1

I'm attempting to roll out eCryptFS support for users on our RHEL infrastructure. One large snag has come up.

Given a user with no root access and (preferably) without the use of sudo, how would one go about allowing that user to mount an arbitrary ecryptfs directory under their home folder?

The reason for not making an fstab entry is that, with thousands of users, individual mount points defined in fstab would turn it into a huge unmaintainable mess. Also, we would prefer arbitrary directories.

We definitely don't want to enable a profile-wide encryption scheme, and do not want these directories to be automatically mounted upon login.

Currently, the solution involves providing sudo access to a specific script to perform the locational logic and get the credentials for mounting. This is not a particularly good solution. Setting the SUID bit on a script is completely out of the question.

Hyppy
  • 15,608
  • 1
  • 38
  • 59
  • eCryptfs was added to RHEL 6 as a Technology Preview; it was deprecated and removed in RHEL 7. At the moment they give no alternatives aside from LUKS. – Michael Hampton Apr 17 '15 at 20:24
  • @MichaelHampton True story, but we may be able to negotiate support through our TAM should we manage a workable solution. LUKS just won't cut it, as full-disk encryption doesn't help much for an always-on system with physical security. – Hyppy Apr 17 '15 at 20:27
  • LUKS generally meets data at rest requirements, and you can also do key escrow with it (which eCryptfs cannot). Something like eCryptfs is more useful for removable media, and even there you can still use LUKS. I'd be interested in hearing more about the specific use case that led to choosing eCryptfs. – Michael Hampton Apr 17 '15 at 20:31
  • @michaelhampton This is getting severely off the topic of the question, but I'll humor you. Scenario A: I have file `$foo`. I want file `$foo` encrypted. Scenario B: I have working directory `$bar` in `/home/$user/`. I want everything written to `$bar` to be encrypted, but only while the user is actively using it. Scenario C: I have $host connected to the network 24/7. If a bad actor exploits some unforeseen vector to access files on $host, I don't want them in plaintext. – Hyppy Apr 17 '15 at 20:39

0 Answers0