Archives for the month of: October, 2008

I see a lot of folks asking the same question

How do I change the location of my home-folder?

The solution is as simple as it gets! Swap ‘username’ with your username:

/etc # cat passwd | grep username
username:x:1000:1000:My real name,,,:/home/username:/bin/bash

I believe you can simply edit this file as sudo, and change the part about :/home/username: to whatever pleases you 🙂


EncFS is a piece of FOSS that gives you a filesystem interface to an encrypted folder. It is thus transparent to the user. For more information, see previous post.

I came across a special option today while playing around with EncFS. When issuing the command $ encfs ~/crypted ~/interface while the directory ~/interface was not empty, I got a warning from FUSE – letting me know that it was not empty. However, it also gave me a solution to the problem! Simply add the option nonempty to the mount command, and everything is dandy.

$ encfs -o nonempty ~/crypted ~/interface

The files that were already present in the target ~/interface were no longer there – just the decrypted content from my ~/crypted filesystem. But, to my surprise, when I unmounted the encrypted filesystem, the original files that were in the mount point in the beginning appeared again!

$ fusermount -u ~/interface

The files were not lost! They simply got hidden!
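The flip side of this behaviour is that anything written to ~/interface while EncFS is not mounted lands unencrypted in the underlying folder. The check below is an added example, not part of the original post; the function names and the sample mount table are constructed, and it assumes EncFS mounts are listed with a fuse* filesystem type in a /proc/mounts-style table.

```shell
#!/bin/sh
# Added example; the mount table lines below are constructed sample data.
# Assumption: EncFS appears with a fuse* type in a /proc/mounts-style table.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
encfs /home/maya/interface fuse.encfs rw,nosuid,nodev,user_id=1001,group_id=1001 0 0
encfs /home/fred/my\040files fuse.encfs rw,nosuid,nodev,user_id=1000,group_id=1000 0 0'

# is_fuse_mount DIR [MOUNTS_FILE]: succeed only if DIR is an active FUSE mount.
is_fuse_mount() {
    dir=${1%/}
    table=${2:-/proc/mounts}
    while read -r _dev mnt fstype _rest; do
        mnt=$(printf '%b' "$mnt")   # decode \040 (space) and similar escapes
        case $fstype in
            fuse*) [ "$mnt" = "$dir" ] && return 0 ;;
        esac
    done < "$table"
    return 1
}

# guarded_write DIR NAME [MOUNTS_FILE]: store stdin as DIR/NAME, but refuse
# when DIR is not mounted, because the data would land unencrypted on disk.
guarded_write() {
    if ! is_fuse_mount "$1" "${3:-/proc/mounts}"; then
        echo "refusing: $1 is not mounted, write would be plaintext" >&2
        return 1
    fi
    cat > "${1%/}/$2"
}
```

Called as `echo "text" | guarded_write ~/interface notes.txt`, the write only happens while the encrypted view is mounted.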

I see a great application in this feature. Let’s say you have a system with encrypted home folders for each user of the system. When a user logs in, their encrypted home folder is mounted, and their files are made available to them. They do not even have to know it is encrypted – what do they care!?

Now, let’s say somebody needs to get some information about a fellow student/colleague, i.e. contact information and such. Why not leave a file in their unencrypted, open home folder for everyone to see? The folder is already there – doing nothing – so why not put it to use!

Use case

Let’s say Fred wants to get Maya’s e-mail address. He simply goes to her home-folder and retrieves her contact information

# fred@computer $ cd /home/maya/
# fred@computer $ ls
contact.maya

Ah well – maybe this has been done before… I just found out 🙂

For other FUSE options

$ encfs -H

In my journey of learning a “bit or byte” in the GNU/Linux world, my focus has recently been on security in the form of encryption of data – not malware, adware, viruses etc.

How do I maintain the highest level of security for my personal files if, God forbid, my laptop was stolen or an unwanted user got access to my computer? Most of the information I have found concerns the security of off-line data – how to encrypt your OS/harddrive, a filesystem (i.e. folder), or a single file. How to keep out intruders from the outside world is off-topic.

Level 0: Not an issue

The first question one needs to ask is: why would I need an extra level of security? If you are the only user of a desktop computer at home, security may not even be an issue. Why would it be, right? Just imagine all the people using no-security-measures Vista/XP laptops out there. They don’t bother – should you?

Level 1: Permission settings

When you share your personal computer, things may be different. If you and maybe your “significant other” have access, security in the form of OS/harddrive encryption may be overkill! If that other person has her own login, she would not have immediate access to your home-folder. Just make sure the permissions on your home-folder are set correctly.

$ cd /home
$ chmod 700 <myfolder>
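To check which home folders still allow access beyond the owner, the following added example (not part of the original post) walks a passwd-format file like the one in /etc/passwd and reports every home folder with group or other permission bits set. The function name is made up for illustration, and the cut-off of UID 1000 for regular users is an assumption based on Debian/Ubuntu defaults.

```shell
#!/bin/sh
# Added example. Reads passwd-format lines (name:x:uid:gid:gecos:home:shell)
# and reports home folders that are not restricted to their owner.
# Assumption: regular user accounts start at UID 1000 (Debian/Ubuntu default).

# audit_homes [PASSWD_FILE]
# Prints "user home permissions" for each finding; returns 1 if any were found.
audit_homes() {
    found=0
    while IFS=: read -r user _pw uid _gid _gecos home _shell; do
        # Skip system accounts, malformed lines and missing folders.
        [ "$uid" -ge 1000 ] 2>/dev/null || continue
        [ -d "$home" ] || continue
        # Characters 2-10 of "ls -ld" are the rwx bits for owner/group/other.
        perms=$(ls -ld "$home" | cut -c2-10)
        case $perms in
            ???------) ;;   # owner only, which is what chmod 700 gives
            *) echo "$user $home $perms"; found=1 ;;
        esac
    done < "${1:-/etc/passwd}"
    return "$found"
}
```

Running `audit_homes` without arguments inspects the real /etc/passwd; each reported folder can then be fixed with the chmod 700 command above.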

Level 2: Simple file encryption

If, for some reason, you share your computer and grant others root privileges, they have access to your files, and setting permissions is no longer enough! When sharing with your spouse, or if you are one of those “I don’t keep anything from my girlfriend/boyfriend” types – security is still something you are only concerned about when paying bills online. Though, when making a list of potential Christmas presents, file encryption could come in handy. You don’t want her to ruin the surprise!

Howto encrypt files: bcrypt – encrypt personal files.

This is also useful when you want to send sensitive information by email, or you use some kind of cloud file-sharing. Simply encrypt your file, and make sure the recipient has the password for decrypting the file.

Level 3: Folder encryption

If you share your computer with others, or you have files and folders you just wish to keep private, i.e. maybe you want to encrypt your home-folder to prevent anyone from seeing your files – then folder encryption or filesystem encryption would be the way to go.

Howto encrypt folders: encfs – encrypted folders/filesystems

When using folder encryption like encfs, the program maps the encrypted folder to a “human-readable” folder. Any change, deletion, or new file/folder you create in your “human-readable” folder is mapped back to the encrypted folder. Perhaps the main disadvantage here is that the encrypted folder is visible and has the same permissions as the decrypted, mapped folder. Thus people with access may still do harm.

Level 4: Virtual encrypted filesystem

There is also the option of creating a virtual encrypted filesystem. I would recommend TrueCrypt for this. The main advantage here, is that your entire filesystem (i.e. folder) is mounted as any other drive/device, but actually is located within one pre-allocated encrypted file. You may thus send, transport, copy, move, do whatever you want with this file. Wherever and whenever you mount it, your filesystem/folder magically appears at the mount point.

Several people have written excellent posts and howto’s about Truecrypt – a simple google reveals this. I personally started using it with Dropbox – see that post here.

Level 5: OS/Harddrive encryption

At the moment, I don’t see the need for this. However, I am going to try it out! My goal is to use a USB-stick, with a fully encrypted bootable OS, using Dropbox to store my personal files – encrypted of course. This will have to be a follow-up post as I suspect I will spend some time on this.

That’s it for personal security.

encfs – is a tool for encrypting a filesystem, i.e. a folder. It is very easy to use.

The debian package should be available in Debian and Ubuntu. Simply

$ sudo aptitude install encfs

encfs uses FUSE, which works perfectly for this kind of task. If you don’t have it installed, it should be installed with encfs. Remember to add yourself to the FUSE group.

$ sudo usermod -a -G fuse username

Now, there are mainly two commands you need to focus on: the one which creates and mounts the encrypted folder, and the one that unmounts it.

Create and mount

$ encfs /fullpath/.cryptic /fullpath/readable

You now answer a few questions, and voila – good to go! Next time you simply issue the same command to mount an existing encrypted folder.

Unmount

$ fusermount -u /fullpath/readable

How hard can that be, right!

Applications of encfs

You may use this in several ways. One and maybe the obvious, is to have your own personal folder with encrypted data – just for fun, or to avoid your girlfriend/boyfriend finding out about your deepest secrets! It sure is an easy way of keeping a diary.

You may also use this to make your home-folder encrypted. I have read somewhere that Ubuntu is planning to make encrypted-home as an option sometime. And I believe encfs is the candidate to use. There exists another package which uses the PAM for authorizing. This way, you may automount your folder when you login, making it ideal for home-folder encryption. Follow the links below for further information.

Links:
A howto is located at ubuntu’s help.

http://www.linux.com/feature/52820

Alternatives:
http://www.debianadmin.com/filesystem-encryption-tools-for-linux.html

Updated 12th May 2010

Ubuntu 10.04 ships with Ubuntu One pre-installed. It does not take much effort to sync your files to the cloud. It’s even easier to share your files on the cloud. You right click on a file that you have on your cloud (read: Ubuntu One folder), and publish it. Then you may send the link to this published file via email.

Security on the other hand is somewhat sparse. Yes, they do use SSL to sync the files from your computer to your storage place in the cloud. But your data is not encrypted on the server – anyone with access may read it. This is not so good!

This old post is now more valid than ever. Use encFS and sync your encrypted folder – keep the decrypted folder on your local machine. Trying to sync the actual encrypted folder did not work for me – Nautilus simply closed down. I believe this is an implementation issue with encFS as it uses fuse. The solution is to have one extra layer – sync the folder in which the encrypted folder resides.

I created a folder ~/cloud which I’d like to keep synced. The idea is as follows: you store the files you’d like on the cloud in this folder. But these files themselves are not encrypted, so this folder will not be synced. The parallel encrypted folder you should store in the existing Ubuntu One folder or in some other folder where you keep encrypted stuff.

Suggested setup:

$ mkdir ~/cloud
$ mkdir ~/"Ubuntu One"/clouded

Thus my mount command:

$ encfs ~/"Ubuntu One"/clouded ~/cloud

First time you execute this command, you must provide a password. Note the folders must exist. Now, I save all the files I am working on inside the non-encrypted ~/cloud folder. The encrypted folder ~/Ubuntu One/clouded is synced.

I wanted to make a keyfile for added security in TrueCrypt. You may use any filetype you’d like, but to create a new layer of security, I made a pass-phrase and encrypted this into a file using bcrypt. The same approach may be used to encrypt any file you want, to share with a friend or send by e-mail. Just as long as the decrypter knows the password, you are good to go.

Bcrypt uses the Blowfish algorithm, and is available in the official Debian repo.

Encrypt

$ echo "pass-phrase" > keyfile
$ bcrypt keyfile

You will be asked to provide a password, and the encrypted file is created.

Decrypt

$ bcrypt keyfile.bfe

Provide the password used for encryption, and the file is converted back to the original ‘keyfile’.

In my journey in the GNU/Linux world, I am always looking to adapt good ideas, and to embrace excellent GNU/FOSS software. If it for some reason is not open source, it needs to be really good, and fit my needs and expectations to the fullest – i.e. Opera, Dropbox, Picasa and Google Earth.

The last couple of days, I have found two excellent pieces of software, one being “free speech” and the other being “free beer” – TrueCrypt and DropBox.

TrueCrypt
It is one of those things you just gotta love! It is a piece of software that lets you create a virtual encrypted file system within a file. For a normal user, this is transparent. You create a file, specify which algorithm to use, set a looong password, and then you mount the file as a volume. In this way, you may store sensitive information encrypted on your computer. Given the use of a file container to hold this virtual filesystem, you may transport or copy the file and mount it on another computer just as easily as mounting an external harddrive.

Applications of TrueCrypt
I discovered TrueCrypt when browsing the Dropbox forum. There I came across a discussion about the security of the Dropbox account. Dropbox uses SSL to send and receive files between your computer and the Dropbox account. Dropbox then uses the Amazon S3 storage service to host your files. The files themselves, and your entire account, are encrypted with AES on the server.

However, the discussion was mainly about where the AES key was located – at Dropbox or at Amazon. Either way – somebody may have access to your uploaded files, so the need for encrypted files gave rise to the solution of using TrueCrypt locally and uploading this file.

Dropbox+TrueCrypt

First of all – Dropbox is in beta, and their license is “AS IS”. If they run out of funds, or for some reason terminate their service, your online files MAY be lost. So you should always keep a backup of sensitive information elsewhere. Because you keep your files locally on your computer, you always have a backup. The folder gets synchronized with your Dropbox account when you connect. If their service for some reason is down, you will not lose your files, because you have them stored locally on your computer.

So – to get started – my initial thought was to store a key-file – a password file on my Dropbox account – for easy access from the computers I use daily. I have a lot of accounts in the cloud, and I rarely – if ever – use the same password twice. And every one of them is generated.

Therefore – I wanted to store my encrypted password file in a virtual encrypted filesystem in my Dropbox account (which is also encrypted) for shared access from my computers.

I use Gnome Revelation password manager to store my online/offline password for various services. I store this file within my virtual encrypted filesystem-folder, which is then synched to my Dropbox account.

About security
The password file itself is encrypted – I need a password to open it. The filesystem in which the file is stored is encrypted – I need an even longer password. My Dropbox account is encrypted – so a third password is needed.

I am not that worried about security!

Outside the box
Okay – so now I have my password file available from my computers. Next step must be to have a common set of config-files on each of them. I am not going to say much about this – it is simple enough. Just think of what sym-links can do!

“In order to be successful, one must project an image of being successful.” – Buddy Kane in American Beauty

Choosing a new design is not easy! Anyway – I needed a change!

Dropbox is THE file-share-over-multiple-systems thingy you’ll ever need! What is dropbox? Take a look at the image below – it says it all! In simple words – you have a folder on your computer, which is synced with an online folder at all times. You simply link every computer you want to this folder – and you have a share-folder! Version control, trash-can, public folder etc is available. It rocks!

I came across these two posts which are worth a read:

Both of them use a NON-gnome environment, and both came up with the same solution. Just download the Linux tar, start the daemon, and you are up and running! The hype about Nautilus/Gnome is that they have made a Nautilus-plugin – which you really don’t need.

I have made a request of choosing which filemanager you want to open your Dropbox-folder in. Hopefully – it will be heard!

Share over multiple systems (from https://www.getdropbox.com/tour#3)

User control

On computers with several users, those who don’t want DropBox may be somewhat bothered by the recurring registration window for DropBox. This is simply fixed – and a rather elegant and “WTP” solution was found on the DropBox forum, posted by user infinito d:

# addgroup dropbox
# chown root:dropbox /usr/lib/nautilus/extensions-2.0/libnautilus-dropbox.*
# chmod 640 /usr/lib/nautilus/extensions-2.0/libnautilus-dropbox.*
# adduser <username> dropbox

<username> is the user who will have Dropbox enabled. Repeat these steps to allow more users to use Dropbox. Be aware that the paths are for Ubuntu; they may differ on other distros.

I personally use LXDE+Openbox on a Debian system. So I don’t have DropBox installed as a .deb-package. I rather have it located at /opt/.dropbox-dist. And the daemon starts by having a .desktop file located in ~/.config/autostart which has exec=/opt/.dropbox-dist/dropboxd, which would also be the location for the how-to above.

Updated – TrueCrypt and Dropbox

I have made a new post which talks about TrueCrypt and Dropbox – check it out!

I just installed Debian Lenny with LXDE on a Dell Inspiron 8600. Iceweasel is now default in LXDE, but there seems to be some kind of permission problem. I was not able to start Iceweasel as a normal user – It only ran as root!

The problem was that ~/.mozilla did not belong to the user, but rather to root! So I changed ownership, and everything worked just fine!

cd ~
sudo chown <myusername>:<mygroup> .mozilla

Came across this post. The gmail notifier did not work on my girlfriend’s exceptionally old computer….

This fixed it.