Page 1 of 1

create secured partition with AES encryption.

PostPosted: Wed Jun 07, 2017 6:41 am
by adam81

I’d like to create a secured partition to store sensitive files that only certain processes will get access to.
I’ve chosen to use some sort of AES encryption method that uses symmetric key for encoding/decoding my files from that partition -
only eligible processes should read the files and decrypt them properly. other entities who attempt to access this partition, will get the data encrypted.

I also wish to be able to access files in this partition directly from system calls like mmap/read and write without any user space intervention.

is there any way to do so without implementing new file system from scratch ?


Re: create secured partition with AES encryption.

PostPosted: Wed Jun 07, 2017 4:21 pm
by morpheus
There is, and it's exactly what NSDataProtectionClass does - but on a per-file level rather than a per-partition. There's no easy way to do it on a per partition table without implementing a file system. Though if you wanted to do something transparent in kernel mode, you can also implement a mach Pager. But look into NSDataProtection, which is even stronger now with the new APFS enabled.

Re: create secured partition with AES encryption.

PostPosted: Wed Jun 07, 2017 9:18 pm
by adam81
Hi and thanks for the reply.

Regaring the NSDataProtectionClass, I couldn't find the exact type but I guess you probably meant NSFileProtectionType in NSFileManager, which have the option of NSFileProtectionComplete.

This configuration says that the key is given by user passcode, and the file is accessible as long as the device is not locked or not logged in by the user.

However, my goal is to enable certain processes access the file, and not per-user resolution.. and I also need it for MacOS as well where this feature works on *OS only.
If a process could somehow grant file access by suppling the key, which will be inherited in its memory space - obfuscated of course.


Regarding the low level approach of implementing mach pager, perhaps you can suggest me where to start, I saw that the vnode pager is pretty good example but I'm not sure if there's a kpi to insert new pager (like in filesystem case where you have vfs_fsadd).

As an alternative I can patch the already existed vnode pager methods that read and write from file to memory and add the encryption there. do you know what are those functions ?

As a last resort, I will implement my own filesystem, which is a huge overkill for such a small feature :-(