On Tue, 31 Jul 2012 13:26:30 +0530 SaNtosh kuLkarni <santosh.yesop...@gmail.com> wrote:
| Ok, but how is relative and absolute pathnames handled when opening or
| creating a new directory or file.

Without the Directory IV chaining option active (default is off) then relative directory moves have no problem... they need no filename decryption and forward link filenames decrypt directly from the cryptographic key (which is held in memory).

With Directory IV chaining, EncFS would either need to hold the current IV for each directory in the current path to do relative links, but converting a relative link to a fully qualified path is not a big issue so it could just follow the chain from the mount point.

Note this question is getting beyond my understanding on how EncFS works, and FUSE filesystems in general (which I have not personally programmed).

Note your original question of using a separate password for each file and directory would mean that following even a modest path would entail many passwords.

On the other hand a FS (filesystem) that only encrypts specific files and not directories would only need a key when a specific file (not directory) is accessed. However such a FS would need to have some method of asking users for the password on each file access. That is, some type of out-of-band user communication separate to the application that is making the file access. Say for example using popups in a GUI or on a dedicated text console window. This may actually be a useful addition for security.

Applications would not need to know the file they are opening is encrypted, as the FS does this outside the application, only as needed. That is, it would be useful with existing applications without change.

This may be especially useful on multi-user shared systems, or even cloud systems where an ALL or NOTHING decrypted mount like EncFS or a Block Directory FS may not be a good thing, security-wise. An example would be a shared data directory with different files owned by different people and applications. In such a situation a 'password decrypt as needed' may be very useful indeed! But only if the out-of-band communication can be made to work!

This should only be on specific files or data directories, and not all files. As an application may access large numbers of files, such as configuration files, data stores, libraries, dynamic libraries, images, resources, etc., etc., etc., none of which is normally 'confidential' and thus requiring encryption.

Watch out for applications that cache data in files, especially temporary files. VIM for example has swap and backup files. The 'safe file edit for vim' I previously provided turns on these VIM aspects to protect the encrypted data.

  Anthony Thyssen ( System Programmer )    <a.thys...@griffith.edu.au>
 --------------------------------------------------------------------------
  Programming errors are like mermaids, just because you haven't seen one,
  doesn't mean it isn't there.
 --------------------------------------------------------------------------
     Anthony's Castle     http://www.ict.griffith.edu.au/anthony/
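A toy model of the chaining problem discussed in this thread, added here as an illustration and not EncFS's actual filename cipher or IV derivation: the HMAC chain, the XOR name cipher and the key are constructed stand-ins. It shows why a chained directory IV ties a name's ciphertext to its full path, so a relative name is resolved to a fully qualified path and then encrypted by walking the chain from the mount point.

```python
"""Constructed model of directory IV chaining (not EncFS's real algorithm).

Each directory's filename IV is derived from its parent's IV, so the same
leaf name encrypts differently under different parents, and a name can only
be encrypted or decrypted by walking the chain down from the mount root."""
import hashlib
import hmac
import posixpath

MASTER_KEY = b"constructed-demo-key"   # stands in for the volume key held in memory
ROOT_IV = bytes(16)                    # IV used for entries directly under the mount point


def child_iv(parent_iv: bytes, plain_name: str) -> bytes:
    """IV for entries inside directory `plain_name`, chained from the parent's IV."""
    return hmac.new(MASTER_KEY, parent_iv + plain_name.encode(), hashlib.sha256).digest()[:16]


def encrypt_name(name: str, dir_iv: bytes) -> str:
    """Stand-in filename cipher: a keystream keyed by (key, directory IV), XORed over the name."""
    stream = hashlib.sha256(MASTER_KEY + dir_iv).digest()
    out = bytes(b ^ stream[i % len(stream)] for i, b in enumerate(name.encode()))
    return out.hex()


def encrypt_path(abs_path: str, chaining: bool = True) -> str:
    """Encrypt an absolute plaintext path component by component from the mount root.

    With chaining off (the EncFS default the message describes) every
    component uses the same root IV, so a leaf name encrypts the same anywhere."""
    iv = ROOT_IV
    parts = []
    for comp in abs_path.strip("/").split("/"):
        parts.append(encrypt_name(comp, iv))
        if chaining:
            iv = child_iv(iv, comp)   # next component's IV depends on this one
    return "/" + "/".join(parts)


def encrypt_relative(cwd: str, rel_path: str, chaining: bool = True) -> str:
    """A relative name (including '..' moves) cannot be encrypted on its own when
    chaining is on: normalise it to a fully qualified path, then walk the chain."""
    full = posixpath.normpath(posixpath.join(cwd, rel_path))
    return encrypt_path(full, chaining)


if __name__ == "__main__":
    print(encrypt_path("/a/notes.txt"))
    print(encrypt_path("/b/notes.txt"))                 # different leaf ciphertext
    print(encrypt_relative("/a/b", "../c/notes.txt"))   # same as /a/c/notes.txt
```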