Creating an SFS Volume
----------------------

Before SFS can use a disk volume, you will need to convert it from a normal
DOS volume into an encrypted SFS one.  The program which does this is mksfs
(Make Secure Filesystem), which is very loosely patterned after the Unix mkfs
utility.  mksfs takes a standard DOS volume (which may be either freshly
formatted or may already contain files) and turns it into an encrypted SFS one.
The encryption process is non-destructive, so you won't lose any information
already on the volume, except for the (fortunately very rare) case of there
being a power cut while the encryption is taking place (this means that power
to the system is removed as the disk is being written to, which would cause
problems under virtually any software).  If the data being encrypted is
extremely valuable or there is a risk of a power cut occurring, you should back
up the volume completely before you encrypt it, but this step should only be
necessary in exceptional circumstances.

If you use mksfs on a fixed disk, it will encrypt an entire disk partition
rather than individual files.  This is necessary because an SFS partition may
contain a DOS filesystem, or an OS/2 one, or a HPFS one, or an NTFS one, or any
one of a dozen other possible filesystems.  However you may only have a single
large partition on your hard drive which is used entirely for DOS, so that to
use SFS you would have to make a complete backup of the contents of the
partition, use the FDISK utility to create two smaller partitions, and then
restore the backed-up data onto one of the new partitions.  You can avoid this
problem by using one of several programs which will nondestructively split an
existing partition into two smaller partitions, one of which you can then use
as an SFS volume[1][2].

If the hardware or software setup you are using is somewhat unusual (for
example you have drives which are compressed with DoubleSpace, Stacker, or JAM,
or you have unusual drive hardware which needs special software like SpeedStor
to manage it), you should read the section "Troubleshooting" below.  In
addition, mksfs may, during normal operation, trigger a number of virus
detectors which monitor access to certain critical disk and memory areas which
software would not normally access.  Finally, mksfs will check to see whether
you are running it under Quarterdeck's DesqView or Microsoft Windows, as you
should in general not run it while DesqView, Windows, or some other
multitasking software is active.  Since mksfs takes an entire disk volume and
encrypts it sector by sector, any other software which tries to simultaneously
access the volume while mksfs is running will come to grief.  If mksfs detects
that it is being run under either DesqView or Windows, it will display a
warning message with an option to quit and re-run it from DOS only.  Only if
there is no chance that any other program will access the disk volume being
encrypted is it safe for you to run mksfs under multitasking software.

The mksfs program is run in the following manner:

  mksfs [-c] [-o] [-t] [-e] [serialnumber=<serial number>] [multiuser]
        [access=<mode>] [timeout=<timeout>] [wipe] [volume=<volume name>]
        [<drive letter>]

Since all arguments are named, you can give them in any order.  The order shown
here is merely an example.  In addition, you can abbreviate all commands, so
that for example you can give the `volume=' command as `volume=', `vol=', or
even just `v='.  The full commands are given in the documentation for
completeness.

The -t and -c options are present to allow integrity checks on the SFS
encryption code and on the operation of mksfs itself, and are covered in more
detail in the sections "Troubleshooting" and "Security Analysis" respectively.

The drive specifies the DOS drive which will be converted into an SFS volume.
For example to create an SFS volume from the disk currently in the A: drive the
command would be:

  mksfs a:

It is recommended that you give each SFS volume a unique name for
identification purposes.  Although you can create unnamed (or anonymous)
volumes, this is not a good idea if you are working with fixed disks which can
contain multiple SFS volumes.  If the volumes are anonymous then you have no
easy way of telling SFS which one you want to work with, apart from using the
mount option with the SFS driver, which is explained in more detail in the
section "Advanced SFS Driver Options" below.  mksfs will check for and warn you
about the creation of anonymous volumes on fixed disks.

You can specify name to give the SFS volume with the `volume=' option.  For
example if the name was "Secure disk volume" then the command would be:

  mksfs "volume=Secure disk volume" d:

Note that the volume name, which in this case contains spaces, has been quoted.
This is necessary because DOS will break the name apart into separate words if
it contains spaces.  If the name is a single word, you don't need to quote it.

You can specify the volume serial number with the `serialnumber=' option.  If
you don't provide a serial number, mksfs will generate one itself.  There is no
real need for you to specify a volume serial number, but the option has been
provided in case you need it.  If you do specify a serial number, it should be
a unique value since SFS uses it to distinguish between different volumes.  If
mksfs is left to choose the serial number itself it will automagically use a
unique value.  The serial number is independent of the volume mount identifier,
which is explained in the section "Advanced SFS Driver Options" below.  This
serial number is not the same as the serial number which some operating systems
may write to a disk for their own use, and is used only by SFS to identify
volumes.

Some (mostly extinct) variants of DOS treat removable disks in a peculiar
manner, so that mksfs cannot determine the exact disk format[3].  If this
happens, it will perform a check on secondary format information stored on the
disk.  If the information checks out, it will report, for example:

  Warning: The disk information reports an unusual disk format, performing
           check on secondary disk information...

           The disk appears to be in 1.2 MB DSHD format

If mksfs still can't be sure of the disk format, it will exit with an error
message.  Otherwise it will ask:

           Are you sure you want to process the disk in this format [y/n]

If the reported disk format is correct then you should enter 'Y' to continue,
or enter 'N' to exit the program.

If you require the ability for multiple users to access the volume, you should
set the `multiuser' option, which records extra information which you can later
edit with the adminsfs program to allow other users access to the volume.  You
can find more information on multiuser SFS volumes in the section "Sharing SFS
Volumes Between Multiple Users" below.

If you use the `multiuser' option mksfs will warn:

  Warning: You have specified that access to the volume for multiple users
           be enabled.  Are you sure you want to do this [y/n]

At this point you can enter 'Y' to continue or 'N' to exit the program.

The SFS driver can automatically unmount volumes if you have not accessed them
for a certain period of time.  This feature is useful if there is a chance that
an interruption may call you away from a system with mounted SFS volumes which
would allow others access to the encrypted data, or you can simply use it as a
general safety precaution to automatically unmount the volumes after a sizeable
period of inactivity.  However, you should take care to allow a large enough
safety margin for the timeout, as having a volume take itself offline five
seconds before you want to save your work to it can be annoying.

The easiest way to set an auto-unmount timeout is to associate a timeout value
with the volume when it is created with mksfs, although you can add this
setting or modify an existing setting at a later point with the chsfs program
(this is explained in more detail in the section "Changing the Characteristics
of an SFS Volume" below).  When the volume is mounted, the setting of the
timeout is automatically taken care of by the SFS software.

You can specify the auto-unmount timeout value in minutes with the `timeout='
option.  For example to create the volume used in the previous example with an
auto-unmount timeout of half an hour, the command would be:

  mksfs "volume=Secure disk volume" timeout=30 d:

The drive on which the volume is being created may be able to handle a
different, faster access mode than the one which is normally used.  SFS
supports a number of these faster access modes, which you can test for using
the `mksfs -c' option which is explained in more detail in the section
"Troubleshooting" below.  If the tests are successful, mksfs will report the
fast access mode which can be used to access the drive.  You can specify this
mode with the `access=' option when you create a new volume, and all accesses
to the volume will then use the alternative, faster method instead of the
default, somewhat slower one.  Alternatively, you can enable the use of the
faster access mode at a later time with the `chsfs newaccess=' command, which
is explained in more detail in the section "Changing the Characteristics of an
SFS Volume" below.

For example if testing the drive with `mksfs -c' reported that an access mode
of `ide' was possible, then the previous volume creation example could be
changed to:

  mksfs "volume=Secure disk volume" access=ide d:

When mounted, all accesses to this volume will be made with the specified
access mode.

If the volume you are encrypting already contains files, the encryption process
will replace the original files with their encrypted equivalents.  However this
may not be enough to safely wipe all traces of the original data.  In order to
provide a more thorough means of overwriting it, you can use the `wipe' option
to force mksfs to perform multiple overwrite passes on the original data.  The
encrypted data will not be destroyed by performing these wipes, they simply
ensure that the original unencrypted data is removed with a high degree of
certainty.

In total, mksfs will use 35 separate overwrite passes which have been selected
to provide the best possible chances of destroying data for various disk
encoding schemes.  The exact details of the overwrite process, and information
on data deletion in general, are given in the section "Deletion of SFS Volumes"
below.  This process, while very thorough, is *extremely slow*.  If you are
running mksfs on large volumes with the `wipe' option enabled, the encryption
with overwrite may take hours to run to completion.  Some hard drives can run
quite hot with continuous access, so you may want to ensure that adequate
ventilation is available before you start an encrypt with overwrite process.
It is recommended that you only use the wipe option if the data you are
encrypting is of a highly sensitive nature.

You don't need to use the wipe option on an unused, freshly-formatted disk
which has never contained any data.

mksfs will now scan all drives in the system to check whether the name and
serial number for the new volume conflict with the names or serial numbers of
any existing SFS volumes.  This disk scan may take a few seconds to run to
completion.  If both the volume name and serial number conflict, this will make
future manipulation of the volume difficult as there is no real way to uniquely
identify it, and mksfs will exit with the error message:

  Error: An SFS volume with the given name and serial number already exists.
         You should either choose a new name or serial number, or not specify a
         serial number at all, in which case mksfs will choose a unique serial
         number for the new volume.

If the volume with the conflicting name or serial number is on removable media,
you can temporarily remove the disk from the drive until mksfs has been run,
but this still leaves the problem of accessing the volume in the future.  A
preferable solution is to either choose a unique volume name or to let mksfs
choose the volume serial number - it will always choose a number which doesn't
conflict with an existing volume's serial number.

If only the volume name clashes, mksfs will warn:

  Warning: An SFS volume with the given name already exists.  Are you sure
           you want to create a new volume with the same name [y/n]

At this point you can enter 'Y' to continue or 'N' to exit the program.

If you try to create an anonymous volume on a fixed disk, mksfs will warn:

  Warning: You have not specified a name for the volume to be created.
           This may make future manipulation of the volume difficult.  Are
           you sure you want to create an anonymous volume [y/n]

At this point you can enter 'Y' to continue or 'N' to exit the program.

If it's really necessary, you can override these safety checks later on by
using chsfs to change the volume's characteristics after it has been created.
Unlike mksfs, chsfs is not particular about what the volume name is set to, as
it makes the (possibly incorrect) assumption that you know what you are doing.
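The conflict checks just described, as an added example in Python (not part of
SFS or mksfs): the real mksfs scans every drive on the machine, whereas here
the existing volumes are a constructed in-memory list.  The case-insensitive
name comparison, and the handling of a user-supplied serial number that clashes
with a differently named volume, are assumptions of this example, since the
text only documents the name-and-serial and name-only cases.

```python
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Volume:
    name: str      # "" for an anonymous volume
    serial: int    # 32-bit SFS volume serial number
    fixed: bool    # True for a fixed-disk volume, False for removable media


def choose_serial(existing):
    """What mksfs does when no serialnumber= is given: pick a non-zero 32-bit
    value that no volume already on the system uses."""
    used = {v.serial for v in existing}
    while True:
        candidate = secrets.randbits(32)
        if candidate and candidate not in used:
            return candidate


def check_new_volume(existing, name, serial=None, fixed=True):
    """Apply the mksfs pre-creation checks to a proposed (name, serial).

    Returns ("error", message), ("warn", message, serial) or ("ok", serial).
    `existing` stands in for the result of mksfs's scan of all drives.
    """
    if serial is None:
        serial = choose_serial(existing)
    # Assumption: names are compared case-insensitively, since mountsfs later
    # matches them without regard to case.
    same_name = [v for v in existing if name and v.name.lower() == name.lower()]
    if any(v.serial == serial for v in same_name):
        # Both identifiers clash with one volume: nothing can tell them apart.
        return ("error", "An SFS volume with the given name and serial number "
                         "already exists.")
    # Assumption (not covered by the text): a hand-picked serial that clashes
    # with a differently named volume is reported like a name clash.
    if any(v.serial == serial for v in existing):
        return ("warn", "An SFS volume with the given serial number already "
                        "exists.", serial)
    if same_name:
        return ("warn", "An SFS volume with the given name already exists.",
                serial)
    if not name and fixed:
        return ("warn", "You have not specified a name for the volume to be "
                        "created.", serial)
    return ("ok", serial)


if __name__ == "__main__":
    # Constructed picture of a machine with one fixed-disk and one floppy volume.
    scan = [Volume("Accounting", 0x1234ABCD, True),
            Volume("Data backup", 0x0000BEEF, False)]
    print(check_new_volume(scan, "Accounting", 0x1234ABCD))
    print(check_new_volume(scan, "Secure disk volume"))
```

Letting mksfs pick the serial is the robust path: choose_serial draws from 2^32
values and rejects any already in use, so two volumes can only become
indistinguishable if both the name and the serial are forced by hand.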

Once the preliminary processing has been done, mksfs will, in the case of a
fixed disk, scan it for the volume which is to be encrypted.  Along the way it
will perform various checks on the volume to make sure that it is accessible, is
a standard DOS volume, is not marked as being bootable (booting off an
encrypted volume is somewhat difficult), is not the one currently in use, and
can be encrypted.  Note that the bootability check may not be completely
foolproof, as some disk managers[4] perform strange tricks with bootable
volumes to handle multiple operating systems on the same disk.

mksfs performs an additional check if the volume specified for encryption is
the C: drive, which is usually the primary DOS drive and which you should under
normal circumstances never encrypt.  If you do try to encrypt the C: drive,
mksfs will prompt:

  Warning: You have chosen to encrypt the C: drive which is usually the
           primary DOS drive and shouldn't be encrypted.  Are you sure you
           want to do this [y/n]

At this point you can enter 'Y' to continue or 'N' to exit the program.

If the various checks succeed, mksfs will display an informational message
giving details on the volume to be created.  An example of the information
displayed for a fixed drive might be:

  Volume `Encrypted disk' will be created on fixed drive D:
  This drive has a capacity of 75.2 MB and is labelled `Accounting'
  Are you sure you want to encrypt this volume [y/n]

If the indicated volume really is the one you want to convert, enter 'Y' to
proceed with the creation of the SFS volume, or 'N' to abort the operation.

It is vitally important that you check the information printed by mksfs before
you give a `yes' response.  Due to the vast array of unusual disk systems,
networked drives, compressed disks, device drivers, and other strangeness, it
could be that mksfs and DOS disagree on which volume is to be encrypted.  In
addition it is very easy to specify the wrong drive accidentally when running
mksfs.  For this reason it is a good idea to stop for a second and make
absolutely certain that the volume mksfs is about to encrypt is the one you
actually want encrypted.  Treat mksfs the same way you would treat the DOS
`format' command.

For a floppy drive the information is slightly different:

  Volume `Secure backup' will be created on the 1.44MB disk in drive B:

No yes/no prompt is given for removable disks since they contain far less
information than fixed disk volumes, and will typically be freshly-formatted,
blank diskettes.  This allows you to quickly encrypt quantities of diskettes
without having to answer the same question for each disk.  If necessary you can
abort the encryption operation at the password-entry stage.

mksfs will now check the volume to be encrypted for bad sectors.  Most newer
fixed disks will automatically map out bad sectors (if there are any) and use
sectors from spare space on the disk instead (all this is invisible to the
system software and is done internally by the drive itself).  However older
drives may still explicitly report bad sectors.  The presence of bad sectors on
a disk may also indicate a virus infection, or may be used by certain kinds of
(hopefully extinct) copy-protection schemes.  If mksfs finds any of these, it
will print an advisory message:

  Warning: This disk contains bad sectors which won't be encrypted by SFS.

If the disk you are encrypting is a floppy disk, mksfs will print a message
recommending that you use another disk instead.  If the data is valuable enough
to need encryption, then you should really store it on another, error-free disk
rather than risking losing it due to a defective floppy disk:

  Warning: This disk contains bad sectors.  Use of damaged disks is not
           recommended as recovery of encrypted data could be difficult if
           further bad sectors develop.  Are you sure you want to encrypt
           this disk [y/n]

At this point you can enter 'Y' to continue or 'N' to exit the program.  SFS
will encrypt the disk, but will skip any sectors marked as being defective.  A
similar message will be printed if any bad sectors are found during the
encryption process.  Note that if further bad sectors develop on the floppy
disk, recovery of the data stored in the bad sectors will be difficult.  It is
strongly recommended that you only use error-free floppy disks with SFS[5].

Once the disk checks have been completed, mksfs will ask you for a password to
use when encrypting the volume.  The password can range in length from 10 to
100 characters, and should be made up of a complete phrase or sentence rather
than just a single word (mksfs will complain if it thinks the password is of an
insecure form and request that you use a different one).  You can find more
details on choosing a password in the section "The Care and Feeding of
Passwords" below.

When asking for the password, mksfs will prompt:

  Please enter password (10...100 characters), [ESC] to quit:

You should now enter the password, which for security reasons is not echoed to
the screen.  You can correct any typing errors with the backspace key, and use
the Esc key to quit.  The software will check for a password longer than the
maximum of 100 characters or an attempt to backspace past the start of the
password, and beep a warning when either of these conditions occur.

Once you have entered the password, mksfs will again prompt:

  Please reenter password to confirm, [ESC] to quit:

This confirmation is necessary to eliminate any problems with hitting an
incorrect key when you enter the password the first time.  Note that every
single letter, space, and punctuation mark in the password is critical.  Making
a single mistake (getting a letter mixed up, typing a letter in upper case
instead of lower case, or missing a punctuation mark) will completely change
the encryption key.  For this reason, mksfs performs a double-check on the
password to ensure it really is the correct one.
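The password entry and acceptance rules above, as an added Python example (not
mksfs code).  The page gives the 10...100 character limits, the `phrase rather
than single word' requirement, the non-echoing line editor with backspace, Esc
and beep behaviour, and the fact that a one-character change yields a
completely different key.  The distinct-character heuristic and the use of
PBKDF2-HMAC-SHA256 as a stand-in for mksfs's own password-to-key processing are
this example's assumptions, and the keystrokes and salt are constructed.

```python
import hashlib

MIN_LEN, MAX_LEN = 10, 100
ESC, BACKSPACE, ENTER = "\x1b", "\x08", "\r"


def read_passphrase(keys):
    """Simulate the non-echoing prompt.  `keys` is an iterable of keystrokes.
    Returns (passphrase, beeps), or (None, beeps) if Esc was pressed.  A beep
    is counted for a backspace past the start of the password and for every
    character typed beyond MAX_LEN, mirroring the warnings the text describes."""
    buf = []
    beeps = 0
    for k in keys:
        if k == ESC:
            return None, beeps
        if k == ENTER:
            break
        if k == BACKSPACE:
            if buf:
                buf.pop()
            else:
                beeps += 1
            continue
        if len(buf) >= MAX_LEN:
            beeps += 1
            continue
        buf.append(k)
    return "".join(buf), beeps


def check_passphrase(pw):
    """Return None if the password is acceptable, otherwise the objection."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return f"password must be {MIN_LEN}...{MAX_LEN} characters"
    if len(pw.split()) < 2:
        return "use a complete phrase or sentence rather than a single word"
    if len(set(pw)) < 5:   # assumption: repeated-character filler is not a phrase
        return "password is made up of too few different characters"
    return None


def derive_key(pw, salt, iterations=200_000):
    """Stand-in for the processing mksfs applies to the password (the page
    does not name it).  Any change, including letter case, gives an unrelated
    32-byte key, which is why the confirmation prompt exists."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations,
                               dklen=32)


def make_key(first_entry, second_entry, salt):
    """The full mksfs sequence: accept, confirm, derive.  Raises ValueError
    with the reason if the password is refused or the re-entry differs."""
    reason = check_passphrase(first_entry)
    if reason is not None:
        raise ValueError(reason)
    if first_entry != second_entry:
        raise ValueError("passwords do not match")
    return derive_key(first_entry, salt)


if __name__ == "__main__":
    salt = b"constructed-salt"           # constructed; a real tool stores one per volume
    typed = list("correct horse battery staple") + [ENTER]
    first, _ = read_passphrase(typed)
    second, _ = read_passphrase(typed)
    print(make_key(first, second, salt).hex())
```

The confirmation step is the only defence against a typo, because a derived key
carries no hint of how close the entered text was to the intended one.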

Once you have finished entering the password, there is a brief delay while
mksfs performs the complex processing needed to turn it into a key suitable for
the encryption system.  When this has been completed, mksfs will begin
converting the disk.  As it processes the volume, it prints a progress bar
going from 0% complete to 100% complete.  The conversion process will take a
few minutes on most disks, and is somewhat slower than a standard disk
formatting procedure which only writes a very small amount of data to the start
of the disk and scans for bad sectors, whereas mksfs has to read, encrypt, and
write the entire disk volume.
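The conversion itself (sector by sector, skipping sectors reported bad, with
optional overwriting of the plaintext first), as an added Python example that
is not SFS code and does not use SFS's cipher.  The per-sector encryption here
is an HMAC-SHA256 keystream bound to the sector number, chosen only because it
needs no third-party library, and the `wipe_passes' random overwrite stands in
for the 35-pass pattern set that the `wipe' option uses.  The image, key and
bad-sector list are constructed.  It demonstrates the property footnote [5]
relies on: a sector corrupted after conversion takes only its own 512 bytes
with it.

```python
import hashlib
import hmac
import secrets

SECTOR = 512


def _keystream(key, sector_no, length):
    """Keystream unique to (key, sector_no): HMAC-SHA256 in counter mode.
    A stand-in for the real cipher, not what SFS uses."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "little") + block.to_bytes(4, "little")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def crypt_sector(key, sector_no, data):
    """XOR with the sector's keystream; the same call encrypts and decrypts."""
    ks = _keystream(key, sector_no, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def convert_volume(image, key, bad_sectors=frozenset(), wipe_passes=0):
    """Encrypt every sector of the bytearray `image` in place, as mksfs does
    (read, encrypt, write), and return the sector numbers left untouched
    because they are marked bad.

    Sectors are converted independently, so later damage to one sector does
    not spread.  `wipe_passes` overwrites the plaintext with random data that
    many times before the ciphertext is written (a simplification of the
    multi-pass `wipe' option described in "Deletion of SFS Volumes").
    """
    if len(image) % SECTOR:
        raise ValueError("image is not a whole number of sectors")
    skipped = []
    for s in range(len(image) // SECTOR):
        lo, hi = s * SECTOR, (s + 1) * SECTOR
        if s in bad_sectors:
            skipped.append(s)          # "bad sectors ... won't be encrypted"
            continue
        plain = bytes(image[lo:hi])
        for _ in range(wipe_passes):
            image[lo:hi] = secrets.token_bytes(SECTOR)
        image[lo:hi] = crypt_sector(key, s, plain)
    return skipped


def read_sector(image, key, s):
    """What the SFS driver would hand back to DOS for sector `s`."""
    return crypt_sector(key, s, bytes(image[s * SECTOR:(s + 1) * SECTOR]))


def demo():
    """Constructed 8-sector volume with sector 3 marked bad; one byte of
    sector 5 is then flipped to show the damage stays inside that sector."""
    key = hashlib.sha256(b"constructed demo key").digest()
    plain = [bytes([i]) * SECTOR for i in range(8)]      # constructed contents
    image = bytearray(b"".join(plain))
    skipped = convert_volume(image, key, bad_sectors={3}, wipe_passes=2)
    image[5 * SECTOR] ^= 0xFF
    return {
        "skipped": skipped,
        "bad_sector_untouched": bytes(image[3 * SECTOR:4 * SECTOR]) == plain[3],
        "sector0_ok": read_sector(image, key, 0) == plain[0],
        "sector4_ok": read_sector(image, key, 4) == plain[4],
        "sector5_ok": read_sector(image, key, 5) == plain[5],
    }


if __name__ == "__main__":
    print(demo())
```

The keystream stand-in is adequate for a single conversion pass but not for a
live driver: rewriting a sector with the same keystream would expose the XOR of
the old and new contents, which is why disk encryption proper uses a block
cipher in a sector-tweaked mode rather than a reusable keystream.  Note also
that skipped bad sectors still hold whatever plaintext was in them.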

As the conversion progresses, the progress bar will gradually fill up until it
shows that the conversion is complete.  Once this has finished, if the volume
is created on a removable disk, mksfs will print:

  The encrypted volume has been created.  You can now mount it with the
  `mountsfs' command.

  Do you wish to encrypt another disk [y/n]

At this point you can enter 'Y' to continue or 'N' to exit the program.  If you
choose the `yes' response, mksfs will prompt:

  Please insert a new disk in the drive and press a key when ready

and then repeat the disk encryption cycle.

If the volume is created on a fixed disk, DOS will still think the volume it
was created on is a DOS one rather than an encrypted SFS one.  It is strongly
recommended that you reboot your machine at this point to clear any memories of
the old volume from the system, as any attempt by DOS to access the encrypted
volume as a normal DOS volume will cause it to become very confused.  As a
reminder, mksfs will display the message:

  The encrypted volume has been created.  You can now mount it with the
  `mountsfs' command, or mount it at system startup with the option
  `MOUNT=<mount id>' in the CONFIG.SYS entry for the SFS driver.

  You may wish to reboot your machine to update the status of the SFS volume,
  which is now inaccessible from DOS.

The `<mount id>' will be the ID needed to mount the encrypted volume when the
machine is booted.  You can find more details on mounting encrypted volumes
using the mount ID in the section "Advanced SFS Driver Options" below.

Footnote [1]: One program which does this is FIPS, currently at version 1.2 and
              available as fips12.zip from either sunsite.unc.edu in the
              directory /pub/Linux/system/Install, tsx-11.mit.edu in the
              directory /pub/linux/dos_utils, garbo.uwasa.fi and all mirror
              sites in the directory /pc/diskutil, or oak.oakland.edu and all
              mirror sites in the directory simtel/msdos/diskutil.

Footnote [2]: Another partition-reorganizing program is Partition Resizer,
              currently at version 1.10 and available as presz110.zip from
              oak.oakland.edu and all mirror sites in the directory
              simtel/msdos/diskutil.  Partition Resizer will resize partitions,
              change them from 12 to 16-bit FAT and vice versa, move partitions
              around on the drive, grow a partition to fill unused disk space,
              split partitions, and combine partitions.  It also includes a
              built-in recovery mechanism which allows it to recover from
              system crashes or a power loss while it is running.  Partition
              Resizer can take awhile to resize partitions, especially on
              larger drives.

Footnote [3]: Certain boot sector viruses also change the information needed by
              mksfs, so mksfs printing this message may be an indication of a
              viral infection.  See `Using SFS for Virus Protection' in the
              "Applications" section below.

Footnote [4]: Among them the OS/2 and Windows NT boot managers.

Footnote [5]: Although SFS has been written so that if any data does become
              corrupted, only the corrupted sector and no others will be lost,
              if data which is important to the operating system (such as a
              directory or a file allocation table) is lost, the damage may
              (just as it would for a normal non-encrypted disk) be more
              significant.  In this case any standard disk-recovery program can
              be used to make repairs, just as with a normal DOS disk.


Mounting an SFS Volume
----------------------

When the operating system first starts, it finds all disk volumes it can
recognise and automatically makes them available as different logical drive
letters.  However it can't do anything with encrypted SFS volumes, and so they
are effectively invisible to it.  In order to make them visible, you need to
mount them using the mountsfs program.  Operating systems such as Unix mount
filesystems in this manner (in fact the general feel of mountsfs is vaguely
like the Unix filesystem mount utility).

When the operating system mounts a disk volume, it uses the rather primitive
mechanism of assigning a letter of the alphabet to it and referring to the
drive by that letter.  SFS, on the other hand, refers to the volume by the name
given when the volume is created with mksfs rather than some arbitrary letter
(although volumes in removable drives can optionally be referred to by the
driver letter).  Therefore if the encrypted volume was named "Secure disk
volume", mountsfs would mount "Secure disk volume" rather than, say, "E:".  A
fixed disk can contain multiple encrypted volumes, mountsfs will choose the
appropriate one based on the volume name.  When searching for volumes to mount,
all fixed disks are checked before any removable disks are checked, so that a
volume with a given name on a fixed disk would take precedence over a volume of
the same name on a floppy disk.

Once the volume is mounted, DOS will still refer to it by a drive letter as
usual (there's only so much the SFS software can do), so that "Secure disk
volume" will, after being mounted with SFS, appear as just another DOS drive,
for example E:.  If necessary you can swap the drive letter which SFS uses with
the JSWAP utility which comes as part of the JAM disk compression software.
The use of JSWAP for manipulating drive letters rather than the DOS commands
ASSIGN, SUBST, and JOIN, or other third-party utilities such as the one
provided with Stacker are recommended, as JSWAP provides the safest means of
swapping drive letters.  The JAM software also contains the JDRIVE utility,
which allows you to assign specific drive letters to SFS mount points, so that,
for example, you could force the SFS drive to be E: rather than the drive
letter DOS would normally assign to it.  The JAM disk compression software is
discussed in more detail in the section "Creating Compressed SFS Volumes"
below.

You may prefer to refer to volumes on removable disks by the drive they are in
rather than via the volume name, in which case you should specify the drive
using the usual letters A: or B:, and the volume name will be ignored.  As
before, once the disk is mounted with SFS, the volume will appear as another
DOS drive, for example E:.  If the disk is accessed as E:, the SFS driver will
encrypt and decrypt data being written to it and read from it.  If the disk is
accessed as A: or B:, DOS will either display garbage or report a general
failure error as it doesn't understand the contents of the encrypted disk.  You
can still use the A: or B: drive letters to read normal DOS disks, but in order
to prevent accidental overwriting of data on different disks, the SFS driver
will automatically unmount a volume if it detects that a disk change has
occurred since the last time it accessed the drive.

The mountsfs program is run in the following manner:

  mountsfs [+r] [+rw] [status] [unmount] [info] [information]
           [hotkey=<Ctrl>-<Alt>-<LeftShift>-<RightShift>-<letter> or none]
           [timeout=<timeout>] [cardcontrol=<action>] [user=<username>]
           [userfile=<user file>] [mountdrive=<drive unit>]
           [volume=<volume name>] [<drive letter>]

Since all arguments are named, you can give them in any order.  The order shown
here is merely an example.  In addition, you can abbreviate all commands, so
that for example you can give the `volume=' command as `volume=', `vol=', or
even just `v='.  The full commands are given in the documentation for
completeness.  Some of the options shown above are not covered here but will
be explained in the next section, "Unmounting an SFS Volume".

When mountsfs starts, it first performs a number of checks on the internal
status of the SFS driver.  If it requires the driver to be present for the
operation to be performed but can't find it, it will exit with the error
message:

    Error: Cannot find SFS driver

This problem is due to the driver not being loaded, either because you haven't
specified it in the CONFIG.SYS file, or because there was some error when it
was loaded and it de-installed itself.  More information on this is given in
the section "Loading the SFS Driver" above.

If the driver reports a general internal consistency check failure or a
consistency check failure for a particular drive unit (in this case drive F:),
mountsfs will exit with the error message:

    Error: SFS driver internal consistency check failed

or:

    Error: SFS driver consistency check failed for unit F:

A driver check failure is generally due to some other program or system
software corrupting the driver's internal state.  You can find possible
solutions to this problem in the section "Troubleshooting" below.

In general you can specify the SFS volume to use by giving the volume's name
with the `volume=' option.  For example if the name was "Secure disk volume"
then the command would be:

  mountsfs volume=secure

You can give the name in upper or lower case and don't have to specify the full
name, as mountsfs will match whatever part of the name you supply to the names
of any SFS volumes it finds until it finds a match.  The SFS volumes are
checked in the same order as they are displayed with the `mountsfs info' or
`mountsfs information' command.

Alternatively, if the SFS volume to be accessed is on a removable disk, you can
specify it using its drive letter instead of its volume name.  For example if
the disk drive the volume was in was A: then the command would be:

  mountsfs a:

mountsfs will not mount volumes using the mount identifier, as this is reserved
for use with volumes mounted when the SFS driver is loaded.  More information
on this is given in the section "Advanced SFS Driver Options" below.
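How mountsfs picks a volume from the name or drive letter it is given, as an
added Python example rather than mountsfs code.  It follows the rules above:
fixed-disk volumes are searched before removable ones, a name matches
case-insensitively on any part of the volume name with the first hit winning,
a drive letter selects only the disk in a removable drive, and a mount
identifier is not accepted.  What mountsfs does with a fixed-disk drive letter
is not stated on the page, so the example refuses it; the Volume records are
constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Volume:
    name: str                       # "" for an anonymous volume
    serial: int
    fixed: bool                     # True for fixed disk, False for removable
    drive: str                      # physical drive holding it, e.g. "A:" or "D:"
    mounted_as: Optional[str] = None  # DOS letter once mounted, e.g. "E:"


def search_order(volumes):
    """All fixed disks are checked before any removable disks, each group in
    the order `mountsfs info' lists them."""
    return [v for v in volumes if v.fixed] + [v for v in volumes if not v.fixed]


def find_volume(volumes, name=None, drive=None):
    """Return the Volume mountsfs would select, or raise ValueError.

    `name` is matched as a case-insensitive substring; `drive` is a removable
    drive letter ("a", "A:") and takes precedence over `name`, which is then
    ignored, as the text describes.
    """
    if drive is not None:
        letter = drive.upper().rstrip(":") + ":"
        for v in volumes:
            if v.drive == letter:
                if v.fixed:
                    # Assumption: the page only allows letters for removable disks.
                    raise ValueError("only removable-disk volumes can be "
                                     "selected by drive letter")
                return v
        raise ValueError(f"no SFS volume in drive {letter}")
    if name is None:
        raise ValueError("give a volume name or a drive letter")
    needle = name.lower()
    for v in search_order(volumes):
        if v.name and needle in v.name.lower():
            return v
    raise ValueError(f"no SFS volume matching `{name}'")


if __name__ == "__main__":
    # Constructed set: the same name exists on a floppy and on the fixed disk.
    scan = [Volume("Data backup", 1, False, "A:"),
            Volume("Secure disk volume", 2, False, "B:"),
            Volume("Personal financial records", 3, True, "D:", "E:"),
            Volume("Secure disk volume", 4, True, "D:")]
    print(find_volume(scan, name="secure"))      # the fixed-disk copy wins
    print(find_volume(scan, drive="b:"))         # the floppy, by drive letter
```

Because the first substring hit wins, a short abbreviation such as `vol=data'
can silently pick a different volume than intended once more volumes exist;
the `mountsfs info' listing shows the order in which they are tried.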

You can use the `info' option to find all available SFS volumes.  This will by
default search the system for available volumes and print a list of the volume
names, creation dates, sizes, and whether the volumes are currently mounted or
not.  For example on a system with three SFS volumes the output from `mountsfs
info' might be:

    Date     Size   Type Mount status  Volume Name
  -------- -------- ---- ------------- ----------------------------------------
  01/11/93  Floppy  DOS    Unmounted   Data backup
  06/09/93  10.0 MB DOS  Mounted as E: Personal financial records
  12/04/93  42.5 MB DOS    Unmounted   Encrypted data disk

This shows three SFS volumes, an unmounted volume in a floppy drive containing
backup data, a smaller one on a fixed disk containing personal financial
records which is currently mounted as drive E:, and a larger one containing
general encrypted data which is currently unmounted.  Note that removable media
is treated in a special manner and the exact disk size is indeterminate as the
media may change at any time.  The volume creation date is formatted according
to the country setting on the machine being used, so that the datestamp is
day/month/year in Europe and related countries, month/day/year in the US and
related countries, and year/month/day in Japan.  All three volumes shown here
are DOS volumes, but future versions of SFS may support other volume types such
as OS/2 HPFS, Windows NTFS, and Linux Unix ones.

If you need more information than the `info' command provides, you can use the
longer "information" form of the command, which will display extra details such
as the volume serial number, the mount identifier (see the section "Advanced
SFS Driver Options" below for more information), the volume filesystem type,
whether multiuser volume access is possible, what type of disk access mode is
used for the volume, the volume name character set, the default auto-unmount
timeout value (which can be overridden when the volume is mounted if required),
and whether access to the volume is controlled via a smart card and what
actions are associated with the smart card, as well as the other information
displayed by the usual `mountsfs info' command.  If, in the previous example,
you had used `mountsfs information' instead of `mountsfs info' the output might
have been:

  Volume name  : Data backup
  Volume date  : 01/11/93, 10:13:01 Volume serial number: 3276713527
  Volume size  : Removable media    Volume filesys type : DOS
  Mount status : Unmounted          No mount at system startup possible
  Multiuser access : Disabled       Disk access mode    : Default
  Vol.name char.set: ISO 646/ASCII  Current access mode : Default
  Unmount timeout  : None set       Smart card access   : Yes, basic mem.card
  Card removal action : Make volume readonly

  Volume name  : Personal financial records
  Volume date  : 06/09/93, 11:22:19 Volume serial number: 177545
  Volume size  : 10.0 MB            Volume filesys type : DOS
  Mount status : Mounted as E:      Mount ID            : 03A12F7B
  Multiuser access : Disabled       Disk access mode    : Default
  Vol.name char.set: ISO 646/ASCII  Current access mode : Default
  Unmount timeout  : 30 minutes     Smart card access   : No
  Card removal action : -

  Volume name  : Encrypted data disk
  Volume date  : 12/04/93, 22:17:00 Volume serial number: 69231461
  Volume size  : 42.5 MB            Volume filesys type : DOS
  Mount status : Unmounted          Mount ID            : 42DD2536
  Multiuser access : Enabled        Disk access mode    : IDE direct
  Vol.name char.set: ISO 646/ASCII  Current access mode : IDE direct
  Unmount timeout  : 10 minutes     Smart card access   : No
  Card removal action : -

By default these two commands will display information on all available
volumes.  If you require information on an individual volume then you can give
the volume's name or drive letter in addition to the `info' or `information'
option.  To change the previous use of the `info' command to apply only to the
volume named "Data backup", the command might be:

  mountsfs info volume=backup

and the output would be as follows:

    Date     Size   Type Mount status  Volume Name
  -------- -------- ---- ------------- ----------------------------------------
  01/11/93  Floppy  DOS    Unmounted   Data backup

You can use the `status' option to check whether any volumes are currently
mounted.  As with the `info' and `information' options, by default information
on all mounted SFS volumes is displayed.  If you require information on an
individual volume then you can give the volume's name or drive letter in
addition to the `status' option.  Thus the command:

  mountsfs status

will return the status of the volumes on all mount points, as well as an
indication of the current setting of the quick-unmount hotkey and the
auto-unmount timeout settings for any mounted volumes (the latter are explained
in more detail below), whereas the command:

  mountsfs status f:

will return the above status information only on the volume currently mounted
as F:.  An example of the output of the `status' command when run on the setup
shown in the `info' command examples with a total of two mount points available
might be:

  SFS volume `Personal financial records' is mounted as drive E:,
          and will time out in 18 minutes.
  Drive F: has no volume mounted

  The quick-unmount hotkey is set to `LeftShift-RightShift'.

If you had mounted the `Data backup' volume instead of the `Personal financial
records' one, the output would be:

  SFS volume `Data backup' is mounted as drive E:,
         This volume will become readonly if the smart card is removed.
  Drive F: has no volume mounted

  The quick-unmount hotkey is set to `LeftShift-RightShift'.

You can use the `+r' and `+rw' options to specify read and write access to the
encrypted volume.  `+r' allows read-only access and `+rw' allows read and write
access.  The default is to allow read/write access.  Note that although
mounting an SFS volume read-only will stop all standard software from writing
to it, it may not stop some malicious programs such as viruses which have been
specially written to attack the SFS driver itself, or which are created
specifically to destroy disk data by bypassing the operating system and
accessing the disk hardware or firmware directly[1].  The read-only option is
provided mainly to stop any accidental overwriting of valuable data on
encrypted volumes.

You can also specify the use of read-only access when an SFS volume is mounted
at the time the SFS driver is loaded.  More details on this and on mounting
volumes at system startup are given in the section "Advanced SFS Driver
Options" below.

You can change the read/write status of one or more volumes once you have
mounted them by running mountsfs with the `+r' or `+rw' option.  This will
change the read/write status of the specified volume or all volumes as
appropriate.  For example to allow read/write access to the volume mounted as
F: the command would be:

  mountsfs +rw f:

If the volume allows multiuser access, only the volume administrator can
directly mount it in the manner described above.  Normal volume users must
specify their user name with the `user=<username>' command in addition to the
usual mount parameters in order to mount the volume[2].  The user name is the
name under which access is granted by the system administrator.  Like the
volume name, you can specify any portion of the user name and mountsfs will
match whatever part of the name is given to any user names until it finds a
match.  You can also specify the name of the file to search for user access
information using the `userfile=<user file>' command.

For example if the volume in the previous example allowed multiuser access and
one of the users who had been granted access to the volume was "Henry Akely",
he could mount it with the command:

  mountsfs volume=secure user=henry

If you try to mount a volume with no multiuser access capabilities in this
manner, mountsfs will exit with the error message:

  Error: This volume has multi-user access disabled

If mountsfs cannot find any access information for the given user in the user
access file or files, it will exit with an error message:

  Error: Cannot find access information for user `henry'

An individual user's access rights to the volume, as set by the volume
administrator, may override certain options specified in mountsfs.  You can
find more details on this, and on the operation of shared SFS volumes as a
whole, in the section "Sharing SFS Volumes Between Multiple Users" below.

When you use mountsfs to mount a volume, it will first check to see whether
there is room to mount it.  If all available mount points are already occupied,
it will print:

  Error: All available drives are allocated - unmount an existing volume first

and exit.  In this case you should either unmount an existing volume to free up
a mount point and allow the new volume to be mounted, or increase the number of
mount points with the `UNITS=n' command when the SFS driver is loaded.  You can
find more information on how to do this in the section "Loading the SFS Driver"
above.

By default, mountsfs will choose the first available mount point to mount the
new volume.  However, you can tell it which mount point to use with the
`mountdrive=' option, which lets you specify the drive letter you want the
volume mounted as.  You can only specify drive letters which are controlled by
the SFS driver, so that if the driver displayed the message:

  Encrypted volumes will be mounted as drives F: - H:

on startup then you could specify that a volume be mounted as either F:, G:, or
H:.  For example to mount the volume "Secure disk volume" from the previous
example as drive G: the command would be:

  mountsfs mountdrive=g: volume=secure

If this drive letter already has a volume mounted, mountsfs will display:

  Drive G: already has a volume mounted.  You should either specify a different
  drive, or let mountsfs choose a drive for you.

You can either use a different drive, or let mountsfs choose the drive for you,
or even unmount the volume currently mounted as G: to make room for the new
volume.

When mountsfs mounts a volume, it will search all available disks for the named
volume (if the volume is accessed by name), or check the removable disk for the
volume (if the volume is accessed by disk drive letter).  If the volume is
already mounted, mountsfs will print:

  Error: Encrypted volume is already mounted

and exit.  Otherwise, it will print a summary of the volume giving the
read/write status, the drive type and drive letter, and the volume name and
date if one exists, for example:

  Volume will be mounted as fixed drive E:.
  Encrypted volume is `Personal correspondence', created 12/08/93

If the volume is controlled by a smart card, it will also print:

  Access to this volume is controlled by a smart card key.

and ask for the appropriate card to be inserted if it is not already present in
the reader.

Then it will prompt you for the encryption password, either:

  Please enter password (10...100 characters), [ESC] to quit:

or:

  Please enter smart card password (10...100 characters), [ESC] to quit:

depending on whether access to the volume is controlled by a smart card or not.

You can now enter the password, which for security reasons is not echoed to the
screen.  You can correct any typing errors with the backspace key, and use the
Esc key to quit.  The software will check for a password longer than the
maximum of 100 characters or an attempt to backspace past the start of the
password, and beep a warning when either of these conditions occur.

Once you have entered the password, mountsfs will process it and reprogram the
SFS device driver to reflect the change in status.  If you are using a smart
card and the card is configured so that removing it from the reader will
unmount the volume then the reader LED will be set to red to indicate that the
card is currently being used by the driver.

If the disk you are mounting is a removable one, mountsfs will check that the
drive being used supports disk change checking.  This is necessary to ensure
that the wrong disk isn't accidentally accessed by the driver.  If the disk is
changed without first being unmounted, the SFS driver will automatically
unmount it the next time you try to access it[3].  However if the drive doesn't
support the disk change check (generally only rather old drives have this
problem), this automatic unmount won't be possible, and mountsfs will warn:

  Warning: The floppy drive this volume is mounted on does not support disk
           change checking.  You should make sure you unmount the existing
           volume using either the mountsfs or WinSFS programs or the
           quick-unmount hotkey when you change disks.

If you get this warning then it is essential that you unmount the volume before
you change the disk in the drive.  The easiest way to unmount a volume is
through the quick-unmount hotkey, which is explained in more detail below.

Finally, if all is OK, mountsfs will print a short summary message about the
action it has performed.  For example if you told it to mount a volume, the
summary would be:

  Encrypted volume successfully mounted.
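The mount procedure above runs several checks in a fixed order: is there a free mount point, is the requested `mountdrive=' letter one the driver controls and still free, can the partial volume name be found, and is that volume already mounted. The following Python model of that sequence is an added example, not SFS or mountsfs code. It assumes the driver controls a contiguous run of drive letters (the `UNITS=n' setting) and that a partial volume name matches as a case-insensitive substring, which is how `volume=secure' and `volume=backup' behave in the examples; the two error messages marked "assumed wording" are not quoted on this page.

```python
# Added example, not SFS source code: a model of the mount-point selection,
# volume lookup and error paths described in the mount procedure above.
# Assumptions: the driver controls a contiguous run of drive letters set by
# `UNITS=n', and a partial volume name matches as a case-insensitive substring,
# which is how `volume=secure' and `volume=backup' behave in the examples.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Volume:
    name: str
    created: str              # creation date as shown by `mountsfs info'
    removable: bool = False


@dataclass
class Driver:
    """The driver state mountsfs reprograms: drive letters and current mounts."""
    first_drive: str = "F"
    units: int = 3
    mounts: Dict[str, Volume] = field(default_factory=dict)   # "F:" -> Volume

    def drives(self) -> List[str]:
        return [chr(ord(self.first_drive) + i) + ":" for i in range(self.units)]

    def startup_message(self) -> str:
        d = self.drives()
        return f"Encrypted volumes will be mounted as drives {d[0]} - {d[-1]}"


def find_volume(disks: List[Volume], partial: str) -> Optional[Volume]:
    """First volume whose name contains the given text, ignoring case."""
    key = partial.lower()
    return next((v for v in disks if key in v.name.lower()), None)


def mount(driver: Driver, disks: List[Volume], volume: str,
          mountdrive: Optional[str] = None) -> List[str]:
    """Mount `volume'; return the lines mountsfs prints, or raise ValueError
    carrying the error text.  Checks run in the order the text describes."""
    if len(driver.mounts) >= driver.units:
        raise ValueError("Error: All available drives are allocated - "
                         "unmount an existing volume first")
    if mountdrive is None:
        # default: first mount point not yet occupied
        drive = next(d for d in driver.drives() if d not in driver.mounts)
    else:
        drive = mountdrive.upper()
        if drive not in driver.drives():
            raise ValueError(f"Error: Drive {drive} is not controlled by the "
                             "SFS driver")                    # assumed wording
        if drive in driver.mounts:
            raise ValueError(f"Drive {drive} already has a volume mounted.  You "
                             "should either specify a different drive, or let "
                             "mountsfs choose a drive for you.")
    vol = find_volume(disks, volume)
    if vol is None:
        raise ValueError(f"Error: Cannot find volume `{volume}'")  # assumed wording
    if any(v is vol for v in driver.mounts.values()):
        raise ValueError("Error: Encrypted volume is already mounted")
    driver.mounts[drive] = vol
    kind = "removable" if vol.removable else "fixed"
    return [f"Volume will be mounted as {kind} drive {drive}.",
            f"Encrypted volume is `{vol.name}', created {vol.created}",
            "Encrypted volume successfully mounted."]


def try_mount(driver: Driver, disks: List[Volume], volume: str,
              mountdrive: Optional[str] = None) -> Tuple[List[str], Optional[str]]:
    """Convenience wrapper: (output lines, None) or ([], error text)."""
    try:
        return mount(driver, disks, volume, mountdrive), None
    except ValueError as err:
        return [], str(err)
```

Running the model with three mount points (F: to H:) and mounting the same volume twice reproduces the "already mounted" error, while a fourth mount reproduces the "All available drives are allocated" error, so the model can be used to check one's understanding of which error mountsfs reports first.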

Footnote [1]: Viruses capable of doing this are generally called tunneling
              viruses.  Most of them only tunnel down to the DOS int 21h
              level (which won't affect SFS), but several tunnel down to the
              BIOS int 13h level.  The DIR II virus tunnels down to the block
              device driver request level (which again won't affect SFS).  In
              addition there is a report of a virus which will access an IDE
              hard drive directly through the drive controller ports (which
              has the side-effect of crashing Windows when using 32-bit disk
              access).  No viruses capable of accessing SCSI drives through the
              ASPI or CAM drivers are known.  In any case an SFS volume creates
              a rather bad target for DOS viruses since the DOS drive it
              corresponds to is only an illusion created by the SFS driver, and
              the underlying data on disk is invisible to DOS and most viruses.

Footnote [2]: Some versions of SFS will automatically know the user's name when
              a volume is mounted.  Unfortunately the DOS version isn't one of
              these.

Footnote [3]: The driver checks for a disk change when a disk read or write
              attempt is made rather than whenever DOS performs a general disk
              check, as DOS may perform up to half a dozen consecutive disk
              checks before doing anything, which leads to a significant loss
              in performance.


Unmounting an SFS Volume
------------------------

Once a volume has been mounted, you may wish to unmount it again, perhaps to
remove access to it after you have completed the work which requires it, or to
free up a mount point to allow you to mount a new volume.  In addition, if a
particular SFS volume is contained on a removable disk, it is a good idea to
unmount the volume if the disk in the drive is changed, although mounting a new
volume will automatically unmount the old volume.  You can perform the unmount
operation with the `mountsfs unmount' command, with the "Unmount" option of the
SFS Control Panel item, by using a quick-unmount hotkey which the SFS driver
checks for (see below), by setting an inactivity timeout value after which the
volume is automatically unmounted, or by removing the smart card from the
reader if you are using a smart card and the card is configured to unmount
volumes when it is removed.

Like the `mountsfs status' and `mountsfs information' commands, the `mountsfs
unmount' command can either apply to individual mounted volumes which are
specified by their drive letter, or to all volumes if no drive letter is given.
Unmounting a volume also signals the SFS driver software to write all data
still held in system buffers to disk and to erase any information it still
holds in memory.  It is therefore good practice to always unmount volumes as
soon as you no longer need them in order to destroy any sensitive information
which may still be held by the SFS driver or in a system buffer.  For example
to unmount all currently mounted volumes the command would be:

  mountsfs unmount

To unmount the volume currently mounted as F: the command would be:

  mountsfs unmount f:

A faster way to unmount all volumes is to use the quick-unmount hotkey which
the SFS driver checks for and accepts in place of the standard unmount command.
You can use this both as a convenience to quickly and easily unmount all SFS
volumes, or as a safety feature to allow encrypted volumes to be instantly
unmounted if there is a danger of the data on them being compromised.

When you mount a volume with mountsfs and don't explicitly specify the
`hotkey=none' option, or when you mount one or more volumes when the SFS driver
is loaded and don't explicitly specify the `HOTKEY=NONE' option, the driver or
mountsfs will install a default quick-unmount hotkey which is a combination of
the left and right shift keys under DOS and either of the two shift keys and
the control key under Windows[1].  On most keyboards these keys are fairly
large and easy to reach during normal typing. When both shift keys (DOS) or
either shift key and the control key (Windows) are pressed and released, all
mounted SFS volumes will be unmounted as if you had issued a normal unmount
command via mountsfs, and a single beep will sound to indicate that the unmount
was successful.

Occasionally this default hotkey combination may clash with other software, or
you may want to use another hotkey combination.  You can do this with the
`hotkey=' option, which can be used to specify any combination of the left
shift key, right shift key, control key, alt key, and a letter key[2].  The
keys are specified in the following manner:

    Alt key        = `alt'          Control key     = `ctrl'
    Left shift key = `leftShift'    Right shift key = `rightShift'
    Letter key     = `a'...`z'

You should separate key combinations with hyphens, `-'.  The key names are not
case sensitive and can be given in upper or lower case, or a mixture of both.
If you use an unknown key name or don't separate the key names with hyphens,
mountsfs will complain:

  Error: Bad quick-unmount hotkey format

For example, to specify the use of the left shift and right shift keys as the
quick-unmount hotkey (the usual default setting) when a volume matching the
name `secure' is mounted, the command would be:

  mountsfs hotkey=LeftShift-RightShift volume=secure

To use the Control, Alt, and Z keys as the quick-unmount hotkey the command
would be:

  mountsfs hotkey=ctrl-alt-Z volume=secure

You can also alter the hotkey value without mounting any volumes, which will
merely update the current hotkey without making any other changes.  For example
to set the right Shift, Control, and I keys as the quick-unmount hotkey (a
rather unwieldy combination), the command would be:

  mountsfs hotkey=rightshift-CTRL-I

You can disable the hotkey unmount by specifying `hotkey=none' when mountsfs is
run, either as part of a normal mount operation or by simply running mountsfs
with only the hotkey option, which will clear the unmount hotkey without making
any other changes.
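The `hotkey=' syntax above is small enough to parse completely: hyphen-separated, case-insensitive key names drawn from `alt', `ctrl', `leftShift', `rightShift' and a single letter, or the word `none'. The parser below is an added example, not SFS or mountsfs code. Two details the page does not state are treated as assumptions: a combination holds at most one letter key, and no key may be repeated; the canonical ordering used when a hotkey is printed back is also an assumption made for readability.

```python
# Added example, not SFS source code: a parser for the `hotkey=' syntax
# described above.  Assumptions (not stated on the page): a combination holds
# at most one letter key, no key is repeated, and `none' disables the hotkey.
from typing import Optional, Tuple

MODIFIERS = {"alt", "ctrl", "leftshift", "rightshift"}
LETTERS = set("abcdefghijklmnopqrstuvwxyz")
BAD_FORMAT = "Error: Bad quick-unmount hotkey format"

Hotkey = Tuple[frozenset, Optional[str]]   # (modifier names, letter or None)


def parse_hotkey(spec: str) -> Optional[Hotkey]:
    """Return None for `none', otherwise (modifiers, letter).

    Names are case-insensitive and hyphen-separated.  An unknown name, a run
    of names without a hyphen (e.g. "ctrlalt"), an empty element, a repeated
    key or a second letter key all raise ValueError(BAD_FORMAT).
    """
    text = spec.strip().lower()
    if text == "none":
        return None
    modifiers = set()
    letter = None
    for name in text.split("-"):
        if name in MODIFIERS:
            if name in modifiers:            # repeated key (assumed invalid)
                raise ValueError(BAD_FORMAT)
            modifiers.add(name)
        elif name in LETTERS:
            if letter is not None:           # two letter keys (assumed invalid)
                raise ValueError(BAD_FORMAT)
            letter = name
        else:                                # unknown name or missing hyphen
            raise ValueError(BAD_FORMAT)
    return frozenset(modifiers), letter


def is_valid_hotkey(spec: str) -> bool:
    """True when mountsfs would accept the string, False when it would
    print the "Bad quick-unmount hotkey format" error."""
    try:
        parse_hotkey(spec)
        return True
    except ValueError:
        return False


def format_hotkey(hotkey: Optional[Hotkey]) -> str:
    """Canonical spelling, as in the status line `LeftShift-RightShift'.
    The modifier ordering is an assumption for readability, not SFS behaviour."""
    if hotkey is None:
        return "none"
    spelling = {"leftshift": "LeftShift", "rightshift": "RightShift",
                "ctrl": "Ctrl", "alt": "Alt"}
    modifiers, letter = hotkey
    parts = [spelling[k] for k in ("leftshift", "rightshift", "ctrl", "alt")
             if k in modifiers]
    if letter is not None:
        parts.append(letter.upper())
    return "-".join(parts)
```

The three hotkey strings used in the commands above (`LeftShift-RightShift', `ctrl-alt-Z', `rightshift-CTRL-I') all parse, while a string with spaces instead of hyphens or with the names run together is rejected, matching the error condition the text describes.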

Finally, you can also specify the quick-unmount hotkey value when the SFS
driver is loaded.  More details on this are given in the section "Advanced SFS
Driver Options" below.

If you perform a hotkey unmount while the driver is accessing a volume, the
disk access will complete before the volume is unmounted.

The SFS driver can automatically unmount volumes if you have not accessed them
for a
certain amount of time.  This feature is useful if there is a chance that an
interruption may call you away from a system with mounted SFS volumes which
would allow others access to the encrypted data, or you can simply use it as a
general safety precaution to automatically unmount the volumes after a sizeable
period of inactivity.  However, you should take care to allow a large enough
safety margin for the timeout, as having a volume take itself offline five
seconds before you want to save your work to it can be annoying.

The easiest way to set an auto-unmount timeout is to associate a timeout value
with the volume when it is created with mksfs, although you can add this
setting or modify an existing setting at a later point with the chsfs program
(this is explained in more detail in the section "Changing the Characteristics
of an SFS Volume" below).  When the volume is mounted, the setting of the
timeout is automatically taken care of by the SFS software.  If the volume has
no timeout associated with it then by default mountsfs will not set an
auto-unmount timer.

You can display the current timeout setting for a volume or volumes using the
`mountsfs information' command.

However you may want to override the preset timeout value using the `timeout='
option, which is used to specify the delay in minutes until the unmount takes
place.  For example, using the previous mount command but to have the volume
automatically unmounted after 15 minutes of inactivity the command would be:

  mountsfs timeout=15 volume=secure

The timeout period must be between 1 and 30,000 minutes (this means that the
upper timeout limit is around three weeks).  If you specify a timeout value of
less than 1 minute or greater than three weeks, mountsfs will exit with the
error message:

  Error: Timeout value must be between 1 and 30,000 minutes

If no accesses are made to a volume within the given time period, it will be
automatically unmounted.  Like the case when a hotkey unmount is made, a single
beep will sound to indicate that the unmount has taken place.  Each volume has
its own timer, allowing you to give different volumes different lengths of time
before they unmount, or to have no auto-unmount time at all.  This is useful
when, for example, one volume containing highly sensitive information needs to
have a very short timeout, while another volume containing less secret
information can have a much longer timeout.  An example might be a series of
three SFS volumes:

  mountsfs timeout=10 volume=Topsecret
  mountsfs timeout=30 volume=Secret
  mountsfs timeout=60 volume=Confidential

in which the "Topsecret" volume is given the shortest timeout of only 10
minutes, the "Secret" volume is given a timeout of 30 minutes, and the
"Confidential" volume is given the longest timeout of a full hour.

You can disable the timed unmount by specifying `timeout=none' when you run
mountsfs, either as part of a normal mount operation which will affect only the
current volume, or by running mountsfs with only the timeout option, which will
clear the timeout for all volumes without making any other changes.
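The auto-unmount behaviour described above has a few rules worth pinning down: the `timeout=' value is either `none' or an integer from 1 to 30,000 minutes, every mounted volume has its own inactivity timer, a disk access restarts that volume's timer, and `timeout=none' given on its own clears the timers of all volumes. The Python model below is an added example, not SFS or mountsfs code. It takes the current time as an integer minute count from the caller (an assumption made so the model runs without a real clock), and it treats non-numeric `timeout=' values as the same error as out-of-range ones, which the page does not say.

```python
# Added example, not SFS source code: a model of the per-volume auto-unmount
# timers described above.  Time is an integer minute count supplied by the
# caller (assumption, so the model runs without a real clock).
from typing import Dict, List, Optional

TIMEOUT_MIN, TIMEOUT_MAX = 1, 30_000          # limits quoted in the text
TIMEOUT_ERROR = "Error: Timeout value must be between 1 and 30,000 minutes"


def parse_timeout(value: str) -> Optional[int]:
    """`timeout=none' -> None, otherwise the minute count, range-checked.
    Non-numeric input gets the same error as an out-of-range value
    (assumption: mountsfs does not distinguish the two)."""
    text = value.strip().lower()
    if text == "none":
        return None
    try:
        minutes = int(text.replace(",", ""))
    except ValueError:
        raise ValueError(TIMEOUT_ERROR) from None
    if not TIMEOUT_MIN <= minutes <= TIMEOUT_MAX:
        raise ValueError(TIMEOUT_ERROR)
    return minutes


def is_valid_timeout(value: str) -> bool:
    try:
        parse_timeout(value)
        return True
    except ValueError:
        return False


class AutoUnmountTimers:
    """One inactivity timer per mounted volume; an access restarts the timer."""

    def __init__(self) -> None:
        self._timeout: Dict[str, Optional[int]] = {}
        self._last_access: Dict[str, int] = {}
        self._mounted: Dict[str, bool] = {}

    def mount(self, volume: str, timeout: Optional[int], now: int) -> None:
        self._timeout[volume] = timeout
        self._last_access[volume] = now
        self._mounted[volume] = True

    def expire(self, now: int) -> List[str]:
        """Unmount every volume idle for its full timeout; return their names."""
        gone = []
        for volume, timeout in self._timeout.items():
            if not self._mounted[volume] or timeout is None:
                continue
            if now - self._last_access[volume] >= timeout:
                self._mounted[volume] = False     # the single beep would sound here
                gone.append(volume)
        return gone

    def access(self, volume: str, now: int) -> bool:
        """A disk access.  False means the volume had already timed out."""
        self.expire(now)
        if not self._mounted.get(volume, False):
            return False
        self._last_access[volume] = now
        return True

    def clear_all_timeouts(self) -> None:
        """`mountsfs timeout=none' with no volume given: clears every timer."""
        for volume in self._timeout:
            self._timeout[volume] = None

    def mounted(self) -> List[str]:
        return [v for v, up in self._mounted.items() if up]

    def minutes_left(self, volume: str, now: int) -> Optional[int]:
        """What `mountsfs status' reports as "will time out in N minutes"."""
        timeout = self._timeout.get(volume)
        if timeout is None or not self._mounted.get(volume, False):
            return None
        return max(0, timeout - (now - self._last_access[volume]))
```

Replaying the three-volume example (timeouts of 10, 30 and 60 minutes) with a single access to the "Secret" volume at minute 25 shows the independence of the timers: "Topsecret" is gone at minute 10, "Secret" survives until minute 55 because its timer restarted, and "Confidential" is still mounted at that point.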

If a timed unmount occurs while the driver is accessing a volume, the disk
access will complete before the volume is unmounted.

Another way to control the mount status of volumes is possible if you are using
a smart card to access them.  Depending on how the card was set up with the
sfscard or chsfs programs, removing it will either unmount all volumes, unmount
the volumes controlled by the card, set the volumes controlled by the card to
read-only, or have no effect.  If the volume has no card removal action
associated with it then by default nothing will happen when the card is
removed, unless at least one other mounted volume has an "unmount all volumes"
action, which takes precedence over all other actions.

You can find the exact settings for a volume with the `mountsfs information'
command, which is explained in the section "Mounting an SFS Volume" above.

If required you can override the default settings for a volume when you mount
it by using the `cardcontrol=' option to specify the action to take when the
card is removed.  The possible card control actions are `none', which does
nothing, `readonly', which makes the volume readonly, and `unmount' and
`unmountall', which unmount the given volume or all volumes.  For example, to
mount the "Topsecret" volume with the condition that it be unmounted when the
card is removed from the reader, the command would be:

  mountsfs cardcontrol=unmount volume=topsecret

The volume will now be unmounted if the smart card used to mount it is removed
from the card reader.

If the SFS driver is using the card currently inserted in the reader, the
reader LED will be set to red.  Removing the card in this case will result in
the reader LED being set to green and the unmount action which is set for the
card taking place.
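The card removal rules above combine a per-volume action (`none', `readonly', `unmount', `unmountall') with one precedence rule: an "unmount all volumes" action on any mounted volume wins over everything else. The resolver below is an added example, not SFS, sfscard or mountsfs code. It assumes each mounted volume records a caller-chosen identifier for the card it was mounted with, that an `unmountall' action on any mounted volume fires whichever card is removed (a literal reading of "at least one other mounted volume"), and the error text for a bad `cardcontrol=' value is not quoted on the page and is therefore assumed.

```python
# Added example, not SFS source code: a resolver for the smart card removal
# actions described above.  Assumptions: each mounted volume records a
# caller-chosen id for the card it was mounted with, and an `unmountall'
# action on any mounted volume fires whichever card is removed, following
# the "takes precedence over all other actions" rule in the text.
from dataclasses import dataclass
from typing import Dict, List, Optional

CARD_ACTIONS = ("none", "readonly", "unmount", "unmountall")


@dataclass
class MountedVolume:
    name: str
    drive: str
    card_id: Optional[str] = None     # None: not card-controlled
    card_action: str = "none"         # `cardcontrol=' value or the chsfs default
    read_only: bool = False
    mounted: bool = True


def parse_card_control(value: str) -> str:
    """Validate a `cardcontrol=' value; names are taken case-insensitively."""
    action = value.strip().lower()
    if action not in CARD_ACTIONS:
        raise ValueError("Error: Bad card control action")   # assumed wording
    return action


def on_card_removed(volumes: List[MountedVolume], card_id: str) -> Dict[str, str]:
    """Apply the removal rules and return {drive: "unmounted" | "readonly"}.

    Rule 1: any mounted volume with `unmountall' -> every volume is unmounted.
    Rule 2: otherwise only volumes mounted with the removed card are touched,
            each according to its own action; `none' does nothing.
    """
    mounted = [v for v in volumes if v.mounted]
    result: Dict[str, str] = {}
    if any(v.card_action == "unmountall" for v in mounted):
        for v in mounted:
            v.mounted = False
            result[v.drive] = "unmounted"
        return result
    for v in mounted:
        if v.card_id != card_id:
            continue
        if v.card_action == "unmount":
            v.mounted = False
            result[v.drive] = "unmounted"
        elif v.card_action == "readonly":
            v.read_only = True
            result[v.drive] = "readonly"
    return result
```

The read-only outcome matches the `status' output shown earlier for the "Data backup" volume ("This volume will become readonly if the smart card is removed"), and a volume mounted without a card is untouched unless the precedence rule fires.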

Finally, if all is OK, mountsfs will print a short summary message about the
action it has performed.  If for example there were two volumes F: and G: of
which only F: was currently mounted and you told it to unmount all volumes, the
summary would be:

  Volume in drive F: has been unmounted
  Drive G: is already unmounted

Footnote [1]: Windows treats the left and right shift keys as the same key, so
              there is no way to recognise the left shift and right shift key
              combination.  The shift and control key combination is therefore
              used in its place.

Footnote [2]: The letter key is based on the US keyboard since the SFS driver
              must check for keyboard scan codes rather than actual character
              codes, which can differ slightly for some keyboards.
