[Samba] VFS for encryption/decryption

Guido Lorenzutti guido at lorenzutti.com.ar
Fri Dec 23 11:35:32 GMT 2005

You just explained this perfectly. I have the same problem. If I could 
provide something like this to my users I would be in heaven. I can't be 
the ONLY administrator to have full access to every single file.
Even more, in my work, we use an LTSP environment. I don't have any user 
with a hard drive to locally store something, everyone MUST use H:. 
Imagine that! I have sooooo many users who say "I don't wanna use 
that! IT PEOPLE can see my files!!".

Felix Brack wrote:

>It's true (partially) that the administrator has access to all secrets
>stored on the server. However the administrator does not _know_ a user's
>password or samba password. He can of course change those passwords.
>This however would be noticed by the user whose password has been
>changed and data encrypted with the user's former password would still
>not decrypt (with the new password) to some meaningful data, right?
>If this is correct my requirements would be fulfilled.
>I do not know at all how things are running within samba but fact is,
>that any user authenticates himself when connecting to a server share
>from his client. Wouldn't this be the method to tell a VFS module to
>do encryption/decryption with the user's password? As I already
>stated, I am aware that things are not that simple but the principle
>should remain.
>My PDC is set up to present the user a network drive H: that holds his
>home directory; this is great and very simple to configure with samba.
>Why not present the user, say network drive Q:, showing the decrypted
>contents of a file stored on the server that is encrypted with the
>user's password? The user wouldn't 'see' any difference between
>accessing files on H: or Q:. This would provide a truly transparent
>access to encrypted data.
>Andrew Bartlett wrote:
>AB> We run into issues such as 'how do you key the crypto'.  The
>AB> administrator has access to any secrets stored on the server, so how
>AB> would Samba decrypt the data, but the administrator not?
>AB> Without protocol modifications, or some extra client-side tool, this
>AB> becomes quite a challenge.  And then the administrator could still
>AB> subvert the whole thing.
>AB> A slightly easier goal would be to protect files on a stolen hard disk
>AB> (ie trust the admin, but not always the person with the server), but I
>AB> still don't see how to do it without protocol modifications.
>AB> Andrew Bartlett
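
The property discussed in the quoted messages (data encrypted under the user's former password does not decrypt after an administrator resets it), as an added example that is not part of the original thread and is not Samba code. It assumes the module is somehow handed the user's cleartext password, which is the keying question Andrew Bartlett raises; the function names and sample values are constructed, and the HMAC counter-mode cipher stands in for a real AEAD because the Python standard library has none.

```python
import hashlib
import hmac
import os
from typing import Optional

def _keys(password: str, salt: bytes):
    # Key material comes only from the password; no key is stored server-side.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)

def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD cipher.
    stream = b""
    for counter in range((len(data) + 31) // 32):
        block_input = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(enc_key, block_input, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(password: str, plaintext: bytes) -> bytes:
    # What lands on the server disk: salt | nonce | ciphertext | tag.
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    body = salt + nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(password: str, blob: bytes) -> Optional[bytes]:
    if len(blob) < 64:
        return None
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ciphertext = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password or modified blob
    return _xor_stream(enc_key, nonce, ciphertext)

def demo() -> dict:
    secret = b"quarterly figures"                    # constructed sample data
    stored = seal("users-former-password", secret)   # constructed password
    return {
        "owner": unseal("users-former-password", stored),
        "after_admin_reset": unseal("password-set-by-admin", stored),
        "plaintext_on_disk": secret in stored,
    }

if __name__ == "__main__":
    print(demo())
```

The same property means a user who forgets the password loses the data, since nothing on the server can recover the key.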
