Hi,
I’m wondering what is an appropriate solution to protect my files on a shared computer.
I have installed Manjaro on a computer that is shared by a few students, including me, and I have created a user for myself, protected by password. I have a folder with my work files that syncs through syncthing with my phone and home computer.
The problem is that the HDD is not encrypted, so if someone boots into a live USB, or logs into root somehow, they can access the files in my user’s home folder.
I’m aware I can create a zip that is password protected, but it would be very inconvenient to have to zip/unzip my files all the time.
Is there a way I can better protect my home folder on this PC, in a way that when I login into my user, syncthing is immediately able to sync my files?
To protect your personal files from being accessible by anyone who boots your machine from a USB
you have to encrypt at least your $HOME
so that, even if the whole system is accessible
the content of your $HOME is not
is another way to selectively encrypt directories inside your $HOME
they will be synced as they are - encrypted
slightly more inconvenient to use, though
as you have to actively open them when you want access
You want to also protect them from the other students who also use this computer? Block-device encryption (such as LUKS) technically won’t suffice; although it can protect the data if it is locked with a strong passphrase that must be entered up boot. (Protection against strangers and thieves.)
In your case, since you’re using KDE, you can install and use Plasma Vaults. It supports different encryption backends, and is designed to be user-friendly. You can manage, lock, and unlock your “vaults” at will using the GUI applets. No overhead nor inconvenience, compared to using “zips” and other older methods.
The package to install is named plasma-vault, and it will prompt you to also install one of three “optional” dependencies, if you don’t already have one or all of them installed: cryfs, gocryptfs, or encfs.
The applet can be placed in the tray and/or anywhere on the desktop screen.
Thank you very much, I think eCryptfs might be what I’m looking for. I’m gonna read about it and try to use it. To have certain folders be decrypted automatically when I login would be ideal. I was also worried about my firefox profile being accessible, but If it encrypts my complete home folder, I believe it solves this problem too.
Thanks. I did consider this option. But, although I’m the one who has been maintaining that computer, it is not mine, and some other people in the lab should be able to maintain it as well, if needed, and not be forced to rely on me. So, the other people would need to know the passwords to the BIOS and Grub too, which would defeat the purpose.
Plasma vaults seems like it could be a solution, i’ll try it. From the screenshot you gave, it reminds me of veracrypt, as in it create a file that can be mounted as a drive when I input a password (i’m guessing from the eject symbols, but I’m not sure). So I wonder if it will work well with syncthing, or if I will be able to synk my whole user folder.
Thanks again, your answer was very helpful.
An issue with encrypting your home folder, if root access is shared the system itself can be an attack vector. Any command for example ls or syncthing can be replaced by a trojan.
How about an encrypted partition with a full install on it?
Ahh, that’s a good point. Hadn’t though about that. But I don’t really believe people in the lab would go that far to access eachother’s files. In any case, it’s good to keep in mind this vulnerability.