On Monday, 10 December 2018 09:25:58 GMT Neil Bothwick wrote:
> On Sun, 9 Dec 2018 23:15:21 -0600, Dale wrote:
> > Well, I thought it may be simpler. Since I've never tried encryption
> > before, I don't know first hand how it works or what it takes to use the
> > files. I've read where people password protect their mobo, bootloader
> > and their entire storage system. Basically, without the proper
> > passwords, you can't boot the system or access it from another system
> > either. That is overkill for me for sure. If anything, I'm on the
> > other end of the scale. I just want a directory, which could be a mount
> > point, that is encrypted. Knowing what tool is best may help me figure
> > out whether it is a mount point, a regular directory or what. I've read
> > where some whole file systems can be encrypted or it can be done on a
> > directory level. I'm not sure what works the best tho.
>
> It sounds like ecryptfs would suit your needs best. As it works on
> directories, you don't need separate mount points for each encrypted
> directory. ISTR there is a PAM module to unlock your ecryptfs directories
> when you log into your desktop (it needs a password login, not
> auto-login).
>
> As already mentioned you can back up the encrypted files so your backups
> are automatically secure. One point about ecryptfs is that it increases the
> size of each file by a fixed amount. This doesn't matter with larger files
> but if you have a directory full of smaller files, like a mail client cache,
> there may be a noticeable increase in disk usage.
>
> Encrypting the whole filesystem may be more convenient as it means you
> don't have to worry about what is encrypted and what is not, but you
> would need to back up to an encrypted drive.
>
> Neither method will protect you from remote access while you are logged
> in as the encrypted files will be unlocked.

Another thing to mention is filesystem encryption. I don't know if ext4
encryption is mature enough for production implementations, but this was added
to the kernel a few years ago now. sys-fs/e2fsprogs includes e4crypt which can be
used to encrypt directories and files, each one secured with a different
encryption key, and each encryption key protected (encrypted) with a master
key in your keyring. So even if one file's encryption key is cracked, the
rest of the encrypted files should be secure.

BTW, if we're talking about a few files which are not being accessed
frequently, it may be worth considering the use of symmetric encryption using
a passphrase (gpg, or openssl). This would require no additional
configuration, overlay fs, keyrings, etc., thus making it simpler to use and
transport. However, the file names themselves won't be encrypted using this
method, which may or may not be important depending on your use case.

-- 
Regards,
Mick
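The key hierarchy Mick describes for ext4/e4crypt (one master key in the keyring, a separate key per file, each file key stored wrapped under the master key) is the property that limits the damage of a single cracked file key. The following is an added illustration of that design, not code from the thread, from e2fsprogs or from the kernel: it uses only the Python standard library, so the cipher is a stand-in (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) rather than ext4's real AES-based on-disk format, and the `EncryptedDir` class, its method names and the in-memory "keyring" are all assumptions made for the example.

```python
"""Toy model of a per-file key hierarchy (added example, not ext4's format).

master key (in the user's keyring)
  └── wraps each random per-file key
        └── encrypts that one file's contents
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption and MAC keys derived from one key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stand-in for AES).
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered data raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class EncryptedDir:
    """Hypothetical directory: stores (wrapped file key, ciphertext) per name."""

    def __init__(self, master_key: bytes):
        # In the real system the master key lives in the kernel keyring,
        # not in the object holding the files.
        self._master = master_key
        self.files = {}

    def write(self, name: str, data: bytes) -> None:
        file_key = os.urandom(32)            # fresh key for this file only
        self.files[name] = (seal(self._master, file_key), seal(file_key, data))

    def read(self, name: str, master_key: bytes) -> bytes:
        wrapped, ct = self.files[name]
        return unseal(unseal(master_key, wrapped), ct)

    def read_with_file_key(self, name: str, file_key: bytes) -> bytes:
        # What someone holding a single recovered file key can do.
        return unseal(file_key, self.files[name][1])


def demo() -> tuple:
    """Show that one leaked file key opens that file and nothing else."""
    master = os.urandom(32)
    d = EncryptedDir(master)
    d.write("notes.txt", b"hello")            # constructed sample contents
    d.write("mail.mbox", b"private mail")
    leaked = unseal(master, d.files["notes.txt"][0])  # attacker got this key
    opens_own_file = d.read_with_file_key("notes.txt", leaked) == b"hello"
    try:
        d.read_with_file_key("mail.mbox", leaked)
        opens_other_file = True
    except ValueError:
        opens_other_file = False
    return opens_own_file, opens_other_file


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check that matters is the second element of `demo()`: the leaked key decrypts only the file it belongs to, which is exactly why a per-file key scheme is preferable to one shared key. Note the trade-off Neil raises still applies here: every file carries its nonce, tag and wrapped key, a fixed per-file overhead that is noticeable on a directory full of tiny files.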