ECFS: An Enterprise-Class Cryptographic File System for Linux

Proposed is a secure and efficient approach for designing and implementing an enterprise-class cryptographic file system for Linux ECFS in kernel-space. It uses stackable file system interface to introduce a layer for encrypting files using symmetric keys, and public-key cryptography for user authentication and file sharing, like other existing enterprise-class cryptographic file systems. It differs itself from existing systems by including all public-key cryptographic operations and public-key infrastructure PKI support in kernel-space that protects it from attacks that may take place with a user-space PKI support. It has a narrower domain of trust than existing systems. It uses XTS mode of AES algorithm for file encryption for providing better protection and performance. It also uses kernel-keyring service for improving performance. It stores the cryptographic metadata in file's access control list ACL as extended attributes to ease the task of file sharing. A secure protocol has also been designed and implemented to guard against various possible attacks, when its files are accessed remotely over an untrusted network.

[1]  Erez Zadok,et al.  Proceedings of the General Track: 2003 Usenix Annual Technical Conference Ncryptfs: a Secure and Convenient Cryptographic File System , 2022 .

[2]  Andreas Grünbacher,et al.  POSIX Access Control Lists on Linux , 2003, USENIX Annual Technical Conference, FREENIX Track.

[3]  Erez Zadok,et al.  Extending File Systems Using Stackable Templates , 1999, USENIX Annual Technical Conference, General Track.

[4]  Kent D. Boklan Large Key Sizes and the Security of Password-Based Cryptography , 2009, Int. J. Inf. Secur. Priv..

[5]  Erez Zadok A Stackable File System Interface For Linux , 1999 .

[6]  Kazuhiko Minematsu,et al.  Comments on XTS-AES , 2008 .

[7]  Matt Blaze,et al.  A cryptographic file system for UNIX , 1993, CCS '93.

[8]  Cyril Guyot,et al.  The XTS-AES Disk Encryption Algorithm and the Security of Ciphertext Stealing , 2012, Cryptologia.

[9]  Erez Zadok,et al.  FIST: a language for stackable file systems , 2000, OPSR.

[10]  Giuseppe Cattaneo,et al.  Design and Implementation of a Transparent Cryptographic File System for Unix , 2007 .

[11]  Abdul Rahman Ramli,et al.  A parallel XTS encryption mode of operation , 2009, 2009 IEEE Student Conference on Research and Development (SCOReD).

[12]  Morris J. Dworkin SP 800-38E. Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices , 2010 .

[13]  Rajat Moona,et al.  TransCryptDFS: A secure distributed Encrypting File System , 2010, International Congress on Ultra Modern Telecommunications and Control Systems.