LinuxQuestions.org
Old 01-05-2011, 06:18 PM   #1
cryptyk
LQ Newbie
 
Registered: Jan 2011
Posts: 2

Rep: Reputation: 0
Encrypt folder so it's accessible to cron


I have a script that crond runs each night. The script pulls some sensitive files from an SFTP server and stores them in a folder on the local machine.
I need to encrypt those files on the filesystem. Ideally, I could encrypt the folder they're stored in to require a password whenever the files are accessed. The problem is that then crond wouldn't be able to access the files. Using something like ecryptfs would allow the cron script to mount the encrypted storage by supplying the password, but now the keys to the kingdom are just sitting in a cron shell script.
Is there a good way to approach this? One thought I had was finding a tool that lets cron encrypt the files using a public key, then require a password to decrypt them (silently using the password to access the related private key).
I don't want too much complexity on the decryption side, because I will have relatively non-tech people needing to access those files occasionally.

Any thoughts?
Thanks,
Ryan
 
Old 01-06-2011, 12:50 PM   #2
lukav
Member
 
Registered: Sep 2008
Distribution: Slackware & Ubuntu
Posts: 39

Rep: Reputation: 15
How granular do you need the encryption to be? Should users be able to access all encrypted files or should they only be able to access specific files? If you do not need it to be very granular and you trust all users on your system, then you could mount an encrypted file system and have cron dump to that mount.

You do not have to have the password for the encrypted file system sitting in the cron script.

Last edited by lukav; 01-06-2011 at 12:53 PM.
 
Old 01-06-2011, 01:06 PM   #3
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,089

Rep: Reputation: 368
Perhaps defining a user account that has write-only privileges (treat the folder like a drop box to that user) to the encrypted volume (no read or execute) and put the password for that user in the cron script; that way, if the password from the cron script is compromised, they can only add bogus material to the directory and not read or modify existing information? Not sure of the specifics of how to do that, but I'm sure something like that can be done.
 
Old 01-06-2011, 04:57 PM   #4
cryptyk
LQ Newbie
 
Registered: Jan 2011
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks for the replies.

I can't trust everyone on the box; only users that know the decryption password. One of the things we're trying to protect against is a rogue root admin having access to sensitive information. I wish I could encrypt the data with one password (so cron could store that password in its script), then decrypt it with a different password...

Again, thanks for the ideas. I'll keep looking for something that works.
 
Old 01-23-2011, 03:50 PM   #5
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230
Please post back when you find it -- you might help someone else.
 
Old 01-25-2011, 11:52 AM   #6
petebow4
LQ Newbie
 
Registered: Sep 2005
Location: West Hartford, CT
Distribution: Ubuntu
Posts: 19

Rep: Reputation: 2
You could check out implementing a public/private key encryption scheme (RSA). Give the public key to the cron job, and restrict the private key to only users you trust.



Check out http://www.techrepublic.com/blog/ope...with-gnupg/168 for an example.

Last edited by petebow4; 01-25-2011 at 11:58 AM. Reason: adding link
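
The public-key approach suggested in the post above, sketched as an added example that is not part of the original thread: the cron host's keyring holds only a public key, so nothing stored in the script can decrypt what it writes. The keyring path, the recipient address and the function name `encrypt_dir` are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed names: the keyring path,
# RECIPIENT and encrypt_dir are illustrative.

# Keyring holding ONLY the readers' public key; no secret key and no
# passphrase ever exist on the cron host.
GNUPGHOME="${GNUPGHOME:-/etc/fetchjob/gnupg}"
RECIPIENT="${RECIPIENT:-reports@example.invalid}"
export GNUPGHOME

# encrypt_dir SRC DEST
# Encrypt each regular file in SRC to RECIPIENT as DEST/<name>.gpg and
# delete the plaintext only after gpg has succeeded for that file.
encrypt_dir() {
    src=$1; dest=$2; rc=0
    umask 077                       # new ciphertext files are owner-only
    mkdir -p "$dest" || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue     # skip subdirectories and an empty glob
        out="$dest/$(basename "$f").gpg"
        # --trust-model always: the imported key carries no ownertrust,
        # and --batch cannot stop to ask whether to use it.
        if gpg --batch --yes --quiet --trust-model always \
               --recipient "$RECIPIENT" --output "$out.tmp" --encrypt "$f"
        then
            # Rename into place so readers never see a partial file.
            mv "$out.tmp" "$out" && rm -f "$f" || rc=1
        else
            rm -f "$out.tmp"
            echo "encrypt failed, plaintext kept: $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Called from the nightly job after the SFTP download, for example:
#   fetch-and-encrypt.sh /run/fetchjob/incoming /srv/reports/encrypted
if [ "$#" -eq 2 ]; then
    encrypt_dir "$1" "$2"
fi
```

Readers decrypt with `gpg --decrypt file.gpg` on an account that holds the passphrase-protected private key. The plaintext still exists on the cron host between download and encryption, so root on that host can read it during that window unless the files are already encrypted before transfer.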
 
Old 01-25-2011, 02:59 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,120
Blog Entries: 54

Rep: Reputation: 2788
I sense conflicting requirements.
- Can you give a description of the type of information?
- How could possessing or exposing this information compromise business, public image, et cetera?
- What other scenarios are you protecting against?
- What would keeping file contents sensitive be worth?
- What would be a practical reason against encrypting it against a shared GPG key on the server before transferring it?
* Note I'm completely ignoring ease of use because if the information truly is sensitive then ease of use can not be a priority.
 
  


All times are GMT -5. The time now is 03:33 PM.
