Hi,
First, sorry for bugging you guys with questions. I am rather new, and I hope I can contribute later on with more experience.
Is there any way to encrypt parts of a drive? For example: I need to encrypt a specific home directory /home/confidentialuser/ but not the rest of the drive, is that possible?
Best regards,
Peter Lauri
http://www.dwsasia.com/ www.dwsasia.com - company web site
http://www.lauri.se/ www.lauri.se - personal web site
http://www.carbonfree.org.uk/ www.carbonfree.org.uk - become Carbon Free
On Monday 26 February 2007, Peter Lauri wrote:
Is there any way to encrypt parts of a drive? For example: I need to encrypt a specific home directory /home/confidentialuser/ but not the rest of the drive, is that possible?
Have you looked at permissions yet?
Setting the file permissions like this, chmod 700, will make the file available only to the owner and no one else.
linuxmaillists@charter.net wrote:
On Monday 26 February 2007, Peter Lauri wrote:
Is there any way to encrypt parts of a drive? For example: I need to encrypt a specific home directory /home/confidentialuser/ but not the rest of the drive, is that possible?
Have you looked at permissions yet?
Setting the file permissions like this, chmod 700, will make the file available only to the owner and no one else.
That doesn't help you at all if your drive gets stolen. Anyone with physical access can easily circumvent permissions in many ways. It's not that permissions are useless, just that they don't solve the same problems that encrypted drives/partitions/containers (attempt to) solve.
That would not give me what I want. This is because the machine should still be functional with correct permissions etc. I have confidential information that my customer owns, and due to my customer's policy I cannot take out the working machine from their premises unless I encrypt everything that has to do with the work I am doing for them.
Best regards, Peter Lauri
-----Original Message----- From: fedora-list-bounces@redhat.com [mailto:fedora-list-bounces@redhat.com] On Behalf Of linuxmaillists@charter.net Sent: Tuesday, February 27, 2007 12:48 AM To: For users of Fedora Subject: Re: Encrypt parts of drive?
On Monday 26 February 2007, Peter Lauri wrote:
Is there any way to encrypt parts of a drive? For example: I need to encrypt a specific home directory /home/confidentialuser/ but not the rest of the drive, is that possible?
Have you looked at permissions yet?
Setting the file permissions like this, chmod 700, will make the file available only to the owner and no one else.
Peter Lauri wrote:
First, sorry for bugging you guys with questions. I am rather new, and I hope I can contribute later on with more experience.
Promise? :)
Is there any way to encrypt parts of a drive? For example: I need to encrypt a specific home directory /home/confidentialuser/ but not the rest of the drive, is that possible?
One way to do this is via fuse-encfs (yum install fuse-encfs).
See the examples in the man page.
There are other ways as well, using dm-crypt to create an encrypted container. It's been a while since I played with any of them, so hopefully others can chime in with the pros and cons of various methods.
Hi,
How would this affect speed? I would only have my customer's data encrypted as well as my own working directory where I keep all cvs etc. System parts would be without encryption.
Best regards, Peter Lauri
-----Original Message----- From: fedora-list-bounces@redhat.com [mailto:fedora-list-bounces@redhat.com] On Behalf Of Todd Zullinger Sent: Tuesday, February 27, 2007 12:59 AM To: fedora-list@redhat.com Subject: Re: Encrypt parts of drive?
Peter Lauri wrote:
First, sorry for bugging you guys with questions. I am rather new, and I hope I can contribute later on with more experience.
Promise? :)
Is there any way to encrypt parts of a drive? For example: I need to encrypt a specific home directory /home/confidentialuser/ but not the rest of the drive, is that possible?
One way to do this is via fuse-encfs (yum install fuse-encfs).
See the examples in the man page.
There are other ways as well, using dm-crypt to create an encrypted container. It's been a while since I played with any of them, so hopefully others can chime in with the pros and cons of various methods.
On 2/27/07, Peter Lauri lists@dwsasia.com wrote:
How would this affect speed? I would only have my customer's data encrypted as well as my own working directory where I keep all cvs etc. System parts would be without encryption.
The access delay, if any, is hardly noticeable. I use fuse-encfs to store my financial data and revelation database and have not noticed any access speed issues. If you are encrypting your entire home directory using fuse-encfs, you will have to unlock before you login. I would recommend creating a secure folder within your home which you keep encrypted. Note that you have to lock/unlock your secure directory manually.
So if I forget to lock it and the computer is stolen then it is not encrypted? Is the lock/unlock part just for the system to be able to read from it?
Best regards, Peter Lauri
-----Original Message----- From: fedora-list-bounces@redhat.com [mailto:fedora-list-bounces@redhat.com] On Behalf Of Vivek J. Patankar Sent: Tuesday, February 27, 2007 6:43 AM To: For users of Fedora Subject: Re: Encrypt parts of drive?
On 2/27/07, Peter Lauri lists@dwsasia.com wrote:
How would this affect speed? I would only have my customer's data encrypted as well as my own working directory where I keep all cvs etc. System parts would be without encryption.
The access delay, if any, is hardly noticeable. I use fuse-encfs to store my financial data and revelation database and have not noticed any access speed issues. If you are encrypting your entire home directory using fuse-encfs, you will have to unlock before you login. I would recommend creating a secure folder within your home which you keep encrypted. Note that you have to lock/unlock your secure directory manually.
Peter Lauri wrote:
So if I forget to lock it and the computer is stolen then it is not encrypted? Is the lock/unlock part just for the system to be able to read from it?
If the laptop is shut down, the encrypted filesystem is automatically unmounted. I have made it a habit to unmount it manually as I don't /shutdown/ my laptop, I hibernate it.
A howto by Todd Warner is a good resource to read before starting with fuse-encfs. It'll clear the basics. http://www.dma.org/~tw/howtos/howto-fuse-encfs-the-web.html
Peter Lauri wrote:
How would this affect speed? I would only have my customer's data encrypted as well as my own working directory where I keep all cvs etc.
On most halfway decent/recent systems you won't notice much difference at all, but that's just my opinion. I'd say install encfs and give it a quick try to see if it seems reasonable to you. It's a fairly quick and simple thing to setup. :)
System parts would be without encryption.
You may consider encrypting your swap (or disabling swap entirely if you have lots of RAM). That way no confidential data should reach the disk in any usable form.
There was an article in a recent Red Hat magazine issue on disk encryption that may prove interesting to you:
http://www.redhatmagazine.com/2007/01/18/disk-encryption-in-fedora-past-pres...
HTH,
Thanks. I will read the article and go thru all parts with my manager so he can approve me taking out the laptop.
Best regards, Peter Lauri
-----Original Message----- From: fedora-list-bounces@redhat.com [mailto:fedora-list-bounces@redhat.com] On Behalf Of Todd Zullinger Sent: Tuesday, February 27, 2007 7:01 AM To: fedora-list@redhat.com Subject: Re: Encrypt parts of drive?
Peter Lauri wrote:
How would this affect speed? I would only have my customer's data encrypted as well as my own working directory where I keep all cvs etc.
On most halfway decent/recent systems you won't notice much difference at all, but that's just my opinion. I'd say install encfs and give it a quick try to see if it seems reasonable to you. It's a fairly quick and simple thing to setup. :)
System parts would be without encryption.
You may consider encrypting your swap (or disabling swap entirely if you have lots of RAM). That way no confidential data should reach the disk in any usable form.
There was an article in a recent Red Hat magazine issue on disk encryption that may prove interesting to you:
http://www.redhatmagazine.com/2007/01/18/disk-encryption-in-fedora-past-present-and-future/
HTH,
On Tue, 2007-02-27 at 07:08 +0200, Peter Lauri wrote:
Thanks. I will read the article and go thru all parts with my manager so he can approve me taking out the laptop.
Best regards, Peter Lauri
You don't happen to work for the V.A.? <g> Ric
On Tue, 2007-02-27 at 00:00 -0500, Todd Zullinger wrote:
You may consider encrypting your swap (or disabling swap entirely if you have lots of RAM). That way no confidential data should reach the disk in any usable form.
I imagine you'd also want to change how you use /tmp, as well. Perhaps using tmpfs (which'll use RAM instead of disc space).
Tim wrote:
On Tue, 2007-02-27 at 00:00 -0500, Todd Zullinger wrote:
You may consider encrypting your swap (or disabling swap entirely if you have lots of RAM). That way no confidential data should reach the disk in any usable form.
I imagine you'd also want to change how you use /tmp, as well. Perhaps using tmpfs (which'll use RAM instead of disc space).
Good point. (In theory you could also set TMPDIR to somewhere that's secured, but then you'd get burned by any apps that are hardwired to use /tmp. So tmpfs is a better option.)
Tim:
I imagine you'd also want to change how you use /tmp, as well. Perhaps using tmpfs (which'll use RAM instead of disc space).
Todd Zullinger:
Good point. (In theory you could also set TMPDIR to somewhere that's secured, but then you'd get burned by any apps that are hardwired to use /tmp. So tmpfs is a better option.)
Though that has its own problems. I notice that Nautilus wants to use /tmp to create disc burning image files, you'd have to wade through gconf to point that elsewhere, unless you had enough RAM to do that off-disc. I don't know about other programs that make large temporary files.
There's also a /var/tmp/ directory, but I've not seen anything make use of it. Though, again, you could mount it using tmpfs.
Tim wrote:
Tim:
I imagine you'd also want to change how you use /tmp, as well. Perhaps using tmpfs (which'll use RAM instead of disc space).
Todd Zullinger:
Good point. (In theory you could also set TMPDIR to somewhere that's secured, but then you'd get burned by any apps that are hardwired to use /tmp. So tmpfs is a better option.)
Though that has its own problems. I notice that Nautilus wants to use /tmp to create disc burning image files, you'd have to wade through gconf to point that elsewhere, unless you had enough RAM to do that off-disc. I don't know about other programs that make large temporary files.
There's also a /var/tmp/ directory, but I've not seen anything make use of it. Though, again, you could mount it using tmpfs.
There is a /usr/tmp that is a link to /var/tmp. I am not sure if it gets used either.
You can also set TMP to someplace useful. I am not sure how many programs pay attention to it. I know that with Mandriva, TMP pointed to a directory in the user's home directory, and most programs appeared to use it. A bunch of my scripts also check for TMP, and use it if it is set, or default to /tmp if it is not.
Mikkel
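Added example, not written by any poster in this thread: a shell check for the three leak paths the replies raise, namely swap that cannot be behind dm-crypt, /tmp and /var/tmp living on disk instead of tmpfs, and an encfs directory left unlocked. The sample /proc contents and the /home/confidentialuser/secure mount point are constructed for illustration.

```shell
#!/bin/sh
# Added example: list places where plaintext could still reach the disk.
# Each function reads /proc by default; pass a file path to run it on a sample.

# Swap areas not on a device-mapper device cannot be dm-crypt volumes.
# (A device-mapper name still needs checking, e.g. with `cryptsetup status`.)
swap_not_on_dm() {
    awk 'NR > 1 && $1 !~ /^\/dev\/(mapper\/|dm-)/ { print $1 }' "${1:-/proc/swaps}"
}

# Filesystem type mounted at directory $1 ("none" if it is not a mount point).
mount_fstype() {
    awk -v d="$1" '$2 == d { t = $3 } END { print (t == "" ? "none" : t) }' \
        "${2:-/proc/mounts}"
}

# Temporary directories that are not tmpfs and so are written to disk.
tmp_on_disk() {
    for d in /tmp /var/tmp; do
        [ "$(mount_fstype "$d" "$1")" = tmpfs ] || echo "$d"
    done
}

# encfs mount points that are still unlocked (mounted).
encfs_unlocked() {
    awk '$3 == "fuse.encfs" { print $2 }' "${1:-/proc/mounts}"
}

# Constructed sample data (not from a real machine), written into directory $1.
write_samples() {
    printf '%s\n' 'Filename Type Size Used Priority' \
        '/dev/sda2 partition 2048000 0 -1' \
        '/dev/mapper/cryptswap partition 1024000 0 -2' > "$1/swaps"
    printf '%s\n' '/dev/sda1 / ext3 rw 0 0' \
        'tmpfs /tmp tmpfs rw 0 0' \
        'encfs /home/confidentialuser/secure fuse.encfs rw,nosuid,nodev 0 0' \
        > "$1/mounts"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "swap not on device-mapper: $(swap_not_on_dm "$demo_dir/swaps")"
echo "temp dirs on disk:         $(tmp_on_disk "$demo_dir/mounts")"
echo "encfs still unlocked:      $(encfs_unlocked "$demo_dir/mounts")"
rm -rf "$demo_dir"
```

Called without arguments, the functions read the live /proc/swaps and /proc/mounts; empty output from all three means none of these leak paths was found.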