Le ven. 5 avr. 2019 à 22:08, David Christensen
<dpchr...@holgerdanske.com> a écrit :
>
> AFAIK dm-crypt is the canonical disc encryption technology on Linux (see
> crypttab(5) and cryptsetup(8)).  I like the fact that it operates at the
> device level, so everything on an encrypted disc or partition is
> automatically and inescapably encrypted.  File system level encryption,
> such as ecryptfs(7), might make sense for cloud directories or
> sneaker-net media.  I use ccrypt(1) for individual files, but vim(1) has
> an encrypted mode that is very appealing for certain use-cases.
>
Indeed, I've planned to give a serious look at it, especially to
encrypt the disks of the servers we rent in remote data-centers, but I
haven't took the time yet for it. And when occurred the requirement to
crypt the virtual machines, I found ecryptfs an easier thing to set
up.

I also found ecryptfs a better fit for my requirements.

Indeed, I like the fact that I, as an administrator, am not able to
access the files of "my" users. I encrypt their home folder then set
the requirement to change the password on their first login (with
'chage -d 0 $user'), might it be their physical desktops or their
virtual instances. Thus I'm sure I won't ever be able to look into
their files without them allowing me. This is known of everybody. This
is a double edged sword. They have to take full responsibility to
backup somewhere their files as I can't help them if anything goes
wrong (and if anything goes wrong I just provide them a new physical
or virtual instance and wipe the problematic one), and at the same
time it is relieving me from the possibility to be able to see
everything everywhere. In a previous company, as not being the system
administrator, I never liked this fact that somebody could access all
files behind all user's backs. I recall one who did that to an user to
look into their personal files (which shouldn't had be there in the
first place, admittedly) and I really disliked the « God mode »
situation offered to system administrators. Now that I administer the
desktops, I went really concerned to lower, by design, my scope of
abilities. I didn't want to rely on my will power and my word of mouth
about this situation. I wanted it to be established by design.
Ciphering user's space with ecryptfs allows me to lock me out very
nicely and easily from this possibility. I haven't found this to be
possible with dm-crypt in an easy and user-friendly way.

Nonetheless, if it's possible to achieve such objective with dm-crypt,
I would really appreciate some pointers about how to do it.

Regards,
Pierre.

Reply via email to