Encrypting and decrypting directories under Linux

Dennis Lambe Jr. malsyned at cif.rochester.edu
Sat Dec 27 12:43:12 CET 2003


On Sat, 2003-12-27 at 08:38, Bartek Matosiuk wrote:
> I'd like to ask the question: is it possible to encrypt and decrypt 
> whole directories under Linux using GnuPG? I'm right now working on the 
> idea of securing users' home directories using some existing encryption 
> method. PGP keys look like an interesting method to me but I don't know 
> if my idea can be physically performed.

From whom are you trying to secure the directories?

If you're trying to secure one user's home directory from another, file
permissions are the easiest way to go, and work fine if you keep up with
security patches.

If you're trying to secure the entire /home tree from a remote attacker,
close all unnecessary ports, install a firewall, and keep up with
security patches.

If you're trying to secure the entire /home tree from an intruder with
physical access to the machine room, your best bet (though not foolproof
if the computer has any physical Human Interface devices) is to use
Linux's crypto functionality to encrypt the entire volume /home is
mounted on using a symmetric cypher.  This will make the hard drive, if
removed from the machine, useless.  On the other hand, it will require
that you type in a password to mount /home.

If you're trying to secure users' data from someone with superuser
access, then instructing your users to protect their sensitive data with
some symmetric cypher (using GPG's symmetric encryption capabilities if
you like) will accomplish that.

GPG is a public key encryption program that allows one person to encrypt
data so that another person, and only that person, can decrypt it.  It
is rarely the best solution when a single person wishes to protect his
own data from someone else (except when it is used as a convenient
implementation of popular symmetric cyphers with the -c switch).

--D
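
The -c (symmetric) use of GPG mentioned in the message, applied to a whole directory by archiving it with tar first. This is an added example, not part of the original post; it assumes GnuPG 2.1 or later and tar, and the function names and the passphrase-on-fd-3 convention are the example's own.

```shell
#!/bin/sh
# Added example: archive a directory and encrypt it with gpg's symmetric mode.
# Assumes GnuPG 2.1+ (for --pinentry-mode loopback) and tar. The function
# names and the "passphrase on file descriptor 3" convention are this
# example's own; interactively, drop the three passphrase options and gpg
# will prompt instead.

# encrypt_dir DIR OUTFILE   (passphrase read from fd 3)
encrypt_dir() {
    dir=$1 out=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # umask 077 keeps the output file private. Without --yes, gpg in batch
    # mode refuses to overwrite an existing OUTFILE.
    ( umask 077
      tar -C "$(dirname "$dir")" -cf - "$(basename "$dir")" |
        gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
            --symmetric --cipher-algo AES256 --output "$out" )
}

# decrypt_dir INFILE DESTDIR   (passphrase read from fd 3)
decrypt_dir() {
    in=$1 dest=$2
    ( umask 077
      mkdir -p "$dest" || exit 1
      tmp=$(mktemp "$dest/.plain.XXXXXX") || exit 1
      # Decrypt to a temporary file first. A wrong passphrase or a failed
      # integrity check shows up only in gpg's exit status, so nothing is
      # unpacked until that status is known.
      if gpg --batch --quiet --yes --pinentry-mode loopback --passphrase-fd 3 \
             --output "$tmp" --decrypt "$in"; then
          tar -C "$dest" -xf "$tmp"; rc=$?
      else
          rc=1
      fi
      rm -f "$tmp"
      exit "$rc" )
}
```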

More information about the Gnupg-users mailing list