Domain: arg0.net
Stories and comments across the archive that link to arg0.net.
Comments · 19
-
Re:Even more work for spies!
Note that encfs is perfect for this:
- encrypts using AES-256
- easy to use
- works on linux :-)
- and there's at least one app for Android that is compatible with the encryption protocol
- each file still is stored as a single file so:
-- no issues with losing all your data at once :-)
-- replication can still be file by file
- works through Fuse, doesn't need admin rights, kernel drivers and stuff :-) -
Amazon Glacier for cheap offsite.
Amazon Glacier has really changed my backup strategy since this time last year - I now push all my own, generated content (ie: pictures, documents, things I could never get back if I lost everything) up to Glacier using the free Windows client, Fast Glacier. In February I was charged $0.13 by Amazon for storing ~8Gb of data. I tend to push new content up as and when I create it (for example, after I process holiday snaps, or get back from a day out).
Day to day file changes are now handled by Windows 8's File History feature where my changes are pushed to a small NAS (Dlink DNS-320) in my shed (technically off site?) over a Homeplug AV ethernet link. For added security I use the legacy Windows Backup application (still present in Windows 8) to create ~ monthly snapshots of the system which I store on a 320Gb external HDD. This drive is one of two which go back and forth between my parents house each time I got and visit. These disks are encrypted using Microsoft Bitlocker drive encryption.
I should get around to properly encrypting my NAS in the shed, I've been looking at encfs.
-
There are several options here
The first, and most interesting, is Tahoe LAFS. It does come with a FUSE driver, so it can be mounted like a regular filesystem. It is cloud-based and redundant to a degree you choose yourself. All copies stored are encrypted, so the only person who can read them is you. I'm not sure though if fetching from more nodes than you strictly need to reconstruct your original file actually buys you anything with that system, but I think it does.
You could also use something like a mountable version of Google Drive and then layer fuse-encfs on top of it. That's not quite as secure as encrypting at the block layer. The overall shape of your directory hierarchy is available, even if the individual file names and their contents are obscured. That should probably be good enough for most purposes.
-
Re:TrueCrypt
A better solution for encrypting Dropbox content is using BoxCryptor (Win) + EncFS (Linux + Mac). Those are file-by-file-encryption tools which encrypt each file individually. No network overhead, simultaneous access is still possible and you can use features like file versioning or undeletion.
http://www.boxcryptor.com/ [boxcryptor.com]
http://www.arg0.net/encfs [arg0.net] -
Re:Use Truecrypt
A better solution for encrypting Dropbox content is using BoxCryptor (Win) + EncFS (Linux + Mac). Those are file-by-file-encryption tools which encrypt each file individually. No network overhead and you can still use features like file versioning or undeletion.
http://www.boxcryptor.com
http://www.arg0.net/encfs -
Re:TrueCrypt
Volume encryption?
Why is it needed? Unless you have a requirement that dictates this, there are more ways for volume encryption to fail.
I am surprised no one has mentioned encfs. You could run it in userspace over whatever precious checksumming system your heart desired.
Advantages of pass-thru system vs an encrypted block device
- Size: an empty EncFS filesystem consists of a couple dozen bytes and can grow to any size without needing to be reformatted. With a loopback encrypted filesystem, you allocate a filesystem ahead of time with the size you want. Depending on the filesystem, there may be ways of resizing it later, but that requires user intervention.
- Automated Backups: An EncFS filesystem can be backed-up on a file-by-file basis. A backup program can detect which files have changed, even though it wonâ(TM)t be able to decipher the files. This way backups can be made without needing to mount the encrypted filesystem.
- Layering / Separation of Trust: EncFS can be layered on top of other filesystems in order to add encryption to unencrypted filesystems. This also allows you to store data on filesystems you trust for storage but not for security. For example, EncFS could be used on top of a CD, or a remote NFS filesystem, Samba share, or perhaps even GMail storage using GMailFS.
Disadvantages
- Meta-data: Meta-data remains visible to anyone with access to your encrypted files. This means that Encfs does not encrypt or otherwise hide the following information:
- The number of files you have encrypted
- The permissions on the files (readable, writable, executable)
- The size of each file
- The approximate size of each filename (to within 16 bytes using AES, or 8 bytes using Blowfish)
-
encfs
The trick is encrypt everything you sync in Dropbox. This can be done transparently. I use encfs and I only sync the encrypted directory to dropbox. I use this solution in my linux, windows and OSX machines. http://www.arg0.net/encfs http://wiki.dropbox.com/TipsAndTricks/IncreasePrivacyAndSafety -- blue
-
Re:It is not impossible
Better to use some file level encryption like e. g. encfs.
-
Re:Whoa - Big Fucking Limitation
Maybe you should, you know, verify that fact before you vent your spleen. EncFS supports xattr, even on OS X. Apparently some people have trouble building the MacPorts version with xattr enabled.
-
Re:Sounds Good.
Better:
More likely that they'll be able to analyze it, but also more likely to be decently efficient. I suppose we'll have to see how it's actually implemented...
-
Re:Security
Let's hope it's implemented as FUSE, for portability...
If it's actually exposed as a local filesystem, then it should be trivial to encrypt the files using something like encfs.
-
encfs
encfs does the same thing, but also encrypts filenames. It isn't "Enterprise-class" though, so I guess if you are a PHB you probably shouldn't use it.
-
Re:UselessWipe the flash. Force a reload on the firmware etc etc etc etc. You can not secure a device when the theif has physical access to it. Anyone that has worked with ATM's knows this. I think an encrypted filesystem is what the parent was talking about. Such as this: http://arg0.net/encfs
-
EncFS
I use EncFS http://arg0.net/encfs on Linux every day and love it. Even root can't snoop a mounted directory (but could delete the encrypted source directory). How is TrueCrypt better?
-
Re:It's a tough job.
under Linux, assuming no malicious programs were running when the OS was under your control, just things like, you're going to be worried about things in
/tmp, /var, /home, etc, and your swap partition/file. So, really, the only sane thing to do is encrypt everything-- if you're that worried. But then you have a performance hit, it's less convenient, etc.Encrypting $HOME is easy and convenient with EncFS and pam_encfs. The main problems with pam_encfs are 1) a readable hash of your encryption key resides in
/etc/shadow and 2) each file is encrypted separately, so an attacker can obtain basic size/usage patterns. For more sensitive documents, you should use a separate container, whether a TrueCrypt file, an EncFS directory with a different passphrase, or something else.Encrypting
/tmp and using tmpfs for encrypted swap is easy. /var -- most of what queues in /var passes over the network, so unless you're using IPsec extensively or have a local print queue (OK, that's a lot of people), I wouldn't worry too much about /var.The performance hit on modern hardware is negligible, at least for normal "desktop" operations.
-
It is not a pain if you have FUSENo. You should read up on a nifty module (included in the mainline kernel) called FUSE. It lets a you mount various devices/files as private file systems.
The most incredibly useful application of this is sshfs, which basically lets you mount a remote machine as a filesystem without being root (as long as the FUSE kernel module is loaded). This has caused a huge productivity increase for me.
There is also an encrypted file system that runs under FUSE
http://arg0.net/users/vgough/encfs
So, you basically can have a big encrypted file lying around which you mount as a file system when you need it. The keys are encrypted in a separate control file, so there are no unencrypted keys lying around. You need both the pass phrase and the encrypted key file to mount the big file as an FS.
Encrypted filesystems require your boot partition have the encryption keys unencrypted so that they can be read, which sort of mitigates the whole point.
-
Technologies to use...First off, use Linux. If your OS isn't reasonably secure, all bets are off, and Windows is just too difficult to keep secure for a casual user. With a good linux distro you're much better off so long as you keep it updated.
Secondly use encrypted filesystems for data you want to keep private. I can recomend encfs for Linux http://arg0.net/wiki/encfs... it's easy to use and can be installed with yum in Fedora. It uses file-level encryption which makes possible incremental backups which retain the encryption.
If you want protection from being forced by a court to give up your key, take a look at http://www.truecrypt.org/ . This is a filesystem that lets you keep multiple levels of data encrypted with different keys, and if you give up one key noone can know that there's more data hidden with another key.
For web browsing use Tor, http://tor.eff.or/. Tor is still under development and may not be secure against a focused attack on you specifically, but at least your ISP won't be able to easily spy on you and your IPSs logs (which as we know are being mass-analyzed by the NSA) won't show anything about your activity. Also tor is /very/ easy to install and use, especially with Firefox and the FF tor extension. Also you can use it in combination with privoxy http://www.privoxy.org/ for some protection against malicious cookies and other tricks used by the sites you access.
Plus, here's a good trick for ensuring that your web browser cache, history, etc., can't be easily searched by someone who gets access to your computer... put them on an encrypted filesystem, as follows. Make a script that mounts an encrypted filesystem (asking for the passphrase), sets your HOME env var to the newly mounted fs, then starts Firefox (which now places its cache there because that's HOME), and unmounts the encrypted fs after Firefox exits. You should do this even if your entire home dir is also on an encrypted fs, because your normal home dir is likely to stay mounted for longer periods of time, so this way you separate the risk levels. And it's easy. An additional little-known trick for this: set the LOGNAME env var to something other than your username to let you run a second copy of Firefox on the same X display (so you can have an "insecure" and a "secure" one running at the same time).
Of course use GnuPG for secure email. The Thunderbird Enigmail extension makes it painless.
You should also give money to the EFF and run a Tor server if you can, to help maintain our ability to have some privacy.
Finally, if you are a hardcore libertarian and/or think we should have a truly free Internet, experiment with FreeNet http://freenetproject.org/ and consider donating to its development. This project ran into some dead ends with scalability but the developers have taken a fresh approach and the new 0.7 dev version looks like it might be the start of something that could get big. They have a full-time programmer working on it paid by donations (and he's so dedicated to the ideal that his salary is the bare minimum he needs to live), so consider donating. (Btw., I'm not a libertarian in the political sense, but I think we need a strong counter-balance to the marching forces of fascism, so I donate to the Freenet project.) :j -
Re:and what about the passwords?
Right; This is also what firefox does (when you turn it on) with the "Master Password" for remembering website login passwords.
That's a case that's potentially justified by large numbers of passwords (I have dozens). I also use gaim with about 20 accounts, so it would be a good idea there, too. Most users, however, will probably only have one or two, so trading two passphrases for one may seem like too much hassle for the added security (for some).
I compromise by using encfs to encrypt my ~/.gaim/ directory (among others), but that has its own limitations. Other users (including root) can't read the files, but any app running as my user can, while the fs is mounted. -
FUSE is way cool
Check out FuseFS, for example (see why it's cool). Or encfs (see O'Reilly article).
Linux is starting to go beyond emulating the Unixes of yore, to create a whole new world of computing.