
CFS provides a secure file service using cryptography in which users need not type the same key several times in a single session. CFS provides a transparent Unix file system interface to directory hierarchies that are automatically encrypted with user-supplied keys. Users issue a simple command to “attach” a cryptographic key to a directory. Attached directories are then available to the user with all the usual system calls and tools, but the files are automatically encrypted as they are written and decrypted as they are read. CFS ensures that cleartext file contents and name data are never stored on a disk or transmitted over a network.

CFS presents a virtual file system on the client’s machine, mounted on /crypt, through which users access their encrypted files. The ‘attach’ command creates entries in CFS that associate cryptographic keys with directories elsewhere in the system namespace. Files are stored in encrypted form and with encrypted path names in the associated standard directories, although they appear in clear form under /crypt to the user who issued the attach command. Users control CFS through a small suite of tools that create, attach, detach, and administer encrypted directories.

Each directory is protected by a set of cryptographic keys. These keys can be supplied by user entry via the keyboard or through removable “smart cards” connected to the client computer. When entered from the keyboard, keys take the form of arbitrary-length “passphrases”, which are used to generate the set of internal cryptographic keys used by CFS’s encryption routines. In the smartcard-based system, the keys are copied directly from the card interface to the client computer.

File names are encrypted and encoded in an ASCII representation of their binary encrypted value, padded out to the cipher block size of eight bytes. Encrypted directories can be backed up along with the rest of the file system. The cname program translates back and forth between cleartext names and their encrypted counterparts for a particular key, allowing the appropriate file name to be located from backups if needed. If the system on which CFS is running should become unavailable, encrypted files can be decrypted individually, given a key, using the ccat program. Even if no machine is available on which to run the full CFS system, encrypted file contents will always be recoverable.

The CFS prototype is implemented entirely at user level, communicating with the Unix kernel via the NFS interface. Each client machine runs a special NFS server, cfsd (CFS Daemon), on its localhost interface, that interprets CFS file system requests. At boot time, the system invokes cfsd and issues an NFS mount of its localhost interface on the CFS directory (/crypt) to start CFS.
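The file name handling described above (pad to the eight-byte block size, encrypt, encode as ASCII, and translate back for a given key as cname does), as an added example that is not CFS's own code. The Feistel stand-in cipher, the PBKDF2 key derivation, zero-byte padding, hex encoding and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

BLOCK = 8     # cipher block size in bytes, as stated in the text
ROUNDS = 8    # assumption: round count of the stand-in cipher

def derive_key(passphrase: str) -> bytes:
    # Assumption: PBKDF2 with a fixed salt stands in for CFS's passphrase-to-key step.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"constructed-salt", 10_000)

def _crypt_block(key: bytes, block: bytes, rounds) -> bytes:
    # Stand-in 8-byte Feistel cipher (not the cipher CFS uses); HMAC-SHA256 is the round function.
    left, right = block[:4], block[4:]
    for i in rounds:
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left  # final swap: decryption is the same loop with rounds reversed

def _crypt(key: bytes, data: bytes, rounds) -> bytes:
    # Each 8-byte block is processed independently (a simplification).
    return b"".join(_crypt_block(key, data[i:i + BLOCK], rounds)
                    for i in range(0, len(data), BLOCK))

def encrypt_name(key: bytes, name: str) -> str:
    data = name.encode()
    if not data or b"\0" in data:
        raise ValueError("file name must be non-empty and contain no NUL byte")
    data += b"\0" * (-len(data) % BLOCK)   # pad out to a whole number of blocks
    return _crypt(key, data, range(ROUNDS)).hex()   # ASCII form safe to store as a name

def decrypt_name(key: bytes, encoded: str) -> str:
    raw = bytes.fromhex(encoded)
    if not raw or len(raw) % BLOCK:
        raise ValueError("encoded name is not a whole number of cipher blocks")
    return _crypt(key, raw, range(ROUNDS - 1, -1, -1)).rstrip(b"\0").decode()

if __name__ == "__main__":
    key = derive_key("constructed example passphrase")   # constructed sample input
    stored = encrypt_name(key, "budget-1994.txt")
    print(stored, "->", decrypt_name(key, stored))
```

Because the mapping is deterministic for a given key, the same cleartext name always yields the same stored name, which is what lets a name be located in a backup.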