I am a newbie to the encryption world. I understand that one can mess things up if you get it wrong. That being said, I would like some guidance on what encryption software to use, and how to set it up for encrypting my data on a SAMBA share. Initially I want to be able to access the encrypted data from both windows and linux platforms on my local network, then eventually access the data over a VPN connection to this local network. Thanks!
I would recommend you do a search online to learn how to encrypt a file, a partition, or a whole drive. You need to understand how to handle keys, private and public.
You need to understand who is going to access the encrypted files. Are they Linux users, Windows users, or Mac users?
Samba shares are for multiple users, and Samba has ways to limit who can access those shares. Ask yourself: do I really need encryption on those files? If the material is that critical, I would not put them up on any share.
The security provided by SAMBA is provided by the Windows host which actually owns the files and brokers access to them.
If, as @camorri says, you actually need to put sensitive information "on a share," then I recommend that you first encrypt them using a trusted tool such as PGP® or GPG – taking care to use these tools properly – before you place them there. If you use digital certificate technology appropriately and wisely, the files can be effortlessly-readable to you, but indecipherable to everybody else. All of these trustworthy tools are "cross-platform" and they work everywhere.
You should always use VPN – again, "set up properly" – to obtain any remote access to an internal network. Once the "tunnel" is established, the internal network simply becomes "local" to you. The connection, although transparent to its users as though it wasn't there at all, is verifiably secure. "OpenVPN with 'tls-auth', using individual digital certificates," is my personal favorite.
Last edited by sundialsvcs; 03-20-2023 at 08:27 AM.
I appreciate the pointers. The share that I set up is on a NAS device. My concern about securing files is that I have several computers on my local network, on which my wife and I do financial record keeping and tax returns. So far, the financial and tax records have been stored on the local hard drives in the various computers. They are not encrypted at this point. Now we also use these computers to access the internet for getting e-mail, shopping, streaming, and interacting with social media. I want to be able to move our financial and tax data files to the share on our NAS device, and encrypt it. That way, if someone does gain access to our local network, they won't be able to access our sensitive financial data.
I recommend that you simply use GPG to encrypt the files. There are, today, several very-easy ways to do that, including some that "are a right-mouse click away in a GUI." This, even if used "just with a reasonable 'password,'" will achieve the essential goal that the files, if intercepted, would be useless to anyone but you. Simply encrypt the files on your local machine and move the encrypted versions to the share. Problem solved.
As far as "gaining access to your local network" is concerned, I repeat my advice about OpenVPN with digital certificates and tls-auth. As I discussed in this article on my own website, you can use this technology to "provide a moat" around your local network which features "a secret(!) drawbridge." Then, put secondary defenses like "ssh" at the portcullis: accessible only if you have first found the drawbridge then successfully crossed it.
If one is in possession of two digital certificates – one to pass "tls-auth" in order to find(!) the bridge, then a non-revoked unique-to-you certificate to cross it, then "the pathway forward is as easy as pie." Click on an icon at the top of your GUI toolbar and just wait a few seconds.
"Otherwise, you're screwed." You can't even get started with your attack. In fact, you can't even find your attack point. Hence the title of my piece: "Number of unauthorized access attempts: Zero."
Last edited by sundialsvcs; 03-20-2023 at 07:12 PM.
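The "encrypt locally, then move the encrypted versions to the share" workflow recommended above, as an added example that is not part of any post in this thread. It assumes GnuPG 2.1 or later and a share already mounted at a local path; the function names, directory names and passphrase file are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.1+ and a share already
# mounted at a local path; function, directory and file names are hypothetical.
set -eu

# The passphrase is read from file descriptor 3, never from the command line,
# so it does not show up in the process list.
encrypt_file() {        # encrypt_file <plaintext> <ciphertext>
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3 \
        --symmetric --cipher-algo AES256 --output "$2" "$1"
}

decrypt_to_stdout() {   # decrypt_to_stdout <ciphertext>
    gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
        --decrypt "$1"
}

# publish_encrypted <local_dir> <share_dir> <passphrase_file>
# Encrypts every regular file in local_dir, checks that each ciphertext
# decrypts back to the original, and only then copies the .gpg file over.
# Plaintext never touches the share.
publish_encrypted() {
    src=$1; share=$2; pass=$3
    tmp=$(mktemp -d)                      # local scratch directory, mode 0700
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        out="$tmp/$(basename "$f").gpg"
        encrypt_file "$f" "$out" 3<"$pass"
        if ! decrypt_to_stdout "$out" 3<"$pass" >"$tmp/check" 2>/dev/null ||
           ! cmp -s "$tmp/check" "$f"; then
            echo "round-trip check failed for $f" >&2
            rm -rf "$tmp"
            return 1
        fi
        cp "$out" "$share/"
    done
    rm -rf "$tmp"
}

# Typical call (paths are placeholders):
#   publish_encrypted "$HOME/finance" /mnt/nas/finance "$HOME/.finance-pass"
```

Keep the passphrase file on the local machine with mode 0600, never on the share itself. The resulting `.gpg` files can be decrypted with GnuPG on Linux or Windows using the same passphrase.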