Le jeu. 11 avr. 2019 à 02:52, David Christensen <dpchr...@holgerdanske.com> a écrit : > > On 4/10/19 1:32 AM, Pierre Fourès wrote: > > Le ven. 5 avr. 2019 à 22:08, David Christensen > > <dpchr...@holgerdanske.com> a écrit : > >> > >> AFAIK dm-crypt is the canonical disc encryption technology on Linux (see > >> crypttab(5) and cryptsetup(8)). I like the fact that it operates at the > >> device level, so everything on an encrypted disc or partition is > >> automatically and inescapably encrypted. File system level encryption, > >> such as ecryptfs(7), might make sense for cloud directories or > >> sneaker-net media. I use ccrypt(1) for individual files, but vim(1) has > >> an encrypted mode that is very appealing for certain use-cases. > >> > > > > Indeed, I've planned to give a serious look at it, especially to > > encrypt the disks of the servers we rent in remote data-centers, but I > > haven't took the time yet for it. And when occurred the requirement to > > crypt the virtual machines, I found ecryptfs an easier thing to set > > up. > > > > I also found ecryptfs a better fit for my requirements. > > > > Indeed, I like the fact that I, as an administrator, am not able to > > access the files of "my" users. I encrypt their home folder then set > > the requirement to change the password on their first login (with > > 'chage -d 0 $user'), might it be their physical desktops or their > > virtual instances. Thus I'm sure I won't ever be able to look into > > their files without them allowing me. This is known of everybody. This > > is a double edged sword. They have to take full responsibility to > > backup somewhere their files as I can't help them if anything goes > > wrong (and if anything goes wrong I just provide them a new physical > > or virtual instance and wipe the problematic one), and at the same > > time it is relieving me from the possibility to be able to see > > everything everywhere. In a previous company, as not being the system > > administrator, I never liked this fact that somebody could access all > > files behind all user's backs. I recall one who did that to an user to > > look into their personal files (which shouldn't had be there in the > > first place, admittedly) and I really disliked the « God mode » > > situation offered to system administrators. Now that I administer the > > desktops, I went really concerned to lower, by design, my scope of > > abilities. I didn't want to rely on my will power and my word of mouth > > about this situation. I wanted it to be established by design. > > Ciphering user's space with ecryptfs allows me to lock me out very > > nicely and easily from this possibility. I haven't found this to be > > possible with dm-crypt in an easy and user-friendly way. > > > > Nonetheless, if it's possible to achieve such objective with dm-crypt, > > I would really appreciate some pointers about how to do it. > > How about enfs, gocryptfs, and/or libpam-mount? > > 2019-04-10 17:48:09 dpchrist@po ~ > $ apt-cache search fuse encrypt > afflib-tools - Advanced Forensics Format Library (utilities) > camo - SSL/TLS image proxy to prevent mixed-content warnings > encfs - encrypted virtual filesystem > gocryptfs - Encrypted overlay filesystem written in Go. > libpam-mount - PAM module that can mount volumes for a user session > > > David >
Thanks David for the pointers. I gave a look at them and this open viables alternatives to ecryptfs, would I require to go away from it doesn't get reintegrated in Debian. This drove me to gave a look to see if ecryptfs is still actively maintained and it seems to be the case as the last commit dates from 2019-02-16 [1]. The package is also announced in [2] as heavily used in Ubuntu, ChromeOS and several NAS products, so I hope the bug will get fixed. If it doesn't, to what I saw in [3], gocryptfs seems really promising, however I find it still a little young for this kind of subject (2015 for it first release). As I plan to configure dm-crypt for our servers, I will first dig deeper on the libpam-mount opportunity. This could make a good fit to satisfy all my use-cases while only using the same base ciphering tool. So for now, I will keep ecryptfs running on the desktops in the next following months and will first start to setup full disk encryption on the servers, then will I look back to what to do with the desktops. [1] https://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs.git/log/fs/ecryptfs?h=next [2] http://ecryptfs.org/about.html [3] https://nuetzlich.net/gocryptfs/comparison/ Regards, Pierre.
