EFS replacement on Ubuntu
I'm considering switching from Windows Server to Ubuntu Server. One feature that I can't figure out is what I should use instead of NTFS Encryption (EFS). So, basically, what I need:
1) This applies only to some specific files in storage, e.g. the wallet.dat & bitcoin.conf files of Bitcoin Core (not the whole 150 GB blockchain repo).
2) The file stays physically encrypted; if this is a cloud server and the admins take the HDD away, there is nothing they can do to decrypt it.
3) The file is symmetrically encrypted (so even large files have excellent performance), but the key is assigned to one or more users using their public keys, e.g. the service account and the admin account assigned to perform configuration for that service. No other admin accounts are capable of reading the internal data of the file (which contains passwords or keys for the service, e.g.), nor can they override or capture the permissions, simply because they can't physically decrypt it. Users enlisted for decryption can assign certificates to other users if they have the proper permissions for the file.
4) Encryption is transparent to the software, so the services are not aware of the encryption at all, and text editors (for config files) can transparently modify it, as long as they are running under a granted user.
5) The certificate container is only decrypted for the user (or service account) when they log on using their password. If the password is reset by an admin, the user loses their cryptographic container for good. And certificates are optionally exportable in case the user has to move the HDD to another machine.
All of that I can do in Windows (since Windows 2000) using one checkbox (and an optional list of assigned certificates). It even creates a certificate automatically on first use and recommends backing it up in the notification area.
What do you guys do in the Linux world for this, any advice? I'm not a big fan of separate containers (which are probably accessible to any user logged in on the system) and mount points (but maybe this is the only way to go); I do believe there is some solution that extends the file system.
encryption ntfs cryptography
asked Nov 6 '17 at 9:16
Dmitry Gusarov
Basically, you get to choose between EcryptFS (to encrypt a folder) and cryptsetup/LUKS (to encrypt an entire file system, which may sit on a physical device or on a file). LUKS cannot directly use public key authentication, but you can fake it by using an encrypted key file, decrypted on the fly by, for example, gpg.
– AlexP, Nov 6 '17 at 11:33
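The "encrypted key file, decrypted on the fly by gpg" approach from the comment above, written out as an added example (this is not code from the question or the comment): a LUKS volume kept in an ordinary file, whose random key is stored on disk only in OpenPGP-encrypted form, addressed to every user who is allowed to open it. That gives requirements 2 and 3 (ciphertext at rest, access by public key, existing holders can add more holders). It assumes cryptsetup and gpg are installed, that the recipients' public keys are already in the keyring of the account running it, and that setup/open/close run as root; all paths are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post: a LUKS volume in a file,
# unlocked by a random key that only exists on disk gpg-encrypted to the
# users allowed to open it (the key-file trick AlexP describes).
# Assumed: cryptsetup and gpg installed, recipients' public keys already in
# the caller's keyring, setup/open/close run as root. Paths are hypothetical.
set -eu

VAULT_IMG=${VAULT_IMG:-/srv/vault.img}        # ciphertext, safe to leave on disk
VAULT_NAME=${VAULT_NAME:-vault}               # /dev/mapper/vault while open
WRAPPED_KEY=${WRAPPED_KEY:-/etc/vault.key.gpg} # gpg-encrypted volume key
MOUNTPOINT=${MOUNTPOINT:-/srv/vault}

# gen_key: 48 random bytes from the kernel, base64-encoded so the key is
# 64 printable characters and no newline handling can corrupt it.
gen_key() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# wrap_key OUT RECIPIENT...: read the plaintext key on stdin and encrypt it
# to every recipient (key ID or e-mail, no spaces); any one of them can
# decrypt it later. The plaintext is never written to OUT.
wrap_key() {
    out=$1; shift
    [ $# -gt 0 ] || { echo "wrap_key: need at least one recipient" >&2; return 1; }
    recips=""
    for r in "$@"; do recips="$recips -r $r"; done
    # shellcheck disable=SC2086  # recips is deliberately word-split
    gpg --batch --yes --encrypt $recips --output "$out"
}

# setup_vault SIZE_MB RECIPIENT...: create and format the image with a fresh
# key, wrap the key for the recipients, shred the plaintext copy, then put
# an ext4 file system inside.
setup_vault() {
    size_mb=$1; shift
    rawkey=$(mktemp)
    (umask 077; gen_key > "$rawkey")
    fallocate -l "${size_mb}M" "$VAULT_IMG"
    chmod 600 "$VAULT_IMG"
    cryptsetup luksFormat --type luks2 --batch-mode --key-file "$rawkey" "$VAULT_IMG"
    wrap_key "$WRAPPED_KEY" "$@" < "$rawkey"
    cryptsetup open --key-file "$rawkey" "$VAULT_IMG" "$VAULT_NAME"
    shred -u "$rawkey"
    mkfs.ext4 -q "/dev/mapper/$VAULT_NAME"
    cryptsetup close "$VAULT_NAME"
}

# open_vault: decrypt the wrapped key in memory and hand it to cryptsetup on
# stdin (--key-file - reads the whole stream, no newline stripping). Only a
# holder of one recipient's private key gets past this step.
open_vault() {
    gpg --batch --quiet --decrypt "$WRAPPED_KEY" \
        | cryptsetup open --key-file - "$VAULT_IMG" "$VAULT_NAME"
    mkdir -p "$MOUNTPOINT"
    mount "/dev/mapper/$VAULT_NAME" "$MOUNTPOINT"
}

close_vault() {
    umount "$MOUNTPOINT"
    cryptsetup close "$VAULT_NAME"
}

# grant RECIPIENT...: re-wrap the key for a new, complete recipient list.
# Decrypting needs the caller's own private key, so only an existing holder
# can extend access (the EFS "add user to file" semantics).
grant() {
    gpg --batch --quiet --decrypt "$WRAPPED_KEY" | wrap_key "$WRAPPED_KEY.new" "$@"
    mv "$WRAPPED_KEY.new" "$WRAPPED_KEY"
}

case "${1:-}" in
    setup) shift; setup_vault "$@" ;;   # setup 512 alice@example.org bob@example.org
    open)  open_vault ;;
    close) close_vault ;;
    grant) shift; grant "$@" ;;
    *)     : ;;                         # no verb given: only define the functions
esac
```

Point the service at files under the mount point (a symlink such as ~/.bitcoin/wallet.dat to /srv/vault/wallet.dat is enough), so the 150 GB of chain data stays outside. Two caveats a Windows EFS user should expect: while the volume is open, the plaintext is governed by ordinary Unix permissions and root can read it, exactly as with an EFS file opened by a logged-in user; and the equivalent of "password reset loses the container" is the passphrase on each recipient's gpg private key, so back up the private keys and the wrapped key file together.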
1 Answer
See https://wiki.archlinux.org/index.php/disk_encryption; it's Arch-specific, but virtually every package is available in Ubuntu too.
All the disk encryption methods are "on-the-fly", so the physical drives remain encrypted at all times (so are the system encryption methods too). None would be very useful if pulling the plug left everything decrypted! But FYI, if it's a virtual server, the "real" admins with physical access could always monitor every bit coming in & out anyway, but that's true for any OS too.
On Ubuntu, eCryptfs sounds closest to what your Windows checkbox does, only better (encrypts filenames too; AFAIK Windows doesn't). If you're using a GUI there should be a checkbox to encrypt a new user's home, or use ecryptfs-migrate-home, or I think there's a flag to adduser or similar commands too.
If a user's logged in, their home is "decrypted" for them, and regular access controls limit who can see what.
Full disk encryption (with LUKS) is another checkbox on install that you might be interested in.
See https://wiki.archlinux.org/index.php/security for general security info, "recommendations and best practices for hardening an Arch Linux system", that apply to virtually all Linux including Ubuntu.
answered Nov 10 '17 at 7:01
Xen2050
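The answer's eCryptfs suggestion, applied to a single directory rather than a whole home, as an added example (not code from the answer or from ecryptfs-utils): the keys are loaded into the kernel keyring with ecryptfs-add-passphrase and the mount is done with mount -i, so the kernel gets the options directly and no interactive mount.ecryptfs prompt appears. A check function then writes a marker file, unmounts, and greps the ciphertext directory to confirm neither content nor file name is readable at rest. It assumes ecryptfs-utils is installed and that it runs as root; the paths are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the answer above: encrypt one directory with
# eCryptfs (just the wallet and config files, not the chain data), mounted
# through the kernel with keys already in the keyring, then verify that the
# lower directory holds no plaintext once unmounted.
# Assumed: ecryptfs-utils installed, runs as root. Paths are hypothetical.
set -eu

LOWER=${LOWER:-/srv/.secret}     # ciphertext on disk
UPPER=${UPPER:-/srv/secret}      # plaintext view, only while mounted

# sigs_from_add_output: pull the key signatures out of the lines
# "Inserted auth tok with sig [....] into the user session keyring" that
# ecryptfs-add-passphrase prints, one per line, content key first and
# filename (fnek) key second.
sigs_from_add_output() {
    sed -n 's/.*sig \[\([0-9a-f]*\)\].*/\1/p'
}

# mount_opts SIG FNEK_SIG: kernel-level eCryptfs options. AES-256, filename
# encryption keyed by the second token, keys unlinked again on unmount.
mount_opts() {
    printf 'ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs' "$1" "$2"
}

# mount_secret: read the passphrase on stdin, load the content and filename
# keys into the kernel keyring, then mount LOWER onto UPPER with -i so that
# mount(8) passes the options straight to the kernel.
mount_secret() {
    mkdir -p "$LOWER" "$UPPER"
    chmod 700 "$LOWER" "$UPPER"
    # shellcheck disable=SC2046  # two signatures become $1 and $2
    set -- $(ecryptfs-add-passphrase --fnek - | sigs_from_add_output)
    [ $# -eq 2 ] || { echo "expected two key signatures, got $#" >&2; return 1; }
    mount -i -t ecryptfs -o "$(mount_opts "$1" "$2")" "$LOWER" "$UPPER"
}

# check_at_rest: write a marker while mounted, unmount, and grep the
# ciphertext tree for it. Returns 0 only if neither the content nor the
# file name is visible under LOWER.
check_at_rest() {
    marker="plaintext-marker-$$"
    printf '%s\n' "$marker" > "$UPPER/$marker.txt"
    umount "$UPPER"
    if grep -rq "$marker" "$LOWER" || ls "$LOWER" | grep -q "$marker"; then
        echo "LEAK: $marker visible under $LOWER" >&2
        return 1
    fi
    echo "ok: no plaintext under $LOWER"
}

case "${1:-}" in
    mount) mount_secret ;;     # e.g. printf '%s' "$PASS" | sh this.sh mount
    check) check_at_rest ;;
    *)     : ;;                # no verb given: only define the functions
esac
```

Once mounted, files under /srv/secret behave like any other files, which is the answer's point that "regular access controls limit who can see what": the service user reads its wallet through ordinary permissions and never sees the encryption. What this route does not give you is an access list of public keys; eCryptfs is keyed by a passphrase, and anyone who can get that passphrase into the keyring can mount the directory, so keep the passphrase file root-only and outside the encrypted tree.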