Comments (5)
ebiggers
commented on September 1, 2024
1
As mentioned on other issues, you can use chmod 0700 to forbid other users from accessing directories.
from fscrypt.
Redsandro
commented on September 1, 2024
Unfortunately this appears to be a side-effect from the current implementation.
This is a known issue with filesystem encryption in the kernel: the caches that allow encrypted files to be accessed are systemwide
So your data is safe from extraction after physical hardware theft. However, parties that manage to get some kind of access to your machine can still spy on your files. As soon as you access them, they can see them too.
from fscrypt.
Redsandro
commented on September 1, 2024
Just as a reminder for people who come here from google: Make sure to do a umask 077 that sticks.
Otherwise every new dir/file created with your user will default to 755/644.
Be aware of the maze that is .profile, .bash_profile, .bashrc and which one is read when. It might be best to set system-wide defaults in in /etc/profile/etc/login.defs.
from fscrypt.
ebiggers
commented on September 1, 2024
2b6667a changed fscrypt encrypt to set mode 0700 on new encrypted directories.
So I think this issue should be closed.
from fscrypt.
josephlr
commented on September 1, 2024
Closing as resolved by #134
from fscrypt.
Related Issues (20)
- How to resolve "Some processes can't access unlocked encrypted files"? HOT 2
- Should we make the fscrypt metadata harder to delete? HOT 2
- multiple login nodes (multiple lustre client), how should I correctly apply the fscrypt tool to encrypt files under shared storage? HOT 1
- Unlocking of encrypted directory inside of disk partition image does not work while fscrypt confirms "ready for use" HOT 4
- Generate `fscrypt.conf` with Adiantum as the encryption mode HOT 2
- How to unlock encrypted regular files located in an unencrypted directory? HOT 8
- Obscure error message due to process address space limit HOT 5
- A question: how does diectory know what policy protects it? HOT 12
- Is it good Idea to copy and reuse policy on other device? Is it good idea to copy and reuse a protector? HOT 2
- fscrypt on CephFS does not recognize locked directories upon remount HOT 8
- fscrypt on CephFS: no buffer space available HOT 1
- Can't lock folders encrypted with fscrypt HOT 10
- Inability to change fscrypt's default directory HOT 1
- pam_fscrypt probably locks too much memory HOT 9
- Feature Request: Command to fetch protector ID and policy ID for a given directory
- How to recover after forgotten login password? HOT 2
- Concurrency issue when new mounts are added HOT 5
- looking for commit 7c80c73c084ce9ea49a03b814dac7a82fd7b4c23 HOT 2
- Unlocked files not accessible by root HOT 3
- LXC container Ubuntu: Required key not available HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fscrypt.