[OpenAFS-devel] Re: [GSoC 2010] Encrypted storage

Andrew Deason adeason@sinenomine.net
Wed, 24 Mar 2010 14:59:36 -0500


On Thu, 25 Mar 2010 00:54:47 +0530
Sanket Agarwal <sanket@sanketagarwal.com> wrote:

>    - As we're looking for a fresh implementation [rather
>    protocol/algorithm] for encryption various choices [encryption] can
>    be provided to the user. It should be mapped to a configurable
>    parameter/switch. OpenSSL would be the way to go!

Simon or someone else can feel free to correct me... but you need to be
doing this in the kernel[0], which rules out OpenSSL (as I understand
it). The only feasible options I remember being discussed were Heimdal's
hcrypto or something in-tree like Marcus' k5ssl.

Although neither of those things is currently in the OpenAFS build
system for you to use, if you start looking at those APIs, it's going to
look a lot more similar to the real thing than if you're looking at
OpenSSL.

[0] It is technically possible to do the encryption in user-space, if
you call out to a userspace binary like we do for afsdb lookups. In the
long run, that approach becomes infeasible... but in the short term for
GSoC I wonder if that's good enough? If you went that way, that part of
the project would need to be re-done later to be in kernelspace, but I
wonder if the rest of the project would still be worthwhile, then.

-- 
Andrew Deason
adeason@sinenomine.net