Disk encryption

Khannie

I have a question about on-the-fly disk encryption. What I want is this:

There are two users:
Khannie
and
boldperson

Both have sudo access on the box. I want to be able to encrypt my home area in such a way that even when I'm logged in, boldperson can't view my home area (doesn't have to be my home area, but that would be best), despite having sudo on the box. Is such a thing possible?

croo

Did you try this?
http://help.ubuntu.com/community/EncryptedHome

The caveats section makes some interesting suggestions too!

Khannie

I did. The problem with it is that if I'm logged in, the decrypted home is available at /home/khannie to anyone with root on the box. I'm not sure if there's a way around it tbh. In my head it seems theoretically possible to have the key stored in memory (yes, I know the root user has access to the system RAM too, but I'll take my chances there) and have the khannie user use that on the fly, with the boldperson user unable to see the mounted filesystem. That is in my head though.

croo

maybe you might put your /home/khannie on a separate encrypted partition that is not loaded by default in fstab - but only when khannie logs in!? Then you'd have to enter the passphrase? I've not tried it - I'm just speculating!

PrzemoF

Maybe a separate partition as croo is suggesting and LUKS?

http://fedoraproject.org/wiki/Implementing_LUKS_Disk_Encryption

I never tried it - please report back the results if you do it

Khannie

Thanks folks. Both of those methods work in a similar way unfortunately (the ecryptfs home area one is actually preferable IMO as when you log out it removes the ability to see the encrypted data, not so with a LUKS mounted partition unless you manually umount it).

Grudaire

I was going to suggest removing read/write access to the relevant folder for the one user, but obviously as he has admin rights that is only a barrier to sidestep.

The only thing I could suggest is encryption where the decryption is done by the program accessing it (eg password protected document in LibreOffice)

syklops

What exactly are you trying to protect, if you dont mind me asking?

Khannie

syklops wrote: »

What exactly are you trying to protect, if you dont mind me asking?

My privacy. Not trying to be smart.

Grudaire

Yeah the obvious solution is internet streaming and then 'shred' internet history is the true solution ;-)


:pac:

syklops

Khannie wrote: »

My privacy. Not trying to be smart.

I meant are there specific files or folders you are trying to protect. If specific files you could use the GPG vim-plugin to encrypt them with. That way even if the filesystem the files reside on is mounted and readable by the other guy, there is nothing he can do.

Khannie

Oooh! Well, I wanted to cover for example pictures (not the filthy variety ), IM chat history, that kind of thing.

syklops

Did you look at ecryptfs?

Create a directory within you home directory which is encrypted, and store all your sensitive stuff in that directory. Have a script which when you log in which decrypts the directory.

d31b0y

syklops wrote: »

Did you look at ecryptfs?

Create a directory within you home directory which is encrypted, and store all your sensitive stuff in that directory. Have a script which when you log in which decrypts the directory.

The problem being once he logs in, it gets decrypted so if he stays logged in, then root has access (I assume).

How powerful is the box? The only way that comes to mind is setup a virtual machine that is just for you. But then when you log in would someone still be able to read the virtual HDD...

croo

Khannie wrote: »

Thanks folks. Both of those methods work in a similar way unfortunately (the ecryptfs home area one is actually preferable IMO as when you log out it removes the ability to see the encrypted data, not so with a LUKS mounted partition unless you manually umount it).

It seems SELinux (centos for example) can restrict root's access using Role Based Access Control (RBAC). It seems with SELinux first unix permissions are checked and then the RBAC permissions and only if both pass does the user (any user) get access. This is not encryption but root's access is restricted which is the goal rather than having it encrypted!? I guess you could apply both rbacs and encryption - do let us know what worked!

Khannie

croo wrote: »

This is not encryption but root's access is restricted which is the goal rather than having it encrypted!? I guess you could apply both rbacs and encryption - do let us know what worked!

Beautiful. This could be just the ticket. I'm on ubuntu so its equivalent is AppArmor. I'll see if it can provide that functionality.

Hmmm. Now that I think about it, it would allow the root user to alter the RBAC for my home directory.

d31b0y wrote: »

How powerful is the box? The only way that comes to mind is setup a virtual machine that is just for you. But then when you log in would someone still be able to read the virtual HDD...

The box is powerful enough to run a small VM alright. I'd rather avoid it, but it's probably the only secure solution. If the virtual HDD is encrypted, that would effectively prevent anyone from looking at it.

croo

Khannie wrote: »

Hmmm. Now that I think about it, it would allow the root user to alter the RBAC for my home directory.

It wouldn't seem like much a security enhancement if it did!

I have to say I used SElinux on Centos for a bit and it caused me a lot of headaches. It was a development box so maybe that was part of the issue. But when I had problems with DB or web servers it invariably came back to the SELinux so eventually I just disabled it!

KAGY

Hi Khannie,
have you looked at TrueCrypt? http://www.truecrypt.org/. It decrypts on the fly. From their docs page:

Note that TrueCrypt never saves any decrypted data to a disk – it only stores them temporarily in RAM (memory). Even when the volume is mounted, data stored in the volume is still encrypted

I'm just researching this at the moment as I'm having trouble trying to encrypt an (non-sudo) existing home directory with eCryptfs so looking at other options. Haven't tried it yet, but this thread came up in my search while doing the initial look-see and though it might be of interest to you.

Johnboy1951

This one might be of interest

https://code.google.com/p/zulucrypt/

Khannie

KAGY wrote: »

Hi Khannie,
have you looked at TrueCrypt? http://www.truecrypt.org/. It decrypts on the fly.

Thanks. Yep, I have done and do use it. It's a nice piece of kit alright, but it doesn't overcome the problem of the mount being visible to anyone with root while you're looking at your files.

madhatter76

try permissions on the encrypted folder

chmod -R 700 folder

However usually root has still access to all files so use then chattr:
man chattr

You can protect a file even from root (not deliberate action, but accidental, anyway) by using

chattr +i filename.ext
That is "change attributes add immutable". To remove the protection:

chattr -i filename.ext

have a look at man chattr for more info

djmarkus

The only possible theoretical solution is a filesystem that is tied to your TTY, which is harder for another user to get access to, but not impossible.

humbert

Some outside the box thinking here; how about pushing the 'bold person' down a flight of stairs?

d31b0y

humbert wrote: »

Some outside the box thinking here; how about pushing the 'bold person' down a flight of stairs?

I guarantee that khannie is only trying to hide his porn stash.

Khannie

d31b0y wrote: »

I guarantee that khannie is only trying to hide his porn stash.

<.<

>.>

Khannie

djmarkus wrote: »

The only possible theoretical solution is a filesystem that is tied to your TTY, which is harder for another user to get access to, but not impossible.

I'm intrigued. How would you tie a filesystem to your TTY?

Johnboy1951

Khannie wrote: »

I'm intrigued. How would you tie a filesystem to your TTY?

Shoelaces?

bonzodog2

Maybe something like this might be of interest
http://www.techrepublic.com/blog/opensource/create-encrypted-loopback-filesystems-on-linux/67

gctest50

BSD jails might help to do what you want ?