Password protected directory

Jaret
Offline
Joined: 12/19/2018

Hello!
Let's say I want ~/.prn to be password protected, how can I do that?
There are different sudoers on my home computer, so chown root:root won't prevent them from seeing contents of that directory. Any advice?

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

If you have a GPG key (not on the local disk, otherwise other sudoers have your private key) and if ~/.prn is a file (not a directory):
$ gpg -er lcerf[at]dcc.ufmg.br ~/.prn
(lcerf[at]dcc.ufmg.br is the id of my key)

To use a password (a symmetric key) instead:
$ gpg -c ~/.prn

To decrypt the file:
$ gpg -d ~/.prn.gpg

If ~/.prn is a directory, 'tar' it first (possibly with compression).

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> Let's say I want ~/.prn to be password protected, how can I do that?

Not sure if this is the easiest way, but you could encrypt it with gpg.

Nautilus (GNOME's file manager) has a plugin for doing this graphically.
If you use Nautilus, install the plugin with

$ sudo apt install seahorse-nautilus

and you'll have the option to encrypt a file by right clicking on it. I
haven't tried this myself, so I'm not sure if you'll be able to encrypt
directories.

If you use Caja (MATE's file manager), there is also a plugin but it is
not in Trisquel's repository.
https://github.com/darkshram/seahorse-caja/

Again, I'm not sure if that works on directories, or just files.

Alternatively, you can do all this from the command line:

To encrypt a file, run

$ gpg -c /path/to/file

You'll be prompted to enter a password twice, and /path/to/file.gpg will
be created. If you then delete the original,

$ srm /path/to/file
(you might need to run "sudo apt install secure-delete" first)

then only the encrypted file will remain.

To decrypt it, run

$ gpg /path/to/file.gpg

Enter the password you created earlier, and the file will be decrypted.

This only works on files, not directories. However, you could either
encrypt each file individually (assuming you don't mind the directory
structure being visible)

$ cd ~/.prn
$ find . -type f -exec sh -c 'gpg -c "$1" && srm "$1"' sh {} \;

or convert the directory to a file and encrypt that.

$ cd ~
$ tar cf .prn.tar .prn
$ gpg -c .prn.tar

Before deleting the original, make sure that you can successfully
decrypt .prn.tar.gpg with

$ gpg ~/.prn.tar.gpg

and extract the resulting .prn.tar with

$ tar xf ~/.prn.tar

When you're ready to delete the originals,

$ srm -r .prn .prn.tar

Jaret
Offline
Joined: 12/19/2018

Thanks!
Unfortunately, the .prn is a directory and its size is around 70 Gb.
So I guess tar/untar it every time I need access to it is the only option?

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> Unfortunately, the .prn is a directory and its size is around 70 Gb.
> So I guess tar/untar it every time I need access to it is the only option?

If it's only the content of the files you need encrypted, then you can
recursively encrypt all of the files with

$ cd ~/.prn
$ find . -type f -exec sh -c 'gpg -c "$1" && srm "$1"' sh {} \;

like I suggested, and then decrypt individual files as needed. However,
if you don't want anyone to even see the directory tree, then I don't
see a way around encrypting and decrypting the entire tar archive when
you need it. With 70 Gb that could take a while. secure-deleting 70 Gb
with srm could take a while too. Maybe you could save time by separating
.prn into multiple directories and creating a separate tar for each, so
that you don't have to decrypt all 70 Gb every time.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

'tar' is fast. You just do not want to compress with a computationally demanding algorithm. GZip should be OK.

Encrypting with a public key:
$ tar -czf /dev/stdout ~/.prn | gpg -eo prn.tar.gz.gpg -r lcerf[at]dcc.ufmg.br
Encrypting with a password:
$ tar -czf /dev/stdout ~/.prn | gpg -co prn.tar.gz.gpg
Decrypting:
$ gpg -d prn.tar.gz.gpg | tar -xz
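
The streaming pipeline above combined with chaosmonk's advice to prove the archive decrypts before deleting the original, as an added example that is not part of either poster's reply. The function names and the passphrase-file argument are assumptions of this sketch; it expects bash, GNU tar, gpg 2.1 or later, and file names without newlines.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Function names and the PASSFILE
# argument are hypothetical; requires GNU tar, gzip and gpg 2.1+.
set -o pipefail   # a failing gpg must fail the whole pipeline

# Run gpg unattended: the passphrase is read from a file, which should
# live off the shared disk (removable media, for instance).
gpg_batch() {
  local passfile=$1; shift
  gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase-file "$passfile" "$@"
}

# encrypt_dir DIR OUT PASSFILE
# Streams tar straight into gpg, so no plaintext archive is written to disk.
encrypt_dir() {
  local dir=${1%/} out=$2 passfile=$3
  tar -C "$(dirname "$dir")" -czf - "$(basename "$dir")" |
    gpg_batch "$passfile" --symmetric -o "$out"
}

# verify_archive DIR ARCHIVE PASSFILE
# Decrypts to a pipe and compares the archive's member list with the files
# on disk; nothing is extracted. Returns 0 only if decryption succeeds and
# every non-directory entry under DIR is present in the archive.
verify_archive() {
  local dir=${1%/} archive=$2 passfile=$3 want got
  want=$(cd "$(dirname "$dir")" &&
         find "$(basename "$dir")" ! -type d | LC_ALL=C sort) || return 1
  got=$(gpg_batch "$passfile" -d "$archive" | tar -tzf - |
        sed '/\/$/d' | LC_ALL=C sort) || return 1
  [ "$want" = "$got" ]
}

# Delete the plaintext only after the round trip has been proven
# (paths below are placeholders):
#   encrypt_dir ~/.prn ~/prn.tar.gz.gpg /media/usb/pass &&
#   verify_archive ~/.prn ~/prn.tar.gz.gpg /media/usb/pass &&
#   srm -r ~/.prn
```

The check fails on a wrong passphrase, a truncated archive, or a file added to the directory after encryption, so the `srm -r` step is never reached in those cases.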

Jaret
Offline
Joined: 12/19/2018

The problem is that this PC was bought using family budget and all adult family members have sudo on it.
We use phones for most of our everyday activity, but whenever we need to use a real PC, we have this machine available for all family members. I thought that there should be an option to simply put a password on a directory and rename it something like .muttmailrc to make it look like a part of the system. I will probably end up buying a separate laptop and use it for my personal needs.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> I thought that there should be an option to simply put a password on a directory and rename it something like .muttmailrc to make it look like a part of the system.

That is what 'gpg -c' does. You can use option -o to specify the name of the encrypted file. And, as chaosmonk told you, there is a Nautilus extension, seahorse-nautilus, to do that with the mouse, from GNOME's file manager, which I happen to use: right-click on the file/directory and choose "Encrypt..." in the contextual menu.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> The problem is that this PC was bought using family budget and all adult
> family members have sudo on it.

> I thought
> that there should be an option to simply put a password on a directory and
> rename it something like .muttmailrc to make it look like a part of the
> system.

> I will probably end up buying a separate laptop and use it for my
> personal needs.

Maybe you should just buy a USB drive and store your private data on
that. It would be cheaper than buying a laptop, less suspicious than 70
Gb of config files, and possible to encrypt the entire disk.

Jaret
Offline
Joined: 12/19/2018

OK, thanks!

Narcis Garcia
Offline
Joined: 04/15/2019

If you can't separate this as an independent encrypted partition, the
solution is a disk image (encrypted) mounted with ploop.

When you need access to the protected directory, you only mount the image
file with ploop, and will need the unlocking password. Once this is done,
you will have transparent access to the full tree.

On 29/4/19 at 19:31, name at domain wrote:
> Hello!
> Let's say I want ~/.prn to be password protected, how can I do that?
> There are different sudoers on my home computer, so chown root:root
> won't prevent them from seeing contents of that directory. Any advice?