NAME
cattach - attach encrypted directory to CFS
SYNOPSIS
cattach [ -l ] [ -- ] [ -t minutes ] [ -i minutes ] directory name
DESCRIPTION
cattach associates the encrypted directory (previously created with
cmkdir(1)) with the specified name. cattach prompts for a passphrase,
which is used to generate cryptographic keys sent to the cfs daemon
cfsd(8) and used to transparently encrypt and decrypt the files as
needed. If the correct passphrase is given (as verified by a known-
plaintext hash file in the encrypted directory), the user may
thereafter access the cleartext of the files in a virtual directory
called name under the CFS mount point (usually /crypt). Otherwise, no
virtual directory is created. The underlying directory may be
specified either as an absolute path or relative to the current
directory.
If no name is specified, the last path component of directory is used
as a default.
If the -l ("lower security mode") option is given, newly created
identical files will encrypt to identical ciphertexts. Otherwise, the
creation time plus the original inode number of the encrypted file is
used to perturb each file, frustrating certain cryptanalytic attacks.
Under highly concurrent operation with multiple instances of the same
encrypted directory, however, lower security mode may be required to
avoid some race conditions. This mode also makes recovery (from
backups) of individual encrypted files a bit simpler.
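
The effect of -l can be seen with a small model. The following Python sketch is an added example, not code from CFS: it uses HMAC-SHA256 in counter mode as a stand-in cipher and a SHA-256 hash as a stand-in key derivation (both assumptions, as are all function names and the sample files), and shows what an observer of the ciphertext directory learns in each mode.

```python
import hashlib
import hmac
import struct

def keystream(key: bytes, perturb: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in cipher, not the one CFS uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = perturb + struct.pack(">Q", counter)
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def perturbation(ctime: int, inode: int) -> bytes:
    """Per-file value built from creation time plus original inode number."""
    return struct.pack(">QQ", ctime, inode)

def encrypt(key: bytes, data: bytes, perturb: bytes = b"") -> bytes:
    """perturb=b"" models -l: the output depends only on key and contents."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, perturb, len(data))))

decrypt = encrypt  # XOR with the same keystream is its own inverse

def duplicate_groups(ciphertexts: dict) -> list:
    """Groups of file names whose ciphertexts are byte-for-byte identical."""
    seen = {}
    for name, blob in ciphertexts.items():
        seen.setdefault(hashlib.sha256(blob).hexdigest(), []).append(name)
    return sorted(sorted(g) for g in seen.values() if len(g) > 1)

# Constructed sample data: (contents, creation time, inode number).
# KEY is a constructed value; this is not how CFS derives keys.
KEY = hashlib.sha256(b"constructed passphrase").digest()
FILES = {
    "a": (b"salary: 100000\n", 1700000000, 4101),
    "b": (b"salary: 100000\n", 1700000000, 4102),
    "c": (b"salary: 250000\n", 1700000050, 4103),
}

def encrypt_tree(low_security: bool) -> dict:
    """Encrypt every sample file, with or without the per-file perturbation."""
    return {name: encrypt(KEY, data,
                          b"" if low_security else perturbation(ctime, ino))
            for name, (data, ctime, ino) in FILES.items()}

if __name__ == "__main__":
    print("-l     :", duplicate_groups(encrypt_tree(True)))
    print("default:", duplicate_groups(encrypt_tree(False)))
```

Files a and b share both contents and creation time, so in the default mode only the inode number keeps their ciphertexts apart.
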
Note that attached virtual directories may be used only by users whose
UID is the same as the issuer of the cattach command.
Ordinarily, the names of all currently attached directories can be
obtained by listing the contents of /crypt (e.g., with ls(1)). If the
specified name begins with a ’.’ (dot), however, cfsd will not include
the name in directory listings. By using a hard-to-guess name, this
mechanism can be used to provide some protection against attackers who
can spoof the UID on the client machine. See the ssh(1) command for an
example of this usage.
The -t option causes the attach to automatically go away after the
specified number of minutes. The -i option deletes the attach after a
specified number of minutes of inactivity. Note that these options, if
used, should be chosen with some care; too short timeouts may actually
increase the risk of compromise of frequently re-typed passphrases.
cattach will normally attempt to read the passphrase from the tty
device (/dev/tty) and will not echo. The -- option forces cattach to
read from stdin.
Virtual directories should be removed with the cdetach(1) command when
no longer in use.
EXAMPLES
cattach /u/mab/secrets mab
    associates encrypted directory "/u/mab/secrets" with the
    cleartext name "mab". Creates virtual directory "/crypt/mab".

cattach /u/mab/secrets .123xyzzy
    associates encrypted directory "/u/mab/secrets" with the
    cleartext name ".123xyzzy". The cleartext name will not appear
    in a listing of /crypt.

cattach -l secrets mab
    associates the encrypted directory "secrets" in the current
    directory with the cleartext name "mab". Identical files will
    encrypt to the same ciphertext.
FILES
/crypt/*
    currently attached cleartext instances
SEE ALSO
cfsd(8), cdetach(1), cmkdir(1), ssh(1)
BUGS
Really, really slow machines can time out on the RPC before cfsd is
finished processing the attach command, especially when 3-DES is used.
Such machines should probably be considered too slow to be running an
encrypted file system anyway.
You can’t attach an already encrypted directory, lest the single-
threaded cfsd find itself in a deadlock.
There really should be a better security mechanism than the UID to
protect against spoofing currently attached directories. The .name
hack is an ugly kludge. In particular, it would be better to limit
access to the process group of the user who issued the cattach command.
Unfortunately, that information is not passed to cfsd.
The timeout isn’t perfect, and may occur a minute or two later than
expected.
AUTHOR
Matt Blaze; for information on cfs, email to cfs@research.att.com.