protecting my files from root
In a remote box, my files are 700-chmoded, but I'm worried that root may be reading them.
Is there a way to add another layer of protection to avoid that, perhaps by encrypting them, but allowing smooth on-the-fly decrypting when programs run by me request them?
My typical use is a GNU screen session with irssi and vim running.
Thanks!
Thinking about it logically - without touching on any specific technologies - if it's not your machine and you don't trust root then you have a problem.
You really can't do anything about securing screen
and irssi
. Root will always have permissions to force the attachment of screen sessions, to sniff IRC traffic from the network or potentially to peek into the contents of process memory.
You could encrypt files with keys and passwords. But it would require the system having access to the encryption keys when required, which in turn means that root would also have access and that they could be attacked with brute force. Unencrypted files would be present in memory or disk for the period of time that they were used, and you guessed it, root can see those too.
No. Root sees all, knows all.
I'm not sure that any solution is going to work. What's to stop root signing in or su'ing to your user? Even if you require a password to be typed in the root user could easily set up a keylogger to trap it. The solution, if you don't trust the root user of the server you're using, is to use a different server.
This cannot be done, in any true meaning anyway.
If you don't trust the administrators you're out of options - there's always a way for them to get to the data as they control your hardware and your infrastructure.
Regulate access through written policy.