Can anyone help me with ENCRYPTION?


evac-q8r
08-06-2003, 09:29 AM
We are all aware that root has the power to do anything, including reading files which are set up for no one else to read except maybe the user/creator themselves. So I would like to encrypt some of my files so that I'm ultimately the only one who can read my important files. Can anyone suggest how I might be able to achieve this?

Thanks,

EVAC

andysimmons
08-06-2003, 09:47 AM
Maybe with PGP... that's about all I can suggest. I've never really looked into this, so hopefully someone else can make a more specific suggestion.

chucksaysword2
08-06-2003, 09:59 AM
Hmm I'm not quite sure if this is what you are looking for but it's worth a looksie.... http://forums.gentoo.org/viewtopic.php?t=31363. Hope I helped

andysimmons
08-06-2003, 10:19 AM
Here we go, I think this might be helpful:

http://gnupg.linux.it/

Gertrude
08-06-2003, 11:09 AM
PGP is the way to go.

bwkaz
08-06-2003, 07:18 PM
Encryption does no good at all if you don't secure your encryption key. Root can still read all files, which means that if your PGP key is stored in a file on that system, root can read it. And decrypt the file you've encrypted.

Think about more than just the file you're trying to protect. ;) Either put the key on a system you own (and are root on), or don't store it at all (if PGP programs even give you that option).

andysimmons
08-07-2003, 01:59 AM
I'm pretty sure you can have GnuPG crypt the key.

evac-q8r
08-07-2003, 05:40 PM
Hmmmmm......Thinking...

Thank You All for the replies given thus far.

EVAC

Hayl
08-07-2003, 05:48 PM
this article (http://forums.gentoo.org/viewtopic.php?t=31363&highlight=encrypt+filesystem) from the gentoo forums will help you create an encrypted filesystem. it is for creating an encrypted root filesystem but it can be done for any file system.

(it is not Gentoo-specific)

bwkaz
08-07-2003, 07:54 PM
Originally posted by andysimmons
I'm pretty sure you can have GnuPG crypt the key.
So how does it get decrypted when you need to use it?

You've got the same problem now, even with an encrypted key. Anyone that can read the key for that encryption can decrypt the key, and then decrypt your file.

andysimmons
08-07-2003, 08:41 PM
The key is just a password you'd have to type to read the file. If GnuPG uses crypt with a randomized salt (as opposed to using the first 2 chars in the key as the salt), and he picks a good key, it'll be a lot harder to crack.

andysimmons
08-07-2003, 08:52 PM
Originally posted by bwkaz
So how does it get decrypted when you need to use it?
I'm sure you (bwkaz) understand what I'm getting at after the last post, but for other people reading, it doesn't get decrypted. If it's using crypt, GnuPG will just encrypt the password entered with the same salt as the encrypted key, and if the two match, it decrypts the other file using the clear-text password (which you just entered) as the key. At least that's the way I understand it, and I could have that wrong...feel free to correct me.

evac-q8r
08-07-2003, 11:04 PM
OK, it seems to me that there must be a simpler way. The use of a key seems really strange. One book mentions "..., a fundamental characteristic of any good cipher is that its security revolves around a key, or even several...the security of a good cipher does not rely on keeping the cipher's algorithm a secret."

Strange...

I mean wouldn't it be easier just to make some simple executable that will encipher the data, throw away the pre-compiled code and only the user knows how to use it. On top of that who in the world is going to know that this arbitrary executable is the enciphering/deciphering algorithm. I think that I'm missing something or I don't understand the theory of encryption.

EVAC

Strogian
08-08-2003, 12:06 AM
Originally posted by evac-q8r
I mean wouldn't be easier just to...
Easier usually does not mean the same thing as better.. :) If you want, you could probably think of the key as the "source code" to the decryption (or encryption) algorithm. Keys are good though, since a computer can make as many as it wants by just using random numbers. It's like a special interpreted language by the encryption program.

(btw. that was me just making up a bunch of stuff. You can ignore me if you want. :D)

bwkaz
08-08-2003, 09:05 PM
Originally posted by andysimmons
The key is just a password you'd have to type to read the file.
Ohh... duh... a crypt()ed key, not an encrypted key. Apparently I misread that... ;)

Anyway, yeah, easier != better. It's much, much more secure to have your encryption algorithm known, so that you can get peer review on it (it may have some major holes in it that you don't see, but others would, assuming enough of them look at it). Given that you want the algorithm to be secure, and I would hope you do, you will still need some part of it to be secret. That part is the key. Or, in the case of public-key systems, that part is the private key (another key, the public one, is known).

Sepero
08-09-2003, 01:16 AM
If you're planning to encrypt more than just a couple files, I recommend an encrypted filesystem.

P.S.
Don't use xor encryption, it sucks.

carrja99
08-09-2003, 04:54 AM
Originally posted by Hayl
this article (http://forums.gentoo.org/viewtopic.php?t=31363&highlight=encrypt+filesystem) from the gentoo forums will help you create an encrypted filesystem. it is for creating an encrypted root filesystem but it can be done for any file system.

(it is not Gentoo-specific)

BTW ... I just had to comment that I like how that 13 year old claims he discovered how to do it by himself... a quick search yielded a howto that is almost word for word... dated 1999. I'm just saying... credit should be given where credit is due

GaryJones32
08-10-2003, 03:11 PM
Originally posted by evac-q8r
OK, it seems to me that there must be a simpler way. The use of a key seems really strange. One book mentions "..., a fundamental characteristic of any good cipher is that its security revolves around a key, or even several...the security of a good cipher does not rely on keeping the cipher's algorithm a secret."

Strange...

I mean wouldn't it be easier just to make some simple executable that will encipher the data, throw away the pre-compiled code and only the user knows how to use it. On top of that who in the world is going to know that this arbitrary executable is the enciphering/deciphering algorithm. I think that I'm missing something or I don't understand the theory of encryption.

EVAC

what you are saying here is just HARD CODE the key then throw away the source.

that sort of works !!!

(it's the nature of encryption to use a key somehow)

the real issue is -- who will be looking at the data and how hard are they going to try to read it.

really a super simple bit switching algorithm with a hard coded key
is enough to do what you want.
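
Added example, not part of any post in this thread: the hard-coded-key "bit switching" scheme discussed above and Sepero's warning about XOR, worked through in Python. The key, file contents and function names are constructed for illustration; the point is that one guessable file header is enough to recover a repeating XOR key and read every other file encrypted with it.

```python
from itertools import cycle

# Constructed stand-in for a key compiled into a private executable.
HARDCODED_KEY = b"evac-2003"

def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def shortest_period(stream: bytes) -> bytes:
    """Smallest prefix that, repeated, reproduces the whole stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """ciphertext XOR known plaintext = key bytes, repeated."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    return shortest_period(stream)

def demo():
    # Constructed sample files, both encrypted with the same hard-coded key.
    script = b"#!/bin/bash\ntar czf /tmp/home.tgz ~\n"
    notes = b"bank PIN 4821; landlord owes me 300"
    ct_script = xor_cipher(script, HARDCODED_KEY)
    ct_notes = xor_cipher(notes, HARDCODED_KEY)

    # Anyone who can read the ciphertexts (root included) only has to
    # guess that one file starts like a shell script.
    key = recover_key(ct_script, b"#!/bin/bash\n")
    return key, xor_cipher(ct_notes, key)

if __name__ == "__main__":
    key, plaintext = demo()
    print("recovered key:", key)
    print("recovered file:", plaintext)
```

Throwing away the source does not help here, because the key falls out of the ciphertext itself. A peer-reviewed cipher keyed by a passphrase that is typed in rather than stored, for example `gpg --symmetric`, does not give up its key to a known file header.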