Man Linux: Main Page and Category List


       cmkdir - create encrypted directory for CFS


       cmkdir [ -123bdmosp ] directory


       cmkdir  creates  directory and assigns to it cryptographic keys for use
       by the Cryptographic File System (CFS).  Operation is  similar  to  the
       ordinary  mkdir(1) command, with the addition that the user is prompted
       for a passphrase which is used to generate the DES keys used by cfsd(8)
       to  transparently  encrypt  the files.  The smartcard version of cmkdir
       initializes a key smartcard and requires  that  a  blank  smartcard  be
       inserted into the smartcard reader.

       Once  created, encrypted directories can be made available for use with
       the cattach(1) command.  Users should not  ordinarily  read  and  write
       directly  to  directories  created with cmkdir, since these files would
       not be stored in encrypted form.

       By default, cmkdir creates directories for two-key hybrid  mode  triple
       DES.   The  -1 option specifies two-key hybrid mode single DES; this is
       faster, albiet at the expense of security.   Three-key  triple  DES  is
       specified  with -3; directories created for three-key triple DES cannot
       be read by versions of CFS earlier than 1.3.2.  Other cipher algorithms
       may also be available, depending on the local configuration.

       Use the -o option to create directories that can be read by versions of
       CFS before 1.3; directories created under this option can  be  read  by
       cname and ccat as well.

       The  -p  ("puny")  option creates directories that use much less memory
       when attached under cfsd.  This is useful on machines with very  little
       (less  than,  say,  8MBs with a window system and browser also running)
       memory.  Files in directories created under -p may reveal slightly more
       about their structure than regular CFS files.

       The  --  option  will  read  the  key from standard input, and will not
       attempt to read from /dev/tty or change the terminal  modes.   This  is
       useful  for  creating  directories  from other programs or scripts, and
       should not ordinarily be used.

       Three new experimental  block  ciphers  are  included  in  the  default
       distribution.   The  -b  oprion specifies Schneier’s popular "Blowfish"
       algorithm.  It has a 128 bit nominal keyspace and  is  rather  fast  on
       most computers.  Blowfish is a fairly new algorithm and has not enjoyed
       nearly the analytic attention that DES has, so it  is  not  recommended
       for   critical   applications.   The  -m  option  specifies  Blaze  and
       Schneier’s experimental "MacGuffin" cipher.  It has 32 rounds, a 64 bit
       codebook  size and a 128 bit nominal keyspace.  Use this cipher at your
       own risk; it is much weaker than its keyspace suggests, and is included
       only as an example.

       Another  new  cipher,  James Massey’s SAFER-SK128, is also available in
       this release.  Specify SAFER-SK128 with the  -s  option.   Again,  this
       cipher  hasn’t been around nearly as long as DES, so use it at your own
       risk.  SAFER is a little faster than triple DES.


              known-plaintext hash of the assigned keys.

              identifies the cipher algorithm.


       cfsd(8), cattach(1)


       The MacGuffin, Blowfish and SAFER ciphers aren’t nearly as well-studied
       as DES.  They are included primarly as an example of how to add ciphers
       to CFS.  The author’s personal  files  remain  protected  with  the  -2

       Some  of  the  options  (-2,  -3) have different meanings from previous


       Matt Blaze; for information on cfs, email to