1

I am connecting via ssh to my server, which is provided by my institution. It is an Ubuntu server.

The home folder contains many users. Each user has a password. But I am not sure whether any user can enter my folder.

I want to either hide or encrypt my folder. What do I need to execute in my terminal?

10
  • 2
    What is the permission on your home directory? What's the output of ls -ld "$HOME"? Do you trust the system administrator? Commented Feb 14, 2021 at 18:54
  • @Kusalananda drwxr-xr-x 7 .... Commented Feb 14, 2021 at 19:00
  • @Kusalananda I don't trust. Commented Feb 14, 2021 at 19:01
  • 2
    If you don't trust the system administrators, I would consider that system as "tainted" and not store anything on it, nor use it for anything. In particular I would never enter a password or any sensitive information while logged into it. In short, if you don't trust your admin, then the system is more or less useless to you. You could use it to store encrypted data, but de- and encryption should happen elsewhere. Even on a home system, you would probably want to avoid storing passwords in plain sight in text files. Use something like password-store, depending on what passwords these are. Commented Feb 14, 2021 at 19:06
  • 1
    I think we need a bit more context to be able to say very much more. What is your intended use of this system, what sort of data do you need to store on it, and why do you think you need to store important passwords on that system and not on a safe private machine? You mention "institution", is that a university? If so, you should probably not store personal data on that system in any case (only things related to your studies or your employment). Commented Feb 14, 2021 at 19:50

2 Answers 2

2

As others have pointed out, you can't stop system administrators (anyone with sudo access) accessing your files. Even if you encrypt them, if you need to access their content on the server, then an admin can snoop on you while you do. This is true in most/all operating systems.

Your home directory is readable by all other users, usually by default. In comments you said your home directory had read permissions by all users.

Often all you need to do to stop other regular users is change the permissions on your home directory:

chmod 700 ~ 

This will block all users except for root (admin) from your home directory.

If you need to encrypt your data for legal or commercial reasons then this is often not enough unless you have been informed that the drives are encrypted.
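
An added example (not part of the original answer) that carries out the check and fix above on a throwaway directory instead of the real home directory: it tests whether group or other hold any permission bits, applies chmod 700, and lists files inside that are still group/other-accessible. The function names are made up for this illustration, and GNU stat and find (as shipped with Ubuntu) are assumed.

```shell
#!/bin/sh
# Constructed demo: works on a temporary directory, not on your real $HOME.

# Print the octal mode of a path (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# Succeed if group or other have any permission bit set on the path.
open_to_others() {
    m=$(mode_of "$1")
    [ $(( 0$m & 077 )) -ne 0 ]      # leading 0 makes the constant octal
}

# Restrict a directory to its owner and report the mode before and after.
lock_down() {
    before=$(mode_of "$1")
    chmod 700 "$1" || return 1
    printf '%s: %s -> %s\n' "$1" "$before" "$(mode_of "$1")"
}

# List entries below a directory that group/other could still read or write.
# Behind a 700 directory other regular users cannot reach them, but they are
# exposed again if the directory is reopened or the files are copied out.
loose_entries() { find "$1" -mindepth 1 -perm /077 -print; }

demo() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d"                              # drwxr-xr-x, as in the question
    ( umask 022; echo secret > "$d/notes.txt" ) # common default umask -> 644
    open_to_others "$d" && echo "before: other users can list and enter $d"
    lock_down "$d"
    open_to_others "$d" || echo "after: only the owner (and root) can enter"
    echo "still group/other-readable inside:"
    loose_entries "$d"
    rm -rf "$d"
}
demo
```
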

0

Reading the title "hide/encrypt my files"...

To encrypt a file (in the example below, denoted F), e.g. with openssl, using AES with CBC as the mode of operation:

AES - Advanced Encryption Standard

CBC - Cipher Block Chaining

openssl aes-256-cbc -base64 -pbkdf2 -in F 

Note: -pbkdf2 and -iter are not supported by OpenSSL versions lower than 1.1.1.

One could use -iter <integer> to add an extra layer of security.

This makes it harder (by making it slower) to try to brute-force (guess) the password, but if a ridiculous number of iterations is used, it will take very long. That said, this is symmetric encryption, which is quite fast most of the time; I just thought of mentioning this.

Note: use >= 10000 iterations

openssl aes-256-cbc -base64 -pbkdf2 -iter 10000 -in F 

Decrypt

Denoting encrypted file "file.enc":

cat file.enc | openssl aes-256-cbc -base64 -pbkdf2 -d 

Encrypt multiple files

(With the same extension) instead of encrypting every file:

For example, to encrypt all files ending with .odt in the folder odtFiles with a unique password (which is asked for interactively) and output the encrypted files to <originalfilename>.enc:

find odtFiles/ -name "*.odt" -type f -exec openssl aes-256-cbc -base64 -pbkdf2 -in {} -out {}.enc \; 

References:

Related OpenSSL 1.1.1b warning: Using -iter or -pbkdf2..

OpenSSL Manual
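
An added example (not from the original answer) showing an encrypt, decrypt and compare round trip with the same openssl options, with the iteration count held in one variable so that both directions agree. The function names, the ITER variable and the sample files are constructed for illustration; the passphrase is read with -pass file: from an owner-only file instead of the interactive prompt so that the script can run unattended.

```shell
#!/bin/sh
# Constructed demo on throwaway files; names and ITER are assumptions.
ITER=10000   # the answer's minimum; encrypt and decrypt must use the same value

# encrypt_file FILE PASSFILE: writes FILE.enc (base64-encoded AES-256-CBC).
# -pass file: keeps the passphrase out of argv, which other users can see in ps.
encrypt_file() {
    openssl enc -aes-256-cbc -base64 -pbkdf2 -iter "$ITER" \
        -pass "file:$2" -in "$1" -out "$1.enc"
}

# decrypt_file FILE.enc PASSFILE: plaintext goes to stdout.
decrypt_file() {
    openssl enc -d -aes-256-cbc -base64 -pbkdf2 -iter "$ITER" \
        -pass "file:$2" -in "$1"
}

# encrypt_tree DIR PASSFILE: encrypt every *.odt under DIR, check that each
# .enc decrypts back to the original, and print how many files were verified.
# Plaintext files are left in place. Names containing newlines are not handled.
encrypt_tree() {
    dir=$1 pass=$2 n=0
    list=$(mktemp) || return 1
    find "$dir" -type f -name '*.odt' -print > "$list"
    while IFS= read -r f; do
        encrypt_file "$f" "$pass" &&
            decrypt_file "$f.enc" "$pass" | cmp -s - "$f" || { rm -f "$list"; return 1; }
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

demo() (
    umask 077                                  # new files are owner-only
    d=$(mktemp -d) || exit 1
    mkdir "$d/odtFiles"
    printf 'constructed passphrase\n' > "$d/pass"
    printf 'draft one\n' > "$d/odtFiles/a.odt"
    printf 'draft two\n' > "$d/odtFiles/b c.odt"
    echo "verified: $(encrypt_tree "$d/odtFiles" "$d/pass")"
    rm -rf "$d"
)
demo
```

openssl enc in CBC mode provides confidentiality only; it does not detect modification of the .enc file.
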

5
  • Optionally, if you prefer GUI rather than bash. I would suggest using Veracrypt. veracrypt.fr/en/Documentation.html Commented Feb 14, 2021 at 22:46
  • 1
    Even assuming OpenSSL 1.1.1 (lower versions don't support enc -pbkdf2 [-iter $n]) the default iter count is 10000 so 850 is a big decrease in security; it is even lower than was recommended by RFC2898 in 2000! Commented Feb 15, 2021 at 6:48
  • @dave_thompson_085 Hey! Thanks so much for pointing these things out! You can't imagine how thankful I am that there are people like you; thanks again - Will edit; GOSH thanks again for pointing those 2 crucial things out! Commented Feb 15, 2021 at 10:14
  • 1
    Just a comment about readability: The first thing that one reads of this answer is "Don't use 850 Iterations", and one needs to read much further to figure out what that's about. It would be better if you incorporated edits into the natural flow of the text, so that the answer, at any time, is coherent when reading it from top to bottom, without any "Edit:" or "Updated:" markers. Also, avoid section headings for a short post like this. Commented Feb 15, 2021 at 11:25
  • Okay - noted down, thanks for the explanation, *Just one question, avoid section headings for a short post - you mean I should not use ## or # (bold text) if the post is very short? - If there's something I have misunderstood (I've tried to edit according to your comment) please tell me that, or feel free to edit - I appreciate it! Commented Feb 15, 2021 at 11:37
