On Tue, 31 Jul 2012 13:26:30 +0530
SaNtosh kuLkarni <santosh.yesop...@gmail.com> wrote:
| Ok, but how is relative and absolute pathnames handled when opening or
| creating a new directory or file.
| 
Without the Directory IV chaining option active (default is off)
then relative directory moves have no problem.

.. need no filename decryption
and forward link filenames decrypt directly from the cryptographic key
(which is held in memory).
With Directory IV chaining, EncFS would either need to hold the current
IV for each directory in the current path to do relative links, but
converting a relative link to a fully qualified path is not a big issue
so it could just follow the chain from the mount point.

Note this question is getting beyond my understanding on how EncFS works,
and FUSE filesystems in general (which I have not personally programmed).
Note your original question of using a separate password for each file
and directory would mean that following even a modest path would entail
many passwords.  On the other hand a FS (filesystem) that only encrypts
specific files and not directories would only need a key when a specific
file (not directory) accessed.

However such a FS would need to have some method of asking users for
the password on each file access.  That is, some type of out-of-band user
communication separate to the applications that are making file access.
Say for example using popups in a GUI or on a dedicated text console
window, may actually be a useful addition for security.

Applications would not need to know the file they are opening is
not encrypted, as the FS does this outside the application, only as
needed.  That is, it would be useful with existing applications
without change.

This may be especially useful on multi-user shared systems, or even
cloud systems where an ALL or NOTHING decrypted mount like EncFS or
a Block Directory FS, may not be a good thing, security-wise.

An example would be a shared data directory with different files owned
by different people and applications. In such a situation a 'password
decrypt as needed' may be very useful indeed!  But only if the out-of-band
communication can be made to work!

This should only be on specific files or data directories, and not all
files. As an application may access large numbers of files, such as
configuration files, data stores, libraries, dynamic libraries, images,
resources, etc., etc., etc., none of which is normally 'confidential'
and thus requiring encryption.

Watch out for applications that cache data in files, especially
temporary files. VIM, for example, has swap and backup files.  The
'safe file edit for vim' I previously provided turns on these VIM
aspects to protect the encrypted data.
  Anthony Thyssen ( System Programmer )    <a.thys...@griffith.edu.au>
 --------------------------------------------------------------------------
    Programming errors are like mermaids,
           just because you haven't seen one, doesn't mean it isn't there.
 --------------------------------------------------------------------------
   Anthony's Castle     http://www.ict.griffith.edu.au/anthony/
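As an added illustration of the point above about Directory IV chaining and relative paths (this is not code from the post or from EncFS): a simplified Python model in which each directory's IV is folded from the chain of ancestor names starting at the mount point, so a path containing ".." has to be turned into a mount-point-qualified path before its names can be encrypted, and the same filename under a different parent encrypts differently, whereas with chaining off it does not. The key, the HMAC-based name "cipher" and the example paths are constructed stand-ins, not the real EncFS algorithms.

```python
import hmac
import hashlib

# Constructed demo key (real EncFS derives the volume key from the password).
VOLUME_KEY = b"demo-volume-key-not-real"

def chained_iv(parent_dir: str, chaining: bool = True) -> bytes:
    """Simplified model of directory IV chaining: fold every ancestor name
    from the mount point ('/') down to parent_dir into an 8-byte IV.  With
    chaining off the IV is a constant, so a name encrypts the same anywhere."""
    iv = b"\x00" * 8
    if not chaining:
        return iv
    for comp in [c for c in parent_dir.split("/") if c]:
        iv = hmac.new(VOLUME_KEY, iv + comp.encode(), hashlib.sha256).digest()[:8]
    return iv

def encrypt_name(parent_dir: str, name: str, chaining: bool = True) -> str:
    """Stand-in for the per-name cipher: keyed HMAC over (chain IV, name)."""
    iv = chained_iv(parent_dir, chaining)
    return hmac.new(VOLUME_KEY, iv + name.encode(), hashlib.sha256).hexdigest()[:16]

def resolve(cwd: str, rel: str) -> str:
    """Turn a path given relative to cwd into one fully qualified from the
    mount point, collapsing '.' and '..'; refuse to climb above the mount."""
    parts = [] if rel.startswith("/") else [c for c in cwd.split("/") if c]
    for comp in rel.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise ValueError("path escapes the mount point")
            parts.pop()
        else:
            parts.append(comp)
    return "/" + "/".join(parts)

def encrypted_path(cwd: str, rel: str, chaining: bool = True) -> str:
    """Ciphertext path for a plaintext path: walk the chain from '/' and
    encrypt each component under the IV of its own parent directory."""
    parts = [c for c in resolve(cwd, rel).split("/") if c]
    out, parent = [], "/"
    for comp in parts:
        out.append(encrypt_name(parent, comp, chaining))
        parent = parent.rstrip("/") + "/" + comp
    return "/" + "/".join(out)

if __name__ == "__main__":
    print(encrypted_path("/docs/work", "../work/./plan.txt"))
```

The two ways of reaching plan.txt give the same ciphertext path only because both are first resolved against the mount point; with chaining on, moving /docs to /other would change every encrypted name below it.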

_______________________________________________
Encfs-users mailing list
Encfs-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/encfs-users
