Re: How could I install ecryptfs-utils on Buster

On 4/11/19 6:51 AM, Pierre Fourès wrote:
On Thu, 11 Apr 2019 at 02:52, David Christensen
<dpchrist@xxxxxxxxxxxxxxxx> wrote:
How about enfs, gocryptfs, and/or libpam-mount?

2019-04-10 17:48:09 dpchrist@po ~
$ apt-cache search fuse encrypt
afflib-tools - Advanced Forensics Format Library (utilities)
camo - SSL/TLS image proxy to prevent mixed-content warnings
encfs - encrypted virtual filesystem
gocryptfs - Encrypted overlay filesystem written in Go.
libpam-mount - PAM module that can mount volumes for a user session

Thanks David for the pointers.

I had a look at them, and they open up viable alternatives to ecryptfs,
should I need to move away from it if it doesn't get reintegrated in
Debian. This drove me to check whether ecryptfs is still actively
maintained, and it seems to be the case, as the last commit dates from
2019-02-16 [1]. The package is also announced in [2] as heavily used
in Ubuntu, ChromeOS and several NAS products, so I hope the bug will
get fixed. If it doesn't, from what I saw in [3], gocryptfs seems really
promising; however, I find it still a little young for this kind of
subject (2015 for its first release). As I plan to configure dm-crypt
for our servers, I will first dig deeper into the libpam-mount
opportunity. This could be a good fit to satisfy all my use-cases
while only using the same base ciphering tool. So for now, I will keep
ecryptfs running on the desktops in the following months and will
first start to set up full disk encryption on the servers, and then
look back at what to do with the desktops.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs.git/log/fs/ecryptfs?h=next
[2] http://ecryptfs.org/about.html
[3] https://nuetzlich.net/gocryptfs/comparison/

Understand that each encryption solution -- dm-crypt, encfs, etc. -- provides protection against some limited threat; I have not found one that works for all use-cases.

dm-crypt is designed to protect encrypted discs when they are at rest (cold) -- e.g. the computer is stolen while powered down, the encrypted disc has been removed from a computer, etc. Once a dm-crypt disc is decrypted and operating, the system sees a mapped device node (which will typically contain a plaintext file system). Traditional Unix permissions apply -- e.g. root can see everything, other users can see whatever their UIDs/GIDs allow per file and directory ownership, mode, extended attributes, etc.

If I remember encfs correctly, encfs is designed to provide exclusive access to the user who mounts an encrypted folder -- no other user, including root, can see the plaintext.
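The difference David describes (a dm-crypt volume is plaintext to every UID the Unix permissions allow once it is unlocked, while a FUSE-based file system such as encfs or gocryptfs is normally visible only to the user who mounted it) can be read straight off /proc/mounts. The script below is an added example, not code from this thread or from any of the projects named in it: it parses the six-field /proc/mounts format over a constructed sample and tags each mount with who can read the plaintext while the mount is active. The sample lines, the mount points and the signatures in them are all made up; the `/dev/mapper/` test only shows that a device-mapper target backs the mount (LVM volumes live there too), so confirming dm-crypt on a real host means checking `cryptsetup status` or `dmsetup table`.

```python
"""Tag each mount in /proc/mounts with the plaintext exposure of its encryption layer.

Added example for the ecryptfs/dm-crypt/encfs discussion; not part of the
mailing-list thread or of any of the named projects.  Reads the
/proc/mounts format (device mountpoint fstype options dump pass).
"""
from dataclasses import dataclass


@dataclass
class MountExposure:
    mountpoint: str
    fstype: str
    layer: str      # "device-mapper", "fuse", "ecryptfs" or "none"
    exposure: str   # who can read plaintext while the mount is active
    note: str       # what protection the layer does and does not give


# Constructed sample of /proc/mounts lines; paths, UIDs and ecryptfs
# signatures are invented for the example, not captured from a real host.
SAMPLE_PROC_MOUNTS = """\
/dev/mapper/sda3_crypt / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /boot ext2 rw,relatime 0 0
encfs /home/alice/Private fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0
/home/bob/.vault /home/bob/vault fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1001,group_id=1001,allow_other 0 0
/home/carol/.Private /home/carol/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=0123456789abcdef,ecryptfs_sig=fedcba9876543210,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
"""


def parse_proc_mounts(text):
    """Yield (device, mountpoint, fstype, option-set) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:      # skip blank or truncated lines
            continue
        device, mountpoint, fstype, options = fields[:4]
        yield device, mountpoint, fstype, set(options.split(","))


def option_value(options, key, default="?"):
    """Return the value of a key=value mount option, or default if absent."""
    for opt in options:
        if opt.startswith(key + "="):
            return opt.split("=", 1)[1]
    return default


def classify(device, mountpoint, fstype, options):
    """Map one mount to the exposure model of the layer that backs it."""
    if device.startswith("/dev/mapper/"):
        # Device-mapper target: once unlocked, the mapped node holds a plain
        # file system and ordinary Unix permissions decide who reads what.
        return MountExposure(
            mountpoint, fstype, "device-mapper",
            "every UID allowed by file permissions; root sees everything",
            "protects the disc at rest only; /dev/mapper also holds LVM, "
            "so confirm dm-crypt with 'cryptsetup status'")
    if fstype.startswith("fuse."):
        # FUSE denies other users (root included) unless allow_other is set.
        uid = option_value(options, "user_id")
        if "allow_other" in options:
            return MountExposure(
                mountpoint, fstype, "fuse",
                f"any UID (allow_other set by uid {uid})",
                "allow_other removes the per-user barrier; file permissions remain")
        return MountExposure(
            mountpoint, fstype, "fuse",
            f"only uid {uid} (FUSE default)",
            "ciphertext directory is still subject to normal permissions")
    if fstype == "ecryptfs":
        # Kernel stacked file system; keys sit in the mounter's keyring but
        # the mounted directory is governed by ordinary permissions.
        return MountExposure(
            mountpoint, fstype, "ecryptfs",
            "every UID allowed by permissions on the mounted directory, root included",
            f"per-user key ecryptfs_sig={option_value(options, 'ecryptfs_sig')}; "
            "plaintext exists only while mounted")
    return MountExposure(
        mountpoint, fstype, "none",
        "every UID allowed by file permissions",
        "no encryption layer visible in /proc/mounts")


def audit(text):
    """Classify every mount in a /proc/mounts dump; returns a list of MountExposure."""
    return [classify(*fields) for fields in parse_proc_mounts(text)]


if __name__ == "__main__":
    for m in audit(SAMPLE_PROC_MOUNTS):
        print(f"{m.mountpoint:22} {m.layer:14} {m.exposure}\n{'':37}{m.note}")
```

On a live system, replace `SAMPLE_PROC_MOUNTS` with `open("/proc/mounts").read()`; the output lists, for each mounted encrypted volume, which principals can read the plaintext right now, which is the question David's message says each tool answers differently.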