On 12/9/18 4:46 PM, Dale wrote:
Howdy,
Hi,
As some may know, I'm making some changes and upgrades to my puter.
One thing I'm considering, encryption of a select directory/mount
point/file system.
Please elaborate on a hypothetical setup that you would like.
It might be worth starting with your current directory tree and calling
out things you would like to see encrypted.
One thought I have, create a mount point named say "Encrypted" and put
anything I don't want widely seen or hacked in that directory.
I understand why you are doing it. But I feel like having "Encrypted"
in the name is like painting a target on it.
That would likely be on it's own partition or LVM setup.
Depending on how you do things, it might be possible to have your
encryption in the same LVM configuration. Or possibly a separate LVM
configuration that has multiple logical volumes in it used by different
mount points.
I would likely keep other things open.
What is your reason for keeping other things open?
Or, asked another way, why not use full disk encryption? Or at least
encrypt the entire volume group? That way you don't need to worry about
what is and is not encrypted.
Example, I may have /home on a partition of it's own but then have the
encrypted directory mounted on /home/dale/Desktop/Encrypted. I could
even let that be my Documents directory as well. I'm not to worried
about browser history etc. Plus, I could log into KDE and not have to
access the encrypted stuff if it is not needed. I don't need encryption
to check the weather. lol
Since we're talking about LVM, please clarify if /home is it's own
partition outside of LVM or if /home is it's own Logical Volume inside
of LVM. It makes a difference.
I strongly believe that you should not feel like you have to change your
use case to use technology, encryption in this case. Rather the
computer should change what it does so that what you have been doing and
will continue to do is now encrypted.
How I do that isn't a big deal really. My main question is this. If I
go to the trouble of doing this, would I be *really* protected?
It depends.
Is there a easily used encryption tool that isn't easily hacked?
I believe so.
Also, when I login, I'd like to be able to type in password etc and it be
available from that point on, unless I do something to lock it up again.
Are you implying that you want the encryption system to remember the
password and unlock files as necessary? Or are you wanting to enter the
password into something that uses it then and there to unlock things
until you lock them back up?
That's an important distinction.
I have done a fair bit with LUKS, also LUKS and LVM.
LUKS works by unlocking the encrypted block device and creating another
virtual block device that is the unencrypted interface. It's trivial to
put a file system on top of a LUKS device.
So, my use case was to unlock a LUKS device and mount the file system
that sits on top of it. Then anything on the system (with proper file
system permissions) could access the files therein. Then when I was
done, I would unmount the file system and lock (close) the encrypted device.
I have also dabbled with eCryptFS, which applies encryption as an
overlay. So when you access encrypted files through the overlay, they
would be read from the unencrypted on the fly. Writing to the files to
the unencrypted overlay would encrypt the files and write them to the
underlay.
Depending on the configuration, it's not possible to see the names of
the files (or directories), much less actually read them from the
encrypted underlay.
Reason, I may even put some of my videos on that. I watch TV from that
a lot.
Okay.
Also, how hard would it be to do the same to my backups, since having
a open set of backups would render the encrypted part just available
elsewhere?
Backups are another thing entirely. Things like LUKS will usually not
translate to encryption with backups, because the backups see the
mounted file system. Things like eCryptFS can work with encrypted
backups, because they can work with the underlay file system that holds
the encrypted files while ignoring the unencrypted overlay.
There are also other possibilities of encrypting backups that are
completely independent of the files that are being backed up. Sort of
like a big encrypted tape drive or backing up files to a LUKS file
system that is subsequently unmounted & locked.
While I get some of how encryption works, I don't keep up with it on a
weekly or even monthly basis. I just see the occasional articles on it.
I'd rather ask and get input from someone who uses and/or is more familiar
with this. In other words, if it is worthless and someone knows it is,
then let me know. If one tool is better/easier/etc than another, I'd
like to know that as well.
I don't think encryption is worthless. I encrypt many of my emails and
sign most others. I also have a LUKS encrypted file system on my VPS.
It really depends on what your goal is and what you're trying to protect
from / against.
--
Grant. . . .
unix || die