Runs on top of your file system. No messing around with complex configuration and additional storage devices. Available as FreeBSD port.
PEFS is open source free software available under the BSD license. The project is hosted on GitHub.
Current release 2016.06.11: Performance and stability improvements including shared vnode locking.
Complete POSIX semantics combined with high performance make PEFS drop-in replacement that improves storage security. Used in both private and enterprise environments.
Tuned for optimal and secure operation. Only standard and up to date encryption algorithms are used. Successfully passed security audit.
PEFS (Private Encrypted File System) is a kernel level stacked cryptographic file system for FreeBSD. PEFS transparently encrypts data and runs on top of any existing file system. Leveraging capabilities of the underlying file system helps to reduce configuration complexity and eliminates necessity of additional storage devices.
Primary usecase for PEFS has historically been encryption of the user home directory. Besides, PEFS may prove useful in the following cases:
Enterprise environments will additionally benefit from complete POSIX semantics provided by PEFS, e.g. sparse files, hardlinks, and atomic rename. Incremental backups and improved reliability in case of the system crash are achieved by each PEFS-encrypted file being self-contained, and elimination of external metadata associated with file or directory. File system operates at kernel level providing better performance comparing to user-level file systems.
PEFS is tuned for optimal and secure operation out-of-the-box. It means there is no user configurable options that could change behavior of the system lowering its overall security. Only standard and up to date encryption algorithms are used (AES and Camellia in XTS mode, PKCS#5v2 and HKDF for key generation).
There is a number of techniques PEFS employs to mitigate off-line attacks. Files with the same plaintexts are indistinguishable even when encrypted with the same key because of a new random tweak generated for each file. The same applies to file names, i.e. the same file name will be encrypted differently in any two directories.
PEFS is open source free software available under the BSD license.
Gleb Kurtsou started to work on PEFS in 2009 while participating in the Google Summer of Code. Gleb continues to develop the project mostly by his own with support by other open source community enthusiasts. He is a FreeBSD src committer, and specializes in data security, storage systems, and high performance networking.
When not coding, Gleb enjoys playing bass and exploring California nature with his Samoyed dog Redwood.
# pkg install pefs-kmod
# cd ports/sysutils/pefs-kmod # make install
# git clone git://github.com/glk/pefs.git pefs # cd pefs # make obj all # make install # make clean
Start by creating new directory and populating it with key chain database (.pefs.db) containing your password protected key. Note that database file is always created on unencrypted file system. Mount PEFS, in this example we are using the same directory ~/Private as both source and target mount point. As a final step, add key to the file system. -c option is there to verify password in database.
% mkdir ~/Private % pefs addchain -fZ ~/Private Enter parent key passphrase: Reenter parent key passphrase: % pefs mount ~/Private ~/Private % pefs addkey -c ~/Private Enter passphrase:
Links to external publications about PEFS:
Lets stay in touch to keep on improving PEFS together! Your comments, questions, and new feature suggestions are highly appreciated.
Email us: email@example.com
Read latest news on the project development, secure data storage, and cryptography in PEFS blog.
As an open source project, PEFS exists and advances only because of community enthusiasts and users support. We would be grateful if you could make a donation to help the project financially. Our PayPal account:
We are always open to collaboration with other people and organizations