Solaris Loopback Crypto & Compression
01 Apr '09 - 22:17 by benrLinux has always been in love with its loopback trickery for implementing compression and cryptography but a cry has gone out for similar capabilities in Solaris and those requests have been answered. The Solaris Loopback File driver (aka: LOFI) has supported compression for some time now, and as of snv_105 encryption has been added as well.
LOFI Basics
If your unfamiliar with LOFI, lets catch you up. LOFI is used for accessing a file as a block device. The most common use is for loopback mounting ISO images. You simply create a loopback device for the file and then mount the image (CD/DVD's are typically the HighSiera FileSystem: "hsfs" as opposed to the iso9960 filesystem type on Linux):
root@quadra ISO$ lofiadm -d /dev/lofi/1 root@quadra ISO$ root@quadra ISO$ lofiadm Block Device File Options root@quadra ISO$ lofiadm -a dfly-gui-2.2.0_REL.iso /dev/lofi/1 root@quadra ISO$ lofiadm Block Device File Options /dev/lofi/1 /home/benr/ISO/dfly-gui-2.2.0_REL.iso - root@quadra ISO$ mount -F hsfs /dev/lofi/1 /a root@quadra ISO$ cd /a root@quadra a$ ls COPYRIGHT autorun autorun.pif boot.catalog etc kernel.smp root sys var README autorun.bat bin dev etc.hdd mnt rr_moved tmp README.USB autorun.inf boot dflybsd.ico index.html proc sbin usr root@quadra a$ cd / root@quadra /$ umount /a root@quadra /$ lofiadm -d /dev/lofi/1 root@quadra /$ lofiadm Block Device File Options root@quadra /$
Another way to LOFI is to create an empty file, create a loopback device for it and then to treat it like a disk, creating a filesystem on it and such. This has its usefulness but can be kinda boring.
root@quadra ~$ mkfile 100m lumpospace
root@quadra ~$ lofiadm -a /home/benr/lumpospace
/dev/lofi/1
root@quadra ~$ newfs /dev/lofi/1
newfs: construct a new file system /dev/rlofi/1: (y/n)? y
/dev/rlofi/1: 204600 sectors in 341 cylinders of 1 tracks, 600 sectors
99.9MB in 22 cyl groups (16 c/g, 4.69MB/g, 2240 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 9632, 19232, 28832, 38432, 48032, 57632, 67232, 76832, 86432,
115232, 124832, 134432, 144032, 153632, 163232, 172832, 182432, 192032, 201632
root@quadra ~$ mount /dev/lofi/1 /a
root@quadra ~$ df -h /a
Filesystem Size Used Avail Use% Mounted on
/dev/lofi/1 94M 1.1M 84M 2% /a
root@quadra ~$ umount /a
root@quadra ~$ lofiadm -d /dev/lofi/1
LOFI Compression
Compression is slightly non-intuative in that you can compress and existing image but thereafter it is available read only. You can not read/write a compressed image. Images can be compressed by running lofiadm -C gzip somefile, before adding the file as usual. The only (currently) available algorithm is GZip, which can by default is set to gzip6 but can be tweek such as by specifying "gzip-9".
Lets compress the image we created with UFS above for fun. I've added 26MB of binaries to it and it was originally a 100MB file (image).
root@quadra /$ lofiadm -C gzip-9 /home/benr/lumpospace root@quadra /$ ls -lh /home/benr/lumpospace -rw------T 1 root root 9.7M Apr 1 15:15 /home/benr/lumpospace root@quadra /$ lofiadm -a /home/benr/lumpospace /dev/lofi/1 root@quadra /$ lofiadm Block Device File Options /dev/lofi/1 /home/benr/lumpospace Compressed(gzip-9) root@quadra /$ mount /dev/lofi/1 /a mount: I/O error mount: Cannot mount /dev/lofi/1
Notice the mount failed... thats because the image is read-only... try again with the read-only mount option (ro):
root@quadra ~$ mount -o ro /dev/lofi/1 /a root@quadra ~$ cd /a root@quadra a$ ls 7z avahi-publish-service chat cxref dvd+rw-format 7za avahi-resolve checkeq daps dvd+rw-mediainfo ...
So the result of compressing the image is that its now read-only... but the 100MB image with 26MB of data now only consumes 9.7MB of disk.
If you decide you need to add data to a compressed image, you'll need to uncompress it (using 'lofiadm -U compressedfile'), do your thing, then re-compress it.
Truth is, compressed lofi is fairly uninteresting in most cases because ZFS already does a great job with read/write compression. So... moving on to encryption....
LOFI Encryption
Encryption is more interesting. You can use a variety of algorithms including AES (128bit, 192bit, and 256bit), 3DES, and Blowfish, with a variety of key stores.
Lets do a simple example using Blowfish. Notice that if you do not specify a key store it will resort to using passwords:
root@quadra ~$ mkfile 100m secrets
root@quadra ~$ lofiadm -a secrets -c blowfish-cbc
Enter key: goawaynow
Re-enter key: goawaynow <--- Not echo'ed
/dev/lofi/1
root@quadra ~$ lofiadm
Block Device File Options
/dev/lofi/1 /home/benr/secrets Encrypted
root@quadra ~$ newfs /dev/lofi/1
newfs: construct a new file system /dev/rlofi/1: (y/n)? y
/dev/rlofi/1: 204600 sectors in 341 cylinders of 1 tracks, 600 sectors
99.9MB in 22 cyl groups (16 c/g, 4.69MB/g, 2240 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 9632, 19232, 28832, 38432, 48032, 57632, 67232, 76832, 86432,
115232, 124832, 134432, 144032, 153632, 163232, 172832, 182432, 192032, 201632
root@quadra ~$ mount /dev/lofi/1 /a
root@quadra ~$ cp IBM-TakeoverPlan /a
root@quadra ~$ umount /a
root@quadra ~$ lofiadm -d /dev/lofi/1
So we created an empty file for loopback use, added it with Blowfish encryption enabled, and created a UFS filesystem on it. Then we use it like any normal filesystem, unmount it and destroy the LOFI when we're done.
When you decided you need to use it again, you'll preform the exact same steps, however the password you enter will be the same password. This is the strange bit... if you get the password wrong everything will seem to work but the data is unreadable. (this is because the password is your key and the key is wrong, therefore the data won't decrypt):
root@quadra ~$ lofiadm -a secrets -c blowfish-cbc Enter key: thisismykey Re-enter key: thisismykey <--- this is not echo'ed /dev/lofi/1 root@quadra ~$ lofiadm Block Device File Options /dev/lofi/1 /home/benr/secrets Encrypted root@quadra ~$ mount /dev/lofi/1 /a mount: /dev/lofi/1 is not this fstype
When it comes to key stores... you have the option to use an ephemeral (one-time) key (-e), a raw key file (-k keyfile), or a PKCS#11 token (-T).
Lets try using a raw key file. We'll generate it for AES256 using the Solaris Key Management Framekwork's pktool:
root@quadra ~$ pktool genkey keystore=file outkey=lofi.key keytype=aes keylen=256 print=y
Key Value ="b2998f7634863a563e6030085dcf01d4680b4fd90f0de6661824fba215ba9cb9"
root@quadra ~$ mkfile 100m toomanysecrets
root@quadra ~$ lofiadm -a toomanysecrets -c aes-256-cbc -k lofi.key
/dev/lofi/1
root@quadra ~$ lofiadm
Block Device File Options
/dev/lofi/1 /home/benr/toomanysecrets Encrypted
root@quadra ~$ newfs /dev/lofi/1
newfs: construct a new file system /dev/rlofi/1: (y/n)? y
/dev/rlofi/1: 204600 sectors in 341 cylinders of 1 tracks, 600 sectors
99.9MB in 22 cyl groups (16 c/g, 4.69MB/g, 2240 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 9632, 19232, 28832, 38432, 48032, 57632, 67232, 76832, 86432,
115232, 124832, 134432, 144032, 153632, 163232, 172832, 182432, 192032, 201632
root@quadra ~$ mount /dev/lofi/1 /a
While KMF PKCS#11 is supported, all attempts on my part to use it failed... so I'll blog about that some other day when I work it out.
In parting, I'll suggest that anyone serious about crypto and compressed filesystem should check out the OpenSolaris FUSE Project and stay tuned for ZFS Crypto support.
Actually, lzma compression is available as well. Has been in the OpenSolaris distro releases since 2008.05, and was integrated into ON in build 111.
Dave Miner (Email) (URL) - 02 April '09 - 02:45
Good to know, thanks Dave!benr - 02 April '09 - 04:25
Lofi compression is primarily used for the livecd scenario. I developed it to compress filesystem images originally in the BeleniX livecd:[[http://www.belenix.org/?q=compression]]
It was later enhanced and improved during the beginnings of Project Indiana (around April 2005) and finally made it’s way into the official OpenSolaris kernel thanks to Alok Aggarwal.
Moinak Ghosh (Email) (URL) - 02 April '09 - 15:59
Recently mount was made lofi aware so that one can directly mount an image. Thusmount -F hsfs /opensolaris.iso /mnt
or mount -F ufs /mnt
will automatically create the lofi device and mount it.
sanjay nadkarni (Email) - 03 April '09 - 02:49
A minor nit but we don’t actually use the passphrase directly as they key, it is passed through PKCS#5 PBE to generate an encryption key of the correct length first.Darren Moffat (Email) (URL) - 03 April '09 - 18:36
Darren: That’s a given… :) Still curious why PKCS11 is so unhappy though.benr - 05 April '09 - 01:22
This seems to work with the caveat that once the encrypted file is mounted anyone with permissions can treat as just another mounted file system.The only value seems to be when you unmount the encrypted file then the contents are secure.
alan
Alan Pae (Email) (URL) - 21 April '09 - 20:52
The website sells the kinds of game gold, you can buy in here, and you can find the gold is very cheap.buy Sho Online gold (Email) (URL) - 12 May '09 - 08:00
While KMF PKCS#11 is supported, all attempts on my part to use it failed… so I’ll blog about that some other day when I work it out.kamas (Email) (URL) - 08 June '09 - 03:54
This seems to work with the caveat that once the encrypted file is mounted anyone with permissions can treat as just another mounted file system.ffxi gil (Email) (URL) - 08 June '09 - 03:57
[[http://www.saleveling.com]][[http://www.power-leveling-game.com]]
wow power leveling (Email) (URL) - 23 October '09 - 02:17
ey, I just wanted to say I adore this website. I come back almost every day, and I usually get a few laughs out of it. I think I’m starting to annoy my friend, because every few minutes I tell her to come look at this, or woah, you have to see this.christian louboutin shoes (Email) (URL) - 25 December '09 - 11:33
[[http://www.buykamagra.com]] buy kamagra[[http://www.viagracialis.com]] viagra cialis
M65 Jacket (Email) (URL) - 21 January '10 - 02:08
good postabercrombie clothing (Email) (URL) - 22 January '10 - 08:30
Wholesale Nokia n97 wholesale blackberry wholesale blackberry phones wholesale blackberry 9700 wholesale blackberry 9600 wholesale blackberryjavon (Email) (URL) - 25 January '10 - 09:23
Thanks for your sharing things! They’re gorgeous! We’re getting ready to launch our new online Christian Louboutin for smaller busted women, so I can definately appreciate all the hard work you’ve put into expanding your business! I know it’s quite a fete!!! Congratulations! Looking forward to seeing your shoes at more events and websites!christian louboutin (Email) (URL) - 25 January '10 - 12:44
Good post! Thanks for your information!As Seen On TV (Email) (URL) - 27 January '10 - 06:13
Good post! Thanks!eyeglasses online (Email) (URL) - 02 February '10 - 08:47
Nice post here. It does make senses, appreciate for sharing.[[http://www.bestmbtshoes.com]]
bullu (Email) (URL) - 02 February '10 - 08:59
Good post! Thank U![[http://www.best-glasses.com/]]
eyeglasses online (Email) (URL) - 05 February '10 - 01:29
Your article is very useful!ed hardy (Email) (URL) - 06 February '10 - 06:05
thank you for give me the chance to read the post .The GHD beauty products are sure to keep you satisfied for many more years to comeGHD hair straightener (Email) (URL) - 08 February '10 - 07:57
ok,i agree with it .CHI hair straightener will make you more style,you want be the center around the people ,right ?Chi Hair Straightener on sale (Email) (URL) - 08 February '10 - 07:57
beautiful post.UGG BOOTS is also come in a variety of colors, which gives you plenty of options when it comes to matching them to your existing clothes.ugg boots sale (Email) (URL) - 08 February '10 - 07:57
Your article is very useful!Thank you for sharing.Nice post.Tiffany Accessories (Email) (URL) - 08 February '10 - 08:40
Your article is very useful!casual dresses shoes (Email) (URL) - 23 February '10 - 08:18
casual dress shoescasual dress shoes (Email) (URL) - 23 February '10 - 08:42
Ed Hardy Hats were later launched with much fanfare.ed hardy (Email) (URL) - 25 February '10 - 03:31
He too, loved his 2nd wife. She is a very considerate person,always patient and in fact is the merchant’s confidante. Whenever the merchant faced some problems,
he always turned to his 2nd wife and she would always help him out and tide him through difficult times.
runescape gold (Email) (URL) - 02 March '10 - 06:29
People deserve good life and business loans or just collateral loan will make it better. Just because freedom is based on money.JaclynSalinas (Email) (URL) - 11 March '10 - 07:37
Cool blog. now i can remake my blog more better very helpful. thanks.mauna lani rentals (Email) (URL) - 17 March '10 - 02:37
if you want to buy here is some good Websitefor another you can see this any more
jordan shoes (Email) (URL) - 06 April '10 - 02:01
Better means more features.good post,I think so!
ysl boots (Email) (URL) - 07 April '10 - 12:22
abercrombieabercrombie hoodie
abercrombie (Email) (URL) - 19 April '10 - 18:20
The website sells the kinds of game gold, you can buy in here, and you can find the gold is very cheap.[[http://www.nikesshox.com]]
nike sale (Email) (URL) - 22 April '10 - 03:28
I very intersted in the articlecheap mbt shoes (Email) (URL) - 23 April '10 - 03:20
P90x .It really is not expensive if you factor in the costof a gym membership,P90x workout . The cost for P90X is
about three months of a paid gym membership but you get to
keep the program foreverP90x . You can try many of the
online sites, but it will be the same as buying from the
company or a Beachbody Coach. Make sure you are getting
original DVD’s. People are selling copies all over. The
problem is how long will they last, P90x workout ,and you
truly need the exercise and nutrition guide to even follow
the program. You can go to any site or you can go to
[[http://www.p90xmall.com]] and click on products. P90x dvd You can
order directly from the site,P90x dvd.
p90x (Email) (URL) - 05 May '10 - 05:40
Nike air max have utilized the technology of air in it’s sole to give us a more comfortable and supportive cushion to walk on.You may also love nike shox and it is natural to attract most consumers.Waiting for the shoe store to open up so you can get your hands on the first pair of nike shoes what you like. [[http://www.airmax-online.com/]]Online products (Email) (URL) - 06 May '10 - 09:42
company or a Beachbody Coach. Make sure you are getting[[http://www.towatches.com/Discount-Watc..]]
wholesale watch faces (Email) (URL) - 07 May '10 - 06:41
[[http://www.Iaamart.com]] | Use coupon code itj20im to save 20%-50% on all orders. How to use Coupon? Please go to [[http://www.iaamart.com/coupon]]china wholesale usb mp3 player (Email) (URL) - 11 May '10 - 09:57
hi there, thanks for your great post, it help me so much! now i wonder if you linke the mbt shoes from my site: the url is [[http://www.thesuitshoes.com]]mbt shoes (Email) (URL) - 12 May '10 - 06:54
Dell inspiron 9400 Battery [[http://www.adapterlist.com/dell/inspir..]]laptop battery (Email) (URL) - 14 May '10 - 09:35
Apple a1185 Battery [[http://www.globallaptopbattery.co.uk/a..]]laptop batteries (Email) (URL) - 14 May '10 - 09:47
MBT Shoes have special multi-layered soles that are designed to change the way you walk,so you workout your entire body while you wear them. They’re supposed to tone your legs, back and stomach, and improve balance, posture, and varicose veins. If you are engaged in the vogue or you want keep the same pace with the trend. Christian Louboutin could be your best choice. Good sharing !You can buy cheap Nike Air Max shoes from the following website: [[http://www.air-nike-max.com.]]. When you go shopping, with the GHD hair straightener making a simple hairstyle is very important. (ghdhair0515)hair straightener (Email) (URL) - 15 May '10 - 01:40
them bought then th[url=[[http://www.mydiscountjordanshoes.com/a..]]]] air-jordan-xv[/url] e current path of pulling in so many directions.
air jordan xv (Email) (URL) - 15 May '10 - 03:33
if you want to buy here is some good Websitecheck up (Email) (URL) - 17 May '10 - 16:01
nike shoes wholesale,cheap jordan sneakers
nike shoes wholesale (Email) (URL) - 20 May '10 - 08:17
The newest version of air max 90 are available now.Welcome to see our special nike air max 2009 and air max. They are your must-have nike air max 2010|air max 97|cheap air max.95 Air Max Air Max nike
air max (Email) (URL) - 21 May '10 - 06:40
Buy Nike Air Max 90 Shoes just $45-55 USD in[[http://www.iofferitems.com,]], 40-70% Off. Cheap Air Max 90 Shoes, Free Shipping! Buy Air Max 90 Now!nike air max 90 shoes (Email) (URL) - 28 May '10 - 02:22
Buy Nike Air Max 90 Shoes just $45-55 USD in [[http://www.iofferitems.com,]], 40-70% Off. Cheap Air Max 90 Shoes, Free Shipping! Buy Air Max 90 Now!nike air max 90 shoes (Email) (URL) - 28 May '10 - 05:36
Buy Cheap Christian Louboutin Shoes just $150-220 USD in [[http://www.luckyboot.com]] 40-70% Off.Discount Christian Louboutin Shoes, Free Shipping! Buy Christian Louboutin Now!Christian Louboutin Boots (URL) - 01 June '10 - 16:34
[[http://www.airjordanshoescheap.com/]]air jordan shoes (Email) (URL) - 02 June '10 - 02:15
[[http://www.vibramfivefinger.us/]] vibram five fingersvibram five fingers (Email) (URL) - 10 June '10 - 08:49
It’s very nice! I love what you wrote.I think we can make friends.
vibram five fingers (Email) (URL) - 22 June '10 - 08:21
[[http://www.mbtshoeslatest.com]][[http://www.nikeairmaxshoe.com]]
Nike air max shoe (Email) (URL) - 24 June '10 - 07:16
discount Mbt shoes can be found at our web, Mbtsport black and Mbt men’s shoes are good choices.[[http://www.discountmbt.com/]]
[[http://www.discountmbt.com/mbt-womens-..]]
mbt shoes (Email) (URL) - 29 June '10 - 09:18
NFL jerseys new arrival coming and football jerseys are all available,safe and fast delivery,cheap jerseys are in stock.Welcome to purchase [[http://www.mvpjersey.com/]]mvpjersey (Email) (URL) - 29 June '10 - 09:18
wolcome to my websiteugg boots (Email) (URL) - 03 July '10 - 08:40
American classic leather goods brand Coach, the style of which is simple and durable and are popular with most people. Coach Bags has good reputation, which are embraced by the high society and the common people. The original inspiration of designing Coach Handbags is from one softball glove. The first Coach Brand founder, Miles caha watch the softball game and found the special features of its gloves Coach Handbags 2010, which is convenient and durable and then he design Coach bags at once. As a result, it is popular by most consumers. Furthermore, these Cheap Coach Bags are at a competitive price which can easily accept by large people and now there are many Coach Outlet set up among many countries so you can buy it very easily.[[http://www.bag-salon.com]]
coach bags (Email) (URL) - 04 July '10 - 08:11
Do you like the ugg ? Ugg Classic Short Boots are UGG Australia’s original heritage styles. Ugg Classic Tall will keep your feet dry and the ultimate comfortable.[[http://www.ugg-boots-london.com/ugg-cl..]]
Ugg Classic Short (Email) (URL) - 07 July '10 - 01:14
It does make senses, appreciate for sharing. [[http://www.uggbootsroom.com]]uggbootsroom (Email) (URL) - 13 July '10 - 07:51
It is your colourful blog that brings me a lot of konwledge about living. Thank you so much. And wish you better in the future.Supra Skytop (Email) (URL) - 15 July '10 - 09:33
[url=[[http://www.cheapjerseyschina.com]cheap]] nba jerseys[/url][url=[[http://www.jerseyscloset.com]nfl]] jerseys[/url]