Re: Userland encrypted filesystem that root cannot access.

From: Jesse Pollard (pollard@tomcat.admin.navo.hpc.mil)
Date: Fri Feb 18 2000 - 09:05:14 EST

Next message: Jeff Garzik: "Re: IP autoconfig doesn't work in 2.3.46"
Previous message: Alexander Viro: "Re: Userland encrypted filesystem that root cannot access."
Maybe in reply to: Mike A. Harris: "Userland encrypted filesystem that root cannot access."
Next in thread: Pavel Machek: "Re: Userland encrypted filesystem that root cannot access."
Reply: Pavel Machek: "Re: Userland encrypted filesystem that root cannot access."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"Mike A. Harris" <mharris@meteng.on.ca>:
>Are there any patches for the kernel, or userland solutions which
>allow a user to mount an encrypted filesystem (perhaps through
>loopback) which while mounted, root cannot read? Or is this
>concept beyond Linux currently?

yes, sort of and no. The RSBAC project appears to have the security, but
not the loopback encrypted mount. This could be done via the NFS type
of mount with the daemon providing the file system support. The major
difficulty is having the user supply the key to the daemon. The user
must be logged in first. There were some CFS patches in the past but
the next part eliminates them. If I remember right, the access key was
stored in the kernel to allow for decrypting the I/O. Then anyone with
access to kmem could get the key...

Root would not be able to see the file system, but would be able to
capture the key, and then see the filesystem.

Right now, you would have to be root to mount the file system, although
I'll admit that modifications to the mount sys call could allow something
like a key to be passed. But since all filesystem I/O goes through the
kernel anyway, root would be able capture the key (and decrypted I/O buffers).

>I'm thinking of the case where the superuser can admin the
>machine but due to confidentiality, the data must not be readable
>by root under any circumstance. Possible?

Most of the RSBAC project would remove the normal root privileges, but
what is substituted is a security manager. The security manager may
elevate the normal privleges to become the equivalent of root.

The usual rule for information is that the system (and support staff) must
have security clearance to see any data stored on the system. General users
may not have need-to-know, and hence not have access (encrypted or not).
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jeff Garzik: "Re: IP autoconfig doesn't work in 2.3.46"
Previous message: Alexander Viro: "Re: Userland encrypted filesystem that root cannot access."
Maybe in reply to: Mike A. Harris: "Userland encrypted filesystem that root cannot access."
Next in thread: Pavel Machek: "Re: Userland encrypted filesystem that root cannot access."
Reply: Pavel Machek: "Re: Userland encrypted filesystem that root cannot access."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Wed Feb 23 2000 - 21:00:21 EST