Re: How could I install ecryptfs-utils on Buster
- Date: Thu, 11 Apr 2019 15:51:40 +0200
- From: Pierre Fourès <pierre.foures@xxxxxxxxx>
- Subject: Re: How could I install ecryptfs-utils on Buster
Le jeu. 11 avr. 2019 à 02:52, David Christensen
<dpchrist@xxxxxxxxxxxxxxxx> a écrit :
> On 4/10/19 1:32 AM, Pierre Fourès wrote:
> > Le ven. 5 avr. 2019 à 22:08, David Christensen
> > <dpchrist@xxxxxxxxxxxxxxxx> a écrit :
> >> AFAIK dm-crypt is the canonical disc encryption technology on Linux (see
> >> crypttab(5) and cryptsetup(8)). I like the fact that it operates at the
> >> device level, so everything on an encrypted disc or partition is
> >> automatically and inescapably encrypted. File system level encryption,
> >> such as ecryptfs(7), might make sense for cloud directories or
> >> sneaker-net media. I use ccrypt(1) for individual files, but vim(1) has
> >> an encrypted mode that is very appealing for certain use-cases.
> > Indeed, I've planned to give a serious look at it, especially to
> > encrypt the disks of the servers we rent in remote data-centers, but I
> > haven't took the time yet for it. And when occurred the requirement to
> > crypt the virtual machines, I found ecryptfs an easier thing to set
> > up.
> > I also found ecryptfs a better fit for my requirements.
> > Indeed, I like the fact that I, as an administrator, am not able to
> > access the files of "my" users. I encrypt their home folder then set
> > the requirement to change the password on their first login (with
> > 'chage -d 0 $user'), might it be their physical desktops or their
> > virtual instances. Thus I'm sure I won't ever be able to look into
> > their files without them allowing me. This is known of everybody. This
> > is a double edged sword. They have to take full responsibility to
> > backup somewhere their files as I can't help them if anything goes
> > wrong (and if anything goes wrong I just provide them a new physical
> > or virtual instance and wipe the problematic one), and at the same
> > time it is relieving me from the possibility to be able to see
> > everything everywhere. In a previous company, as not being the system
> > administrator, I never liked this fact that somebody could access all
> > files behind all user's backs. I recall one who did that to an user to
> > look into their personal files (which shouldn't had be there in the
> > first place, admittedly) and I really disliked the « God mode »
> > situation offered to system administrators. Now that I administer the
> > desktops, I went really concerned to lower, by design, my scope of
> > abilities. I didn't want to rely on my will power and my word of mouth
> > about this situation. I wanted it to be established by design.
> > Ciphering user's space with ecryptfs allows me to lock me out very
> > nicely and easily from this possibility. I haven't found this to be
> > possible with dm-crypt in an easy and user-friendly way.
> > Nonetheless, if it's possible to achieve such objective with dm-crypt,
> > I would really appreciate some pointers about how to do it.
> How about enfs, gocryptfs, and/or libpam-mount?
> 2019-04-10 17:48:09 dpchrist@po ~
> $ apt-cache search fuse encrypt
> afflib-tools - Advanced Forensics Format Library (utilities)
> camo - SSL/TLS image proxy to prevent mixed-content warnings
> encfs - encrypted virtual filesystem
> gocryptfs - Encrypted overlay filesystem written in Go.
> libpam-mount - PAM module that can mount volumes for a user session
Thanks David for the pointers.
I gave a look at them and this open viables alternatives to ecryptfs,
would I require to go away from it doesn't get reintegrated in Debian.
This drove me to gave a look to see if ecryptfs is still actively
maintained and it seems to be the case as the last commit dates from
2019-02-16 . The package is also announced in  as heavily used
in Ubuntu, ChromeOS and several NAS products, so I hope the bug will
get fixed. If it doesn't, to what I saw in , gocryptfs seems really
promising, however I find it still a little young for this kind of
subject (2015 for it first release). As I plan to configure dm-crypt
for our servers, I will first dig deeper on the libpam-mount
opportunity. This could make a good fit to satisfy all my use-cases
while only using the same base ciphering tool. So for now, I will keep
ecryptfs running on the desktops in the next following months and will
first start to setup full disk encryption on the servers, then will I
look back to what to do with the desktops.