On Monday, 10 December 2018 09:25:58 GMT Neil Bothwick wrote: > On Sun, 9 Dec 2018 23:15:21 -0600, Dale wrote: > > Well, I thought it may be simpler. Since I've never tried encryption > > before, I don't know first hand how it works or what it takes to use the > > files. I've read where people password protect their mobo, bootloader > > and their entire storage system. Basically, without the proper > > passwords, you can't boot the system or access it from another system > > either. That is overkill for me for sure. If anything, I'm on the > > other end of the scale. I just want a directory, which could be a mount > > point, that is encrypted. Knowing what tool is best may help be figure > > out whether it is a mount point, a regular directory or what. I've read > > where some whole file systems can be encrypted or it can be done on a > > directory level. I'm not sure what works the best tho. > > It sounds like ecryptfs would suit your needs best. As it works on > directories, you don't need separate mount points for each encrypted > directory. ISTR there is a PAM module to unlock your ecryptfs directories > when you log into your desktop (it needs a password login not > auto-login). > > As already mentioned you can backup the encrypted files so your backups > are automatically secure. One point about ecryptfs is increases the size > of each file by a fixed amount. This doesn't matter with larger files but > if you have a directory full of smaller files, like a mail client cache, > there may be a noticeable increase in disk usage. > > Encrypting the whole filesystem may be more convenient as it means you > don't have to worry about what is encrypted and what is not, but you > would need to back up to an encrypted drive. > > Neither method will protect you from remote access while you are logged > in as the encrypted files will be unlocked.
Another thing to mention is filesystem encryption. I don't know if ext4 encryption is mature enough for production implementations, but this was added to the kernel a few years now. sys-fs/e2fsprogs includes e4crypt which can be used to encrypt directories and files, each one secured with a different encryption key, and each encryption key protected (encrypted) with a master key in your keyring. So even if one file's encryption key is cracked, the rest of the encrypted files should be secure. BTW, if we're talking about a few files which are not being accessed frequently, it may be worth considering the use of symmetric encryption using a passphrase (gpg, or openssl). This would require no additional configuration, overlay fs, keyrings, etc., thus making it simpler to use and transport. However, the file names themselves won't be encrypted using this method, which may or may not be important depending on your use case. -- Regards, Mick
signature.asc
Description: This is a digitally signed message part.

