[ale] Encrypting FS by a normal user? to protect from root?

Jeremy T. Bouse Jeremy.Bouse at UnderGrid.net
Fri Mar 16 16:41:44 EDT 2007


	Have you thought about using LUKS to create an encrypted file that
could be mounted through loopback? You could generate it locally as root
and then copy it off-site. Even if they were root off-site they still
would not be able to get to the data held within unless they had the
proper key to decrypt the FS.

	I use this for my USB key fob that holds my GPG and SSH keys. I have 2
identical drives, both with separate decryption keys: one holds my GPG
primary keys and is stored in my safe, the other holds my GPG sub-keys
and SSH identity keys that I keep with me. I particularly like that LUKS
allows for multiple decryption keys, so when I'm accessing the drive I'm
not always using the same key to access it.

	Regards,
	Jeremy

Greg Freemyer wrote:
> All,
> 
> I want to start sending data offsite as a backup (3rd copy for DR,
> already have live and onsite nightly copy).
> 
> I'm considering Dreamhost because they seem by far the cheapest I've
> seen.  The trouble is I would have SSH access, but not root access.
> 
> I would really like to create an encrypted FS that I could access but
> that root would not be able to access.  I'm hoping that there is a
> FUSE FS that might allow this.
> 
> The next issue is keeping root from doing a su and becoming me to access the FS.
> 
> Anyone know any solutions?
> 
> Greg
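
The workflow described in the reply above (a LUKS container file built locally, given two passphrases, and copied off-site while locked), written out as a shell script. This is an added example, not part of the original message. The values of IMG, NAME, MNT, SIZE_MB, REMOTE and MAPPER_DIR and the DRY_RUN switch are assumptions; the container is only ever opened on the local machine.

```shell
#!/bin/sh
# Added example: build a LUKS container file locally and ship it off-site locked.
# IMG, NAME, MNT, SIZE_MB, REMOTE and MAPPER_DIR are hypothetical values.
# Run as root; DRY_RUN=1 prints each command instead of executing it.
IMG=${IMG:-backup.img}
NAME=${NAME:-offsite_backup}
MNT=${MNT:-/mnt/offsite_backup}
SIZE_MB=${SIZE_MB:-1024}
REMOTE=${REMOTE:-user@backup.example.com:backups/}
MAPPER_DIR=${MAPPER_DIR:-/dev/mapper}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

create_container() {
    # Random fill, so unused space looks the same as ciphertext.
    run dd if=/dev/urandom of="$IMG" bs=1M count="$SIZE_MB" &&
    run cryptsetup luksFormat "$IMG" &&   # prompts for the first passphrase
    run cryptsetup luksAddKey "$IMG" &&   # second passphrase, separate key slot
    run cryptsetup open "$IMG" "$NAME" && # cryptsetup attaches the loop device
    run mkfs.ext4 "$MAPPER_DIR/$NAME" &&
    run cryptsetup close "$NAME"
}

mount_container() {
    run cryptsetup open "$IMG" "$NAME" &&
    run mkdir -p "$MNT" &&
    run mount "$MAPPER_DIR/$NAME" "$MNT"
}

unmount_container() {
    run umount "$MNT" &&
    run cryptsetup close "$NAME"
}

ship_container() {
    # Refuse to copy while the mapping exists: the image may be mid-write.
    if [ -e "$MAPPER_DIR/$NAME" ]; then
        echo "refusing to copy: $NAME is still open" >&2
        return 1
    fi
    run scp "$IMG" "$REMOTE"
}

case "${1:-}" in
    create|mount|unmount|ship) "${1}_container" ;;
esac
```

To restore, copy the file back and run the mount step locally; opening the container on the remote host would expose the passphrase and the decrypted data to root there.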

