| 1 |
On Monday, 10 December 2018 09:25:58 GMT Neil Bothwick wrote: |
| 2 |
> On Sun, 9 Dec 2018 23:15:21 -0600, Dale wrote: |
| 3 |
> > Well, I thought it may be simpler. Since I've never tried encryption |
| 4 |
> > before, I don't know first hand how it works or what it takes to use the |
| 5 |
> > files. I've read where people password protect their mobo, bootloader |
| 6 |
> > and their entire storage system. Basically, without the proper |
| 7 |
> > passwords, you can't boot the system or access it from another system |
| 8 |
> > either. That is overkill for me for sure. If anything, I'm on the |
| 9 |
> > other end of the scale. I just want a directory, which could be a mount |
| 10 |
> > point, that is encrypted. Knowing what tool is best may help be figure |
| 11 |
> > out whether it is a mount point, a regular directory or what. I've read |
| 12 |
> > where some whole file systems can be encrypted or it can be done on a |
| 13 |
> > directory level. I'm not sure what works the best tho. |
| 14 |
> |
| 15 |
> It sounds like ecryptfs would suit your needs best. As it works on |
| 16 |
> directories, you don't need separate mount points for each encrypted |
| 17 |
> directory. ISTR there is a PAM module to unlock your ecryptfs directories |
| 18 |
> when you log into your desktop (it needs a password login not |
| 19 |
> auto-login). |
| 20 |
> |
| 21 |
> As already mentioned you can backup the encrypted files so your backups |
| 22 |
> are automatically secure. One point about ecryptfs is increases the size |
| 23 |
> of each file by a fixed amount. This doesn't matter with larger files but |
| 24 |
> if you have a directory full of smaller files, like a mail client cache, |
| 25 |
> there may be a noticeable increase in disk usage. |
| 26 |
> |
| 27 |
> Encrypting the whole filesystem may be more convenient as it means you |
| 28 |
> don't have to worry about what is encrypted and what is not, but you |
| 29 |
> would need to back up to an encrypted drive. |
| 30 |
> |
| 31 |
> Neither method will protect you from remote access while you are logged |
| 32 |
> in as the encrypted files will be unlocked. |
| 33 |
|
| 34 |
Another thing to mention is filesystem encryption. I don't know if ext4 |
| 35 |
encryption is mature enough for production implementations, but this was added |
| 36 |
to the kernel a few years now. sys-fs/e2fsprogs includes e4crypt which can be |
| 37 |
used to encrypt directories and files, each one secured with a different |
| 38 |
encryption key, and each encryption key protected (encrypted) with a master |
| 39 |
key in your keyring. So even if one file's encryption key is cracked, the |
| 40 |
rest of the encrypted files should be secure. |
| 41 |
|
| 42 |
BTW, if we're talking about a few files which are not being accessed |
| 43 |
frequently, it may be worth considering the use of symmetric encryption using |
| 44 |
a passphrase (gpg, or openssl). This would require no additional |
| 45 |
configuration, overlay fs, keyrings, etc., thus making it simpler to use and |
| 46 |
transport. However, the file names themselves won't be encrypted using this |
| 47 |
method, which may or may not be important depending on your use case. |
| 48 |
|
| 49 |
-- |
| 50 |
Regards, |
| 51 |
Mick |
Archives