Private Encrypted File System

Easy to Use

Runs on top of your file system. No messing around with complex configuration and additional storage devices. Available as FreeBSD port.

Open Source

PEFS isĀ open sourceĀ free software available under the BSD license. The project is hosted on GitHub.

Latest Updates

Current release 2018.12.29: Build fixes for FreeBSD 13-CURRENT; workaround for LazyFPU security bug.


Complete POSIX semantics combined with high performance make PEFS drop-in replacement that improves storage security. Used in both private and enterprise environments.


Tuned for optimal and secure operation. Only standard and up to date encryption algorithms are used. Successfully passed security audit.

Stay in Touch

Be a part of the community by submitting a fix or reporting a bug. Follow us on social networks and PEFS blog.


PEFS (Private Encrypted File System) is a kernel level stacked cryptographic file system for FreeBSD. PEFS transparently encrypts data and runs on top of any existing file system. Leveraging capabilities of the underlying file system helps to reduce configuration complexity and eliminates necessity of additional storage devices.

Primary usecase for PEFS has historically been encryption of the user home directory. Besides, PEFS may prove useful in the following cases:

  • Encryption of the data shared over network or on cloud storage
  • Encryption of the data on portable storage like USB thumb drive
  • Setting up multiple encrypted folders for sensitive information
  • Login with PEFS password and automatic decryption of the home directory (pam module)
  • Support of multiple keys makes it possible to hide encrypted directories, similar to the hidden secondary volumes concept.

Enterprise environments will additionally benefit from complete POSIX semantics provided by PEFS, e.g. sparse files, hardlinks, and atomic rename. Incremental backups and improved reliability in case of the system crash are achieved by each PEFS-encrypted file being self-contained, and elimination of external metadata associated with file or directory. File system operates at kernel level providing better performance comparing to user-level file systems.

PEFS is tuned for optimal and secure operation out-of-the-box. It means there is no user configurable options that could change behavior of the system lowering its overall security. Only standard and up to date encryption algorithms are used (AES and Camellia in XTS mode, PKCS#5v2 and HKDF for key generation).

There is a number of techniques PEFS employs to mitigate off-line attacks. Files with the same plaintexts are indistinguishable even when encrypted with the same key because of a new random tweak generated for each file. The same applies to file names, i.e. the same file name will be encrypted differently in any two directories.

PEFS is open source free software available under the BSD license.


Gleb Kurtsou

Gleb Kurtsou started to work on PEFS in 2009 while participating in the Google Summer of Code. Gleb continues to develop the project mostly by his own with support by other open source community enthusiasts. He is a FreeBSD src committer, and specializes in data security, storage systems, and high performance networking.

When not coding, Gleb enjoys playing bass and exploring California nature with his Samoyed dog Redwood.

How to

Installation instructions

PEFS can be installed from official FreeBSD package repository, ports or by building from sources.

# pkg install pefs-kmod
# cd ports/sysutils/pefs-kmod
# make install
# git clone git:// pefs
# cd pefs
# make obj all
# make install
# make clean

Create encrypted directory

Start by creating new directory and populating it with key chain database (.pefs.db) containing your password protected key. Note that database file is always created on unencrypted file system. Mount PEFS, in this example we are using the same directory ~/Private as both source and target mount point. As a final step, add key to the file system. -c option is there to verify password in database.

% mkdir ~/Private
% pefs addchain -fZ ~/Private
Enter parent key passphrase:
Reenter parent key passphrase:
% pefs mount ~/Private ~/Private
% pefs addkey -c ~/Private
Enter passphrase:


Links to external publications about PEFS:





Lets stay in touch to keep on improving PEFS together! Your comments, questions, and new feature suggestions are highly appreciated.

Email us:

Be a part of the PEFS community: submit a fix through GitHub pull request option or report an issue.

Follow us on social networks: Youtube, Twitter, Facebook, Google+

Read latest news on the project development, secure data storage, and cryptography in PEFS blog.

We are always open to collaboration with other people and organizations