cmkdir - create encrypted directory for CFS
cmkdir [ -123bdmosp ] directory
cmkdir creates directory and assigns to it cryptographic keys for use
by the Cryptographic File System (CFS). Operation is similar to the
ordinary mkdir(1) command, with the addition that the user is prompted
for a passphrase which is used to generate the DES keys used by cfsd(8)
to transparently encrypt the files. The smartcard version of cmkdir
initializes a key smartcard and requires that a blank smartcard be
inserted into the smartcard reader.
Once created, encrypted directories can be made available for use with
the cattach(1) command. Users should not ordinarily read and write
directly to directories created with cmkdir, since these files would
not be stored in encrypted form.
By default, cmkdir creates directories for two-key hybrid mode triple
DES. The -1 option specifies two-key hybrid mode single DES; this is
faster, albiet at the expense of security. Three-key triple DES is
specified with -3; directories created for three-key triple DES cannot
be read by versions of CFS earlier than 1.3.2. Other cipher algorithms
may also be available, depending on the local configuration.
Use the -o option to create directories that can be read by versions of
CFS before 1.3; directories created under this option can be read by
cname and ccat as well.
The -p ("puny") option creates directories that use much less memory
when attached under cfsd. This is useful on machines with very little
(less than, say, 8MBs with a window system and browser also running)
memory. Files in directories created under -p may reveal slightly more
about their structure than regular CFS files.
The -- option will read the key from standard input, and will not
attempt to read from /dev/tty or change the terminal modes. This is
useful for creating directories from other programs or scripts, and
should not ordinarily be used.
Three new experimental block ciphers are included in the default
distribution. The -b oprion specifies Schneier’s popular "Blowfish"
algorithm. It has a 128 bit nominal keyspace and is rather fast on
most computers. Blowfish is a fairly new algorithm and has not enjoyed
nearly the analytic attention that DES has, so it is not recommended
for critical applications. The -m option specifies Blaze and
Schneier’s experimental "MacGuffin" cipher. It has 32 rounds, a 64 bit
codebook size and a 128 bit nominal keyspace. Use this cipher at your
own risk; it is much weaker than its keyspace suggests, and is included
only as an example.
Another new cipher, James Massey’s SAFER-SK128, is also available in
this release. Specify SAFER-SK128 with the -s option. Again, this
cipher hasn’t been around nearly as long as DES, so use it at your own
risk. SAFER is a little faster than triple DES.
known-plaintext hash of the assigned keys.
identifies the cipher algorithm.
The MacGuffin, Blowfish and SAFER ciphers aren’t nearly as well-studied
as DES. They are included primarly as an example of how to add ciphers
to CFS. The author’s personal files remain protected with the -2
Some of the options (-2, -3) have different meanings from previous
Matt Blaze; for information on cfs, email to email@example.com.