I am a sudo user on our server (Ubuntu). There is also another sudo user on our server, so both of us have access to other directories as root. I have some private files that I do not want to share with the other sudo user. Is there any way to do that?
2 Answers
I have some private files that I do not want to share with the other sudo user. Is there any way to do that?
There is only 1 way: do not store those files on that system.
If it is your server and you do not trust that other user, remove his sudo access. Otherwise private data should not be stored on that machine. In case you are in the European Union: The new privacy law does not allow you to store private data on a machine you do not own without notifying, and getting written consent from, the owner of that machine.
- A sudo user with no restrictions can do and undo whatever you can undo and do.
- Encryption of the files or a directory with the files will only give you a false sense of security.
- The same goes for accessing it from a remote system where you need a password (like a USB drive with encryption or a password to mount, gdrive, or an SSH connection).
It is pretty easy to activate a watchdog that copies files to another location. And you yourself will never notice it happening. And it is even easier to install a key logger to catch any password you type.
You cannot hide files from the other sudo user, but you can encrypt your private files before (!) you upload them to the server. To work with your private files (i.e. do an edit), you need to download and then decrypt. After you have finished your work, you must encrypt and upload again.
The sequence matters and it's probably not the most convenient way, but it works: you can store your private (encrypted) files on your server and prevent the other sudo user from reading your private content.
Important: You must do each encryption/decryption process only offline (to be precise: not on your server). If you do it on your server, the other sudo user can record the process and in the end gain access to your files.
Different encryption methods have various pros and cons and to keep my answer short, I'd like to suggest only two tools:
GPG offers file encryption with a symmetric cipher using a passphrase (and much more) and is pretty straightforward.
cryptsetup allows you to create a password-protected LUKS container and use it like a common loop device. Be advised: you never want to unlock a LUKS container online (to be precise: on your server), else the other sudo user can extract the LUKS master key and use it to add a new key (thanks to @Rinzwind for the URL).
Needless to say it's always good to choose strong passwords and of course the other sudo user can download your encrypted file and try to decrypt using brute force.
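
The offline encrypt, upload, download, decrypt cycle described in the second answer, written out with GPG's symmetric mode. This is an added example, not part of either answer; `REMOTE`, `COPY`, `GPG_EXTRA` and the function names are assumptions of the sketch, and it is meant to run on your own workstation only.

```shell
#!/bin/sh
# Added example: run this on your own workstation, never on the shared server.
# REMOTE, COPY and GPG_EXTRA are assumptions of this sketch, not from the answers.
set -eu

REMOTE="${REMOTE:-user@server.example:private}"  # placeholder destination
COPY="${COPY:-scp}"                              # transfer command

# Encrypt <file> to <file>.gpg with a passphrase (symmetric AES-256).
# gpg prompts for the passphrase; GPG_EXTRA can carry extra gpg options.
seal() {
    gpg ${GPG_EXTRA:-} --symmetric --cipher-algo AES256 --output "$1.gpg" "$1"
}

# Decrypt <file.gpg> into <output>.
unseal() {
    gpg ${GPG_EXTRA:-} --output "$2" --decrypt "$1"
}

# Upload only files that went through seal(); refuse anything else so a
# plaintext file is not sent to the server by mistake (name check only).
upload() {
    case "$1" in
        *.gpg) $COPY "$1" "$REMOTE/" ;;
        *) echo "refusing to upload unencrypted file: $1" >&2; return 1 ;;
    esac
}

# Full edit cycle for <name.gpg>: download, decrypt locally, edit,
# re-encrypt, upload, then remove the local working copies.
edit_remote() {
    work=$(mktemp -d)
    $COPY "$REMOTE/$1" "$work/$1"
    unseal "$work/$1" "$work/plain"
    ${EDITOR:-vi} "$work/plain"
    rm "$work/$1"
    seal "$work/plain"
    mv "$work/plain.gpg" "$work/$1"
    upload "$work/$1"
    rm -rf "$work"
}
```

Typical use is `seal notes.txt` followed by `upload notes.txt.gpg`, and later `edit_remote notes.txt.gpg`; the server only ever receives the `.gpg` file.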