Re: [gentoo-user] Re: [OT crypto] How to encrypt a directory without root?
On Thu, 14 Jan 2010 18:19:56 -0600, Harry Putnam wrote:

> > I wasn't thinking that at all. You use sshfs to mount the remote
> > directory locally, then mount that with encfs. All the remote host
> > needs is ssh.
>
> I'm not sure what is going wrong here, if neither of us is listening
> to the other or what... but I've stressed that I wanted a solution for
> when I could not access my home machine. Does your solution involve
> that?

No, I missed that part. Do you mean you cannot access the machine or you cannot load your normal OS because it is broken? In the latter case, a live CD/USB distro will help. If you mean no access to the computer at all and you're forced to use whatever is available, you have something of a problem as you can never know what will be available.

I used the method I mentioned, but I have more than one computer, so if one breaks I can use the other to get at the backups.

--
Neil Bothwick

A consultant is a person who borrows your watch, tells you what time it is, pockets the watch, and sends you a bill for it.
[gentoo-user] Re: [OT crypto] How to encrypt a directory without root?
Neil Bothwick writes:

> On Wed, 06 Jan 2010 15:27:32 -0600, Harry Putnam wrote:
>
>> > Then use rsync instead of tar, then you can mount the remote
>> > filesystem using sshfs and encfs to read individual files. It's a
>> > little slow as you are layering two FUSE filesystems, but quicker
>> > than downloading a complete tarball just to get at one file. I've
>> > used this method with an online backup service and it works.
>>
>> Neil seems to be thinking the remote has encfs on board... it does
>> not. Hence my original quest for a different encryption process,
>> (mcrypt)
>
> I wasn't thinking that at all. You use sshfs to mount the remote
> directory locally, then mount that with encfs. All the remote host needs
> is ssh.

I'm not sure what is going wrong here, if neither of us is listening to the other or what... but I've stressed that I wanted a solution for when I could not access my home machine. Does your solution involve that?

Expecting to work out encfs and sshfs/fuse etc on a session in the nearest kinkos, probably on machines running one or another version of windows, and further with no download or install options on said machine is not all that nifty of an approach.
Re: [gentoo-user] Re: [OT crypto] How to encrypt a directory without root?
On Wed, 06 Jan 2010 15:27:32 -0600, Harry Putnam wrote:

> > Then use rsync instead of tar, then you can mount the remote
> > filesystem using sshfs and encfs to read individual files. It's a
> > little slow as you are layering two FUSE filesystems, but quicker
> > than downloading a complete tarball just to get at one file. I've
> > used this method with an online backup service and it works.
>
> Neil seems to be thinking the remote has encfs on board... it does
> not. Hence my original quest for a different encryption process,
> (mcrypt)

I wasn't thinking that at all. You use sshfs to mount the remote directory locally, then mount that with encfs. All the remote host needs is ssh.

--
Neil Bothwick

At any event, the people whose seats are furthest from the aisle arrive last.
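
The layering described in the message above (sshfs carries the ciphertext, encfs decrypts it on the local side only), as an added example that is not part of any message in the thread. The function name, `FETCH_BASE`, `DRY_RUN`, the mount points and the read-only sshfs mount are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fetch one file from an encfs-encrypted backup stored on a
# host that offers nothing but ssh. All names here are hypothetical.
# With DRY_RUN=1 the commands are printed instead of executed.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fetch_from_backup USER@HOST:DIR RELATIVE_FILE DEST
fetch_from_backup() {
    remote=$1 file=$2 dest=$3
    base=${FETCH_BASE:-$HOME/mnt}   # encfs wants absolute paths
    cipher=$base/cipher             # ciphertext tree, as stored on the remote
    plain=$base/plain               # decrypted view, exists only locally

    # Only a relative path inside the decrypted view is accepted.
    case $file in
        /*|..|../*|*/..|*/../*)
            echo "refusing path: $file" >&2
            return 2 ;;
    esac

    run mkdir -p "$cipher" "$plain" || return 1
    # Layer 1: remote directory over ssh, read-only so the backup
    # cannot be altered by accident while it is mounted.
    run sshfs "$remote" "$cipher" -o ro || return 1
    # Layer 2: encfs on top. The password prompt and the decryption happen
    # here; the remote only ever sees ciphertext and encrypted names.
    if run encfs "$cipher" "$plain"; then
        run cp -p "$plain/$file" "$dest"; rc=$?
        run fusermount -u "$plain"   # unmount in reverse order
    else
        rc=1
    fi
    run fusermount -u "$cipher"
    return $rc
}
```

Running it with `DRY_RUN=1` first shows the exact mount and unmount sequence before anything touches the remote.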
[gentoo-user] Re: [OT crypto] How to encrypt a directory without root?
Neil Bothwick writes:

> On Tue, 05 Jan 2010 16:09:03 -0600, Harry Putnam wrote:
>
>> > Why not just tar up the underlying encfs partition? The data
>> > is already encrypted, what's the point of decrypting it to encrypt it
>> > again? That way you don't need to rely on any encryption software on
>> > the remote computer.
>>
>> I wanted the option of decrypting on the remote if need be... that is
>> if my home machine is not accessible for whatever reason.
>>
>> For example, if I wanted a forgotten password laying in a text file
>> but encfs encrypted and on the remote. When for one or another reason
>> I cannot get it from the home machine.
>>
>> In your scenario, I'd need access to both home machine and remote at
>> the same time to first get the blob of encrypted data off the remote
>> and then to decrypt it on home.
>
> Then use rsync instead of tar, then you can mount the remote filesystem
> using sshfs and encfs to read individual files. It's a little slow as you
> are layering two FUSE filesystems, but quicker than downloading a
> complete tarball just to get at one file. I've used this method with an
> online backup service and it works.

Neil seems to be thinking the remote has encfs on board... it does not. Hence my original quest for a different encryption process, (mcrypt)

And both Felix' and Neil's solutions seem to require access to the home computer or root on the remote. Or at least access to a machine with encfs on board.

Also, understand that the encrypted data is quite small... Not talking a huge tarball at all.

  du -sh ~/myencrypteddata
  7.4M    myencrypteddata

That is uncompressed.

So is it still a bad idea to unencrypt from encfs, recrypt in mcrypt and ssh or rsync the result to the remote? With something this size all of that should happen in a few seconds right?

And this way, I'd be able to decrypt the thing on the remote; find what I need and delete the unencrypted data leaving only the encrypted.

It does sound like a lot of huffing and puffing so am interested to hear other ways. I haven't tried it yet at all.

I guess another part of my question is will an mcrypted file setting on an internet host (that can be hacked and has been at least once since I've been involved (5yrs)), be of interest and easy enough to crack (not the host but the file itself) that it would be likely a hacker would try?

Once again this is not super secretive stuff, like murder or such... and even banking info could only lead to a matter of mid 4 digit amounts at most. Nasty but not life threatening or bankruptcy material and it's unlikely at best that all accounts would be drained before I caught a sniff of it.

But still, once my trove of passwords and certain banking info was lost, it would be a real pita to clean up.

---- ---=--- -

| A side note to forestall answers involving the owner of the host
| machine being asked to do whatever:
|
| That fellow is quite security conscious and far as I know has had
| only the one hack on some 8-9 or so online machines over at least
| 10 yrs. (Not a bad record... since he was at one time a target
| to unprincipled hackers in linux community, who also had accounts
| on his hosts... so the attack was from inside so to speak)
|
| So there won't be much I can suggest that he either doesn't know
| about or hasn't already tried.
Re: [gentoo-user] Re: [OT crypto] How to encrypt a directory without root?
On Tue, Jan 05, 2010 at 04:09:03PM -0600, Harry Putnam wrote:

> For example, if I wanted a forgotten password laying in a text file
> but encfs encrypted and on the remote. When for one or another reason
> I cannot get it from the home machine.

I hate saying something when I don't know the full circumstances, but here is how I do mine, and how I have recovered data from the backup.

I mount the plaintext with this command (actual details have been changed because I do it in a shell script which does other things):

    encfs ~/.encrypted ~/.plaintext

~/.encrypted is the encrypted dir, ~/.plaintext is what I look at when I want to see the plaintext. I have various symlinks elsewhere which point into ~/.plaintext.

When I backup this data, I only backup ~/.encrypted. In fact, since backup is done as a part of root's nightly backup, and root cannot look into ~/.plaintext, ~/.encrypted is all that can be backupped (did I just invent a new verb? :-).

Now once I lost a file which I knew existed in the backup. All I had to do was

1. As root, mount the backup, in this case as /mnt/backup.

2. As myself, mount as usual but change the names:

    encfs /mnt/backup/home/felix/.encrypted ~/tmp/plaintext

3. Copy the file as plaintext:

    cp -p ~/tmp/plaintext/path/to/file ~/.plaintext/path/to/file

Of course, if you backup as yourself, the root step is easily adjusted to yourself.

It's been so long since I set this up that I do not remember the details. There's a kernel module, maybe dm-crypt. You probably have to enable something in the kernel config. But once done, it's easy as pi and just as tasty, and I really like the fact that root cannot get access to the plaintext. For some reason, that just tinkles me pink.

--
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & rocket surgeon / fe...@crowfix.com
GPG = E987 4493 C860 246C 3B1E 6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o
Re: [gentoo-user] Re: [OT crypto] How to encrypt a directory without root?
On Tue, 05 Jan 2010 16:09:03 -0600, Harry Putnam wrote:

> > Why not just tar up the underlying encfs partition? The data
> > is already encrypted, what's the point of decrypting it to encrypt it
> > again? That way you don't need to rely on any encryption software on
> > the remote computer.
>
> I wanted the option of decrypting on the remote if need be... that is
> if my home machine is not accessible for whatever reason.
>
> For example, if I wanted a forgotten password laying in a text file
> but encfs encrypted and on the remote. When for one or another reason
> I cannot get it from the home machine.
>
> In your scenario, I'd need access to both home machine and remote at
> the same time to first get the blob of encrypted data off the remote
> and then to decrypt it on home.

Then use rsync instead of tar, then you can mount the remote filesystem using sshfs and encfs to read individual files. It's a little slow as you are layering two FUSE filesystems, but quicker than downloading a complete tarball just to get at one file. I've used this method with an online backup service and it works.

--
Neil Bothwick

3 things happen as you age: 1) Your memory goes; 2) uh..um
[gentoo-user] Re: [OT crypto] How to encrypt a directory without root?
Neil Bothwick writes:

> On Sat, 02 Jan 2010 22:12:29 -0600, Harry Putnam wrote:
>
>> I have an encfs encrypted partition on my home machine.. However I want
>> a back up offsite.
>>
>> The encrypted partition would be mounted, the contents tarred/gzipped,
>> mcrypt'ed on home machine then scp'ed to the remote for offsite
>> storage once a week or so, overwriting each time.
>
> Why not just tar up the underlying encfs partition? The data is already
> encrypted, what's the point of decrypting it to encrypt it again? That
> way you don't need to rely on any encryption software on the remote
> computer.

I wanted the option of decrypting on the remote if need be... that is if my home machine is not accessible for whatever reason.

For example, if I wanted a forgotten password laying in a text file but encfs encrypted and on the remote. When for one or another reason I cannot get it from the home machine.

In your scenario, I'd need access to both home machine and remote at the same time to first get the blob of encrypted data off the remote and then to decrypt it on home.

Or am I missing some easy solution?

I've been having a troublesome freeze up on the home machine and not making much progress in debugging it. Of course the remedy is to fix whatever is causing it but for now, when it happens the machine cannot be accessed from keyboard, or by ssh. It requires a full (hard) reboot to get it going again.

If I happen to be away from home when that happened, I'd want access to a backup on the remote... but it would need to be decrypted to be of any use.
Re: [gentoo-user] Re: [OT crypto] How to encrypt a directory without root?
On Sun, Jan 03, 2010 at 10:30:03AM +, Neil Bothwick wrote:

> On Sat, 02 Jan 2010 22:12:29 -0600, Harry Putnam wrote:
>
> > I have an encfs encrypted partition on my home machine.. However I want
> > a back up offsite.
> >
> > The encrypted partition would be mounted, the contents tarred/gzipped,
> > mcrypt'ed on home machine then scp'ed to the remote for offsite
> > storage once a week or so, overwriting each time.
>
> Why not just tar up the underlying encfs partition? The data is already
> encrypted, what's the point of decrypting it to encrypt it again? That
> way you don't need to rely on any encryption software on the remote
> computer.

Exactly. I have recovered files from an encrypted partition, and all I have is the backup of the encrypted data. I repeat the normal mount procedure on the encrypted backup, recover my file, and umount it.

--
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & rocket surgeon / fe...@crowfix.com
GPG = E987 4493 C860 246C 3B1E 6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o
Re: [gentoo-user] Re: [OT crypto] How to encrypt a directory without root?
On Sat, 02 Jan 2010 22:12:29 -0600, Harry Putnam wrote:

> I have an encfs encrypted partition on my home machine.. However I want
> a back up offsite.
>
> The encrypted partition would be mounted, the contents tarred/gzipped,
> mcrypt'ed on home machine then scp'ed to the remote for offsite
> storage once a week or so, overwriting each time.

Why not just tar up the underlying encfs partition? The data is already encrypted, what's the point of decrypting it to encrypt it again? That way you don't need to rely on any encryption software on the remote computer.

--
Neil Bothwick

Puns are bad, but poetry is verse...
[gentoo-user] Re: [OT crypto] How to encrypt a directory without root?
Neil Bothwick writes:

> On Fri, 01 Jan 2010 12:32:07 -0600, Harry Putnam wrote:
>
>> I want to encrypt a directory hierarchy on a remote machine where I
>> don't have root. I can use either an openbsd, or gentoo remote.
>
> Provided the kernel has ecrypt support and the userspace utilities are
> installed, you can use ecrypt to encrypt a directory as an ordinary user.

I just discovered the remote where I want to do this has mcrypt on board so thinking tar first to get around any directory problems and then mcrypt.

I haven't actually tried it yet but anyone know if that is a non-starter.

What I'm actually thinking of doing:

I have an encfs encrypted partition on my home machine.. However I want a back up offsite.

The encrypted partition would be mounted, the contents tarred/gzipped, mcrypt'ed on home machine then scp'ed to the remote for offsite storage once a week or so, overwriting each time.

The remote also has mcrypt so in a pinch I hope to be able to unencrypt there (on the remote) if need be.. (Home machine becomes unusable or cannot be accessed for one reason or another)

There is some sensitive stuff in there. But not black helicopter caliber.

I guess I'm asking; if the remote were hacked for some reason, would my mcrypted tarball be an easy target?

I'm pretty confident the encfs partition on home machine is fairly safe, even if the host is compromised... (I mean assuming this isn't CIA operatives ...) They'd have first to get my user passwd... (root cannot access the encfs files but I guess with root you could just reset the user passwd..). And then the encfs partition password (which cannot be reset without knowing the current passwd).