this post was submitted on 22 Jun 2024
37 points (93.0% liked)
Linux
Just make the file root owned and readable by no one. An unreadable file can't be copied. You can use `chattr` to add some flags like immutability if you desire (shouldn't really need to). Use a command like `find /some/path -type f -exec chattr whatever {} \;` if you need to do this recursively. Root account should need a password, and should (hopefully) not be accessible with an unprivileged user's password through `sudo`/`doas`, but on its own account with its own password using `su` or `login`.

Note that without encrypting the file, this does not protect you from someone just grabbing your storage device and mounting it with root permissions and then they can do whatever they want with your data. It also doesn't protect you if someone gets root access to your device through other remote means. If you want to encrypt the file, use something like `openssl some-cipher -k 'your password' -in file -out file.cipher_ext`. If you want to encrypt multiple files, put them in a `tar`ball and encrypt the tarball. You can again also use `find` with `openssl` to encrypt/decrypt recursively if you don't want to use a tarball, which may be better with ciphers like blowfish that aren't secure at large file sizes; but if you do that, you expose your encrypted file system structure to attackers.

I am not a fan of full disk encryption, because it usually means leaving all your data decrypted during runtime with how most people use it. If you only decrypt a block device when you need to, there's nothing wrong with that, and can work as an alternative to encrypting a tarball.
Definitely one of the better answers I've received so far. Thank you for that. However, I feel as if the following part reveals that it's not as 'protected' as I'd like:
Though, at this point, I've somewhat accepted that I'm seeking a software solution for a hardware problem. Hence, the impossibility of my query... I hope I'm wrong and perhaps you can point me towards the solution I'm seeking. However, if that's not the case, then I would like you to know that I appreciate your comment. Thank you.