
Disk encryption

  • 25-02-2013 10:52am
    #1
    Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭


    I have a question about on-the-fly disk encryption. What I want is this:

    There are two users:
    Khannie
    and
    boldperson

    Both have sudo access on the box. I want to be able to encrypt my home area in such a way that even when I'm logged in, boldperson can't view my home area (doesn't have to be my home area, but that would be best), despite having sudo on the box. Is such a thing possible?


Comments

  • Moderators, Technology & Internet Moderators Posts: 1,336 Mod ✭✭✭✭croo


    Did you try this?
    http://help.ubuntu.com/community/EncryptedHome

    The caveats section makes some interesting suggestions too!


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I did. The problem with it is that if I'm logged in, the decrypted home is available at /home/khannie to anyone with root on the box. I'm not sure if there's a way around it tbh. In my head it seems theoretically possible to have the key stored in memory (yes, I know the root user has access to the system RAM too, but I'll take my chances there) and have the khannie user use that on the fly, with the boldperson user unable to see the mounted filesystem. That is in my head though. :)


  • Moderators, Technology & Internet Moderators Posts: 1,336 Mod ✭✭✭✭croo


    maybe you might put your /home/khannie on a separate encrypted partition that is not loaded by default in fstab - but only when khannie logs in!? Then you'd have to enter the passphrase? I've not tried it - I'm just speculating!


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭PrzemoF


    Maybe a separate partition as croo is suggesting and LUKS?

    http://fedoraproject.org/wiki/Implementing_LUKS_Disk_Encryption

    I never tried it - please report back the results if you do it :)


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Thanks folks. Both of those methods work in a similar way unfortunately (the ecryptfs home area one is actually preferable IMO as when you log out it removes the ability to see the encrypted data, not so with a LUKS mounted partition unless you manually umount it).
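
The point made in the post above, as an added example that is not part of the original thread: while an eCryptfs home or a LUKS volume is mounted, its cleartext is reachable through the mount point by anyone with root. The shell function below lists those live mounts from `/proc/mounts` and from `lsblk -rno NAME,TYPE,MOUNTPOINT` output. The sample data, the paths and the function names `live_cleartext` and `demo` are constructed for illustration, and it assumes the filesystem sits directly on the LUKS mapping.

```shell
#!/bin/sh
# Added example (not from the thread): report decrypted views that are live.
# Sample data below is constructed; on a real box pass /proc/mounts and a
# file holding the output of: lsblk -rno NAME,TYPE,MOUNTPOINT

# live_cleartext MOUNTS_FILE LSBLK_FILE
# Prints one "kind<TAB>mountpoint" line per mount whose plaintext is readable
# through the mount point right now (and therefore by root), sorted.
live_cleartext() {
    {
        # eCryptfs: the filesystem type is the third field of /proc/mounts.
        awk '$3 == "ecryptfs" {
                 mp = $2
                 gsub(/\\040/, " ", mp)      # /proc/mounts escapes spaces
                 print "ecryptfs\t" mp
             }' "$1"
        # LUKS/dm-crypt: lsblk reports opened mappings with TYPE "crypt".
        # No third field means the mapping is open but not mounted.
        awk '$2 == "crypt" && NF >= 3 {
                 mp = $3
                 gsub(/\\x20/, " ", mp)      # lsblk -r escapes spaces
                 print "luks\t" mp
             }' "$2"
    } | sort
}

# Constructed sample: khannie is logged in (eCryptfs home mounted) and a LUKS
# volume was left mounted; a second mapping is open but not mounted.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/home/.ecryptfs/khannie/.Private /home/khannie ecryptfs rw,nosuid,nodev,relatime 0 0
/dev/mapper/private /mnt/my\040files ext4 rw,relatime 0 0
EOF
    cat > "$d/lsblk" <<'EOF'
sda disk
sda1 part /
private crypt /mnt/my\x20files
backup crypt
EOF
    live_cleartext "$d/mounts" "$d/lsblk"
    rm -rf "$d"
}

demo
```

An empty result means no decrypted view is currently mounted; it says nothing about keys that may still be held in memory by an open but unmounted mapping.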


  • Registered Users, Registered Users 2 Posts: 3,620 ✭✭✭Grudaire


    I was going to suggest removing read/write access to the relevant folder for the one user, but obviously as he has admin rights that is only a barrier to sidestep.

    The only thing I could suggest is encryption where the decryption is done by the program accessing it (eg password protected document in LibreOffice)


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    What exactly are you trying to protect, if you don't mind me asking?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    syklops wrote: »
    What exactly are you trying to protect, if you don't mind me asking?

    My privacy. Not trying to be smart. :)


  • Registered Users, Registered Users 2 Posts: 3,620 ✭✭✭Grudaire


    Yeah the obvious solution is internet streaming and then 'shred' internet history is the true solution ;-)


    :pac:


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    My privacy. Not trying to be smart. :)

    I meant are there specific files or folders you are trying to protect. If specific files you could use the GPG vim-plugin to encrypt them with. That way even if the filesystem the files reside on is mounted and readable by the other guy, there is nothing he can do.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Oooh! Well, I wanted to cover for example pictures (not the filthy variety :p), IM chat history, that kind of thing.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Did you look at ecryptfs?

    Create a directory within your home directory which is encrypted, and store all your sensitive stuff in that directory. Have a script which, when you log in, decrypts the directory.


  • Registered Users, Registered Users 2 Posts: 2,028 ✭✭✭d31b0y


    syklops wrote: »
    Did you look at ecryptfs?

    Create a directory within your home directory which is encrypted, and store all your sensitive stuff in that directory. Have a script which, when you log in, decrypts the directory.

    The problem being once he logs in, it gets decrypted so if he stays logged in, then root has access (I assume).

    How powerful is the box? The only way that comes to mind is setup a virtual machine that is just for you. But then when you log in would someone still be able to read the virtual HDD...


  • Moderators, Technology & Internet Moderators Posts: 1,336 Mod ✭✭✭✭croo


    Khannie wrote: »
    Thanks folks. Both of those methods work in a similar way unfortunately (the ecryptfs home area one is actually preferable IMO as when you log out it removes the ability to see the encrypted data, not so with a LUKS mounted partition unless you manually umount it).

    It seems SELinux (centos for example) can restrict root's access using Role Based Access Control (RBAC). It seems with SELinux first unix permissions are checked and then the RBAC permissions and only if both pass does the user (any user) get access. This is not encryption but root's access is restricted which is the goal rather than having it encrypted!? I guess you could apply both rbacs and encryption - do let us know what worked!


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    croo wrote: »
    This is not encryption but root's access is restricted which is the goal rather than having it encrypted!? I guess you could apply both rbacs and encryption - do let us know what worked!

    Beautiful. This could be just the ticket. I'm on ubuntu so its equivalent is AppArmor. I'll see if it can provide that functionality.

    Hmmm. Now that I think about it, it would allow the root user to alter the RBAC for my home directory.

    d31b0y wrote: »
    How powerful is the box? The only way that comes to mind is setup a virtual machine that is just for you. But then when you log in would someone still be able to read the virtual HDD...

    The box is powerful enough to run a small VM alright. I'd rather avoid it, but it's probably the only secure solution. If the virtual HDD is encrypted, that would effectively prevent anyone from looking at it.


  • Moderators, Technology & Internet Moderators Posts: 1,336 Mod ✭✭✭✭croo


    Khannie wrote: »
    Hmmm. Now that I think about it, it would allow the root user to alter the RBAC for my home directory.

    It wouldn't seem like much of a security enhancement if it did!

    I have to say I used SElinux on Centos for a bit and it caused me a lot of headaches. It was a development box so maybe that was part of the issue. But when I had problems with DB or web servers it invariably came back to the SELinux so eventually I just disabled it! :)


  • Registered Users, Registered Users 2 Posts: 1,093 ✭✭✭KAGY


    Hi Khannie,
    have you looked at TrueCrypt? http://www.truecrypt.org/. It decrypts on the fly. From their docs page:
    Note that TrueCrypt never saves any decrypted data to a disk – it only stores them temporarily in RAM (memory). Even when the volume is mounted, data stored in the volume is still encrypted

    I'm just researching this at the moment as I'm having trouble trying to encrypt a (non-sudo) existing home directory with eCryptfs so looking at other options. Haven't tried it yet, but this thread came up in my search while doing the initial look-see and thought it might be of interest to you.


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    This one might be of interest

    https://code.google.com/p/zulucrypt/


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    KAGY wrote: »
    Hi Khannie,
    have you looked at TrueCrypt? http://www.truecrypt.org/. It decrypts on the fly.

    Thanks. Yep, I have done and do use it. It's a nice piece of kit alright, but it doesn't overcome the problem of the mount being visible to anyone with root while you're looking at your files.


  • Registered Users, Registered Users 2 Posts: 91 ✭✭madhatter76


    try permissions on the encrypted folder

    chmod -R 700 folder

    However, root usually still has access to all files, so then use chattr:
    man chattr

    You can protect a file even from root (not deliberate action, but accidental, anyway) by using

    chattr +i filename.ext
    That is "change attributes add immutable". To remove the protection:

    chattr -i filename.ext

    have a look at man chattr for more info


  • Registered Users, Registered Users 2 Posts: 1,606 ✭✭✭djmarkus


    The only possible theoretical solution is a filesystem that is tied to your TTY, which is harder for another user to get access to, but not impossible.


  • Registered Users, Registered Users 2 Posts: 5,238 ✭✭✭humbert


    Some outside the box thinking here; how about pushing the 'bold person' down a flight of stairs?


  • Registered Users, Registered Users 2 Posts: 2,028 ✭✭✭d31b0y


    humbert wrote: »
    Some outside the box thinking here; how about pushing the 'bold person' down a flight of stairs?

    I guarantee that khannie is only trying to hide his porn stash.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    d31b0y wrote: »
    I guarantee that khannie is only trying to hide his porn stash.

    <.<

    >.>


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    djmarkus wrote: »
    The only possible theoretical solution is a filesystem that is tied to your TTY, which is harder for another user to get access to, but not impossible.

    I'm intrigued. How would you tie a filesystem to your TTY?


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    Khannie wrote: »
    I'm intrigued. How would you tie a filesystem to your TTY?

    Shoelaces?

    :D:D


  • Registered Users, Registered Users 2 Posts: 6,285 ✭✭✭bonzodog2




  • Registered Users, Registered Users 2 Posts: 9,605 ✭✭✭gctest50


    BSD jails might help to do what you want ?

