On Sat, Oct 03, 2015 at 11:20:34PM +0100, steve-ALUG@hst.me.uk wrote:
On 03/10/15 19:09, Chris Green wrote:
Are there any alternatives? File system encryption doesn't really help as the machine in question is turned on all the time with the desktop open so it would spend its whole time with the file system decrypted. It's not a laptop so it doesn't have a big risk of being stolen or lost.
Alternatives: I don't know.
No, I don't think there isn't anything much 'mainstream' out there.
Simplifying: Well you say you have to remember how to decrypt the directory tree so just put it into a script that prompts for a password. That's simpler.
Yes, though it would expose it *slightly* more to an attacker by making it immediately clear how it was encrypted.
I think the first question is what you're trying to protect and from whom. If the machine's on, does it have a screensaver with a password on it or do you leave it logged in unprotected?
I'm not worried about physical access so much, we're in a fairly remote location with very little crime and the house is occupied all the time. So, no, there's no screen lock. However I do have (well protected) remote ssh access so, if anything, I'm protecting against remote break-in. A screen lock won't help at all in this case - and I do need to keep it accessible to me as that's how I read my E-Mail, Usenet, etc. The ssh is pretty secure, only allows access from two specific IPs where I have ssh access so I need two passwords to get in. An intruder would either need to know two passwords or have an account on one of the intermediate hosts and guess my home password from there.
Having broken in (ssh or some other sort of exploit, the only other port open is SMTP) the attacker would then have to break the encryption on my (vi encrypted) password etc. files or the encfs encrypted file system.
More likely is loss of laptop where I do have the encrypted password files as well. Not much use having them at home if I happen not to have internet access and/or I need the passwords to connect! :-)
Files containing Passwords? You could put them into a password protecting app like LastPass perhaps.
How secure are these (there are quite a few password utilities) compared with encfs or even vi's crypt?
My argument for using vi's weak encryption is that you can't brute force it in any way without having some significant part of the encrypted data 'in clear'. It's not like brute forcing /etc/passwd where you *do* have the 'result'. All you have to do is guess passwords and encrypt them until you get a match for the encrypted string in /etc/shadow.
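The "script that prompts for a password" suggested in the thread, as an added example that is not code from either poster. It assumes Linux with encfs and fusermount on the PATH; the directory paths and the 10-minute idle timeout are hypothetical values. The idle unmount shortens the time the tree sits decrypted on an always-on machine.

```shell
#!/bin/sh
# Added example: wrapper around encfs for the encrypted directory tree.
# ENC_DIR, MNT_DIR and IDLE_MIN are assumed values, not from the thread.
ENC_DIR="${ENC_DIR:-$HOME/.vault.enc}"
MNT_DIR="${MNT_DIR:-$HOME/vault}"
IDLE_MIN="${IDLE_MIN:-10}"

# True if something is mounted on $1 (Linux: field 2 of /proc/mounts).
# Assumes an absolute path without spaces (spaces are escaped in /proc/mounts).
is_mounted() {
    [ -r /proc/mounts ] &&
        awk -v m="$1" '$2 == m { found = 1 } END { exit !found }' /proc/mounts
}

# Mount $1 on $2. Returns 0 on success or if already mounted,
# 2 for missing directories, 3 if encfs is absent, else encfs's own status.
mount_vault() {
    enc=$1 mnt=$2
    [ -d "$enc" ] && [ -d "$mnt" ] || { echo "missing directory" >&2; return 2; }
    command -v encfs >/dev/null 2>&1 || { echo "encfs not installed" >&2; return 3; }
    is_mounted "$mnt" && return 0
    printf 'Passphrase: ' >&2
    stty -echo 2>/dev/null || true      # no echo while typing
    IFS= read -r pass
    stty echo 2>/dev/null || true
    printf '\n' >&2
    # --stdinpass keeps the passphrase out of the argument list (not shown by ps);
    # --idle unmounts automatically after IDLE_MIN minutes without access.
    printf '%s\n' "$pass" | encfs --stdinpass --idle="$IDLE_MIN" "$enc" "$mnt"
    rc=$?
    unset pass
    return $rc
}

# Unmount $1 if it is mounted; a no-op otherwise.
unmount_vault() {
    is_mounted "$1" || return 0
    fusermount -u "$1"
}

case "${1:-}" in
    open)  mount_vault "$ENC_DIR" "$MNT_DIR" ;;
    close) unmount_vault "$MNT_DIR" ;;
esac
```

Run it as `vault.sh open` and `vault.sh close` (the file name is an assumption); the passphrase itself is never stored in the script.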