[gentoo-user] [OT crypto] How to encrypt a directory without root?

[gentoo-user] [OT crypto] How to encrypt a directory without root?

[Harry Putnam]

I want to encrypt a directory heirarchy on a remote machine where I
don't have root.  I can use either an openbsd, or gentoo remote.

Re: [gentoo-user] [OT crypto] How to encrypt a directory without root?

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 445 bytes --]

On Fri, 01 Jan 2010 12:32:07 -0600, Harry Putnam wrote:

> I want to encrypt a directory heirarchy on a remote machine where I
> don't have root.  I can use either an openbsd, or gentoo remote.

Provided the kernel has ecrypt support and the userspace utilities are
installed, you can use ecrypt to encrypt a directory as an ordinary user.


-- 
Neil Bothwick

Gigabyte: (n.) more than you can comprehend and less than you'll need.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] [OT crypto] How to encrypt a directory without root?

[Dirk Heinrichs]

Am Freitag 01 Januar 2010 19:32:07 schrieb Harry Putnam:

> I want to encrypt a directory heirarchy on a remote machine where I
> don't have root.  I can use either an openbsd, or gentoo remote.

Not having root access usually means no chance to mount something. That in 
turn means that you can only encrypt on a per file basis. The best tool for 
this would be GNU Privacy Guard (GPG).

HTH...

	Dirk

Re: [gentoo-user] [OT crypto] How to encrypt a directory without root?

[Ming-Che Lee]

Hi,

On Friday 01 January 2010 19:32:07 Harry Putnam wrote:
> I want to encrypt a directory heirarchy on a remote machine where
>  I don't have root.  I can use either an openbsd, or gentoo
>  remote.
> 

Maybe of some help:

http://www.linuxjournal.com/article/9880

Regards,

Ming-Che

Re: [gentoo-user] [OT crypto] How to encrypt a directory without root?

[Johannes Kimmel]

Harry Putnam wrote:
> I want to encrypt a directory heirarchy on a remote machine where I
> don't have root.  I can use either an openbsd, or gentoo remote.
>
>
>
>   
Encfs could also be interesting for you.

Johannes

Re: [gentoo-user] [OT crypto] How to encrypt a directory without root?

[felix]

On Fri, Jan 01, 2010 at 10:57:20PM +0100, Ming-Che Lee wrote:

> Maybe of some help:
> 
> http://www.linuxjournal.com/article/9880

Looks good to me -- I use some FUSE encryption setup which looks
similar, but it's been years since I set it up.  It wasn't hard.  It
has one decided quirk which I consider a feature -- root can read the
encrypted volume for backup but *cannot* access the plaintext volume.
Another quirk is that filenames are padded to multiples of some
configurable length before encryption; these are visible to root.  I
suppose root could even manipulate them, but I have never tried it.

I mount and umount it without root, but I think it required initial
root access to load a kernel module.  Now that happens automatically.
This may be a problem if you have no root access at all.

If you need more details, I suppose I can figure out what I did, but
that Linux Journal article looks pretty thorough.

-- 
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

[gentoo-user] Re: [OT crypto] How to encrypt a directory without root?

[Harry Putnam]

Neil Bothwick <neil@digimed.co.uk> writes:

> On Fri, 01 Jan 2010 12:32:07 -0600, Harry Putnam wrote:
>
>> I want to encrypt a directory heirarchy on a remote machine where I
>> don't have root.  I can use either an openbsd, or gentoo remote.
>
> Provided the kernel has ecrypt support and the userspace utilities are
> installed, you can use ecrypt to encrypt a directory as an ordinary user.

I just discovered the remote where I want to do this has mcrypt on
board so thinking tar first to get around any directory problems and
then mcrypt....  I haven't actually tried it yet but anyone know if
that is a non-starter.

What I'm actually thinking of doing:

I have an encfs encrpted partition on my home machine.. However I want
a back up offsite.   

The encrypted partition would be mounted, the contents tarred/gzipped,
mcrypt'ed on home machine then scp'ed to the remote for offsite
storage once a week or so, overwriting each time.

The remote also has mcrypt so in a pinch I hope to be able to
unencrypt there (on the remote) if need be.. (Home machine becomes
unusable or cannot be accessed for one reason or another)

There is some sensitive stuff in there.   But not black helicopter caliber.

I guess I'm asking; if the remote were hacked for some reason, would my
mcripted tarball be an easy target?

I'm pretty confident the encfs partition on home machine is fairly
safe, even if the host is compromised... (I mean assuming this isn't
CIA operatives ...)  They'd have first to get my user passwd... (root
cannot access the encfs files but I guess with root you could just
reset the user passwd..).  And then the encfs partition password
(which cannot be reset without knowing the current passwd.

Re: [gentoo-user] Re: [OT crypto] How to encrypt a directory without root?

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 647 bytes --]

On Sat, 02 Jan 2010 22:12:29 -0600, Harry Putnam wrote:

> I have an encfs encrpted partition on my home machine.. However I want
> a back up offsite.   
> 
> The encrypted partition would be mounted, the contents tarred/gzipped,
> mcrypt'ed on home machine then scp'ed to the remote for offsite
> storage once a week or so, overwriting each time.

Why not just tar up the underlying encfs partition? The data is already
encrypted, what's the point of decrypting it to encrypt it again? That
way you don't need to rely on any encryption software on the remote
computer.


-- 
Neil Bothwick

Puns are bad, but poetry is verse...

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] Re: [OT crypto] How to encrypt a directory without root?

[felix]

On Sun, Jan 03, 2010 at 10:30:03AM +0000, Neil Bothwick wrote:
> On Sat, 02 Jan 2010 22:12:29 -0600, Harry Putnam wrote:
> 
> > I have an encfs encrpted partition on my home machine.. However I want
> > a back up offsite.   
> > 
> > The encrypted partition would be mounted, the contents tarred/gzipped,
> > mcrypt'ed on home machine then scp'ed to the remote for offsite
> > storage once a week or so, overwriting each time.
> 
> Why not just tar up the underlying encfs partition? The data is already
> encrypted, what's the point of decrypting it to encrypt it again? That
> way you don't need to rely on any encryption software on the remote
> computer.

Exactly.  I have recovered files from an encrypted partition, and all
I have is the backup of the encrypted data.  I repeat the normal mount
procedure on the encrypted backup, recover my file, and umount it.

-- 
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

[gentoo-user] Re: [OT crypto] How to encrypt a directory without root?

[Harry Putnam]

Neil Bothwick <neil@digimed.co.uk> writes:

> On Sat, 02 Jan 2010 22:12:29 -0600, Harry Putnam wrote:
>
>> I have an encfs encrpted partition on my home machine.. However I want
>> a back up offsite.   
>> 
>> The encrypted partition would be mounted, the contents tarred/gzipped,
>> mcrypt'ed on home machine then scp'ed to the remote for offsite
>> storage once a week or so, overwriting each time.
>
> Why not just tar up the underlying encfs partition? The data is already
> encrypted, what's the point of decrypting it to encrypt it again? That
> way you don't need to rely on any encryption software on the remote
> computer.

I wanted the option of decrypting on the remote if need be... that is
if my home machine is not accessible for whatever reason.

For example, if I wanted a forgotten password laying in a text file
but encfs encrypted and on the remote.  When for one or another reason
I cannot get it from the home machine.

In your scenario, I'd need access to both home machine and remote at
the same time to first get the blob of encrypted data off the remote
and then to decrypt it on home.

Or am I missing some easy solution?

I've been having a troublesome freeze up on the home machine and not
making much progress in debugging it.

Of course the remedy is to fix whatever is causing it but for now,
when it happens the machine cannot be accessed from keyboard, or by
ssh.  It requires a full (hard) reboot to get it going again.

If I happen to be away from home when that happened, I'd want access
to a backup on the remote... but it would need to be decrypted to
be of any use.

Re: [gentoo-user] Re: [OT crypto] How to encrypt a directory without root?

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 1225 bytes --]

On Tue, 05 Jan 2010 16:09:03 -0600, Harry Putnam wrote:

> > Why not just tar up the underlying encfs partition? The data
> > is already encrypted, what's the point of decrypting it to encrypt it
> > again? That way you don't need to rely on any encryption software on
> > the remote computer.
> 
> I wanted the option of decrypting on the remote if need be... that is
> if my home machine is not accessible for whatever reason.
> 
> For example, if I wanted a forgotten password laying in a text file
> but encfs encrypted and on the remote.  When for one or another reason
> I cannot get it from the home machine.
> 
> In your scenario, I'd need access to both home machine and remote at
> the same time to first get the blob of encrypted data off the remote
> and then to decrypt it on home.

Then use rsync instead of tar, then you can mount the remote filesystem
using sshfs and encfs to read individual files. It's a little slow as you
are layering two FUSE filesystems, but quicker than downloading a
complete tarball just to get at one file. I've used this method with an
online backup service and it works.


-- 
Neil Bothwick

3 things happen as you age: 1) Your memory goes; 2) uh..um

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] Re: [OT crypto] How to encrypt a directory without root?

[felix]

On Tue, Jan 05, 2010 at 04:09:03PM -0600, Harry Putnam wrote:

> For example, if I wanted a forgotten password laying in a text file
> but encfs encrypted and on the remote.  When for one or another reason
> I cannot get it from the home machine.

I hate saying something when I don't know the full circumstances, but
here is how I do mine, and how I have recovered data from the backup.
I mount the plaintext with this command (actual details have been
changed because I do it in a shell script which does other things):

    encfs ~/.encrypted ~/.plaintext

~/.encrypted is the encrypted dir, ~/.plaintest is what I lok at when
I want to see the plaintext.  I have various symlinks elsewhere which
point into ~/.plaintext.

When I backup this data, I only backup ~/.encrypted.  In fact, since
backup is done as a part of root's nightly backup, and root cannot
look into ~/.plaintext, ~/.encrypted is all that can be backupped (did
I just invent a new verb? :-).

Now once I lost a file which I knew existed in the backup.  All I had
to do was

    1.  As root, mount the backup, in this case as /mnt/backup.

    2.  As myself, mount as usual but change the names:

    	encfs /mnt/backup/home/felix/.encrypted ~/tmp/plaintext

    3.  Copy the file as plaintext:

    	cp -p ~/tmp/plaintext/path/to/file ~/.plaintext/path/to/file

Of course, if you backup as yourself, the root step is easily adjusted
to yourself.

It's been so long since I set this up that I do not remember the
details.  There's a kernel module, maybe dm-crypt.  You probably have
to enable something in the kernel config.  But once done, it's easy as
pi and just as tasty, and I really like the fact that root cannot get
access to the plaintext.  For some reason, that just tinkles me pink.

-- 
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

[gentoo-user] Re: [OT crypto] How to encrypt a directory without root?

[Harry Putnam]

Neil Bothwick <neil@digimed.co.uk> writes:

> On Tue, 05 Jan 2010 16:09:03 -0600, Harry Putnam wrote:
>
>> > Why not just tar up the underlying encfs partition? The data
>> > is already encrypted, what's the point of decrypting it to encrypt it
>> > again? That way you don't need to rely on any encryption software on
>> > the remote computer.
>> 
>> I wanted the option of decrypting on the remote if need be... that is
>> if my home machine is not accessible for whatever reason.
>> 
>> For example, if I wanted a forgotten password laying in a text file
>> but encfs encrypted and on the remote.  When for one or another reason
>> I cannot get it from the home machine.
>> 
>> In your scenario, I'd need access to both home machine and remote at
>> the same time to first get the blob of encrypted data off the remote
>> and then to decrypt it on home.
>
> Then use rsync instead of tar, then you can mount the remote filesystem
> using sshfs and encfs to read individual files. It's a little slow as you
> are layering two FUSE filesystems, but quicker than downloading a
> complete tarball just to get at one file. I've used this method with an
> online backup service and it works.

Neil seems to be thinking the remote has encfs on board... it does
not.  Hence my original quest for a different encryption process,
(mcrypt)

And both Felix' and Neils solutions seem to require access to the home
computer or root on the remote.  Or a least access to a machine with
encfs on board.

Also, understand that the encrypted data is quite small... Not talking
a huge tarball at all.

du -sh ~/myencrypteddata
  7.4M	  myencrypteddata


That is uncompressed

So is it still a bad idea to unencrypt from encfs, recrypt in mcrypt
and ssh or rsync the result to the remote?

With something this size all of that should happen in a few seconds
right?

And this way, I'd be able to decrypt the thing on the remote; find what
I need and delete the unencrypted data leaving only the encrypted.

It does sound like a lot of huffing and puffing so am interested to hear
other ways.

I haven't tried it yet at all.

I guess another part of my question is will an mcrypted file setting
on an internet host (that can be hacked and has been at least once
since I've been involved (5yrs)), be of interest and easy enough to
crack (not the host but the file itself) that it would be likely a
hacker would try?

Once again this is not super secretive stuff, like murder or
such... and even banking info could only lead to a matter of mid 4
digit amounts at most.  Nasty but not life threatening or bankruptcy
material and its unlikely at best that all accounts would be drained
before I caught a sniff of it.

But still, once my trove of passwords and certain banking info was
lost, it would be a real pita to clean up.

-------        ---------       ---=---       ---------      --------  
|   A side note to forestall answers involving the owner of the host 
|   machine being asked to do whatever:
| 
|   That fellow is quite security conscious and far as I know has had
|   only  the one hack on some 8-9 or so online machines over at least
|   10 yrs.  (Not a bad record... since he was at one time a target
|   to unprincipled hackers in linux community, who also had accounts
|   on his hosts... so the attack was from inside so to speak)
| 
|   So there won't be much I can suggest that he either doesn't now
|   about or hasn't already tried.

Re: [gentoo-user] Re: [OT crypto] How to encrypt a directory without root?

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 818 bytes --]

On Wed, 06 Jan 2010 15:27:32 -0600, Harry Putnam wrote:

> > Then use rsync instead of tar, then you can mount the remote
> > filesystem using sshfs and encfs to read individual files. It's a
> > little slow as you are layering two FUSE filesystems, but quicker
> > than downloading a complete tarball just to get at one file. I've
> > used this method with an online backup service and it works.  
> 
> Neil seems to be thinking the remote has encfs on board... it does
> not.  Hence my original quest for a different encryption process,
> (mcrypt)

I wasn't thinking that at all. You use sshfs to mount the remote
directory locally, then mount that with encfs. All the remote host needs
is ssh.


-- 
Neil Bothwick

At any event, the people whose seats are furthest from
the aisle arrive last.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

[gentoo-user] Re: [OT crypto] How to encrypt a directory without root?

[Harry Putnam]

Neil Bothwick <neil@digimed.co.uk> writes:

> On Wed, 06 Jan 2010 15:27:32 -0600, Harry Putnam wrote:
>
>> > Then use rsync instead of tar, then you can mount the remote
>> > filesystem using sshfs and encfs to read individual files. It's a
>> > little slow as you are layering two FUSE filesystems, but quicker
>> > than downloading a complete tarball just to get at one file. I've
>> > used this method with an online backup service and it works.  
>> 
>> Neil seems to be thinking the remote has encfs on board... it does
>> not.  Hence my original quest for a different encryption process,
>> (mcrypt)
>
> I wasn't thinking that at all. You use sshfs to mount the remote
> directory locally, then mount that with encfs. All the remote host needs
> is ssh.

I'm not sure what is going wrong here, if neither of us is listening
to the other or what... but I've stressed that I wanted a solution for
when I could not access my home machine.... Does your solution involve
that?

Expecting to work out encfs and sshfs/fuse etc on a session in the
nearest kinkos, probably on machines running one or another version of
windows, and further with no download or install options on said
machine is not all that nifty of an approach.

Re: [gentoo-user] Re: [OT crypto] How to encrypt a directory without root?

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 1089 bytes --]

On Thu, 14 Jan 2010 18:19:56 -0600, Harry Putnam wrote:

> > I wasn't thinking that at all. You use sshfs to mount the remote
> > directory locally, then mount that with encfs. All the remote host
> > needs is ssh.  
> 
> I'm not sure what is going wrong here, if neither of us is listening
> to the other or what... but I've stressed that I wanted a solution for
> when I could not access my home machine.... Does your solution involve
> that?

No, I missed that part. Do you means you cannot access the machine or you
cannot load your normal OS because it is broken? In the latter case, a
live C/USB distro will help. If you mean no access to the computer at all
and you're forced to use whatever is available, you have something of a
problem as you can never know what will be available.

I used the method I mentioned, but I have more than one computer, so if
one breaks I can use the other to get at the backups.


-- 
Neil Bothwick

A consultant is a person who borrows your watch, tells you what time it
is, pockets the watch, and sends you a bill for it.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]