I have been investigating security a lot recently. You might think that this is primarily because of the revelations regarding the NSA hoovering up everyone’s data, but I was looking into this before Mr. Snowden broke his story.
There are a couple of things that I have been working on. The first one was securing a server. One of the research groups here is working on sensitive material. However, they are not working on it alone, and in fact are doing collaborative research with groups in a couple of other European countries.
The issue is that they need to be able to share their data, to be able to write and read the data and have it secured.
Now if it was a single person, or even a single group working in a single location then I would seriously consider the use of something like Truecrypt. Putting the data in an encrypted ‘vault’ which you can open and close as required, and which users can co-operate on managing. But this only works well for simple usage. How do you manage co-operative opening/closing/modifying of data stored in a Truecrypt vault. This is before you also consider the fact that it would also require sharing of the passphrase across the groups.
After much head scratching and reading of various pages I reached the conclusion that the best approach was to store everything within an ecryptfs file system. ecryptfs is part of the Linux kernel, and it provides an encryption/decryption layer at the file level.
The process of enabling it is quite simple. On the Linux machine that holds the data you need to install the ‘ecryptfs-utils’. On a suitable Ubuntu/Mint/Debian system this is achieved using the command:
sudo aptitude install ecryptfs-utils
Once the installation is complete then the following steps are required:
- Create the ‘Folder’ which will contain the encrypted data
- Create the ‘Folder’ which will ‘contain’ the unencrypted data
- mount the encrypted folder pointing to the unencrypted version using the ‘encryptfs’ mount type.
The command is: sudo mount -t ecryptfs ‘secure_folder’ ‘readable_folder’
When issuing the mount command (which needs to be done as sudo) then a number of settings have to be selected. These are:
- Passphrase for the encryption (equivalent to the password)
- Encryption type
- Key bytes
- Enabling plaintext passthrough
- Enabling filename encryption
Care should be taken when setting these values the first time as they will define the settings for the content. If, on subsequent attempts to mount the encrypted content any setting is different from the ‘original’ settings then a warning will be issued, and you will be asked if you want to continue mounting. At this point I would suggest cancelling the mount process and re-mounting. This minimizes the probability of overwriting content and damaging it!
Once the process is complete then the ‘plain’ folder can be written to without any special commands. The file appears in the plain folder, but an encrypted version of the file is stored in the encrypted folder. If the option to encrypt the filename has been selected then the filename itself is encrypted.
There are a few things I like about this approach to securing data. Although it appears that the content is unencrypted, the ‘plain’ version is a live file, which disappears when the folder is unmounted. This means that if a bad guy were to steal the device (good luck, the server is bloomin’ huge!) then they would need the passphrase to remount the content, and it is therefore safe… Also, the encryption is on a file level, so you don’t have to earmark a certain size of ‘vault’ as you would in Truecrypt, you can just write files in the normal way and they will be encrypted. The ‘plain’ folder can be shared as a Samba share in the normal way, multiple users can connect and use the content, and they don’t need to be able to manage complex encryption software, or share a passphrase.
One other thing that is excellent about using this approach is that it plays so well with Dropbox (and other cloud storage providers). I have created a folder on all of my Linux machines which have the Dropbox client installed. The folder is then used to mount a folder within my Dropbox directory using the encryptfs as above. I can then store content in the folder which is then encrypted within Dropbox. No more worrying about ‘Safe Harbour’ policies etc. I haven’t made all of my Dropbox content encrypted though. There are several reasons for this.
- ecryptfs is not supported on any platform other than Linux. I don’t often have to use Windows or Mac, but it does happen, and if I put everything within an encrypted system there is no doubt there would be a time I wanted something from the file system which would be a pain to extract.
- While it is possible to automate the process of mounting the encrypted content it seems nonsensical to do so. Encrypted content which auto-unencrypts without intervention is functionally equivalent to unencrypted content, and isn’t in any real way secure.
- One of the tweaks I have made to my Emacs start-up files is to store them in the my Dropbox. I need these to be available when I log in so that the Emacs daemon can start, which enables fast start-up for any subsequent usage.
I’m very happy with the functionality, and so far, so are the users.
There is more to be said on the subject of security, but I will save it for another post.