Re: How could I install ecryptfs-utils on Buster
- Date: Thu, 11 Apr 2019 20:56:04 -0700
- From: David Christensen <dpchrist@xxxxxxxxxxxxxxxx>
- Subject: Re: How could I install ecryptfs-utils on Buster
On 4/11/19 6:51 AM, Pierre Fourès wrote:
> On Thu, 11 Apr 2019 at 02:52, David Christensen
> <dpchrist@xxxxxxxxxxxxxxxx> wrote:
>> How about encfs, gocryptfs, and/or libpam-mount?
>>
>> 2019-04-10 17:48:09 dpchrist@po ~
>> $ apt-cache search fuse encrypt
>> afflib-tools - Advanced Forensics Format Library (utilities)
>> camo - SSL/TLS image proxy to prevent mixed-content warnings
>> encfs - encrypted virtual filesystem
>> gocryptfs - Encrypted overlay filesystem written in Go.
>> libpam-mount - PAM module that can mount volumes for a user session
>
> Thanks David for the pointers.
>
> I had a look at them and this opens viable alternatives to ecryptfs,
> should I be required to move away from it if it doesn't get
> reintegrated in Debian. This drove me to have a look to see if ecryptfs
> is still actively maintained, and it seems to be the case as the last
> commit dates from 2019-02-16 . The package is also announced in  as
> heavily used in Ubuntu, ChromeOS and several NAS products, so I hope
> the bug will get fixed. If it doesn't, from what I saw in , gocryptfs
> seems really promising; however, I find it still a little young for
> this kind of subject (2015 for its first release). As I plan to
> configure dm-crypt for our servers, I will first dig deeper into the
> libpam-mount opportunity. This could make a good fit to satisfy all my
> use-cases while only using the same base ciphering tool. So for now, I
> will keep ecryptfs running on the desktops over the following months
> and will first start to set up full disk encryption on the servers,
> then I will look back at what to do with the desktops.

Understand that each encryption solution -- dm-crypt, encfs, etc. --
provides protection against some limited threat; I have not found one
that works for all use-cases.

dm-crypt is designed to protect encrypted discs when they are at rest
(cold) -- e.g. the computer is stolen while powered down, the encrypted
disc has been removed from a computer, etc. Once a dm-crypt disc is
decrypted and operating, the system sees a mapped device node (which
will typically contain a plaintext file system). Traditional Unix
permissions apply -- e.g. root can see everything, other users can see
whatever their UIDs/GIDs allow per file and directory ownership, mode,
extended attributes, etc.

If I remember encfs correctly, encfs is designed to provide exclusive
access to the user who mounts an encrypted folder -- no other user,
including root, can see the plaintext.
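
An added example, not part of the original message: a small audit helper that lists which mounted file systems currently sit on an open dm-crypt mapping, i.e. where at-rest protection no longer applies and only Unix permissions stand between users and the plaintext. It assumes input in the form produced by `lsblk -J -o NAME,TYPE,MOUNTPOINT`; the device names and the sample tree are constructed.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output:
# sda2 is a LUKS partition that is currently unlocked (it has a "crypt" child),
# sdb1 is an encrypted partition that is still locked (no mapping exists).
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "sda2_crypt", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}]}]}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": null}]}
]}
"""


def exposed_mounts(node, mapping=None):
    """Yield (mapping, mountpoint) for each mount stacked on an open dm-crypt mapping."""
    if node.get("type") == "crypt":
        # lsblk reports an unlocked dm-crypt device with TYPE "crypt".
        mapping = node["name"]
    if mapping and node.get("mountpoint"):
        yield mapping, node["mountpoint"]
    for child in node.get("children", []):
        # Anything below the mapping (LVM volumes, partitions) is plaintext too.
        yield from exposed_mounts(child, mapping)


def report(lsblk_json):
    """Return a sorted list of (mapping, mountpoint) pairs from lsblk JSON text."""
    tree = json.loads(lsblk_json)
    found = []
    for dev in tree["blockdevices"]:
        found.extend(exposed_mounts(dev))
    return sorted(found)


if __name__ == "__main__":
    for mapping, mnt in report(SAMPLE_LSBLK):
        print(f"{mapping}: plaintext visible at {mnt} (Unix permissions only)")
```

On a live system the same function can be fed the real command output instead of the constructed sample.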