 |
HOWTO create a safe directory to store files in a secure way at run- and downtime. |
|
|
Chapter Introduction and Contents |
|
Introduction
I've been working with some programs working at best when the credentials provided
at login, are available. Examples of those programs are:
. mount.cifs (look for details here)
. fusesmb (look for details here)
With a the PAM modules pam_script it's possible to store the password in a file, which will be used
by fusemb and mount.cifs to read the password from. To achieve security, make the user
logging in owner and deny read/write for anybody else. Remove this file when the user ends his/her session.
This is enough, for runtime. But I was wondering, but what if the system crashes, and the file with the credentials
remains on the harddrive? Anybody who is able to mount this harddrive with for example a lifecd, can read this file!
That's why I was looking for a was to encrypt this file. With encfs this is very possible! At run time it gives an interface
to encrypted files and directories, which does only exist at runtime! When the system is not running, there are only encrypted
files, useless when you do not know the key to it. And this key is exactly the password(encrypted)! That's why I've chosen
for a combination of PAM and Encfs.
This construction is intended to give enough security for run- and downtime (after a crash) to store sensitive information,
not for creating a permanent safe directory on your harddrive to store documents.
Contents