A Vnode Level Stackable Encrypted File System
The source files in this directory add support for `address_space` operations instead of `vm_ops` operations, and 128-bit AES-CTR encryption of data written to files, in the WrapFS file system. Please download the appropriate Wrapfs source files for your use from http://wrapfs.filesystems.org/

The attached code has been written for Linux kernel stable version 3.2.62.
###Source Files
The files listed below are modified versions of the original wrapfs files:

- `wrapfs/wrapfs.h` - Added extra fields in the `wrapfs_sb_info` struct to hold the mount options and the 128-bit key for encryption. Created a structure which holds the mount options. Added the `wrapfs_parse_options` function, which parses the mount options. Added an extra file_operations structure. I also defined the `calculate_md5()` and `encrypt_decrypt()` functions over here to include
- `wrapfs/file.c` - Added a new file operations structure. Modified `->read, ->write, ->unlocked_ioctl` to handle encryption-decryption and address space operations by changing the calls to `vfs_read()` and `vfs_write()` to `do_sync_read()` and `do_sync_write()` respectively. Modified the `->mmap` operation to assign `address_operations` according to the mount options provided.
- `wrapfs/lookup.c` - Modified the `wrapfs_iget()` function to make it point to the necessary `file_operations` and `address_operations` according to the mount options specified.
- `wrapfs/main.c` - Modified the `wrapfs_read_super()` function to store and initialize the mount options and key in the `wrapfs_sb_info` structure. Modified the `wrapfs_mount()` function to parse the mount options. The parsing function recognizes the options `mmap` and `debug`. The `debug` mount option is not fully implemented, but the parser is able to parse it from the mount command. I did not remove this code as it does not affect other parts.
- `wrapfs/mmap.c` - Added a new `address_operations` structure and instantiated a dummy `address_operations` structure to point to according to the mount options. I have taken some code from the `ecryptfs` sources. I have used `->readpage, ->write_begin, ->bmap, ->write_end and ->writepage` from `ecryptfs`. The appropriate function calls have also been made within the `->readpage, ->writepage and ->write_end` functions for encrypting and decrypting the data during reading and writing. Further implementation of encryption and decryption is in the `crypto.c` file.
- `wrapfs/super.c` - Added `wrapfs_parse_options` to parse mount options. The structures needed for parsing are also added in this file.
- `wrapfs/Makefile` - I have edited the `Makefile` to take one more flag for conditional compilation. I have also added commands to compile and clean the user programs accordingly.
- `crypto.c` - This is a newly added file which handles the encryption part. It implements two functions: `calculate_md5()` to calculate the MD5 hash of the key, and `encrypt_decrypt()` to encrypt or decrypt the data passed into it depending on the corresponding option passed. Pass 1 for encryption and 0 for decryption.

The kernel sources can be downloaded from http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.2.2.tar.bz2

Once downloaded, copy the contents of the wrapfs folder to `fs/wrapfs/` in the kernel sources, or put your own patch from http://wrapfs.filesystems.org/

###Steps to be followed for compiling and executing this project
There are three ways to use this implementation of the file system:

1. Run a minimalist original Wrapfs implementation without any address space operations.
2. Run Wrapfs with address space operations.
3. Run Wrapfs with AES-CTR encryption using address space operations.

Compiling

- `cd /path/to/wrapfs`
- `make` or `make all` if you want to use Wrapfs with option 1 or 2, i.e. without encryption.
- `make CRYPTO+=-DWRAPFS_CRYPTO` to use Wrapfs with encryption, which is enabled by the `WRAPFS_CRYPTO` flag.

Insert module

Execute `insmod wrapfs.ko` to load the compiled module `wrapfs.ko`.

Mounting

- To use Wrapfs with option 1: `mount -t wrapfs /mnt/lower /mnt/wrapfs`
- To use Wrapfs with option 2 or 3: `mount -t wrapfs -o mmap /mnt/lower /mnt/wrapfs`. The `mmap` option specifies the use of address space operations.

Use encryption

If you are using encryption, you need to pass a `passphrase` to set the `encryption key`. Do that as follows:

- `./wrapfs_setkey -k passphrasevalue /mnt/wrapfs` to set the key, and subsequently write to or read from the filesystem.
- `./wrapfs_setkey -k 0 /mnt/wrapfs`: passing a string of one or more zeroes as the passphrase will revoke the key.

Unmounting

`umount /mnt/wrapfs` to dismount the filesystem.

Removing module

`rmmod wrapfs` to remove the loadable kernel module from memory.
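
A check to run after the steps above, given here as an added example that is not part of the original project: it writes a canary file through the encrypted mount and confirms that the copy stored in the lower directory does not contain it in the clear. The canary string, the file name and the function names are assumptions; the paths and the `wrapfs_setkey` invocations are the ones shown above.

```shell
#!/bin/sh
# Added example, not part of the project. LOWER/UPPER and the wrapfs_setkey
# calls come from this README; MARKER and the file name are constructed.
LOWER=/mnt/lower
UPPER=/mnt/wrapfs
MARKER="wrapfs-plaintext-canary-0123456789"

# Return 0 if the marker string appears verbatim in the file.
# -a: scan binary data (ciphertext) as text; -F: no regex interpretation.
contains_marker() {
    grep -a -F -q -- "$1" "$2"
}

# Mount with encryption, write a canary through the mount, then inspect the
# copy that wrapfs stored in the lower directory.
# Returns 0 = lower copy hides the canary, 1 = check failed, 2 = setup error.
check_encrypted_mount() {
    passphrase=$1
    name="canary.$$"
    mount -t wrapfs -o mmap "$LOWER" "$UPPER" || return 2
    if ! ./wrapfs_setkey -k "$passphrase" "$UPPER"; then
        umount "$UPPER"
        return 2
    fi
    printf '%s\n' "$MARKER" > "$UPPER/$name"
    sync    # flush dirty pages so ->writepage has written the lower file
    rc=0
    # Through the mount the data must read back unchanged.
    if ! contains_marker "$MARKER" "$UPPER/$name"; then
        echo "FAIL: canary not readable through $UPPER" >&2
        rc=1
    fi
    # In the lower directory the same file must not expose the canary.
    if contains_marker "$MARKER" "$LOWER/$name"; then
        echo "FAIL: plaintext visible in $LOWER/$name" >&2
        rc=1
    fi
    rm -f "$UPPER/$name"
    ./wrapfs_setkey -k 0 "$UPPER"    # revoke the key (all-zero passphrase)
    umount "$UPPER"
    return $rc
}

# Runs only on request: needs root and wrapfs.ko built with WRAPFS_CRYPTO.
if [ "${1:-}" = "run" ]; then
    check_encrypted_mount "${2:?usage: $0 run <passphrase>}"
fi
```

Run it as root from the directory that contains `wrapfs_setkey`, with `run` and a passphrase as arguments, after `insmod wrapfs.ko`.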
###Performance Evaluation
Passed all evaluations from filebench, by FSL, Stony Brook University: http://filebench.sourceforge.net

The performance numbers can be checked here: https://docs.google.com/document/d/1Lxo-JuuGSUeWKJtaE_1KToh6VwqBv0HENnt90rmF-vM/edit?usp=sharing

###References
- I have referred to code from the `ecryptfs` and old `unionfs` source codes for the implementation of address space operations.
- I have referred to `->readpage, ->write_begin, ->write_end` from `ecryptfs` and `->writepage` from unionfs.

####Help
In case you feel that my code is not clear enough, or you have some doubts regarding the implementation etc., feel free to contact me at [email protected] :)