Encrypt file while you are using it

Encrypt file while you are using it

Carlos Carrero Gutierrez-2
Hi, I would like to keep an archive encrypted at all times, so I
would like to know what software can do this.

Now I am using Truecrypt, but when I mount the encrypted directory it's
vulnerable. I want to mount the file and have the file remain
encrypted.

Can somebody help me?

Thank you very much, I appreciate your help.


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]

Re: Encrypt file while you are using it

Bas Steendijk
If you mount a truecrypt volume, the volume itself remains encrypted.
The truecrypt driver decrypts and encrypts access in real time. You
cannot "mount" an encrypted volume and not expose it at the file system
level while it's mounted, by definition. Look at the possibility of a
write-only mount, but I can't help you with this.
Alternatively, use passworded archives instead of a filesystem solution.

Manuel Gomez wrote:

> Hi, i would like to maintain encrypt an archive in all moment, so i
> would like to know what software can be this.
>
> Now i am using Truecrypt, but when i mount the encrypted directory it's
> vulnerable. I want to mount the file and that the file can remains
> encrypt.
>
> Somebody can help me?
>
> Thank you very much, I appreciate your help.
>
>



Re: Encrypt file while you are using it

Johannes Wiedersich
In reply to this post by Carlos Carrero Gutierrez-2

Manuel Gomez wrote:
> Hi, i would like to maintain encrypt an archive in all moment, so i

If it is to remain encrypted in any moment in time, you should just use
a very complicated password and forget it immediately. Your data should
remain encrypted forever....

> would like to know what software can be this.
>
> Now i am using Truecrypt, but when i mount the encrypted directory it's
> vulnerable. I want to mount the file and that the file can remains
> encrypt.

If I understand you correctly, you would like to read the file, while it
still is encrypted? How should this possibly work?

> Somebody can help me?

If you would like to access your encrypted files one by one (instead of
mounting an encrypted archive) you could encrypt each file separately.
'gpg' (package: gnupg) is one program that could be used for this.

If you use 'cryptsetup', your whole partition (including the file
system) will be encrypted (and remain encrypted all the time). After
issuing the password, all data will be decrypted/encrypted on the fly.

From what you wrote, it's not fully clear to me what exactly you are trying to
achieve.

HTH anyway,

Johannes

Re: Encrypt file while you are using it

graziano-4
On Mon, Nov 24, 2008 at 05:30:46PM +0100, Johannes Wiedersich wrote:

> Manuel Gomez wrote:
> > Hi, i would like to maintain encrypt an archive in all moment, so i
>
> If it is to remain encrypted in any moment in time, you should just use
> a very complicated password and forget it immediately. Your data should
> remain encrypted forever....
>
> > would like to know what software can be this.
> >
> > Now i am using Truecrypt, but when i mount the encrypted directory it's
> > vulnerable. I want to mount the file and that the file can remains
> > encrypt.
>
> If I understand you correctly, you would like to read the file, while it
> still is encrypted? How should this possibly work?

Hello,

I think that cfs and encfs do what you are asking for.

cheers
graziano

>
> > Somebody can help me?
>
> If you would like to access your encrypted files one by one (instead of
> mounting an encrypted archive) you could encrypt each file separately.
> 'gpg' (package: gnupg) is one program that could be used for this.
>
> If you use 'cryptsetup', your whole partition (including the file
> system) will be encrypted (and remain encrypted all the time). After
> issuing the password, all data will be decrypted/encrypted on the fly.
>
> - From what you wrote, it's not fully clear to me, what exactly you try to
> achieve.
>
> HTH anyway,
>
> Johannes

--
+-----------------------+--------------------------+
| Graziano Obertelli    | CS Dept. Rm 5112         |
| [hidden email]  | University of California |
| (805) 893-5212        | Santa Barbara, CA 93106  |
+-----------------------+--------------------------+



Re: Encrypt file while you are using it

Lupe Christoph
In reply to this post by Carlos Carrero Gutierrez-2
On Monday, 2008-11-24 at 16:12:56 +0100, Manuel Gomez wrote:
> Hi, i would like to maintain encrypt an archive in all moment, so i
> would like to know what software can be this.

> Now i am using Truecrypt, but when i mount the encrypted directory it's
> vulnerable. I want to mount the file and that the file can remains
> encrypt.

Whenever you are able to read a file, it has to exist in unencrypted
form. Let's say you have an editor or viewer that has built-in
decryption. It will read the encrypted file, and decrypt it. To be able
to work on it, the program has to keep the decrypted form. It also
has to send it to some device for you to be able to work on it. The
decrypted form will be readable from /dev/mem or /proc/<pid>/mem by
the superuser and (procfs only) your user. It will also be possible
for at least the superuser to intercept what is going to the device.
There is nothing you can do to prevent these kinds of attacks.

So, storing your files in an encrypted filesystem with permissions set
so that only your user (and the superuser) can read the files is no less
secure than storing the files individually encrypted.

HTH,
Lupe Christoph
--
| There is no substitute for bad design except worse design.             |
| /me                                                                    |



Re: Encrypt file while you are using it

Johannes Wiedersich-3
In reply to this post by graziano-4

Obi wrote:
> On Mon, Nov 24, 2008 at 05:30:46PM +0100, Johannes Wiedersich wrote:
> Manuel Gomez wrote:
>>>> Now i am using Truecrypt, but when i mount the encrypted directory it's
>>>> vulnerable. I want to mount the file and that the file can remains
>>>> encrypt.
> If I understand you correctly, you would like to read the file, while it
> still is encrypted? How should this possibly work?
>
>> I think that cfs and encfs does what you are asking for.

How is encfs different to Truecrypt in the way that files that are read
are (temporarily) decrypted?

Just curious,

Johannes
Re: Encrypt file while you are using it

Mark Allums
In reply to this post by Bas Steendijk
Bas Steendijk wrote:

> Manuel Gomez wrote:
>> Hi, i would like to maintain encrypt an archive in all moment, so i
>> would like to know what software can be this.
>>
>> Now i am using Truecrypt, but when i mount the encrypted directory it's
>> vulnerable. I want to mount the file and that the file can remains
>> encrypt.
>>
>> Somebody can help me?
>>
>> Thank you very much, I appreciate your help.
>>

It cannot be encrypted in memory.  Oh, a whole file can be, if the whole
file is loaded at once, but the buffer holding the info currently being
used can't be, so there will always be a point of vulnerability.  Invent
a good way to obscure every byte 100% of the time, and you will be rich,
rich, rich!

There are a few things that can almost do what I think you are asking,
but the need to do so seems a little extreme.

Uh, some things encrypt the whole disk, but so far, disk-based
encryption hasn't been too satisfactory.  Some partition-level
encryption is available.  This may be a bit vulnerable when errors
occur, meaning if the wrong bits get flipped, all your data goes
bye-bye.  (That is true of some file systems, and a lot of compression
methods, as well.)

Uh, cryptsetup, cryptmount.  Maybe the ecryptfs file system?


Mark Allums



Re: Encrypt file while you are using it

Bernd Eckenfels
In article <[hidden email]> you wrote:
> Uh, some things encrypt the whole disk, but so far, disk-based
> encryption hasn't been too satisfactory.  Some partition-level
> encryption is available.

Where do you see the difference? dm-crypt or truecrypt - they all work on
block device level, with or without partitions.

Gruss
Bernd



Re: Encrypt file while you are using it

graziano-4
In reply to this post by Johannes Wiedersich-3
On Tue, Nov 25, 2008 at 12:00:45AM +0100, Johannes Wiedersich wrote:

> Obi wrote:
> > On Mon, Nov 24, 2008 at 05:30:46PM +0100, Johannes Wiedersich wrote:
> > Manuel Gomez wrote:
> >>>> Now i am using Truecrypt, but when i mount the encrypted directory it's
> >>>> vulnerable. I want to mount the file and that the file can remains
> >>>> encrypt.
> > If I understand you correctly, you would like to read the file, while it
> > still is encrypted? How should this possibly work?
> >
> >> I think that cfs and encfs does what you are asking for.
>
> How is encfs different to Truecrypt in the way that files that are read
> are (temporarily) decrypted?
>
> Just curious,

My apologies: I think I failed reading and comprehension 101. I misread the
original question.

graziano

>
> Johannes

--
+-----------------------+--------------------------+
| Graziano Obertelli    | CS Dept. Rm 5112         |
| [hidden email]  | University of California |
| (805) 893-5212        | Santa Barbara, CA 93106  |
+-----------------------+--------------------------+



Re: Encrypt file while you are using it

Mark Allums
In reply to this post by Bernd Eckenfels
Bernd Eckenfels wrote:

> In article <[hidden email]> you wrote:
>> Uh, some things encrypt the whole disk, but so far, disk-based
>> encryption hasn't been too satisfactory.  Some partition-level
>> encryption is available.
>
> Where do you see the difference? dm-crypt or truecrypt - they all work on
> block device level, with or without partitions.
>
> Gruss
> Bernd
>
>

Well, maybe it is just a point of view.  You are correct.

Mark Allums



Re: Encrypt file while you are using it

Mark Allums
In reply to this post by Bernd Eckenfels
Bernd Eckenfels wrote:

> In article <[hidden email]> you wrote:
>> Uh, some things encrypt the whole disk, but so far, disk-based
>> encryption hasn't been too satisfactory.  Some partition-level
>> encryption is available.
>
> Where do you see the difference? dm-crypt or truecrypt - they all work on
> block device level, with or without partitions.
>
> Gruss
> Bernd
>
>

Actually, I was referring to hardware-based encryption, but I realize
now that that is beyond the scope of the subject, and probably not worth
mentioning.  So, you are correct, of course.

Mark Allums



Re: Encrypt file while you are using it

Mark Allums
In reply to this post by Bernd Eckenfels
Bernd Eckenfels wrote:

> In article <[hidden email]> you wrote:
>> Uh, some things encrypt the whole disk, but so far, disk-based
>> encryption hasn't been too satisfactory.  Some partition-level
>> encryption is available.
>
> Where do you see the difference? dm-crypt or truecrypt - they all work on
> block device level, with or without partitions.
>
> Gruss
> Bernd
>
>

Another, hopefully last, thought:  The distinction I was thinking of was
between whole-partition and per-folder or per-file, not between
encrypted disk and encrypted partition.  I must not have got this across.

Mark Allums



Re: Encrypt file while you are using it

Rolf Kutz-2
In reply to this post by Lupe Christoph
On 24/11/08 22:40 +0100, Lupe Christoph wrote:

>On Monday, 2008-11-24 at 16:12:56 +0100, Manuel Gomez wrote:
>> Hi, i would like to maintain encrypt an archive in all moment, so i
>> would like to know what software can be this.
>
>> Now i am using Truecrypt, but when i mount the encrypted directory it's
>> vulnerable. I want to mount the file and that the file can remains
>> encrypt.
>
>Whenever you are able to read a file, it has to exist in unencrypted
>form. Let's say you have an editor or viewer that has builtin-in
>decryption. It will read the encrypted file, and decrypt it. to be able
>to work on it, the program has to keep the decrypted form. It also
>has to send it to some device for you to be able to work on it. The
>decrypted form will be readable from /dev/mem or /proc/<pid>/mem. by
>the superuser and (procfs only) your user. It will also be possible
>for at least the superuser to intercept what is going to the device.
>There is nothing you can do to prevent these kinds of attacks.

You could use SELinux to prevent these kinds of
attacks.

>So, storing your files in an encrypted filesystem with permissions set
>so that only your user (and the superuser) can read the files is no less
>secure than storing the files individually encrypted.

This depends on the attack vector. Using partition
level encryption protects you from giving away
your filenames and (to some degree) your atime,
mtime and filesize when the partition is not
mounted.

regards, Rolf

--
... Expediency asks the question, 'Is it politic?' ...


Re: Encrypt file while you are using it

Russell Coker
On Tuesday 25 November 2008 16:53, Rolf Kutz <[hidden email]> wrote:

> >Whenever you are able to read a file, it has to exist in unencrypted
> >form. Let's say you have an editor or viewer that has builtin-in
> >decryption. It will read the encrypted file, and decrypt it. to be able
> >to work on it, the program has to keep the decrypted form. It also
> >has to send it to some device for you to be able to work on it. The
> >decrypted form will be readable from /dev/mem or /proc/<pid>/mem. by
> >the superuser and (procfs only) your user. It will also be possible
> >for at least the superuser to intercept what is going to the device.
> >There is nothing you can do to prevent these kinds of attacks.
>
> You could use SELinux to prevent these kind of
> attacks.

http://etbe.coker.com.au/2008/11/25/se-linux-and-decrypted-data/

SE Linux can improve things, but it doesn't entirely solve the general problem
presented here.  I have addressed this issue with the above blog post.

--
[hidden email]
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog



Re: Encrypt file while you are using it

Zaki Akhmad
In reply to this post by Carlos Carrero Gutierrez-2
On Mon, Nov 24, 2008 at 10:12 PM, Manuel Gomez <[hidden email]> wrote:

> Now i am using Truecrypt, but when i mount the encrypted directory it's
> vulnerable. I want to mount the file and that the file can remains
> encrypt.

I want to ask a little bit about Truecrypt.
Is it true that Truecrypt must be run as root? And so on when I try
to read and write the encrypted partition with Truecrypt.

--
Zaki Akhmad

