Encrypted home partition accessible by administrator

Colin Law clanlaw at gmail.com
Wed Apr 24 13:18:33 UTC 2019


On Wed, 24 Apr 2019 at 13:00, Liam Proven <lproven at gmail.com> wrote:
>
> On Wed, 24 Apr 2019 at 13:25, Colin Law <clanlaw at gmail.com> wrote:
> >
> > Even when the user whose home is encrypted is not logged in?  I had
> > assumed that the users password was part of the key to unlocking the
> > encryption.
>
> As I said, I have only done this on the whole-partition level. As such, yes.
>
> This is why Unix sysadmins have joke T-shirts that say:
>
> I CAN READ YOUR EMAIL
>
> Root can do anything it wants.
>
> Windows NT is a bit further down the line and has the concept of
> permission levels for admin accounts. E.g. in a prior role I was a
> domain admin but I only had permissions to install apps locally on
> workstations, not on servers, and I could not create, delete or alter
> user accounts on servers.
>
> I do not know of any Unix system that does stuff like this yet, but
> it's not my area of expertise. It is probably something that is
> possible with enterprise Unixes using groups, and as such, admins
> wouldn't be root -- because normally, root can do anything and
> everything.

Thanks Liam.
An admin would not be able to decrypt if the users password or another
passphrase was required to decrypt it, but it appears that is not how
it works.  Looking at suggestions from earlier in the thread gocryptfs
looks as if it might do what I want. I am just off to try it out.

Colin



More information about the ubuntu-users mailing list