Secure Storage

  One of the areas of least development in OpenBSD has been that of secure storage. While a number of utilities (e.g., vi(1), ed(1), bdes(1), etc.) directly support encryption services, our goal is to provide this service as transparently as possible to users. Ideally, we would like a layer either over or under the current native filesystem that would provide safe storage services.

As an interim solution, CFS [5] is included in the OpenBSD ports system and can be readily used. However, it does not provide the level of transparency we would like, and its performance is well below what we consider acceptable for general use. Clearly, more work is needed in this area.

Another issue related to secure storage is that of secure logging. Logs (and especially security-related logs) are extremely important in determining whether a system is under attack or has been compromised. The current logging facility, syslog, does not provide any facilities for detecting log-tampering, other than the option to send log messages to another host's syslogd. We are currently porting the ssyslog package [37] and are hoping to seamlessly replace the currently-used syslogd.

The remainder of this section briefly covers our bcrypt, approach to protecting user passwords, developed inside OpenBSD.