LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Encrypting the ~/.cache folder (https://www.linuxquestions.org/questions/linux-newbie-8/encrypting-the-%7E-cache-folder-4175588477/)

hydrurga 09-01-2016 05:51 AM

Encrypting the ~/.cache folder
 
Hi there,

To avoid the possibility of this being an xy problem, my aim is to find a way of encrypting a text file, then being able to click on that file to open and edit it. The edited file will automatically be encrypted back to the original file when it is closed, and no trace of the decrypted temporary file will remain.

I thought that I might be able to achieve this by taking advantage of the functionality of an archive manager, Engrampa in my case, to open a file and automatically save it back to the archive when finished. I would combine this with using an encrypted archive.

The problem here is that Engrampa temporarily saves the decrypted file in ~/.cache, which it then deletes when the file is closed. However I am not sure whether Engrampa shreds or merely deletes the file (but suspect the latter), so I thought I should better effect security by encrypting ~/.cache.

So, my first question is: What is the best way of encrypting ~/.cache?

This leads on to my second question: Will encrypting ~/.cache affect system startup? (as the desktop etc. are in the process of launching, they may well need to open files and folders in ~/.cache)

So, third question: Is the best way of going about this to encrypt my entire /home partition?

agillator 09-01-2016 06:40 AM

Look into veracrypt which encrypts/decrypts files/directories/partitions on the fly. That might well be the place to start and then add in a few specifics like making sure memory is cleared, etc. when you are done if that is necessary. I use veracrypt and it may take time to open a volume but once it is open your can't tell it is working.

It may not fit your exact needs, but it is worth a look.

hydrurga 09-01-2016 07:53 AM

Quote:

Originally Posted by agillator (Post 5599199)
Look into veracrypt which encrypts/decrypts files/directories/partitions on the fly. That might well be the place to start and then add in a few specifics like making sure memory is cleared, etc. when you are done if that is necessary. I use veracrypt and it may take time to open a volume but once it is open your can't tell it is working.

It may not fit your exact needs, but it is worth a look.

Thanks (and see you later ;)), agillator. I actually use Veracrypt to encrypt partitions and file containers, and it's great for that purpose. I'm not sure that it lends itself for my single file on-the-fly decryption/re-encryption however, as the program and operating system that open the file may temporarily store the unencrypted file or metadata thereof.

I have to admit that I find it hard to get my head round this. All I do know is that in my Windows days I used the program AxCrypt to do exactly what I am wanting to do, and would like to find some encryption solution in Linux that does similar.

Habitual 09-01-2016 08:18 AM

http://www.linuxandubuntu.com/home/t...older-in-linux

agillator 09-01-2016 08:20 AM

As I understand it, and I may well be wrong in this, but the decrypted file is never stored anywhere. That's the 'on the fly' bit. There is no decrypted file. The only thing that may be decrypted is the piece you are actually working on that may be in memory. The drivers insert themselves between the system and the disk to encrypt/decrypt and the system never knows the difference as I understand it. Again, I could be wrong as I haven't looked into it to that detail. You might check on that, though, because if I am right it sounds like that would come very close to what you want.

IsaacKuo 09-01-2016 09:13 AM

Quote:

Originally Posted by hydrurga (Post 5599187)
Hi there,

To avoid the possibility of this being an xy problem, my aim is to find a way of encrypting a text file, then being able to click on that file to open and edit it. The edited file will automatically be encrypted back to the original file when it is closed, and no trace of the decrypted temporary file will remain.

I thought that I might be able to achieve this by taking advantage of the functionality of an archive manager, Engrampa in my case, to open a file and automatically save it back to the archive when finished. I would combine this with using an encrypted archive.

The problem here is that Engrampa temporarily saves the decrypted file in ~/.cache, which it then deletes when the file is closed. However I am not sure whether Engrampa shreds or merely deletes the file (but suspect the latter), so I thought I should better effect security by encrypting ~/.cache.

So, my first question is: What is the best way of encrypting ~/.cache?

This leads on to my second question: Will encrypting ~/.cache affect system startup? (as the desktop etc. are in the process of launching, they may well need to open files and folders in ~/.cache)

So, third question: Is the best way of going about this to encrypt my entire /home partition?

It sounds like what you really want is to make sure ~/.cache never actually gets to the disc in the first place. For that, I'd create an entry in /etc/fstab to mount /home/USERID/.cache to a ramdisk (tmpfs). That way nothing in ~/.cache is ever written to any hard drive. Nothing written, nothing needed to be erased, right?

Here is how such an entry would look in /etc/fstab:

Code:

none /home/isaackuo/.cache tmpfs defaults 0 0
Just add that line into /etc/fstab, replacing "isaackuo" with your userid. If you want to be really clean about it, erase the current contents of .cache before mounting it:

Code:

rm -fvr ~/.cache/*
mount .cache

Before doing this, quit any programs that may be actively using the .cache folder, of course. The easiest way to ensure this is to log out as the regular user and just log in as root on a console (ctrl-f1...f7 to switch between text console and graphical login).

Since this is in "Linux - Newbie", you may not already know what tmpfs is. Basically, it's a ram disk that can dynamically expand or shrink as necessary. By default, it is limited to consume no more than half of your system's RAM - you can optionally change the limit. There is no persistent media backing it up. Every time it is mounted, it starts off empty. Every time it is unmounted, everything in it just goes poof. Even if you don't turn the computer off (which wipes out anything in RAM), when you umount and mount a tmpfs partition it comes back empty.

By placing .cache in a tmpfs folder, you do wipe out the cache every reboot. If you want to get really fancy, you can make some bash scripts copy off stuff you desire to keep across reboots - such as ~/.cache/chromium or ~/.cache/mozilla. Or you could just manually run such commands. For example:

Code:

cp -vax ~/.cache/chromium ~/
...
cp -vax ~/chromium ~/.cache/

The first command copies chromium's cache to your home directory.
The second command copies chromium's cache from your home directory to .cache.

Other than that, you'll find that putting .cache in a tmpfs ramdisk may actually boost performance. It's faster than an SSD.

agillator 09-01-2016 09:38 AM

One caution/addition to IsaacKuo's comment, if you go that way. I believe that when you release the tempfs it doesn't just 'go away'. All references and pointers to it are invalidated. The data in memory remains until it is overwritten in the normal course of operations. The blocks against overwriting are simply removed. This is the same as 'erasing' a file on disk. The only thing that is immediately affected are the pointers to the file (inodes) until in the normal course of events those areas happen to be overwritten. I believe one of the things you are trying to prevent is having a complete file unencrypted anywhere at any time (including in memory). As an interesting question: when a computer today is shut off does the data in memory actually go away or does the system simply assume it is blank and useless garbage the next time it boots?

This may be getting too deep and going further than you intend or are concerned with, but from your initial questions I can't be sure. Who are you concerned about, the other people in your office? People at home? The NSA?

hydrurga 09-01-2016 09:42 AM

Thanks for that detailed explanation, Isaac. A quick look at my .cache folder shows folders (presumably persistent across logouts/logins as indicated by their modification dates) created by clementine, dconf, fontconfig, google-chrome, gstreamer, mate, mozilla, and webkit.

Some are obviously more important than others, but do you reckon that these applications would be able to cope with .cache being emptied at each login?

hydrurga 09-01-2016 09:59 AM

Ok, going back to this possibly being a X-Y problem, if I ensure that the underlying file format is one that can be read by LibreOffice, could I just encrypt all such files with LibreOffice and do it like that? I'm assuming that LibreOffice doesn't reveal any details of its decrypted file to disk or memory while editing it and before re-encrypting it on save.

@agillator - thanks for the caution. Interesting. Yes, you're right - the aim is to have the chosen files encrypted at all stages except visually while editing. No particular bogeymen in mind.

UseTheSourceLuke 09-01-2016 03:32 PM

deleted


All times are GMT -5. The time now is 08:53 AM.