Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!mintaka!ogicse!cvedc!mcspdx!adpplz!martin
From: martin@adpplz.UUCP (Martin Golding)
Newsgroups: comp.unix.questions
Subject: Re: encrypt a directory
Message-ID: <790@adpplz.UUCP>
Date: 7 Jun 91 16:57:26 GMT
Article-I.D.: adpplz.790
References: <1991Jun3.181239.283@csn.org> <1991Jun4.161017.2561@cbfsb.att.com>
Organization: ADP Dealer Services R&D, Portland, OR
Lines: 39

>>>>>> On 3 Jun 91 18:12:39 GMT, sullivan@csn.org (Steve Sullivan) said:

>Steve> Is there a way to encrypt a directory, so that it
>Steve> and all files & dirs below it are completely
>Steve> inaccessible to anyone? This would be much preferred
>Steve> to encrypting all files in a large tree.

In <1991Jun4.161017.2561@cbfsb.att.com> Dan_Jacobson@ATT.COM writes:

>Maybe encrypt a tar(1) or cpio(1) archive of the directory.

?? If you mean to encrypt the directory and all the stuff under it,
isn't that "encrypting all the files in a large tree"? It shouldn't
be any faster to encrypt, and much slower to reload and decrypt when the
data is needed.

The answer to the original question is no, absolutely not. The fact that
the directory names are encrypted doesn't prohibit people from reading the
files (if you converted "source" to "asdkjfhjjii", somebody does an ls and
gets asdkjfhjjii, and then does cat asdkjfhjjii). If you can't protect the
files sufficiently with the unix protections, you can't protect the directory
as a pathway.

That said, I have seen 1) making a directory execute only (you can open a
file _only_ if you know the name) and 2) naming the subdirectories very
strange names, and changing them occasionally. In the example above, the
"ls" wouldn't work (no read privileges) and the weird name would be unknown
to all but the select few, or to specified programs. The purpose is to allow
access to the lower data only to certain (in this case database) programs.
This method only works to _allow_ access to the data.

If you are trying to _prevent_ access, and you are not confident of the
unix protections, nothing but encrypting the data will help.

Martin Golding    | sync, sync, sync, sank ... sunk:
Dod #0236         | He who steals my code steals trash.
A poor old decrepit Pick programmer. Sympathize at:
{mcspdx,pdxgate}!adpplz!martin or martin@adpplz.uucp
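
The execute-only directory scheme described in the post, looked at from the administrator's side; this is an added example, not part of the original post. It walks a tree and reports every entry under an execute-only directory that anyone who learns the name can still open, which is the case where the name is the only barrier. It judges the "other" permission class from the mode bits only (group membership and ACLs are ignored), and the `db`, `journal` and `keys` names are constructed sample data.

```python
import os
import stat
import tempfile

def audit_search_only_dirs(root):
    """Return paths inside directories that 'other' may traverse (x) but not
    list (r) and that 'other' can still open once the name is known."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dmode = os.lstat(dirpath).st_mode
        if not (dmode & stat.S_IXOTH) or (dmode & stat.S_IROTH):
            continue  # not an execute-only ("search-only") directory
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink mode bits carry no meaning
            # Directories are entered with x, files are read with r.
            needed = stat.S_IXOTH if stat.S_ISDIR(mode) else stat.S_IROTH
            if mode & needed:
                findings.append(path)
    return sorted(findings)

def build_sample(base):
    """Constructed tree: db/ is mode 0711, holding one obscurely named
    subdirectory and two files with different permissions."""
    db = os.path.join(base, "db")
    os.mkdir(db)
    sub = os.path.join(db, "asdkjfhjjii")  # obscure name used in the post
    os.mkdir(sub)
    os.chmod(sub, 0o755)
    for name, mode in (("journal", 0o644), ("keys", 0o600)):
        path = os.path.join(db, name)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, mode)
    os.chmod(db, 0o711)  # owner rwx, everyone else execute-only
    return db

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample(base)
        for path in audit_search_only_dirs(base):
            print("name is the only barrier:", os.path.relpath(path, base))
```

Entries it reports need tighter mode bits of their own (as `keys` has here) if the intent is to prevent access rather than to allow it.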