[Samba] VFS for encryption/decryption

Andrew Bartlett abartlet at samba.org
Thu Dec 22 19:36:33 GMT 2005

On Thu, 2005-12-22 at 11:04 +0100, Felix Brack wrote:
> Hello Andrew,
> In my case, clear over the network would be ok. The problem I am
> trying to solve is: I can setup Samba PDC perfectly so every user
> get's some space which is accessible by nobody else. The administrator
> of the samba server however (at least the user root) has access to
> all files of all users.
> The normal user has no LINUX login account on the box running the
> samba server.
> I could ask the users to run TrueCrypt (www.truecrypt.org) and create
> a encrypted file on their home directory on the Samba server. This
> works perfect but I was just looking for an even more transparent
> solution which I think could be provided by some sort of VFS module.

We run into issues such as 'how do you key the crypto'.  The
administrator has access to any secrets stored on the server, so how
would Samba decrypt the data, but the administrator not?

Without protocol modifications, or some extra client-side tool, this
becomes quite a challenge.  And then the administrator could still
subvert the whole thing.

A slightly easier goal would be to protect files on a stolen hard disk
(ie trust the admin, but not always the person with the server), but I
still don't see how to do it without protocol modifications.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20051223/63cf4760/attachment.bin

More information about the samba mailing list