Re: [gentoo-user] Encryption questions
I use encfs (see github.com/vgough/encfs) It's in the portage tree. Here is my private Readme # Neither .Secret nor Secret should contain data before creation !!! # CREATION (only once) e.g. encfs -i 10 --ondemand --extpass=x11-ssh-askpass `pwd`/.Secret `pwd`/Secret or more simply in an XTerm encfs `pwd`/.Secret `pwd`/Secret # USAGE encfs [-i idle[minutes]] [--ondemand] --extpass=x11-ssh-askpass FS> e.g. encfs -i 10 --ondemand --extpass=x11-ssh-askpass ~/.Secret ~/Secret or more simply in an XTerm : (>>> always use the full path of both folders) encfs ~/.Secret ~/Secret = After Usage = fusermount -u ~/Secret If you shut down the machine you don't need to do fusermount -u. BackUP : ~/.Secret and remember password (e.g. using app-admin/keepassxc) Important Note : ENCFS does not hide the length and modification date/time of a file If that matter you can archive several file in a tar-file before encryption.
Re: [gentoo-user] Encryption questions
Dale wrote: > > I may get on youtube and see if I can find some videos on this so I can > see it actually working. Maybe find a couple different setups. I'm > sure someone has done at least one. lol > > OK. I found a video. It explains it pretty well. I learned a lot. Here is a linky. https://www.youtube.com/watch?v=823k8Qk47T0 One thing I like, I can understand the guy and he doesn't have some silly music playing that makes it hard to hear. Some people just make things to fancy to the point it is useless. Anyway. I got a general idea of it. Basically, I'd have to encrypt it on the puter itself but also make sure any backups are encrypted as well. I also see that it does its thing 'on the fly' as some call it. It doesn't require you to tell it to decrypt something, wait a while for it to do it, then be able to use it. It does it as you access it. When done, close it and it's secure again. That muddy water clears up a bit. ;-) I plan to watch a few more, when I find some I can hear well and understand. lol Oh, I also found this: app-crypt/veracrypt It seems to be a GUI interface for this. May find a video on that too. Still, I'd like to have both command line and GUI tho. One never knows about these things. Dale :-) :-)
Re: [gentoo-user] Encryption questions
On Mon, 10 Dec 2018 09:21:38 -0700, Grant Taylor wrote: > > It sounds like ecryptfs would suit your needs best. As it works on > > directories, you don't need separate mount points for each encrypted > > directory. > > The last time I looked at eCryptFS it /did/ need mount points for > accessing the unencrypted contents. But you don't need to dedicate an > entire file system to the encryption. Sorry, poor choice of words. I really meant separate filesystems. Of course each mounted ecrypts directory needs a mount point! -- Neil Bothwick deja vous - the act of forgetting someone's name /again/ despite being introduced to them several times. pgpcgTlO613TJ.pgp Description: OpenPGP digital signature
Re: [gentoo-user] Encryption questions
On 12/10/2018 02:25 AM, Neil Bothwick wrote: It sounds like ecryptfs would suit your needs best. As it works on directories, you don't need separate mount points for each encrypted directory. The last time I looked at eCryptFS it /did/ need mount points for accessing the unencrypted contents. But you don't need to dedicate an entire file system to the encryption. I.e. /home/user/.precious is mounted on /home/user/precious So /home/user/precious is a mount point, but is not backed by an independent file system per say. Contents in /home/user/precious will be clear text while the contents of /home/user/.precious will be encrypted. -- Grant. . . . unix || die
Re: [gentoo-user] Encryption questions
On Monday, 10 December 2018 09:25:58 GMT Neil Bothwick wrote: > On Sun, 9 Dec 2018 23:15:21 -0600, Dale wrote: > > Well, I thought it may be simpler. Since I've never tried encryption > > before, I don't know first hand how it works or what it takes to use the > > files. I've read where people password protect their mobo, bootloader > > and their entire storage system. Basically, without the proper > > passwords, you can't boot the system or access it from another system > > either. That is overkill for me for sure. If anything, I'm on the > > other end of the scale. I just want a directory, which could be a mount > > point, that is encrypted. Knowing what tool is best may help be figure > > out whether it is a mount point, a regular directory or what. I've read > > where some whole file systems can be encrypted or it can be done on a > > directory level. I'm not sure what works the best tho. > > It sounds like ecryptfs would suit your needs best. As it works on > directories, you don't need separate mount points for each encrypted > directory. ISTR there is a PAM module to unlock your ecryptfs directories > when you log into your desktop (it needs a password login not > auto-login). > > As already mentioned you can backup the encrypted files so your backups > are automatically secure. One point about ecryptfs is increases the size > of each file by a fixed amount. This doesn't matter with larger files but > if you have a directory full of smaller files, like a mail client cache, > there may be a noticeable increase in disk usage. > > Encrypting the whole filesystem may be more convenient as it means you > don't have to worry about what is encrypted and what is not, but you > would need to back up to an encrypted drive. > > Neither method will protect you from remote access while you are logged > in as the encrypted files will be unlocked. Another thing to mention is filesystem encryption. I don't know if ext4 encryption is mature enough for production implementations, but this was added to the kernel a few years now. sys-fs/e2fsprogs includes e4crypt which can be used to encrypt directories and files, each one secured with a different encryption key, and each encryption key protected (encrypted) with a master key in your keyring. So even if one file's encryption key is cracked, the rest of the encrypted files should be secure. BTW, if we're talking about a few files which are not being accessed frequently, it may be worth considering the use of symmetric encryption using a passphrase (gpg, or openssl). This would require no additional configuration, overlay fs, keyrings, etc., thus making it simpler to use and transport. However, the file names themselves won't be encrypted using this method, which may or may not be important depending on your use case. -- Regards, Mick signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Encryption questions
On Sun, 9 Dec 2018 23:15:21 -0600, Dale wrote: > Well, I thought it may be simpler. Since I've never tried encryption > before, I don't know first hand how it works or what it takes to use the > files. I've read where people password protect their mobo, bootloader > and their entire storage system. Basically, without the proper > passwords, you can't boot the system or access it from another system > either. That is overkill for me for sure. If anything, I'm on the > other end of the scale. I just want a directory, which could be a mount > point, that is encrypted. Knowing what tool is best may help be figure > out whether it is a mount point, a regular directory or what. I've read > where some whole file systems can be encrypted or it can be done on a > directory level. I'm not sure what works the best tho. It sounds like ecryptfs would suit your needs best. As it works on directories, you don't need separate mount points for each encrypted directory. ISTR there is a PAM module to unlock your ecryptfs directories when you log into your desktop (it needs a password login not auto-login). As already mentioned you can backup the encrypted files so your backups are automatically secure. One point about ecryptfs is increases the size of each file by a fixed amount. This doesn't matter with larger files but if you have a directory full of smaller files, like a mail client cache, there may be a noticeable increase in disk usage. Encrypting the whole filesystem may be more convenient as it means you don't have to worry about what is encrypted and what is not, but you would need to back up to an encrypted drive. Neither method will protect you from remote access while you are logged in as the encrypted files will be unlocked. -- Neil Bothwick If a man is standing in the middle of the forest speaking and there is no woman around to hear him - Is he still wrong? pgpm7OUdUYKbP.pgp Description: OpenPGP digital signature
Re: [gentoo-user] Encryption questions
On Monday, December 10, 2018 12:46:07 AM CET Dale wrote: > Howdy, > > As some may know, I'm making some changes and upgrades to my puter. One > thing I'm considering, encryption of a select directory/mount point/file > system. One thought I have, create a mount point named say "Encrypted" > and put anything I don't want widely seen or hacked in that directory. > That would likely be on it's own partition or LVM setup. I would likely > keep other things open. Example, I may have /home on a partition of > it's own but then have the encrypted directory mounted on > /home/dale/Desktop/Encrypted. I could even let that be my Documents > directory as well. I'm not to worried about browser history etc. Plus, > I could log into KDE and not have to access the encrypted stuff if it is > not needed. I don't need encryption to check the weather. lol > > How I do that isn't a big deal really. My main question is this. If I > go to the trouble of doing this, would I be *really* protected? Is > there a easily used encryption tool that isn't easily hacked? Also, > when I login, I'd like to be able to type in password etc and it be > available from that point on, unless I do something to lock it up > again. Reason, I may even put some of my videos on that. I watch TV > from that a lot. > > Also, how hard would it be to do the same to my backups, since having a > open set of backups would render the encrypted part just available > elsewhere? > > While I get some of how encryption works, I don't keep up with it on a > weekly or even monthly basis. I just see the occasional articles on > it. I'd rather ask and get input from someone who uses and/or is more > familiar with this. In other words, if it is worthless and someone > knows it is, then let me know. If one tool is better/easier/etc than > another, I'd like to know that as well. I have not read the full thread, but missed mention of a few things, so here is my take on the whole thing: - Full disk encryption is only necessary if the machine runs the risk of being stolen. (physical access) - Encryption will not protect against remote hacks as the OS can access the files when the storage is decrypted - When using encryption, ensure swap is encrypted as well as there is always a risk the encryption keys can be stored on swap Personally, I don't encrypt my desktop as the physical security of my house is adequate. My laptop uses full disk encryption, only the boot-partition is not encrypted. The decryption key is password-encrypted and stored inside the kernel image. For clarity, my disk layout on laptop is as follows: physical disk - partition - LUKS-encryption - LVM - . (The rest is the same as what you have) -- Joost
Re: [gentoo-user] Encryption questions
On 12/9/18 10:15 PM, Dale wrote: Well, I don't really think I need to encrypt the entire /home mount point. To me, that would be overkill. Of course, that may be easier. I would like to have certain directories that I can store things in that is encrypted. For example, I have some financial and medical stuff that I wouldn't want just anyone to get a hold of if for example my puter was stolen or hacked. Fair enough. Well, I thought it may be simpler. Since I've never tried encryption before, I don't know first hand how it works or what it takes to use the files. I've read where people password protect their mobo, bootloader and their entire storage system. Basically, without the proper passwords, you can't boot the system or access it from another system either. That is overkill for me for sure. If anything, I'm on the other end of the scale. I just want a directory, which could be a mount point, that is encrypted. Knowing what tool is best may help be figure out whether it is a mount point, a regular directory or what. I've read where some whole file systems can be encrypted or it can be done on a directory level. I'm not sure what works the best tho. I'm starting to think that something like eCryptFS would be a good candidate for you. I have /boot and / on their own partition. Everything else is on LVM. I did that because it is easier to boot. While I have a init thingy, it's just enough to mount /usr. That's it. I don't like having a init thingy at all tho. I've had trouble with them in the past that left me with a unbootable system and no way to fix it since I don't really get them. It's one of those things that hasn't hit me yet, even after years of it. ACK True but I don't want it to get in my way to much. I'd like to be able to login into KDE without worrying if the password works or not. Once inside KDE and I need to access something encrypted, then I can deal with the password. ACK Let's say I encrypt the directory or mount point that contains both video and some financial/medical info in it. When I click to access it, it asks for a password. Once it does that, I'd like to be able to use that until I either logout of KDE or I tell it to lock it back up. That way I can watch TV for hours without interruption to type in a password. However, if I need to run to town, I can logout of the encrypted part and leave knowing it's secure. Make sense?? Yes. Interesting. I've read that twice. May read that a couple more times. Letting that soak in a bit. That sounds like something I could use tho. It seems it would do just what I want. :-) Question. Let's say I encrypt /home entirely as a partition of LVM group. When I login to KDE for example, how does that work? I already have to type in a password to login into KDE. Would that work for both or would it ask for a second password? Or would it ask even earlier than that? I don't know what KDE has built in support for. I think that modern desktop environments do have some integral support for some encryption. I've just never used it and don't know about it. I may get on youtube and see if I can find some videos on this so I can see it actually working. Maybe find a couple different setups. I'm sure someone has done at least one. lol That's probably not a bad idea. Just be careful and review multiple sources as well as getting a reasonable understanding of what they are doing. Keep in mind, my backups are a simple rsync to a external USB drive. I don't use fancy software. Usually I backup my videos and such once a day depending on what I've done that day. I may switch to a external SATA drive at some point which may make it even easier. Right now I use a script, if it even deserves to be called that, to do the backups. That sounds like it would be best used in conjunction with eCryptFS. You would rsync the underlay directory like normal (it will show files and directories with encrypted names). You would just want to exclude the overlay directory from the backup as that's the unencrypted view. Mostly a common crook who just may have some puter skills. Wouldn't mind grinning at the likes of a NSA twerp with far to much nose. :-D Fair enough. It sounds like you want reasonable protection for your files. But you won't loose any sleep if you make the three letter agencies actually have to work a bit to get to your files, even if it just delays what may be possible. (I don't know. But it would at least slow them down.)
Re: [gentoo-user] Encryption questions
Grant Taylor wrote: > On 12/9/18 4:46 PM, Dale wrote: >> Howdy, > > Hi, > >> As some may know, I'm making some changes and upgrades to my puter. >> One thing I'm considering, encryption of a select directory/mount >> point/file system. > > Please elaborate on a hypothetical setup that you would like. > > It might be worth starting with your current directory tree and > calling out things you would like to see encrypted. Well, I don't really think I need to encrypt the entire /home mount point. To me, that would be overkill. Of course, that may be easier. I would like to have certain directories that I can store things in that is encrypted. For example, I have some financial and medical stuff that I wouldn't want just anyone to get a hold of if for example my puter was stolen or hacked. > >> One thought I have, create a mount point named say "Encrypted" and >> put anything I don't want widely seen or hacked in that directory. > > I understand why you are doing it. But I feel like having "Encrypted" > in the name is like painting a target on it. True. I used that as a example mostly. > >> That would likely be on it's own partition or LVM setup. > > Depending on how you do things, it might be possible to have your > encryption in the same LVM configuration. Or possibly a separate LVM > configuration that has multiple logical volumes in it used by > different mount points. > >> I would likely keep other things open. > > What is your reason for keeping other things open? > > Or, asked another way, why not use full disk encryption? Or at least > encrypt the entire volume group? That way you don't need to worry > about what is and is not encrypted. Well, I thought it may be simpler. Since I've never tried encryption before, I don't know first hand how it works or what it takes to use the files. I've read where people password protect their mobo, bootloader and their entire storage system. Basically, without the proper passwords, you can't boot the system or access it from another system either. That is overkill for me for sure. If anything, I'm on the other end of the scale. I just want a directory, which could be a mount point, that is encrypted. Knowing what tool is best may help be figure out whether it is a mount point, a regular directory or what. I've read where some whole file systems can be encrypted or it can be done on a directory level. I'm not sure what works the best tho. > >> Example, I may have /home on a partition of it's own but then have >> the encrypted directory mounted on /home/dale/Desktop/Encrypted. I >> could even let that be my Documents directory as well. I'm not to >> worried about browser history etc. Plus, I could log into KDE and >> not have to access the encrypted stuff if it is not needed. I don't >> need encryption to check the weather. lol > > Since we're talking about LVM, please clarify if /home is it's own > partition outside of LVM or if /home is it's own Logical Volume inside > of LVM. It makes a difference. I have /boot and / on their own partition. Everything else is on LVM. I did that because it is easier to boot. While I have a init thingy, it's just enough to mount /usr. That's it. I don't like having a init thingy at all tho. I've had trouble with them in the past that left me with a unbootable system and no way to fix it since I don't really get them. It's one of those things that hasn't hit me yet, even after years of it. > > I strongly believe that you should not feel like you have to change > your use case to use technology, encryption in this case. Rather the > computer should change what it does so that what you have been doing > and will continue to do is now encrypted. True but I don't want it to get in my way to much. I'd like to be able to login into KDE without worrying if the password works or not. Once inside KDE and I need to access something encrypted, then I can deal with the password. > >> How I do that isn't a big deal really. My main question is this. If >> I go to the trouble of doing this, would I be *really* protected? > > It depends. > >> Is there a easily used encryption tool that isn't easily hacked? > > I believe so. > >> Also, when I login, I'd like to be able to type in password etc and >> it be available from that point on, unless I do something to lock it >> up again. > > Are you implying that you want the encryption system to remember the > password and unlock files as necessary? Or are you wanting to enter > the password into something that uses it then and there to unlock > things until you lock them back up? > > That's an important distinction. Let's say I encrypt the directory or mount point that contains both video and some financial/medical info in it. When I click to access it, it asks for a password. Once it does that, I'd like to be able to use that until I either logout of KDE or I tell it to lock it back up. That way I can watch TV for hours without interruption to
Re: [gentoo-user] Encryption questions
On 12/9/18 4:46 PM, Dale wrote: Howdy, Hi, As some may know, I'm making some changes and upgrades to my puter. One thing I'm considering, encryption of a select directory/mount point/file system. Please elaborate on a hypothetical setup that you would like. It might be worth starting with your current directory tree and calling out things you would like to see encrypted. One thought I have, create a mount point named say "Encrypted" and put anything I don't want widely seen or hacked in that directory. I understand why you are doing it. But I feel like having "Encrypted" in the name is like painting a target on it. That would likely be on it's own partition or LVM setup. Depending on how you do things, it might be possible to have your encryption in the same LVM configuration. Or possibly a separate LVM configuration that has multiple logical volumes in it used by different mount points. I would likely keep other things open. What is your reason for keeping other things open? Or, asked another way, why not use full disk encryption? Or at least encrypt the entire volume group? That way you don't need to worry about what is and is not encrypted. Example, I may have /home on a partition of it's own but then have the encrypted directory mounted on /home/dale/Desktop/Encrypted. I could even let that be my Documents directory as well. I'm not to worried about browser history etc. Plus, I could log into KDE and not have to access the encrypted stuff if it is not needed. I don't need encryption to check the weather. lol Since we're talking about LVM, please clarify if /home is it's own partition outside of LVM or if /home is it's own Logical Volume inside of LVM. It makes a difference. I strongly believe that you should not feel like you have to change your use case to use technology, encryption in this case. Rather the computer should change what it does so that what you have been doing and will continue to do is now encrypted. How I do that isn't a big deal really. My main question is this. If I go to the trouble of doing this, would I be *really* protected? It depends. Is there a easily used encryption tool that isn't easily hacked? I believe so. Also, when I login, I'd like to be able to type in password etc and it be available from that point on, unless I do something to lock it up again. Are you implying that you want the encryption system to remember the password and unlock files as necessary? Or are you wanting to enter the password into something that uses it then and there to unlock things until you lock them back up? That's an important distinction. I have done a fair bit with LUKS, also LUKS and LVM. LUKS works by unlocking the encrypted block device and creating another virtual block device that is the unencrypted interface. It's trivial to put a file system on top of a LUKS device. So, my use case was to unlock a LUKS device and mount the file system that sits on top of it. Then anything on the system (with proper file system permissions) could access the files therein. Then when I was done, I would unmount the file system and lock (close) the encrypted device. I have also dabbled with eCryptFS, which applies encryption as an overlay. So when you access encrypted files through the overlay, they would be read from the unencrypted on the fly. Writing to the files to the unencrypted overlay would encrypt the files and write them to the underlay. Depending on the configuration, it's not possible to see the names of the files (or directories), much less actually read them from the encrypted underlay. Reason, I may even put some of my videos on that. I watch TV from that a lot. Okay. Also, how hard would it be to do the same to my backups, since having a open set of backups would render the encrypted part just available elsewhere? Backups are another thing entirely. Things like LUKS will usually not translate to encryption with backups, because the backups see the mounted file system. Things like eCryptFS can work with encrypted backups, because they can work with the underlay file system that holds the encrypted files while ignoring the unencrypted overlay. There are also other possibilities of encrypting backups that are completely independent of the files that are being backed up. Sort of like a big encrypted tape drive or backing up files to a LUKS file system that is subsequently unmounted & locked. While I get some of how encryption works, I don't keep up with it on a weekly or even monthly basis. I just see the occasional articles on it. I'd rather ask and get input from someone who uses and/or is more familiar with this. In other words, if it is worthless and someone knows it is, then let me know. If one tool is better/easier/etc than another, I'd like to know that as well. I don't think encryption is worthless. I encrypt many of my emails and sign most
[gentoo-user] Encryption questions
Howdy, As some may know, I'm making some changes and upgrades to my puter. One thing I'm considering, encryption of a select directory/mount point/file system. One thought I have, create a mount point named say "Encrypted" and put anything I don't want widely seen or hacked in that directory. That would likely be on it's own partition or LVM setup. I would likely keep other things open. Example, I may have /home on a partition of it's own but then have the encrypted directory mounted on /home/dale/Desktop/Encrypted. I could even let that be my Documents directory as well. I'm not to worried about browser history etc. Plus, I could log into KDE and not have to access the encrypted stuff if it is not needed. I don't need encryption to check the weather. lol How I do that isn't a big deal really. My main question is this. If I go to the trouble of doing this, would I be *really* protected? Is there a easily used encryption tool that isn't easily hacked? Also, when I login, I'd like to be able to type in password etc and it be available from that point on, unless I do something to lock it up again. Reason, I may even put some of my videos on that. I watch TV from that a lot. Also, how hard would it be to do the same to my backups, since having a open set of backups would render the encrypted part just available elsewhere? While I get some of how encryption works, I don't keep up with it on a weekly or even monthly basis. I just see the occasional articles on it. I'd rather ask and get input from someone who uses and/or is more familiar with this. In other words, if it is worthless and someone knows it is, then let me know. If one tool is better/easier/etc than another, I'd like to know that as well. Thanks. Dale :-) :-)
