Encrypting directories - Suse


  1. Encrypting directories

    I made a 10.3 "newbie-installation" to a friend. So I'm able to ssh in and
    maintain the system. The system logs the only user in automatically.

    Now, he's using the machine together with his sambo and he asked if it's
    possible to put some directories behind a password.
    I think I know why. I told him the girl will discover there's a
    hidden place on that machine and there's going to be inquisition

    He still wants there to be just this one single user with automatic
    login to K.I.S. so this needs to be taken care of by encrypting.

    I have no experience of making encrypted directories (or partitions to that
    matter)

    Can a directory be both encrypted and hidden? (start with a dot)
    How should I proceed by ssh/YaST?

    Vahis
    --
    "The only thing more expensive than training is the lack of it"
    Henry Ford

  2. Re: Encrypting directories

    Vahis wrote:
    > I made a 10.3 "newbie-installation" to a friend. So I'm able to ssh in and
    > maintain the system. The system logs the only user in automatically.
    >
    > Now, he's using the machine together with his sambo and he asked if it's
    > possible to put some directories behind a password.


    Truecrypt.

    > Can a directory be both encrypted and hidden? (start with a dot)
    > How should I proceed by ssh/YaST?


    Truecrypt. It can have that and much more.
    http://www.truecrypt.org/docs/?s=hidden-volume for some very interesting
    ideas on how secure it can be.

    http://www.truecrypt.org/docs/?s=linux-manpage
    Creating a hidden volume without risking data corruption:
    1) Create an outer volume:
    truecrypt --type normal --size 100M -c volume.tc
    2) Create a hidden volume:
    truecrypt --type hidden --size 50M -c volume.tc
    3) Mount the outer volume with the hidden volume protected:
    truecrypt -P volume.tc /mnt/tc
    4) Copy files to the outer volume:
    cp outer_volume_file.txt /mnt/tc
    5) Dismount the outer volume:
    truecrypt -d volume.tc
    6) If a warning message has been displayed in 5), start again from 1).
    Either a larger outer volume should be created in 1), or less data
    should be copied to the outer volume in 4).

    Now obviously you can put that file volume.tc anywhere you desire with
    any size or name. e.g. ~/LinuxDistro/openSUSE10.4.iso with a size of
    640MB and a hidden one with 100MB for the real hardcore stuff.
    Obviously you could name it after a DVD as well. :-D

    And mounting can be done on any existing directory, regardless of the
    content of that directory, thus making it harder to detect what has been
    going on.

    ~/Documents/Pictures

    Perhaps a very valid directory with all the family screenshots. Now
    mount the hidden porn on that directory and you can see the content of
    ~/LinuxDistro/openSUSE10.4.iso which actually is a TC partition.

    I believe it is not even possible for root to read the directory when
    logged in.

    houghi
    --



    This space left blank intentionaly

  3. Re: Encrypting directories

    houghi wrote:
    >> Can a directory be both encrypted and hidden? (start with a dot)
    >> How should I proceed by ssh/YaST?

    >
    > Truecrypt. It can have that and much more.
    > http://www.truecrypt.org/docs/?s=hidden-volume for some very interesting
    > ideas on how secure it can be.


    Did not answer the second one. Via ssh, you can just do `lynx
    http://www.truecrypt.org/downloads.php` download and unpack the 10.3
    version and install the RPM.

    Or you can go to
    http://software.opensuse.org/search?...penSUSE%3A10.3
    and do the 1 click install, which will also give you the correct
    repository to use.

    houghi
    --



    This space left blank intentionaly

  4. Re: Encrypting directories

    On 2008-01-04, houghi wrote:
    > Vahis wrote:
    >> I made a 10.3 "newbie-installation" to a friend. So I'm able to ssh in and
    >> maintain the system. The system logs the only user in automatically.
    >>
    >> Now, he's using the machine together with his sambo and he asked if it's
    >> possible to put some directories behind a password.

    >
    > Truecrypt.




    >
    > I believe it is not even possible for root to read the directory when
    > logged in.


    Thank you very much.

    Seriously. This computer is a laptop. He is afraid of it getting into
    wrong hands, he's an entrepreneur with his company stuff there.

    He still wants to use it also as a normal home computer.
    Not everybody wants more and more computers and servers and stuff like
    some that I only hear stories of

    I will start practising in my "lab" over LAN when I get home,

    thx again,


    Vahis
    --
    "The only thing more expensive than training is the lack of it"
    Henry Ford

  5. Re: Encrypting directories

    houghi wrote:
    > houghi wrote:
    >>> Can a directory be both encrypted and hidden? (start with a dot)
    >>> How should I proceed by ssh/YaST?

    >>
    >> Truecrypt. It can have that and much more.
    >> http://www.truecrypt.org/docs/?s=hidden-volume for some very interesting
    >> ideas on how secure it can be.

    >
    > Did not answer the second one. Via ssh, you can just do `lynx
    > http://www.truecrypt.org/downloads.php` download and unpack the 10.3
    > version and install the RPM.
    >
    > Or you can go to
    > http://software.opensuse.org/search?...penSUSE%3A10.3
    > and do the 1 click install, which will also give you the correct
    > repository to use.


    Oh and obviously you can encrypt anything you desire, like USB keys. As
    it is possible to use under Windows as well, that might be nice.

    Mmm. Something you could add in a script as well. :-D That way when you
    lose your backup USB, you do not lose your data.

    houghi
    --



    This space left blank intentionaly

  6. Re: Encrypting directories

    Vahis wrote:
    > I made a 10.3 "newbie-installation" to a friend. So I'm able to ssh in and
    > maintain the system. The system logs the only user in automatically.
    >
    > Now, he's using the machine together with his sambo and he asked if it's
    > possible to put some directories behind a password.
    > I think I know why. I told him the girl will discover there's a
    > hidden place on that machine and there's going to be inquisition
    >
    > He still wants there to be just this one single user with automatic
    > login to K.I.S. so this needs to be taken care of by encrypting.
    >
    > I have no experience of making encrypted directories (or partitions to that
    > matter)
    >
    > Can a directory be both encrypted and hidden? (start with a dot)
    > How should I proceed by ssh/YaST?
    >
    > Vahis


    Just for encrypting a single directory the encfs package will do the
    job... You have to make sure the 'fuse' module is loaded at the
    computer, but otherwise there are no difficulties.

    You can add 'fuse' to the '/etc/modules' file and install the package...

    You can find further information at:
    http://arg0.net/wiki/encfs

    --
    Best regards Jacob Tranholm
    Karl R. Popper: Observation statements and statements of experimental
    results are always interpretations of the facts observed.

  7. Re: Encrypting directories

    On 2008-01-04, houghi wrote:
    > houghi wrote:
    >>> Can a directory be both encrypted and hidden? (start with a dot)
    >>> How should I proceed by ssh/YaST?

    >>
    >> Truecrypt. It can have that and much more.
    >> http://www.truecrypt.org/docs/?s=hidden-volume for some very interesting
    >> ideas on how secure it can be.

    >
    > Did not answer the second one. Via ssh, you can just do `lynx
    > http://www.truecrypt.org/downloads.php` download and unpack the 10.3
    > version and install the RPM.


    Normally I have used wget to get single third party rpms.

    BTW I have discovered that all sites need a graphical browser to work well.

    If you are limited to text based approach you're more or less in trouble.

    For this reason I have decided to make all future **** on my own site only
    using CLI, vim and lynx.


    I just wish I had the time...

    >
    > Or you can go to
    > http://software.opensuse.org/search?...penSUSE%3A10.3
    > and do the 1 click install, which will also give you the correct
    > repository to use.



    Thanks

    Vahis
    --
    "The only thing more expensive than training is the lack of it"
    Henry Ford

  8. Re: Encrypting directories

    Jacob Tranholm wrote:
    >
    > You can add 'fuse' to the '/etc/modules' file and install the package...
    >


    Sorry... I was sitting at a kubuntu distribution when I wrote this, and
    didn't think.

    In openSUSE you have to add 'fuse' to your 'MODULES_LOADED_ON_BOOT' in
    the '/etc/sysconfig/kernel' file.

    --
    Best regards Jacob Tranholm
    Karl R. Popper: Observation statements and statements of experimental
    results are always interpretations of the facts observed.
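
    The setup Jacob Tranholm describes in posts 6 and 8, as an added example that is not part of the original thread: an idempotent way to get 'fuse' into MODULES_LOADED_ON_BOOT, plus an encfs mount whose ciphertext lives in a hidden dot directory. The function names and the ~/.private and ~/private directories are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the sysconfig file uses the
# usual VAR="space separated list" format.

# ensure_module_on_boot FILE MODULE
# Makes sure MODULE is listed in MODULES_LOADED_ON_BOOT inside FILE.
# Prints "present" (nothing changed), "added" (appended to the list)
# or "created" (the variable did not exist yet).
ensure_module_on_boot() {
    file=$1
    module=$2
    line=$(grep -E '^MODULES_LOADED_ON_BOOT=' "$file" | tail -n 1)
    if [ -z "$line" ]; then
        printf 'MODULES_LOADED_ON_BOOT="%s"\n' "$module" >> "$file"
        echo created
        return 0
    fi
    # Strip the variable name and the surrounding quotes.
    current=${line#MODULES_LOADED_ON_BOOT=}
    current=$(printf '%s' "$current" | tr -d "\"'")
    for m in $current; do
        if [ "$m" = "$module" ]; then
            echo present
            return 0
        fi
    done
    new=$(printf '%s %s' "$current" "$module" | sed 's/^ *//')
    tmp=$(mktemp) || return 1
    # Rewrite via a temp file, then copy back so the file keeps its
    # owner and permissions.
    sed "s|^MODULES_LOADED_ON_BOOT=.*|MODULES_LOADED_ON_BOOT=\"$new\"|" \
        "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
    echo added
}

# fuse_available: true when the running kernel already offers fuse.
fuse_available() {
    grep -qw fuse /proc/filesystems
}

# open_private / close_private: the encrypted files stay in the hidden
# directory ~/.private; the readable view exists at ~/private only while
# mounted. encfs wants absolute paths and asks for the password itself.
open_private() {
    fuse_available || { echo "fuse module not loaded" >&2; return 1; }
    encfs "$HOME/.private" "$HOME/private"
}

close_private() {
    fusermount -u "$HOME/private"
}

# Usage on openSUSE (as root for the first line):
#   ensure_module_on_boot /etc/sysconfig/kernel fuse
#   open_private    # work in ~/private
#   close_private   # only ciphertext remains in ~/.private
```

    With automatic login, the data is protected only while the directory is unmounted, so close_private has to be run after each use.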

  9. Re: Encrypting directories

    On 2008-01-04, Jacob Tranholm wrote:
    > Jacob Tranholm wrote:
    >>
    >> You can add 'fuse' to the '/etc/modules' file and install the package...
    >>

    >
    > Sorry... I was sitting at a kubuntu distribution when I wrote this, and
    > didn't think.
    >
    > In openSUSE you have to add 'fuse' to your 'MODULES_LOADED_ON_BOOT' in
    > the '/etc/sysconfig/kernel' file.
    >


    Thanks, Jacob, I'll look at it.

    But I also already like Truecrypt look:

    "There are many situations where you cannot refuse to reveal the password
    (for example, due to extortion). Using a so-called hidden volume allows
    you to solve such situations without revealing the password to your
    volume."

    That should keep my Bra Busters safe...

    Vahis
    --
    "The only thing more expensive than training is the lack of it"
    Henry Ford

  10. Re: Encrypting directories

    Vahis wrote:
    >> Did not answer the second one. Via ssh, you can just do `lynx
    >> http://www.truecrypt.org/downloads.php` download and unpack the 10.3
    >> version and install the RPM.

    >
    > Normally I have used wget to get single third party rpms.


    Me as well, but I was too lazy to look it up what the file was.

    > BTW I have discovered that all sites need a graphical browser to work well.


    Not true. Many sites work great with lynx and other text based browsers.

    > If you are limited to text based approach you're more or less in trouble.


    Nope. I went to the URL above and was able to easily download it. Also
    there is w3m and links that can work better with some sites.

    > For this reason I have decided to make all future **** on my own site only
    > using CLI, vim and lynx.


    I use vim, bluefish and on Windows at work Notepad++
    It is not so much the tool that you use, but how you use it.

    I start the code from scratch in php, use include with everything I see
    and then just add those things that I need for a new page.
    http://houghi.org/making/

    houghi
    --



    This space left blank intentionaly

  11. Re: Encrypting directories

    Vahis wrote:
    > Thanks, Jacob, I'll look at it.
    >
    > But I also already like Truecrypt look:
    >
    > "There are many situations where you cannot refuse to reveal the password
    > (for example, due to extortion). Using a so-called hidden volume allows
    > you to solve such situations without revealing the password to your
    > volume."
    >
    > That should keep my Bra Busters safe...
    >
    > Vahis


    It's your own choice. That's the freedom of linux...

    --
    Best regards Jacob Tranholm
    Karl R. Popper: Observation statements and statements of experimental
    results are always interpretations of the facts observed.

  12. Re: Encrypting directories

    Vahis wrote:
    > "There are many situations where you cannot refuse to reveal the password
    > (for example, due to extortion). Using a so-called hidden volume allows
    > you to solve such situations without revealing the password to your
    > volume."
    >
    > That should keep my Bra Busters safe...


    The 'standard' hidden files can be some bank account details and other
    personal stuff that you do not want to have other people read as a
    standard.

    Obviously if it isn't really illegal by law, yet you do not want your
    partner to find out, why have it on your PC at all? Use a USB key. Very
    easy to explain why you have encrypted that and you can still have the
    other files hidden. 4GB are not that expensive anymore.
    I just bought a 1GB SanDisk SD Duo card that can be used both as SD card
    and as USB key.

    I have seen 4 in 1 cards that are USB, SD, miniSD and microSD, so they
    can be used in phones as well
    That would be in three parts.
    1 part with the 'normal' data, like music songs and such
    1 part with the 'hidden' data, like bank accounts and other stuff
    1 part with the 'secret' data, like pr0n

    Obviously it depends on your internet speed, but you could also mount
    the data on gmail.
    http://richard.jones.name/google-hac...ilesystem.html

    houghi
    --



    This space left blank intentionaly

  13. Re: Encrypting directories

    On 2008-01-04, Jacob Tranholm wrote:
    > Vahis wrote:
    >> Thanks, Jacob, I'll look at it.
    >>
    >> But I also already like Truecrypt look:
    >>
    >> "There are many situations where you cannot refuse to reveal the password
    >> (for example, due to extortion). Using a so-called hidden volume allows
    >> you to solve such situations without revealing the password to your
    >> volume."
    >>
    >> That should keep my Bra Busters safe...
    >>
    >> Vahis

    >
    > It's your own choice. That's the freedom of linux...


    It just hit me when I saw the text I quoted from there

    "In situations where you cannot refuse to reveal the password (for example,
    due to extortion). Using a so-called hidden volume allows you to solve
    such situations without revealing the password to your volume."

    One could save the standard boobies on the standard TrueCrypt volume and
    the real things (double D and above) on that hidden volume.

    One might get away with that. Just reveal the little ones but the most
    treasurous ones would be safe

    Vahis
    --
    "The only thing more expensive than training is the lack of it"
    Henry Ford

  14. Re: Encrypting directories

    Jacob Tranholm wrote:

    > Vahis wrote:
    >> Thanks, Jacob, I'll look at it.
    >>
    >> But I also already like Truecrypt look:


    I used to be enthusiastic about Truecrypt, until I discovered its one
    weakness: It only functions with the kernel version for which it was
    compiled. I had a whole directory of sensitive information hidden by
    Truecrypt. Whenever I wanted access to that information, I delighted in
    opening that hidden directory. Then, one of the upgrades to SUSE upgraded
    my kernel and I was completely locked out of that directory!!!

    Fortunately, I managed to find a CD with that information that I had burned
    before using Truecrypt. Caveat Emptor, as they say.

    Godzilla

  15. Re: Encrypting directories

    Godzilla wrote:
    >
    > I used to be enthusiastic about Truecrypt, until I discovered its one
    > weakness: It only functions with the kernel version for which it was
    > compiled. I had a whole directory of sensitive information hidden by
    > Truecrypt. Whenever I wanted access to that information, I delighted in
    > opening that hidden directory. Then, one of the upgrades to SUSE upgraded
    > my kernel and I was completely locked out of that directory!!!
    >
    > Fortunately, I managed to find a CD with that information that I had burned
    > before using Truecrypt. Caveat Emptor, as they say.
    >
    > Godzilla


    That's my personal main reason for using 'encfs' instead. It just
    requires the 'fuse' module, which is available at any (newer)
    distribution and live CD/DVD/USB stick.

    --
    Best regards Jacob Tranholm
    Karl R. Popper: Observation statements and statements of experimental
    results are always interpretations of the facts observed.

  16. Re: Encrypting directories

    On 2008-01-04, Godzilla wrote:
    > Jacob Tranholm wrote:
    >
    >> Vahis wrote:


    Are you perhaps my neighbour?

    >>> Thanks, Jacob, I'll look at it.
    >>>
    >>> But I also already like Truecrypt look:

    >
    > I used to be enthusiastic about Truecrypt, until I discovered its one
    > weakness: It only functions with the kernel version for which it was
    > compiled.


    Can't it be reconfigured (or recompiled) like anything else that
    requires that after kernel change?

    Are you saying that once you've installed TrueCrypt you can't change the
    kernel? This is hard to believe, but in case it's true, it will go.

    I installed it already but haven't configured it yet.

    I'll refrain from doing that for a while...


    > Then, one of the upgrades to SUSE upgraded
    > my kernel and I was completely locked out of that directory!!!
    >


    This is too bad to be true. I can't believe it.

    > Fortunately, I managed to find a CD with that information that I had burned
    > before using Truecrypt. Caveat Emptor, as they say.


    I'm sure there must be another way.

    Vahis
    --
    "The only thing more expensive than training is the lack of it"
    Henry Ford

  17. Re: Encrypting directories

    Vahis wrote:

    > I made a 10.3 "newbie-installation" to a friend. So I'm able to ssh in and
    > maintain the system. The system logs the only user in automatically.
    >
    > Now, he's using the machine together with his sambo and he asked if it's
    > possible to put some directories behind a password.
    > I think I know why. I told him the girl will discover there's a
    > hidden place on that machine and there's going to be inquisition
    >
    > He still wants there to be just this one single user with automatic
    > login to K.I.S. so this needs to be taken care of by encrypting.
    >
    > I have no experience of making encrypted directories (or partitions to
    > that matter)
    >
    > Can a directory be both encrypted and hidden? (start with a dot)
    > How should I proceed by ssh/YaST?
    >
    > Vahis


    Not sure about encrypting directories. But using Yast Partitioner
    (Yast->System->Partitioner) you can create an encrypted file. Then you set
    Yast Partitioner to mount that file. It will appear as a directory after
    you enter the passphrase. To create an encrypted file, use the "Crypt
    File..." button.

    I have successfully used Yast Partitioner to create encrypted files and
    partitions. The coolest thing was that when I partitioned my USB thumbdrive
    to include an encrypted ext3 partition, KDE recognises it! Now I insert the
    thumbdrive and KDE prompts me for the passphrase, no more console loop
    mounting needed now!!!

    --
    Chris

  18. Re: Encrypting directories

    Vahis wrote:
    > Are you saying that once you've installed TrueCrypt you can't change the
    > kernel? This is hard to believe, but in case it's true, it will go.


    I have some kernel updates waiting and will check it out this weekend.

    > I installed it already but haven't configured it yet.


    Configured?
    truecrypt --type normal --size 100M -c volume.tc
    Follow instructions by basically clicking on enter most of the time
    That is all there is to it

    > I'll refrain from doing that for a while...


    I see that there is a kernel in the openSUSE thing. However when you
    download the rpm from truecrypt, I do not see anything kernel related.
    For that reason I will test it.

    >> Then, one of the upgrades to SUSE upgraded
    >> my kernel and I was completely locked out of that directory!!!

    >
    > This is too bad to be true. I can't believe it.


    Well, if you are locked out, you are locked out. That is the whole idea.
    :-D

    >> Fortunately, I managed to find a CD with that information that I had burned
    >> before using Truecrypt. Caveat Emptor, as they say.

    >
    > I'm sure there must be another way.


    One could re-install the old kernel. I am still not that happy with
    overwriting the kernel. Better would be to keep copies, but I can see
    the disadvantages for that as well. A bit damned if you do and damned if
    you don't and I understand why they have chosen this option.

    I also do not know truecrypt well enough but will see what happens if
    you try to read something on two different machines.

    houghi
    --



    This space left blank intentionaly

  19. Re: Encrypting directories

    Vahis wrote:
    >
    > Can't it be reconfigured (or recompiled) like anything else that
    > requires that after kernel change?
    >
    > Are you saying that once you've installed TrueCrypt you can't change the
    > kernel? This is hard to believe, but in case it's true, it will go.
    >
    > I installed it already but haven't configured it yet.
    >
    > I'll refrain from doing that for a while...
    >
    >
    >> Then, one of the upgrades to SUSE upgraded
    >> my kernel and I was completely locked out of that directory!!!
    >>

    >
    > This is too bad to be true. I can't believe it.
    >
    >> Fortunately, I managed to find a CD with that information that I had burned
    >> before using Truecrypt. Caveat Emptor, as they say.

    >
    > I'm sure there must be another way.
    >
    > Vahis


    Perhaps truecrypt has been improved... But you need the truecrypt kernel
    module in order to read the files. And the truecrypt module is to my
    knowledge not included in the default kernel.

    In a recovery-situation it should be possible to compile the kernel
    module for your live CD, but it requires some work.

    If I should create an encrypted directory for someone I was helping, I
    would choose 'encfs' as the basis, and then configure either K-EncFS
    (for KDE) or Cryptkeeper (for GNOME) as a graphical frontend for the user.

    But that is my choice, and you are free to make your own...

    --
    Best regards Jacob Tranholm
    Karl R. Popper: Observation statements and statements of experimental
    results are always interpretations of the facts observed.

  20. Re: Encrypting directories

    Chris wrote:
    > I have successfully used Yast Partitioner to create encrypted files and
    > partitions. The coolest thing was that when I partitioned my USB thumbdrive
    > to include an encrypted ext3 partition, KDE recognises it! Now I insert the
    > thumbdrive and KDE prompts me for the passphrase, no more console loop
    > mounting needed now!!!


    Yes, but does it tell you when to backup and does it verify then if the
    correct device is added?

    houghi
    --



    This space left blank intentionaly
