EFS replacement on Ubuntu

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I'm considering switching from Windows Server to Ubuntu Server. One of feature that I can't figure out is - what should I use instead of NTFS Encryption (EFS). So, basically, what I need:



1) This applies only to some specific files in storage, e.g. wallet.dat & bitcoin.conf files of bitcoin core (not the whole 150Gb blockchain repo)



2) The file stays physically encrypted, if this is cloud server and admins took HDD away - there is nothing they can do to decrypt it.



3) File is symmetrically encrypted (so, even large files have excellent performance) but the key is assigned to one or more users using their public keys. E.g. service account and admin account that assigned to perform configuration for that service. No other admin accounts are capable to read internal data of the file (that contains passwords or keys for the service, e.g.), neither they can override or capture the permissions, just because they can't physically decrypt it. Users enlisted for decryption can assign certificates for other users if they have proper permissions for file.



4) encryption is transparent for the software, so, the services is not aware about encryption at all and text editors (for config files) can transparently modify it, as long as they are running under granted user.



5) certificate container is only decrypted for user (or service account) when he logon using his password. If password is reset by admin - user loosing his cryptographic container for good. And certificate are optionally exportable in case if user have to move HDD to other machine.



All of that I can do in Windows (since Windows 2000) using one checkbox (and optional list of assigned certificates). It even creates certificate automatically in case of first time usage and recommends to back it up in notification area.



What do you guys doing in Linux world for this, any advise? I'm not a big fun of separate containers (that probably are accessible to any user logged-in in a system) and mounting points (but may be this is the only way to go), I do believe there are some solution that extends file system.







share|improve this question
















  • 1




    Basically, you get to choose between EcryptFS (to encrypt a folder) and cryptsetup/LUKS (to encrypt an entire file system, which may sit on a physicald device or on a file). LUKS cannot directly use public key authentication, but you can fake it by using an encrypted key file, decrypted on the fly by, for example, gpg.
    – AlexP
    Nov 6 '17 at 11:33














up vote
0
down vote

favorite












I'm considering switching from Windows Server to Ubuntu Server. One of feature that I can't figure out is - what should I use instead of NTFS Encryption (EFS). So, basically, what I need:



1) This applies only to some specific files in storage, e.g. wallet.dat & bitcoin.conf files of bitcoin core (not the whole 150Gb blockchain repo)



2) The file stays physically encrypted, if this is cloud server and admins took HDD away - there is nothing they can do to decrypt it.



3) File is symmetrically encrypted (so, even large files have excellent performance) but the key is assigned to one or more users using their public keys. E.g. service account and admin account that assigned to perform configuration for that service. No other admin accounts are capable to read internal data of the file (that contains passwords or keys for the service, e.g.), neither they can override or capture the permissions, just because they can't physically decrypt it. Users enlisted for decryption can assign certificates for other users if they have proper permissions for file.



4) encryption is transparent for the software, so, the services is not aware about encryption at all and text editors (for config files) can transparently modify it, as long as they are running under granted user.



5) certificate container is only decrypted for user (or service account) when he logon using his password. If password is reset by admin - user loosing his cryptographic container for good. And certificate are optionally exportable in case if user have to move HDD to other machine.



All of that I can do in Windows (since Windows 2000) using one checkbox (and optional list of assigned certificates). It even creates certificate automatically in case of first time usage and recommends to back it up in notification area.



What do you guys doing in Linux world for this, any advise? I'm not a big fun of separate containers (that probably are accessible to any user logged-in in a system) and mounting points (but may be this is the only way to go), I do believe there are some solution that extends file system.







share|improve this question
















  • 1




    Basically, you get to choose between EcryptFS (to encrypt a folder) and cryptsetup/LUKS (to encrypt an entire file system, which may sit on a physicald device or on a file). LUKS cannot directly use public key authentication, but you can fake it by using an encrypted key file, decrypted on the fly by, for example, gpg.
    – AlexP
    Nov 6 '17 at 11:33












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I'm considering switching from Windows Server to Ubuntu Server. One of feature that I can't figure out is - what should I use instead of NTFS Encryption (EFS). So, basically, what I need:



1) This applies only to some specific files in storage, e.g. wallet.dat & bitcoin.conf files of bitcoin core (not the whole 150Gb blockchain repo)



2) The file stays physically encrypted, if this is cloud server and admins took HDD away - there is nothing they can do to decrypt it.



3) File is symmetrically encrypted (so, even large files have excellent performance) but the key is assigned to one or more users using their public keys. E.g. service account and admin account that assigned to perform configuration for that service. No other admin accounts are capable to read internal data of the file (that contains passwords or keys for the service, e.g.), neither they can override or capture the permissions, just because they can't physically decrypt it. Users enlisted for decryption can assign certificates for other users if they have proper permissions for file.



4) encryption is transparent for the software, so, the services is not aware about encryption at all and text editors (for config files) can transparently modify it, as long as they are running under granted user.



5) certificate container is only decrypted for user (or service account) when he logon using his password. If password is reset by admin - user loosing his cryptographic container for good. And certificate are optionally exportable in case if user have to move HDD to other machine.



All of that I can do in Windows (since Windows 2000) using one checkbox (and optional list of assigned certificates). It even creates certificate automatically in case of first time usage and recommends to back it up in notification area.



What do you guys doing in Linux world for this, any advise? I'm not a big fun of separate containers (that probably are accessible to any user logged-in in a system) and mounting points (but may be this is the only way to go), I do believe there are some solution that extends file system.







share|improve this question












I'm considering switching from Windows Server to Ubuntu Server. One of feature that I can't figure out is - what should I use instead of NTFS Encryption (EFS). So, basically, what I need:



1) This applies only to some specific files in storage, e.g. wallet.dat & bitcoin.conf files of bitcoin core (not the whole 150Gb blockchain repo)



2) The file stays physically encrypted, if this is cloud server and admins took HDD away - there is nothing they can do to decrypt it.



3) File is symmetrically encrypted (so, even large files have excellent performance) but the key is assigned to one or more users using their public keys. E.g. service account and admin account that assigned to perform configuration for that service. No other admin accounts are capable to read internal data of the file (that contains passwords or keys for the service, e.g.), neither they can override or capture the permissions, just because they can't physically decrypt it. Users enlisted for decryption can assign certificates for other users if they have proper permissions for file.



4) encryption is transparent for the software, so, the services is not aware about encryption at all and text editors (for config files) can transparently modify it, as long as they are running under granted user.



5) certificate container is only decrypted for user (or service account) when he logon using his password. If password is reset by admin - user loosing his cryptographic container for good. And certificate are optionally exportable in case if user have to move HDD to other machine.



All of that I can do in Windows (since Windows 2000) using one checkbox (and optional list of assigned certificates). It even creates certificate automatically in case of first time usage and recommends to back it up in notification area.



What do you guys doing in Linux world for this, any advise? I'm not a big fun of separate containers (that probably are accessible to any user logged-in in a system) and mounting points (but may be this is the only way to go), I do believe there are some solution that extends file system.









share|improve this question











share|improve this question




share|improve this question










asked Nov 6 '17 at 9:16









Dmitry Gusarov

1012




1012







  • 1




    Basically, you get to choose between EcryptFS (to encrypt a folder) and cryptsetup/LUKS (to encrypt an entire file system, which may sit on a physicald device or on a file). LUKS cannot directly use public key authentication, but you can fake it by using an encrypted key file, decrypted on the fly by, for example, gpg.
    – AlexP
    Nov 6 '17 at 11:33












  • 1




    Basically, you get to choose between EcryptFS (to encrypt a folder) and cryptsetup/LUKS (to encrypt an entire file system, which may sit on a physicald device or on a file). LUKS cannot directly use public key authentication, but you can fake it by using an encrypted key file, decrypted on the fly by, for example, gpg.
    – AlexP
    Nov 6 '17 at 11:33







1




1




Basically, you get to choose between EcryptFS (to encrypt a folder) and cryptsetup/LUKS (to encrypt an entire file system, which may sit on a physicald device or on a file). LUKS cannot directly use public key authentication, but you can fake it by using an encrypted key file, decrypted on the fly by, for example, gpg.
– AlexP
Nov 6 '17 at 11:33




Basically, you get to choose between EcryptFS (to encrypt a folder) and cryptsetup/LUKS (to encrypt an entire file system, which may sit on a physicald device or on a file). LUKS cannot directly use public key authentication, but you can fake it by using an encrypted key file, decrypted on the fly by, for example, gpg.
– AlexP
Nov 6 '17 at 11:33










1 Answer
1






active

oldest

votes

















up vote
1
down vote













See https://wiki.archlinux.org/index.php/disk_encryption , it's arch-specific but virtually every package is available in Ubuntu too.



All the disk encryption methods are "on-the-fly" so the physical drives remain encrypted at all times (so are the system encryption methods too). None would be very useful if pulling the plug left everything decrypted! But FYI, if it's a virtual server, the "real" admins with physical access could always monitor every bit coming in & out anyway, but that's true for any OS too.



On Ubuntu, eCryptfs sounds closest to what your windows checkbox does, only better (encrypts filenames too, AFAIK windows doesn't). If you're using a GUI there should be a checkbox to encrypt a new user's home, or use ecryptfs-migrate-home, or I think there's a flag to adduser or similar commands too.



If a user's logged in, their home is "decrypted" for them, and regular access controls limit who can see what.



Full disk encryption (with LUKS) is another checkbox on install that you might be interested in.




See https://wiki.archlinux.org/index.php/security for general security info, "recommendations and best practices for hardening an Arch Linux system", that apply to virtually all linux including Ubuntu.






share|improve this answer




















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f402794%2fefs-replacement-on-ubuntu%23new-answer', 'question_page');

    );

    Post as a guest






























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    1
    down vote













    See https://wiki.archlinux.org/index.php/disk_encryption , it's arch-specific but virtually every package is available in Ubuntu too.



    All the disk encryption methods are "on-the-fly" so the physical drives remain encrypted at all times (so are the system encryption methods too). None would be very useful if pulling the plug left everything decrypted! But FYI, if it's a virtual server, the "real" admins with physical access could always monitor every bit coming in & out anyway, but that's true for any OS too.



    On Ubuntu, eCryptfs sounds closest to what your windows checkbox does, only better (encrypts filenames too, AFAIK windows doesn't). If you're using a GUI there should be a checkbox to encrypt a new user's home, or use ecryptfs-migrate-home, or I think there's a flag to adduser or similar commands too.



    If a user's logged in, their home is "decrypted" for them, and regular access controls limit who can see what.



    Full disk encryption (with LUKS) is another checkbox on install that you might be interested in.




    See https://wiki.archlinux.org/index.php/security for general security info, "recommendations and best practices for hardening an Arch Linux system", that apply to virtually all linux including Ubuntu.






    share|improve this answer
























      up vote
      1
      down vote













      See https://wiki.archlinux.org/index.php/disk_encryption , it's arch-specific but virtually every package is available in Ubuntu too.



      All the disk encryption methods are "on-the-fly" so the physical drives remain encrypted at all times (so are the system encryption methods too). None would be very useful if pulling the plug left everything decrypted! But FYI, if it's a virtual server, the "real" admins with physical access could always monitor every bit coming in & out anyway, but that's true for any OS too.



      On Ubuntu, eCryptfs sounds closest to what your windows checkbox does, only better (encrypts filenames too, AFAIK windows doesn't). If you're using a GUI there should be a checkbox to encrypt a new user's home, or use ecryptfs-migrate-home, or I think there's a flag to adduser or similar commands too.



      If a user's logged in, their home is "decrypted" for them, and regular access controls limit who can see what.



      Full disk encryption (with LUKS) is another checkbox on install that you might be interested in.




      See https://wiki.archlinux.org/index.php/security for general security info, "recommendations and best practices for hardening an Arch Linux system", that apply to virtually all linux including Ubuntu.






      share|improve this answer






















        up vote
        1
        down vote










        up vote
        1
        down vote









        See https://wiki.archlinux.org/index.php/disk_encryption , it's arch-specific but virtually every package is available in Ubuntu too.



        All the disk encryption methods are "on-the-fly" so the physical drives remain encrypted at all times (so are the system encryption methods too). None would be very useful if pulling the plug left everything decrypted! But FYI, if it's a virtual server, the "real" admins with physical access could always monitor every bit coming in & out anyway, but that's true for any OS too.



        On Ubuntu, eCryptfs sounds closest to what your windows checkbox does, only better (encrypts filenames too, AFAIK windows doesn't). If you're using a GUI there should be a checkbox to encrypt a new user's home, or use ecryptfs-migrate-home, or I think there's a flag to adduser or similar commands too.



        If a user's logged in, their home is "decrypted" for them, and regular access controls limit who can see what.



        Full disk encryption (with LUKS) is another checkbox on install that you might be interested in.




        See https://wiki.archlinux.org/index.php/security for general security info, "recommendations and best practices for hardening an Arch Linux system", that apply to virtually all linux including Ubuntu.






        share|improve this answer












        See https://wiki.archlinux.org/index.php/disk_encryption , it's arch-specific but virtually every package is available in Ubuntu too.



        All the disk encryption methods are "on-the-fly" so the physical drives remain encrypted at all times (so are the system encryption methods too). None would be very useful if pulling the plug left everything decrypted! But FYI, if it's a virtual server, the "real" admins with physical access could always monitor every bit coming in & out anyway, but that's true for any OS too.



        On Ubuntu, eCryptfs sounds closest to what your windows checkbox does, only better (encrypts filenames too, AFAIK windows doesn't). If you're using a GUI there should be a checkbox to encrypt a new user's home, or use ecryptfs-migrate-home, or I think there's a flag to adduser or similar commands too.



        If a user's logged in, their home is "decrypted" for them, and regular access controls limit who can see what.



        Full disk encryption (with LUKS) is another checkbox on install that you might be interested in.




        See https://wiki.archlinux.org/index.php/security for general security info, "recommendations and best practices for hardening an Arch Linux system", that apply to virtually all linux including Ubuntu.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 10 '17 at 7:01









        Xen2050

        1,032711




        1,032711



























             

            draft saved


            draft discarded















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f402794%2fefs-replacement-on-ubuntu%23new-answer', 'question_page');

            );

            Post as a guest













































































            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?