On 4/11/19 6:51 AM, Pierre Fourès wrote:
On Thu, 11 Apr 2019 at 02:52, David Christensen
<dpchr...@holgerdanske.com> wrote:
How about enfs, gocryptfs, and/or libpam-mount?
2019-04-10 17:48:09 dpchrist@po ~
$ apt-cache search fuse encrypt
afflib-tools - Advanced Forensics Format Library (utilities)
camo - SSL/TLS image proxy to prevent mixed-content warnings
encfs - encrypted virtual filesystem
gocryptfs - Encrypted overlay filesystem written in Go.
libpam-mount - PAM module that can mount volumes for a user session
Thanks David for the pointers.
I had a look at them, and these open up viable alternatives to ecryptfs,
should I need to move away from it if it doesn't get reintegrated in Debian.
This drove me to have a look to see if ecryptfs is still actively
maintained, and it seems to be the case, as the last commit dates from
2019-02-16 [1]. The package is also announced in [2] as heavily used
in Ubuntu, ChromeOS and several NAS products, so I hope the bug will
get fixed. If it doesn't, from what I saw in [3], gocryptfs seems really
promising; however, I find it still a little young for this kind of
subject (2015 for its first release). As I plan to configure dm-crypt
for our servers, I will first dig deeper into the libpam-mount
opportunity. This could be a good fit to satisfy all my use-cases
while only using the same base ciphering tool. So for now, I will keep
ecryptfs running on the desktops in the following months and will
first start to set up full disk encryption on the servers; then I will
look back at what to do with the desktops.
[1]
https://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs.git/log/fs/ecryptfs?h=next
[2] http://ecryptfs.org/about.html
[3] https://nuetzlich.net/gocryptfs/comparison/
Understand that each encryption solution -- dm-crypt, encfs, etc. --
provides protection against some limited threat; I have not found one
that works for all use-cases.
dm-crypt is designed to protect encrypted discs when they are at rest
(cold) -- e.g. the computer is stolen while powered down, the encrypted
disc has been removed from a computer, etc. Once a dm-crypt disc is
decrypted and operating, the system sees a mapped device node (which
will typically contain a plaintext file system). Traditional Unix
permissions apply -- e.g. root can see everything, other users can see
whatever their UIDs/GIDs allow per file and directory ownership, mode,
extended attributes, etc.
If I remember encfs correctly, encfs is designed to provide exclusive
access to the user who mounts an encrypted folder -- no other user,
including root, can see the plaintext.
David
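The following script is an added example for this thread; it is not code posted by David or Pierre. It demonstrates the dm-crypt threat model described above on a throwaway LUKS container: while the volume is open, root reads another user's 0600 file without any hindrance, and once the volume is closed the raw image on disk no longer contains the plaintext. It assumes Linux, root, cryptsetup and mkfs.ext4 (cryptsetup attaches a loop device to the image file itself), GNU grep for `-a`, and an existing unprivileged account named in `SCRATCH_USER` (default `nobody`); the marker string, passphrase and 32 MiB size are arbitrary values chosen for the demo. Without root and cryptsetup it only prints a note and does nothing.

```shell
#!/bin/sh
# Added example (not from the thread): dm-crypt protects data at rest only.
# Assumptions: Linux, root, cryptsetup, mkfs.ext4, GNU grep, and an
# unprivileged account $SCRATCH_USER. All state lives in a temp dir.
set -eu

MARKER="${MARKER:-secret-payroll-row-4711}"   # constructed plaintext to search for
SCRATCH_USER="${SCRATCH_USER:-nobody}"        # assumed unprivileged account

# Return 0 if FILE ($1) contains MARKER ($2) as a plain byte string.
# grep -a scans a binary image as if it were text.
contains_plaintext() {
    grep -aq -- "$2" "$1"
}

demo_dm_crypt_at_rest() {
    work=$(mktemp -d)
    img="$work/disk.img"
    mnt="$work/mnt"
    name="demo-$$"
    passfile="$work/pass"
    mkdir "$mnt"
    printf 'correct horse battery staple' > "$passfile"    # demo passphrase only

    cleanup() {
        umount "$mnt" 2>/dev/null || true
        cryptsetup close "$name" 2>/dev/null || true
        rm -rf "$work"
    }
    trap cleanup EXIT

    # 1. A 32 MiB image stands in for the disc; format it as LUKS.
    truncate -s 32M "$img"
    cryptsetup luksFormat --batch-mode --key-file "$passfile" "$img"

    # 2. Unlock: dm-crypt exposes a mapped device node carrying plaintext.
    cryptsetup open --key-file "$passfile" "$img" "$name"
    mkfs.ext4 -q "/dev/mapper/$name"
    mount "/dev/mapper/$name" "$mnt"

    # 3. An unprivileged user writes a private (0600) file.
    install -d -o "$SCRATCH_USER" -m 0700 "$mnt/home"
    su -s /bin/sh "$SCRATCH_USER" -c "umask 077; printf '%s\n' '$MARKER' > '$mnt/home/notes.txt'"
    ls -l "$mnt/home/notes.txt"

    # 4. Root reads it anyway: once open, only ordinary ownership and mode
    #    bits stand between root and the plaintext, i.e. nothing.
    if contains_plaintext "$mnt/home/notes.txt" "$MARKER"; then
        echo "root can read the other user's 0600 file while the volume is open"
    fi

    # 5. Back at rest: unmount, close, and scan the raw image for the marker.
    umount "$mnt"
    cryptsetup close "$name"
    if contains_plaintext "$img" "$MARKER"; then
        echo "UNEXPECTED: plaintext found in the closed image"
        return 1
    fi
    echo "closed image holds only ciphertext: at-rest protection holds"
}

# Run the privileged demo only when its prerequisites are present.
if [ "$(id -u)" -eq 0 ] && command -v cryptsetup >/dev/null 2>&1 \
   && command -v mkfs.ext4 >/dev/null 2>&1; then
    demo_dm_crypt_at_rest
else
    echo "dm-crypt demo skipped: needs root plus cryptsetup and mkfs.ext4" >&2
fi
```

Run it as root on a scratch machine or VM. Step 4 is the point David makes about the "warm" state: the mapped device is a plain block device, so anything with root or matching UID/GID sees the files. Step 5 is the "cold" state dm-crypt is actually designed for: the image file is what a thief would carry away, and the marker is not in it.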