On Tue, 2007-12-11 at 11:26 -0600, Paul Johnson wrote: > How do you secure privacy of files on a USB stick? > > The usb flash memory stick works fine if it is VFAT, but what if you > are worried you might lose it and then anybody could read your > secrets. Or, if you need to share a file to somebody, but don't want > them to read everything else, what do you do? > > I thought I could fix that by putting on an ext3 file system. But it > doesn't help. Windows users with IExplore can see all the files, no > matter who owns them. > > On a Linux system, the owners of the files are not recognized. I had > forgotten that ext3 uses user numbers, rather than user names, for > ownership information. So when I take a disk from one system to the > next, then the user is either unrecognized or wrong. Here's a case > where it is unrecognized: > > drwxr-xr-x 3 29999 29999 4096 2007-11-26 19:50 Booger > > I've seen other cases where another user who happens to have the same > user number is given ownership of my files. Files and directories are ALWAYS done by UID and GID (numbers), regardless of the Unixish filesystem used to create them (ext2, ext3, jfs, xfs, you name it). The user- and group-names are simply convenient to us and are ENTIRELY based on the ability of the listing process to read the /etc/passwd and /etc/group files. If the listing process can't read those files, you see the numbers. If it can, you see usernames and groups. > So, apparently I can't rely on the file system permissions to give me > any security. This is ALWAYS an issue when you move files from system to system. If you don't keep the UID/GID stuff consistent across all of the systems, how do you expect them to honor the permissions? This is EXACTLY why stuff such as NIS and LDAP were created--so there was a single point of management of UID/GID information. > Aside from tarring up stuff that I don't want to be public and > encrypting with a gpg signature, I'm stumped on what I should do. > > Can you put an encrypted file system on a usb flash disk? How? Use ecryptfs on it. Make sure you install ecryptfs-utils. ---------------------------------------------------------------------- - Rick Stevens, Principal Engineer rstevens@xxxxxxxxxxxx - - CDN Systems, Internap, Inc. http://www.internap.com - - - - Never test for an error condition you don't know how to handle. - ----------------------------------------------------------------------