Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages

Manual Reference Pages  -  CMKDIR (1)


cmkdir - create encrypted directory for CFS


See Also


cmkdir [ -123bdmosp ] directory


cmkdir creates directory and assigns to it cryptographic keys for use by the Cryptographic File System (CFS). Operation is similar to the ordinary mkdir(1) command, with the addition that the user is prompted for a passphrase which is used to generate the DES keys used by cfsd(8) to transparently encrypt the files. The smartcard version of cmkdir initializes a key smartcard and requires that a blank smartcard be inserted into the smartcard reader.

Once created, encrypted directories can be made available for use with the cattach(1) command. Users should not ordinarily read and write directly to directories created with cmkdir, since these files would not be stored in encrypted form.

By default, cmkdir creates directories for two-key hybrid mode triple DES. The -1 option specifies two-key hybrid mode single DES; this is faster, albiet at the expense of security. Three-key triple DES is specified with -3; directories created for three-key triple DES cannot be read by versions of CFS earlier than 1.3.2. Other cipher algorithms may also be available, depending on the local configuration.

Use the -o option to create directories that can be read by versions of CFS before 1.3; directories created under this option can be read by cname and ccat as well.

The -p ("puny") option creates directories that use much less memory when attached under cfsd. This is useful on machines with very little (less than, say, 8MBs with a window system and browser also running) memory. Files in directories created under -p may reveal slightly more about their structure than regular CFS files.

The -- option will read the key from standard input, and will not attempt to read from /dev/tty or change the terminal modes. This is useful for creating directories from other programs or scripts, and should not ordinarily be used.

Three new experimental block ciphers are included in the default distribution. The -b oprion specifies Schneier’s popular "Blowfish" algorithm. It has a 128 bit nominal keyspace and is rather fast on most computers. Blowfish is a fairly new algorithm and has not enjoyed nearly the analytic attention that DES has, so it is not recommended for critical applications. The -m option specifies Blaze and Schneier’s experimental "MacGuffin" cipher. It has 32 rounds, a 64 bit codebook size and a 128 bit nominal keyspace. Use this cipher at your own risk; it is much weaker than its keyspace suggests, and is included only as an example.

Another new cipher, James Massey’s SAFER-SK128, is also available in this release. Specify SAFER-SK128 with the -s option. Again, this cipher hasn’t been around nearly as long as DES, so use it at your own risk. SAFER is a little faster than triple DES.


  known-plaintext hash of the assigned keys.
  identifies the cipher algorithm.


cfsd(8), cattach(1)


The MacGuffin, Blowfish and SAFER ciphers aren’t nearly as well-studied as DES. They are included primarly as an example of how to add ciphers to CFS. The author’s personal files remain protected with the -2 option.

Some of the options (-2, -3) have different meanings from previous versions.


Matt Blaze; for information on cfs, email to
Search for    or go to Top of page |  Section 1 |  Main Index

--> CMKDIR (1)

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.