mjhjmtu

I'm considering switching from Windows Server to Ubuntu Server. One of feature that I can't figure out is - what should I use instead of NTFS Encryption (EFS). So, basically, what I need:

1) This applies only to some specific files in storage, e.g. wallet.dat & bitcoin.conf files of bitcoin core (not the whole 150Gb blockchain repo)

2) The file stays physically encrypted, if this is cloud server and admins took HDD away - there is nothing they can do to decrypt it.

3) File is symmetrically encrypted (so, even large files have excellent performance) but the key is assigned to one or more users using their public keys. E.g. service account and admin account that assigned to perform configuration for that service. No other admin accounts are capable to read internal data of the file (that contains passwords or keys for the service, e.g.), neither they can override or capture the permissions, just because they can't physically decrypt it. Users enlisted for decryption can assign certificates for other users if they have proper permissions for file.

4) encryption is transparent for the software, so, the services is not aware about encryption at all and text editors (for config files) can transparently modify it, as long as they are running under granted user.

5) certificate container is only decrypted for user (or service account) when he logon using his password. If password is reset by admin - user loosing his cryptographic container for good. And certificate are optionally exportable in case if user have to move HDD to other machine.

All of that I can do in Windows (since Windows 2000) using one checkbox (and optional list of assigned certificates). It even creates certificate automatically in case of first time usage and recommends to back it up in notification area.

What do you guys doing in Linux world for this, any advise? I'm not a big fun of separate containers (that probably are accessible to any user logged-in in a system) and mounting points (but may be this is the only way to go), I do believe there are some solution that extends file system.

See https://wiki.archlinux.org/index.php/disk_encryption , it's arch-specific but virtually every package is available in Ubuntu too.

All the disk encryption methods are "on-the-fly" so the physical drives remain encrypted at all times (so are the system encryption methods too). None would be very useful if pulling the plug left everything decrypted! But FYI, if it's a virtual server, the "real" admins with physical access could always monitor every bit coming in & out anyway, but that's true for any OS too.

On Ubuntu, eCryptfs sounds closest to what your windows checkbox does, only better (encrypts filenames too, AFAIK windows doesn't). If you're using a GUI there should be a checkbox to encrypt a new user's home, or use ecryptfs-migrate-home, or I think there's a flag to adduser or similar commands too.

If a user's logged in, their home is "decrypted" for them, and regular access controls limit who can see what.

Full disk encryption (with LUKS) is another checkbox on install that you might be interested in.

See https://wiki.archlinux.org/index.php/security for general security info, "recommendations and best practices for hardening an Arch Linux system", that apply to virtually all linux including Ubuntu.