Symlink two folders, one copy encrypted, the other not?
I wondered if anyone knows of a way to hijack the symlink mechanism such that it runs any changes through a cipher, resulting in one folder being unencrypted, the other encrypted.
Or, just a way to achieve the same.
I'd like to symlink my Zim notebook folder inside my Dropbox folder with:
Code:
$ ln -s ~/Notebooks ~/Dropbox/Notebooks
But I'd rather not give Dropbox a plain text copy of my notes.
I appreciate there are likely options that involve scheduling a job, I'm curious if anyone who reads this is aware of any means to achieve the ends I'm trying to here.
...I was searching with the keyword symlink, I realized I needed to generalize my query to being about normal folders. Since adjusting my keywords, it seems there are some options to explore. I've tried Cryptomator, but I get "Mount Failed", so will try BoxCryptor Classic (https://www.boxcryptor.com/en/download/)
Last edited by Thewyzewun; 11-22-2016 at 02:07 PM.
I get the impression that BoxCryptor may as well not be performing the encryption client-side; they keep a copy of the keys on a centralized server, from what I can tell (so, I'm just introducing an additional party into the mix, not very helpful!).
Anyone got any better ideas? I read about EncFS, but it's not secure in this scenario (as detailed on Wikipedia).
Last edited by Thewyzewun; 11-22-2016 at 02:24 PM.
I get the impression that BoxCryptor may as well not be performing the encryption client-side; they keep a copy of the keys on a centralized server, from what I can tell (so, I'm just introducing an additional party into the mix, not very helpful!).
They claim that the keys are encrypted by your password, so it should be safe if you choose a sufficiently large and random password.
Boxcryptor is a zero-knowledge service provider because any private and sensitive information that we receive from the users will always be in the encrypted form protected by the user’s password - which is never transferred to us or anyone. Only public keys are in plain text.
Quote:
Originally Posted by Thewyzewun
I wondered if anyone knows of a way to hijack the symlink mechanism such that it runs any changes through a cipher, resulting in one folder being unencrypted, the other encrypted.
Or, just a way to achieve the same.
Perhaps you can use an encrypted loopback device? Then you would put the image file of your encrypted file system into the dropbox folder.
I wondered if anyone knows of a way to hijack the symlink mechanism such that it runs any changes through a cipher, resulting in one folder being unencrypted, the other encrypted.
Either I am confused or you are. With a symlink (or a hard link, for that matter) there is only one copy of the file stored. It can't be both encrypted and unencrypted. A stacked filesystem like eCryptfs allows you to have an unencrypted view of data that is stored encrypted on the disk. How is that different from what you are asking for?
Let's stop to consider exactly what these two types of "links" actually are. First, the preliminaries:
In the Linux system, the physical representation of "a file" is called an inode ... for purely-historical reasons now lost in time.
A "directory" is actually a file(!) containing file-names and their corresponding inode numbers.
So... having said all that ...
A "hard link" occurs when there exist (somewhere ... anywhere ...) two-or-more actual directory entries which refer to the same inode number.
A "soft link" is simply a file(!) ... albeit a specially-designated kind of file ... which contains: "a file name."
So far as the file-system is concerned, a hard link is indistinguishable from any other directory entry (although, in fact, the file-system does 'know better' ...). "It contains an inode-number, and that's that."
Whereas a soft link simply leads to "a file name," which then must be separately resolved. (And which may either succeed or fail. You won't know until you try.)
Nowhere in all of this will you find "two separate pathways to the underlying file-system, 'one encrypted and the other not.'" One way or the other, every path leads (or, fails to lead ...) to: "one particular inode."
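The hard-link and soft-link behaviour described in the post above, as an added shell example that is not part of the original thread. The file names `note.txt`, `hard.txt` and `soft.txt` and the helper functions are constructed for illustration; everything runs in a throwaway temp directory.

```shell
#!/bin/sh
# Added illustration. note.txt, hard.txt and soft.txt are constructed names.

# Inode of the directory entry itself (a symlink is not followed).
inode_of() { ls -di -- "$1" | awk '{print $1}'; }
# Inode reached after following symlinks (empty if the link dangles).
target_inode_of() { ls -Ldi -- "$1" 2>/dev/null | awk '{print $1}'; }

# Build one file, one hard link and one soft link to it inside "$1".
make_links() {
    printf 'plain text note\n' > "$1/note.txt"
    ln    "$1/note.txt" "$1/hard.txt"   # second name for the same inode
    ln -s note.txt      "$1/soft.txt"   # tiny file holding the name "note.txt"
}

# Describe what a path leads to: "inode N", or "dangling" for a broken symlink.
leads_to() {
    if [ -e "$1" ]; then
        echo "inode $(target_inode_of "$1")"
    elif [ -L "$1" ]; then
        echo "dangling -> $(readlink "$1")"
    else
        echo "missing"
    fi
}

d=$(mktemp -d)
make_links "$d"
for p in note.txt hard.txt soft.txt; do
    echo "$p: own inode $(inode_of "$d/$p"), leads to: $(leads_to "$d/$p")"
done

# A write through any name changes the single stored copy.
echo 'second line' >> "$d/soft.txt"
cmp -s "$d/note.txt" "$d/hard.txt" && echo "note.txt and hard.txt: identical bytes"

# Remove the original name: the hard link keeps the inode alive,
# the soft link now names something that no longer resolves.
rm "$d/note.txt"
echo "after rm: hard.txt $(leads_to "$d/hard.txt"); soft.txt $(leads_to "$d/soft.txt")"
rm -rf "$d"
```

Every name resolves to the same inode or to nothing, so whatever a sync client reads through a link is the same plaintext bytes the editor wrote.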
Still, I would rather not trust a third party provider to be competent enough 24/7 to keep their word regarding "safety" - it's a massive thing to try and offer a customer, as endless companies have discovered in recent years when they've been hacked. It's not a trivial matter for any online entity to "keep their word" on this - there are many who see any centralized repository of private information as having a target painted on its back, and all year round these individuals probe for weaknesses, and if they've got targets in mind, perhaps just keep an ear out for new security problems, ready to spring into action as soon as they hear of something they can maybe use to get a foothold somewhere.
Quote:
Originally Posted by ntubski
Perhaps you can use an encrypted loopback device? Then you would put the image file of your encrypted file system into the dropbox folder.
I hadn't thought of that, thank you very much, that sounds like it just might work!
EDIT: I don't think it quite will - I'm very much looking for a transparent, set it and forget it option.
All I want to do is backup some files, and keep the key locally.
I think a sensible solution might be a scheduled task - I think it is that I am trying to set up something that "syncs on change" that is making this more difficult than it need be.
Last edited by Thewyzewun; 11-23-2016 at 04:41 AM.
If I understand the question right, it's possible to do what you want with ecryptfs.
Code:
mount.ecryptfs folder1 folder2
If you use the option plaintext passthrough, anything created/copied in folder1 will appear normal in both folder1 and folder2. Anything created/copied into folder2 will be encrypted.
Is the dropbox folder a FUSE filesystem? I believe it is also possible to stack FUSE filesystems.