGP is pretty safe. Shorter
keys can be decrypted sooner or later and are rather 'Pretty Gay Privacy'.
Example: Bill G. wants to send a file worlddom.txt to Steve C. Both public
keys are available for each other, while private keys are only available for
themselves. Bill G. uses the public key from Steve C. to encrypt the data and
sends it over the net. Now, Steve C.'s private key is required to decrypt the
data, so Steve C. is the only person who can ever decrypt it.
(If Bill used his private key to encrypt it, Steve Case couldīve decrypted it
it with Bills public key, but everyone who knew Bills public accessible key
could also get the data. Therefore, BOTH parties need to have a key pair.)
Something else you can realize with PGP is the digital signature. It works
like this: a checksum of the data is created (MD5 hash) and is encrypted with
your private key to a signature. To verify the signature, it is decrypted
with the public key and a checksum of the same data is created and compared
with the decrypted one. If they match, the signature is valid and the only
one who couldīve singed the data is the owner of the private key it was signed with.