On 04/10/15 09:57, Chris Green wrote:
On Sat, Oct 03, 2015 at 11:20:34PM +0100, steve-ALUG@hst.me.uk wrote:
On 03/10/15 19:09, Chris Green wrote:
No, I don't think there's anything much 'mainstream' out there. Simplifying: well, you say you have to remember how to decrypt the directory tree, so just put it into a script that prompts for a password. That's simpler.
Yes, though it would expose it *slightly* more to an attacker by making it immediately clear how it was encrypted.
If and only if they found the script to unencrypt. You could make the same argument against the script that unencrypts your password files.
I think the first question is what you're trying to protect and from whom. If the machine's on, does it have a screensaver with a password on it or do you leave it logged in unprotected?
I'm not worried about physical access so much, we're in a fairly remote location with very little crime and the house is occupied all the time. So, no, there's no screen lock. However I do have (well protected) remote ssh access so, if anything, I'm protecting against remote break-in. A screen lock won't help at all in this case - and I do need to keep it accessible to me as that's how I read my E-Mail, Usenet, etc. The ssh is pretty secure, only allows access from two specific IPs where I have ssh access so I need two passwords to get in. An intruder would either need to know two passwords or have an account on one of the intermediate hosts and guess my home password from there.
Have you considered adding denyhosts or fail2ban? Failed ssh login attempts result in the source IP address being blocked for a while.
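As an added illustration (not from anyone in the thread) of the core thing denyhosts and fail2ban do before they block an address: count failed sshd password attempts per source IP in auth.log-style lines and report the ones that cross a retry threshold. The log lines, hostnames, users and addresses below are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of sshd entries in syslog/auth.log format (not real traffic).
SAMPLE_LOG='Oct  4 09:51:02 home sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Oct  4 09:51:05 home sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Oct  4 09:51:09 home sshd[2235]: Failed password for root from 203.0.113.45 port 51030 ssh2
Oct  4 09:52:41 home sshd[2240]: Accepted publickey for chris from 198.51.100.7 port 40122 ssh2
Oct  4 09:53:10 home sshd[2244]: Failed password for chris from 198.51.100.7 port 40130 ssh2
Oct  4 09:55:33 home sshd[2250]: Failed password for invalid user test from 203.0.113.45 port 51041 ssh2'

# failed_per_ip: read sshd log lines on stdin and print "count ip" for each
# source address that produced a "Failed password" line, most failures first.
failed_per_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            # the address always follows the literal word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: print only the addresses with at least THRESHOLD
# failures, i.e. the set a rule like fail2ban's maxretry would ban.
offenders() {
    threshold=$1
    failed_per_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Run against the sample; for a real box pipe /var/log/auth.log in instead.
printf '%s\n' "$SAMPLE_LOG" | offenders 3
```

Note that a legitimate user mistyping once (198.51.100.7 above) stays under the threshold, which is why the retry count and ban time matter more than the blocking itself.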
Having broken in (ssh or some other sort of exploit, the only other port open is SMTP) the attacker would then have to break the encryption on my (vi encrypted) password etc. files or the encfs encrypted file system.
More likely is loss of laptop where I do have the encrypted password files as well. Not much use having them at home if I happen not to have internet access and/or I need the passwords to connect! :-)
Files containing Passwords? You could put them into a password protecting app like LastPass perhaps.
How secure are these (there are quite a few password utilities) compared with encfs or even vi's crypt?
I think they're pretty secure, but it may be someone else's proprietary system out of your control. It is another possible source of attack. Possibly more secure than Vi though.
My argument for using vi's weak encryption is that you can't brute force it in any way without having some significant part of the encrypted data 'in clear'. It's not like brute forcing /etc/passwd where you *do* have the 'result'. All you have to do is guess passwords and encrypt them until you get a match for the encrypted string in /etc/shadow.
Sounds like you're basically happy and you just want to simplify. Simply put a script somewhere e.g. one of the bin directories, var, usr, ~/documents or somewhere like that. Just don't call it unencrypt.sh!