Password protect folders

Support
1

On my filesystem I have a folder (and subfolders and files) I want password-protected.

  • it is a native Linux FS (whole partition is LUKS+ext3);
  • I took into account that root can browse it anyway and good so;
  • DE is GNOME;
  • folders are not HOME;
  • folders can be viewed by root: other users must not without password.

According to my idea, I log in as a user in my session and I cannot normally browse that folder.
Then when I want to access that folder, I get asked for password.
After that, I can freely navigate that folder/subs/file, viewing previews/thumbs.
At its best, that password could automatically time out after a while.

I know I could encrypt folders, but I would avoid it.
I have already tried with chmod 770 + chown XY + chgrp ZZ but, especially when I leave that folder and try to browse it again, I am no longer asked for the password and its content is left freely browsable.

Thank You for Your help!

2

If the folder/files are stored on a non-native Linux file system - exfat and ntfs - encryption is the only way.

With a native Linux file system - even though you can apply permission - which is the first step - this will not prevent a root account from accessing the files/folders.

Apply permissions

Example folder /home/secrets

chown $USER:$USER /home/secrets -R
chmod u+rw,go-rwx /home/secrets -R

Encryption

Educate yourself with Data-at-rest encryption - ArchWiki

1 Like
3

OK, thank You.
Just forgot to mention that:

  • yes, it is a native Linux FS (whole partition is LUKS+ext3);
  • I took into account that root can browse it anyway and good so: I just do not want normal user can rwx without passwd;
    Thank You
4

When I apply Your suggestion:

  • Files+Thunar+Nemo compain: “A problem has been detected with thumbnail cache. Fixing it will require administrative privileges”. Means should I chmod some folder in that user’s home cache?
  • No application can read those files;
  • no thumbnail.

I also tried to sudo usermod -a -G secretGroup casualUser
but without avail.

When I am done with that folder, how can I “unprivilege” it (since it does not automatically time out/log ot)?

5

You will have to think - don’t apply blindly what I comment - it is an example - not a how-to.

I have no idea what you are trying to accomplish so my comment is generic.

You need to read up on permissions File permissions and attributes - ArchWiki and heed the Warning at the beginning of the article.

Also see Access Control Lists - ArchWiki

But if you are trying to do what I think you do - you will not have much success.

Use eCryptfs as suggested above.

6

Yes, I know I have to gauge hints :slight_smile:
I am a bit of a worry because in ancient days I had problems recovering data in emergency from eCryptfs. I am a bit scarried off.

7

You will require some kind of encryption or obfuscation as you cannot password protect a folder structure. It is as simple as that.

If encryption is not an option - you only have permissions to work with.

In any case it provides no real security - as you must know by now.

If you don’t like eCryptfs - then try one of the other cryptfs options

8

If you are using KDE, I highly recommend plasma-vault
Super easy to setup and very robust and safe. YOU select what method to encrypt with, then just unlock/lock with the applet.
I opted to go with cryfs.

1 Like
9

No, I use GNOME but since looking interesting I’ll give it a go!
Right now I am delving with eCryptFS and ACL, the latter being more promising, the former with dangerous deficiencies as stated in Making sure you're not a bot!.

Also, tested GNOME Vaults: installed 130MB deps for 2.4MB app… and didn’t work because of am adwaita version mismatch… uninstalled. :frowning:

Seems cryfs the most viable solution without too much hassle.
After a couple of hours one discovers that:

  • it is prone to data corruption;
  • after setting it up and playing around, - at least on my system - it cannot longer unmount the unencrypted directory;

Switched to gocryptfs: worked at first shot. Go on testing:
was slower at the beginning but works fine now.

TOMB is good: a LUKs FS within my LUKs. Works fine.