CMKDIR(1)		    General Commands Manual		     CMKDIR(1)

       cmkdir - create encrypted directory for CFS

       cmkdir [ -123bdmosp ] directory

       cmkdir creates directory and assigns to it cryptographic keys for use
       by the Cryptographic File System (CFS).  Operation is similar to the
       ordinary mkdir(1) command, with the addition that the user is prompted
       for a passphrase which is used to generate the DES keys used by cfsd(8)
       to transparently encrypt the files.  The smartcard version of cmkdir
       initializes a key smartcard and requires that a blank smartcard be
       inserted into the smartcard reader.

       Once created, encrypted directories can be made available for use with
       the cattach(1) command.  Users should not ordinarily read and write
       directly to directories created with cmkdir, since files written that
       way bypass cfsd and would not be stored in encrypted form.

       By default, cmkdir creates directories for two-key hybrid mode triple
       DES.  The -1 option specifies two-key hybrid mode single DES; this is
       faster, albeit at the expense of security.  Three-key triple DES is
       specified with -3; directories created for three-key triple DES cannot
       be read by versions of CFS earlier than 1.3.2.  Other cipher algorithms
       may also be available, depending on the local configuration.

       Use the -o option to create directories that can be read by versions of
       CFS before 1.3; directories created under this option can be read by
       cname and ccat as well.

       The -p ("puny") option creates directories that use much less memory
       when attached under cfsd.  This is useful on machines with very little
       memory (less than, say, 8 MB with a window system and browser also
       running).  Files in directories created under -p may reveal slightly
       more about their structure than regular CFS files.

       The -- option will read the key from standard input, and will not
       attempt to read from /dev/tty or change the terminal modes.  This is
       useful for creating directories from other programs or scripts, and
       should not ordinarily be used.
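
       A scripted use of the -- option, as an added example that is not part
       of CFS or of the original manual page.  It assumes the invocation form
       "cmkdir -- directory" with the passphrase on standard input;
       cfs_mkdir_from_file is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not part of CFS. cfs_mkdir_from_file is a hypothetical helper.
# Assumption: the invocation is `cmkdir -- <directory>` with the passphrase
# supplied on standard input.

cfs_mkdir_from_file() {
    keyfile=$1
    dir=$2

    if [ -z "$keyfile" ] || [ -z "$dir" ]; then
        echo "usage: cfs_mkdir_from_file <keyfile> <directory>" >&2
        return 2
    fi

    # Do not reuse an existing path: anything already stored there was not
    # written through CFS.
    if [ -e "$dir" ]; then
        echo "refusing: $dir already exists" >&2
        return 1
    fi

    # The passphrase file must be a regular, non-empty file, not a symlink.
    if [ -L "$keyfile" ] || [ ! -f "$keyfile" ] || [ ! -s "$keyfile" ]; then
        echo "refusing: $keyfile is not a non-empty regular file" >&2
        return 1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits;
    # any of them set means other accounts can read or replace the passphrase.
    perms=$(ls -ld -- "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing: $keyfile is accessible to group or others" >&2
        return 1
    fi

    # Redirect the file into stdin so the passphrase never appears in argv
    # or the environment. The subshell keeps the umask change local; 077 is
    # used on the assumption that cmkdir honours umask as mkdir(1) does.
    ( umask 077; cmkdir -- "$dir" < "$keyfile" )
}
```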

       Three new experimental block ciphers are included in the default
       distribution.  The -b option specifies Schneier's popular "Blowfish"
       algorithm.  It has a 128 bit nominal keyspace and is rather fast on
       most computers.  Blowfish is a fairly new algorithm and has not enjoyed
       nearly the analytic attention that DES has, so it is not recommended
       for critical applications.  The -m option specifies Blaze and
       Schneier's experimental "MacGuffin" cipher.  It has 32 rounds, a 64 bit
       codebook size and a 128 bit nominal keyspace.  Use this cipher at your
       own risk; it is much weaker than its keyspace suggests, and is included
       only as an example.

       Another new cipher, James Massey's SAFER-SK128, is also available in
       this release.  Specify SAFER-SK128 with the -s option.  Again, this
       cipher hasn't been around nearly as long as DES, so use it at your own
       risk.  SAFER is a little faster than triple DES.

	      known-plaintext hash of the assigned keys.

	      identifies the cipher algorithm.

       cfsd(8), cattach(1)

       The MacGuffin, Blowfish and SAFER ciphers aren't nearly as well-studied
       as DES.  They are included primarily as an example of how to add
       ciphers to CFS.  The author's personal files remain protected with the
       -2 op-

       Some of the options (-2, -3) have different meanings from previous ver-

       Matt Blaze; for information on cfs, email to


