Quote:
Originally Posted by rajeev.dhiman
Hello Everyone,
I have a situation where I need to protect the files on Linux/CentOS in such a way that if the files are moved/copied onto another machine they would not be usable.
"The files". All of the files, or a specific file? For ALL of the files, I suppose you could use Windows file formats, since they are mostly unusable to one degree or another.
If a specific data file, that's the classic encryption problem, with classic solutions. You want the intended recipient to be able to decipher the file, but have the file be "junk" to anyone else. Note that's what DRM was all about and that was a $300 million failure, so it's easy to get it wrong. If one person / program can use it but others can't, that means the intended user program needs a decryption key that others can't get. That probably means a human typing in a passphrase when the software starts up. You can instead store the decryption key / passphrase somewhere, but where are you going to put it that the bad guy can't read it? You'll probably need to store it in a brain and have a human type it in if you really want to keep it secure.
Once you accept that fact, the question reduces to "how do I encrypt and decrypt data?" That's a question with many good answers depending on the specifics - how much data, how secure does it need to be, etc. There are many books and web pages comparing different encryption and decryption algorithms for different purposes. The one thing I'll say about that is don't invent your own. Linus Torvalds uses standard encryption rather than trying to come up with his own. Unless you're much smarter than him, follow his lead and do the same.
Note that an attacker with root access to the system could in theory read the contents of RAM, so the software may want to decrypt it only as needed rather than decrypting it all on startup and generally try to have as little decrypted as possible for the shortest possible time. Further discussion on that topic is probably best left for another thread.
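To make the reply's advice concrete, here is an added example in Go that is not part of the thread and not anyone's production code. It does what the reply describes: a human types a passphrase at startup, a standard slow KDF stretches it into a key, a standard AEAD (AES-256-GCM) does the actual encryption, and the file is laid out as separately sealed records so the program can decrypt only the record it needs instead of the whole file. Everything in it is an assumption for illustration: the file layout (16-byte salt, then length-prefixed AES-GCM records), the iteration count, and the function names. The PBKDF2 routine is written out only so the block has no dependency outside the Go standard library; it follows RFC 8018 rather than inventing anything, but in real code you would call golang.org/x/crypto/pbkdf2 (or scrypt/Argon2) instead of carrying your own copy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical file layout: salt(16) | records, each = len(4, big-endian) | AES-256-GCM ciphertext+tag.
const saltLen, pbkdfIter = 16, 100_000 // raise the iteration count for production use

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 per RFC 8018, written out only to avoid non-stdlib imports;
// real code should call golang.org/x/crypto/pbkdf2 (or crypto/pbkdf2 on Go 1.24+) instead.
func pbkdf2SHA256(password, salt []byte, iter, outLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < outLen; block++ {
		prf.Reset()
		prf.Write(binary.BigEndian.AppendUint32(append([]byte(nil), salt...), block))
		u := prf.Sum(nil)              // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			subtle.XORBytes(t, t, u)
		}
		out = append(out, t...)
	}
	return out[:outLen]
}

// nonceFor derives the GCM nonce from the record index; safe only because each file has a fresh salt, hence its own key.
func nonceFor(i int) []byte { return binary.BigEndian.AppendUint32(make([]byte, 8), uint32(i)) }

// OpenKey reads the salt and stretches the passphrase into the file's key once; nothing is decrypted yet.
func OpenKey(passphrase string, blob []byte) (cipher.AEAD, []byte, error) {
	if len(blob) < saltLen {
		return nil, nil, errors.New("file too short to hold a salt")
	}
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), blob[:saltLen], pbkdfIter, 32))
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	return aead, blob[saltLen:], err
}

// EncryptRecords seals each record separately so a reader can later open one without the others.
func EncryptRecords(passphrase string, records [][]byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, _, err := OpenKey(passphrase, salt) // a bare salt is a valid file with no records
	if err != nil {
		return nil, err
	}
	out := salt
	for i, rec := range records {
		ct := aead.Seal(nil, nonceFor(i), rec, nil)
		out = append(binary.BigEndian.AppendUint32(out, uint32(len(ct))), ct...)
	}
	return out, nil
}

// Record decrypts only record i; the GCM tag rejects a wrong passphrase, tampering, and reordered records.
func Record(aead cipher.AEAD, records []byte, i int) ([]byte, error) {
	for n, rest := 0, records; ; n++ {
		if len(rest) < 4 || len(rest) < 4+int(binary.BigEndian.Uint32(rest)) {
			return nil, errors.New("record index out of range or truncated file")
		}
		end := 4 + int(binary.BigEndian.Uint32(rest))
		if n == i {
			pt, err := aead.Open(nil, nonceFor(i), rest[4:end], nil)
			if err != nil {
				return nil, errors.New("authentication failed: wrong passphrase or tampered file")
			}
			return pt, nil
		}
		rest = rest[end:]
	}
}

func main() {
	blob, _ := EncryptRecords("correct horse battery staple", [][]byte{[]byte("customer list"), []byte("api token")})
	aead, recs, _ := OpenKey("correct horse battery staple", blob) // in practice typed in at startup, never stored
	pt, err := Record(aead, recs, 1) // only record 1 is ever decrypted
	fmt.Printf("record 1: %q err=%v\n", pt, err)
	aead, recs, _ = OpenKey("guess", blob) // the same bytes on a machine without the passphrase
	_, err = Record(aead, recs, 1)
	fmt.Println("wrong passphrase:", err)
}
```

Run it with `go run`. The sample records and passphrase are constructed for the demo. Two properties matter for the question asked: copying the file elsewhere gives the copier a random-looking blob whose every record fails the GCM tag check without the passphrase, and because each record is sealed on its own, the program can keep a single record in plaintext for a short time and discard it, which is the "decrypt only as needed" point from the reply. What this cannot do is hide the derived key from someone who already has root and can read the process's memory after the passphrase has been entered; that limit is inherent, not a property of this layout.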