transparency
minimal user interactio
unmodified appli function

storong key managemnet
p.uggable PKI
gnuPG tPM
linux kernel keyring

performance
bult encryption done inside kernel
caching
flexibility
accomplished through policy

"Encliped by Default" concept
"enterprise encryption needs"

-DM-cyrpt
everything cript, key-> block
-CFS
rpc base, overhead
-EncFS
context sw overhead
password based key
key-> mount granuality

-Reiser4 security plugins
mil grade security
remain within security domains.

eCryptfs design concept
HMAC's
Per file context
openPGP-ish format
bulk encryption in kernel
PAM module
Kernel keystore

dynamic integrity verification
必要なときに必要なだけチェック。でかいファイルを全部チェックするとパフォーマンスつらい。
read errorとしてみえる。

per file
-> backup is good. other solution is not fit to backup

underlying file format
-> patterned after RFC2440(OpenPGP)
header should rewrite when every append and trancate

efficiency
asynchronous kernel cyrpto API
dynamic integrity verification
only encrypting files that need encryption
in-kernel solution

Components
Kernel VFS module
- 8000 line code
- top of arbitary fs
- invokes the key manager via keryring service
key manager
- userspace application
- policy parser/generator
- provides a pluggable PKI API

Interface daemon
invoked by the key manager
- prompt the user (crypt or not, keypahase)

Integration w/ PAM
pam_ecryptfs.so module
-> login passpharase

Trasted Platform Module module(TPM)
hardware managed system key
USB key drive

Window manager integration