EFS: Encrypted File system
An Introduction & Final Project
CSE785: Computer Security
EFS: What? Why?
Mounting file system
Minix System Call
Some design & implementation ideas
My help session topics
EFS: what is it?
Encrypted File System (EFS) provides the core
file encryption technology used to store
encrypted files on the File System.
The corporate world is very competitive, so any code or
system specifications often need to be
We have to share data among many users or
groups; this is the potential computer security risk
from a user's perspective.
Password Security – Does nothing to prevent a disk
from being mounted on a different system and
its contents being read.
EFS: why do we need it?
Security—First and Foremost
Secures Data from being accessed by any malicious user
Ensure that private data is not accessed by other users
(who may not be malicious).
Reliability – An integral component
Only responsible people are provided access to
Many users can use the same system and can still work
Disk encryption reduces the risk of data exposure
in a specific, if uncommon, scenario.
To avoid system risks such as:
The computer is physically stolen.
Someone inside the company is trying to compromise
The system is cracked while attached to a network or
by some malicious software.
The primary benefit of an encrypted disk system
is defense against device theft, making your
system more secure. The risks, though, are only
partially mitigated.
EFS: a definition from whatis.com
The Encrypting File System (EFS) is a feature of the
Windows 2000 operating system that lets any file or folder
be stored in encrypted form and decrypted only by an
individual user and an authorized recovery agent. EFS is
especially useful for mobile computer users, whose
computers (and files) are subject to physical theft, and for
storing highly sensitive data. EFS simply makes encryption
an attribute of any file or folder. To store and retrieve a file
or folder, a user must request a key from a program that is
built into Windows 2000.
Although an encrypting file system has existed in or been
an add-on to other operating systems, its inclusion in
Windows 2000 is expected to bring the idea to a larger
StegFS: A Steganographic File System for Linux,
University of Cambridge.
CFS: Cryptographic File System, Temple
SFS: Secure File system, University of Minnesota
TCFS: Transparent Cryptographic File System,
University of Salerno (Italy).
In this project, we would like you to
Design a scheme to add security features
to the existing file system and
Devise ways to encrypt / decrypt files
using the encryption algorithms
Two types of Encryption/Decryption Schemes
Symmetric Key (Secret-key) Scheme
DES: Data Encryption Standard
AES: Advanced Encryption Standard
Asymmetric Key (public-key) Scheme
RSA: reinvented by Rivest, Shamir, and
ECC: Elliptic Curve Cryptography
Symmetric Key Algorithms
A symmetric-key algorithm is an
algorithm for cryptography that uses the
same cryptographic key to encrypt and
decrypt the message. (Actually, it is
sufficient for it to be easy to compute the
decryption key from the encryption key
and vice versa.)
Other terms for symmetric-key encryption
are single-key and private-key
Advanced Encryption Standard, a symmetric 128-
bit block data encryption technique developed by
Belgian cryptographers Joan Daemen and Vincent
AES works at multiple network layers simultaneously.
The U.S. government adopted the algorithm as its
encryption technique in October 2000, replacing the DES
encryption it had used.
The National Institute of Standards and Technology
(NIST) of the U.S. Department of Commerce selected
the algorithm, called Rijndael, out of a group of five
algorithms under consideration, including one called
MARS from a large research team at IBM.
Asymmetric Key Algorithms
An encryption method that uses a two-
part key: a public key and a private key.
To send an encrypted message to someone,
you use the recipient's public key, which can
be sent to you via regular e-mail or made
available on any public Web site or venue.
To decrypt the message, the recipient uses the
private key, which he or she keeps secret.
Contrast with "secret key cryptography," which
uses the same key to encrypt and decrypt
Usually we call these public-key algorithms.
Mounting File System
All files accessible in a Unix system are
arranged in one big tree, the file
hierarchy, rooted at /. These files can be
spread out over several devices.
The mount command serves to attach the file
system found on some device to the big file
Conversely, the umount command will detach
System Call Implementation
We expect the implementation at kernel
level, so you should make use of system
For how to implement system calls, please
refer to the materials from help session 3:
system call creation & implementation
We expect you to design and implement a
working encrypted file system for the
Minix operating system, which includes:
Individual users should have their own keys for
encrypting and decrypting files
Key management in the system
Authenticate the user trying to log in to the
General Kernel Architecture.
[Diagram: layered view, top to bottom: User Process (open(), read(), write(), etc.) -> System Call Interface -> Minix FS / Ext2fs -> Disk Controller -> Hardware]
Design and Implementation Ideas
Many of the implementations that we have
seen here have a kernel-level
implementation of the file system.
Certain implementations also have user-level
daemons running that call the kernel-level
programs (e.g. NFS).
I am just describing one system
architecture; each project team has
to come up with their own creative
Example -- General System
[Diagram: on-disk block layout with fields KeyID, Block Size, Encrypted Data (each block has a max size); components shown: User Accessible Memory, Key DB, write(), Key Encryption]
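As an added example (not from these slides or from any of the systems listed above), a user-space Go model of the block layout in the diagram above and of the symmetric-key idea from the earlier slides: a hypothetical KeyDB maps a KeyID to a per-user AES-128 key, the write() path seals each block under that key with AES-GCM (a fresh random nonce per block, with the KeyID and Block Size header authenticated as additional data), and the read() path looks the key up again and refuses any block whose tag does not verify. BlockMax, the header and nonce sizes are assumed values; the real project would do this inside the Minix kernel in C.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// KeyDB is a hypothetical in-memory key store: KeyID -> that user's 16-byte AES key.
type KeyDB map[uint32][]byte

// Block layout as on the slide: KeyID(4) | Block Size(4) | nonce(12) | Encrypted Data.
const BlockMax, hdrLen, nonceLen = 4096, 8, 12 // BlockMax: constructed plaintext cap per block
// gcmFor looks the user's key up by KeyID and returns an AES-GCM instance for it.
func gcmFor(db KeyDB, keyID uint32) (cipher.AEAD, error) {
	key, ok := db[keyID]
	if !ok || len(key) != 16 {
		return nil, errors.New("unknown KeyID") // no key in the DB means no access
	}
	blk, _ := aes.NewCipher(key) // cannot fail: key length checked above
	return cipher.NewGCM(blk)
}

// EncryptBlock models the write() path: seal one block under the key named by keyID.
func EncryptBlock(db KeyDB, keyID uint32, plain []byte) ([]byte, error) {
	gcm, err := gcmFor(db, keyID)
	if err != nil || len(plain) > BlockMax {
		return nil, errors.New("no key for KeyID or block exceeds max size")
	}
	hdr := make([]byte, hdrLen) // header is GCM additional data: tampering with it fails Open
	binary.BigEndian.PutUint32(hdr[0:4], keyID)
	binary.BigEndian.PutUint32(hdr[4:8], uint32(len(plain)))
	nonce := make([]byte, nonceLen) // fresh per write, so equal blocks never share ciphertext
	rand.Read(nonce)                // never returns an error on Go 1.24+ (assumed toolchain)
	return append(append(hdr, nonce...), gcm.Seal(nil, nonce, plain, hdr)...), nil
}

// DecryptBlock models the read() path; a wrong key or any modified byte (header too) fails the tag check.
func DecryptBlock(db KeyDB, block []byte) ([]byte, error) {
	if len(block) < hdrLen+nonceLen {
		return nil, errors.New("short block")
	}
	hdr, nonce, ct := block[:hdrLen], block[hdrLen:hdrLen+nonceLen], block[hdrLen+nonceLen:]
	gcm, err := gcmFor(db, binary.BigEndian.Uint32(hdr[0:4]))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, hdr)
}
```

A user whose KeyID is absent from the KeyDB can neither write nor read a block, and a block re-labelled with another user's KeyID fails authentication rather than decrypting to garbage.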
Design Issues: areas to look at
The file pointer issues.
Buffer overflow problems – how are you going to
deal with these?
Key Management – an area worth thinking about:
how you will manage your keys.
What effect do processes like read and write
have on the files?
How are you going to define your system policy?
Problems related to revocation, change
Refer to some other EFS systems
As mentioned in the related work slide:
StegFS: A Steganographic File System for
Linux, University of Cambridge.
CFS: Cryptographic File System, Temple
SFS: Secure File system, University of
Minnesota and StorageTek.
TCFS: Transparent Cryptographic File System,
University of Salerno (Italy).
Sample EFS demo sites
You can run them and see how EFS works; I
am listing some sample sites:
My help session topics
Tentatively, I have the following schedule
for the help sessions before the project is due:
Location: Star Lab in CST 1-120
Time: The following afternoons 1:00~4:00pm
04/14: AES algorithms
04/21: Mounting your file system
04/28: File system management
05/05: Last minute rush
* May change according to your feedback
Thank you & Good luck!