Gleb Kurtsou has been working this summer working on FreeBSD kernel level cryptographic filesystem pefs as part of the Google Summer of Code. He thinks the project is now mature enough for public review and comments.
I’m using it to encrypt my mailbox for some time already without any issues. For testing I use mostly dbench and fsx tools.
Some of pefs features (comparing to other stacked filesystems):
- Kernel level implementation (no fuse and similar stuff)
- Random per file tweak value used for encryption
- Saves metadata only in encrypted file name (doesn’t change file content)
- Doesn’t change encrypted file size
- Arbitrary number of keys
- Mixing files encrypted with different keys in single directory
- Transparent mode of operation (no encryption, read-only, allows accessing filesystem snapshots easily)
- Key chaining (though user level utility)
- Modern encryption algorithms (AES and Camellia in CTR mode, Salsa20)