ronnih
Posts: 32
Joined: Wed Nov 29, 2017 8:59 am
Location: Matrix Network
Contact: Website

[solved] Encrypt directory on NFS partition?

Fri Mar 13, 2020 11:33 am

Hello,

Is there an easy solution to encrypt a directory on my NFS (Network File System) partition? I have a Raspberry that works as an NFS server and I mount my NFS partition on another Raspberry which I use as my desktop computer. All my Pis use Raspbian Buster.

My idea is that I log in on my desktop Pi with my user and password and my encrypted directory on the NFS partition will automatically be decrypted only for this user. Is this possible? :?



greetings
ronnih
Last edited by ronnih on Fri May 01, 2020 1:03 pm, edited 1 time in total.
https://techguru.lima-city.de

ejolson
Posts: 6044
Joined: Tue Mar 18, 2014 11:47 am

Re: Encrypt directory on NFS partition?

Fri Mar 13, 2020 4:50 pm

ronnih wrote:
Fri Mar 13, 2020 11:33 am
Hello,

Is there an easy solution to encrypt a directory on my NFS (Network File System) partition? I have a Raspberry that works as an NFS server and I mount my NFS partition on another Raspberry which I use as my desktop computer. All my Pis use Raspbian Buster.

My idea is that I log in on my desktop Pi with my user and password and my encrypted directory on the NFS partition will automatically be decrypted only for this user. Is this possible? :?

greetings
ronnih

One solution is encfs. Each user stores their encrypted files on the NFS server and mounts the unencrypted versions of the files locally using encfs on their client machines. In theory the administrator of the NFS server has no way to decrypt what the user is storing. In practice, there is significant metadata leaked which indicates directory structure and file size but not the names of the files. Note also that root on the server has access to snapshots of the encrypted files over time, which may allow for cryptographic attacks that are within reach of well-funded criminals and governments.

Another idea, with the disadvantage that it doesn't allow simultaneous mounts of the same files on multiple machines, would be to store a single encrypted disk image on the NFS server and mount it using dm-crypt over loopback on the client machine. This has the advantage of not leaking the metadata on file size and directory structure, but the same cryptographic attack based on observing the state of the encrypted disk image over time may still work.

If you want the encrypted mounts on the client machine to happen automatically when the user logs in, use PAM mount.

ronnih

Re: Encrypt directory on NFS partition?

Sat Mar 14, 2020 8:50 pm

Thx ejolson,

I had already considered encfs, since it is already available everywhere under Linux.

"...which may allow for cryptographic attacks that are within reach of well funded criminals and governments."

I need no high security, it is only for my local network ;) And I'm the only admin on this server. It's important for me that nobody can read the directory if my user is logged out.

"If you want the encrypted mounts on the client machine to happen automatically when the user logs in, use PAM mount"

That sounds interesting and I'll take a closer look at it :)

Has someone realized such a configuration? And can share this information with me? ;)
https://techguru.lima-city.de

ronnih

Re: Encrypt directory on NFS partition?

Fri May 01, 2020 1:02 pm

Hello, back again, now with my solution. I configured the solution with libpam-mount and it works perfectly :) After this configuration you can mount an encrypted directory from your NFS server and decrypt it with your login on your Raspbian desktop. One important point is: you need the same password on your encrypted directory and your login user.

First install libpam-mount:

Code:

apt install libpam-mount

Edit /etc/fuse.conf and uncomment the line:

Code:

user_allow_other

Edit /etc/security/pam_mount.conf.xml and add your specific line:

Code:

<volume user="penguin" fstype="fuse" path="encfs#/media/NFS/.documents" mountpoint="/home/penguin/Documents" options="nonempty" />

Optional: check with the command-line tool pam-auth-update that the line "Mount volumes for user" is active:

Code:

sudo pam-auth-update

Have fun ;)
ronnih
https://techguru.lima-city.de
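
A check of the configuration steps in the post above, as an added example that is not part of the thread or of libpam-mount. It reads the text of fuse.conf and pam_mount.conf.xml and reports encfs volumes that do not match the setup described. The `/media/NFS` root, the rule that the cleartext mountpoint is an absolute path under `/home/<user>/`, the function names and the sample inputs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real system).
SAMPLE_FUSE_CONF = "# mount_max = 1000\n#user_allow_other\n"
SAMPLE_PAM_MOUNT = """<pam_mount>
<volume user="penguin" fstype="fuse" path="encfs#/media/NFS/.documents"
        mountpoint="/home/penguin/Documents" options="nonempty" />
<volume user="*" fstype="fuse" path="encfs#/tmp/plain"
        mountpoint="/srv/shared" options="nonempty" />
</pam_mount>"""

def fuse_allows_other(fuse_conf: str) -> bool:
    """True only if user_allow_other appears on an uncommented line."""
    return any(line.strip() == "user_allow_other" for line in fuse_conf.splitlines())

def check_volumes(pam_mount_xml: str, nfs_root: str = "/media/NFS") -> list:
    """Return (user, problem) pairs for encfs volumes that break the thread's setup."""
    findings = []
    for vol in ET.fromstring(pam_mount_xml).iter("volume"):
        user = vol.get("user", "")
        path = vol.get("path", "")
        mountpoint = vol.get("mountpoint", "")
        if vol.get("fstype") != "fuse" or not path.startswith("encfs#"):
            continue  # not an encfs volume, out of scope here
        source = path[len("encfs#"):]
        if not user or user == "*":
            findings.append((user, "volume is not bound to one named user"))
        if not source.startswith(nfs_root.rstrip("/") + "/"):
            findings.append((user, "encrypted source is not on the NFS mount"))
        # Assumed policy: the cleartext view belongs inside that user's home.
        if not mountpoint.startswith(f"/home/{user}/"):
            findings.append((user, "mountpoint is outside the user's home"))
    return findings

def audit(fuse_conf: str, pam_mount_xml: str) -> list:
    """Combine the fuse.conf check with the per-volume checks."""
    findings = check_volumes(pam_mount_xml)
    if not fuse_allows_other(fuse_conf):
        findings.insert(0, ("", "user_allow_other is still commented out in fuse.conf"))
    return findings

if __name__ == "__main__":
    for user, problem in audit(SAMPLE_FUSE_CONF, SAMPLE_PAM_MOUNT):
        print(f"[{user or '-'}] {problem}")
```

On a real system, pass the contents of /etc/fuse.conf and /etc/security/pam_mount.conf.xml to `audit()` instead of the constructed samples.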
