Encrypting and decrypting directories under Linux

Bartek Matosiuk bartek at thenewline.com
Sun Dec 28 01:23:49 CET 2003


> Dennis Lambe Jr. wrote:
>
> > On Sat, 2003-12-27 at 08:38, Bartek Matosiuk wrote:
> >
> >>I'd like to ask the question: is it possible to encrypt and decrypt
> >>whole directories under Linux using GnuPG? I'm right now working on the
> >>idea of securing users' home directories using some existing encryption
> >>method. PGP keys look like an interesting method to me, but I don't know
> >>if my idea can be physically performed.
>
>
> > From whom are you trying to secure the directories?
>
> Good question, better advice, but two warnings are in order:
>
> > If you're trying to secure one user's home directory from another, file
> > permissions are the easiest way to go, and work fine if you keep up with
> > security patches.
> Assuming that the other user can not boot the computer from a floppy
> (CD, USB flash 'drive'...).
>
> > If you're trying to secure the entire /home tree from a remote attacker,
> > close all unnecessary ports, install a firewall, and keep up with
> > security patches.
> Assuming you have the necessary confidence that all those steps
> are correct, timely and complete. This is very difficult, even for
> an experienced sysadmin. Practically impossible for an average user.
>
> Roger K.

OK, sorry that I didn't make myself clear. I'm preparing a bootable CD
distribution of Linux. Let's not go into the details, but generally speaking
the user has the possibility to write data to the CD-RW that contains the
distribution. If the user's home directory is not encrypted, someone
might mount the disk under Linux and browse the home directory freely!

>If you're trying to secure the entire /home tree from an intruder with
>physical access to the machine room, your best bet (though not foolproof
>if the computer has any physical Human Interface devices) is to use
>Linux's crypto functionality to encrypt the entire volume /home is
>mounted on using a symmetric cypher.  This will make the hard drive, if
>removed from the machine, useless.  On the other hand, it will require
>that you type in a password to mount /home.

Dennis, your suggestion with crypt seems to fit my need, thanks a lot. Typing
only a password seems to be a better choice for the user than remembering his
private key :D.

Maybe someone got some other ideas, huh?

Bartek
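
[Added example, not part of the original thread: the GnuPG-only approach from the opening question, where a directory is archived with tar and the stream is encrypted with a passphrase (`gpg --symmetric`) instead of a PGP key pair. It assumes GnuPG 2.1 or later and GNU tar; the function names `encrypt_dir` and `decrypt_dir` and the passphrase-file argument are illustrative.]

```bash
#!/usr/bin/env bash
# Added example: directory -> tar stream -> gpg --symmetric, and back.
# Function names and the passphrase-file argument are illustrative.
set -euo pipefail   # pipefail: a gpg or tar failure fails the whole pipeline

# encrypt_dir SRC_DIR OUT_FILE PASSPHRASE_FILE
encrypt_dir() {
    local src=$1 out=$2 passfile=$3
    # gpg encrypts a single stream, so tar first flattens the tree
    # (names, modes, timestamps) into one; the archive itself is never
    # written to disk unencrypted.
    tar -C "$src" -cf - . |
        gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase-file "$passfile" \
            --symmetric --cipher-algo AES256 --output "$out"
}

# decrypt_dir IN_FILE DEST_DIR PASSPHRASE_FILE
decrypt_dir() {
    local in=$1 dest=$2 passfile=$3
    mkdir -p "$dest"
    # A wrong passphrase or a modified file makes gpg exit non-zero,
    # which pipefail turns into a non-zero status for the function.
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" --decrypt "$in" |
        tar -C "$dest" -xpf -
}
```

This protects the archive only: the source directory stays in plaintext until it is removed, and files are readable by anyone with access to the media while they are unpacked. The volume-level encryption suggested in the thread avoids that by keeping everything written to the filesystem encrypted.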




