Programmatic Full Disk Encryption

agolangf · · 474 views
<p>Anyone made use of a full disk encryption solution with programmatic access? What I’m looking for doesn’t have to be a fully golang specific solution, but the calling program is a server side golang implementation.</p> <p>Things I’ve evaluated so far are VeraCrypt, LUKS, and AES Crypt. </p> <p>The only preference is that this plays well on both Linux and Windows in some way. </p> <hr/>**Comments:**<br/><br/>
Femaref: <pre><p>Go has access to the file system, so if you can mount a normal solution you can access it via Go.</p></pre>
redtuxter: <pre><p>Yes, but specifically I’d really like to find something that lends itself to programmatic access rather than a hacky bash os.exec call. </p></pre>
Femaref: <pre><p>What is your real requirement? Because it seems like you aren&#39;t telling the whole thing.</p> <p>Put the encrypted disk into /etc/fstab and mount it on startup. Access it from any program via its mount point. It&#39;s not the job of your server program to create the volume in the first place.</p> <p>If you are looking for something that is limited to your program (i.e. not accessible by others) you aren&#39;t looking at full disk encryption anyway.</p></pre>
redtuxter: <pre><p>Fair points. So, the real requirement is for a user to be able to remotely lock and unlock the disk in the easiest manner possible. However, I haven&#39;t seen anything that lets LUKS play well (easily at least) on Windows, and it&#39;s the only one that would allow automounting with /etc/fstab. VeraCrypt requires some command line parameters at each mount and unmount, and makes it really not reliable for something like udev rules. Currently users access a disk that&#39;s mounted with udev rules to a known path. This makes the implementation nice and easy and there&#39;s no mounting work to be done by Golang. Essentially I&#39;d like the same thing, but with the added layer of encryption. Granted, users will need to provide the password &amp;/or key at mount time. 
The additional requirement I probably should have spelled out would be that the disk is unlocked via the key provided by the user over the web UI or REST API and at some point also would be plugged into a Windows box directly where it would need to be decrypted as well. I point to full disk encryption because it would eliminate the need to dynamically allocate encrypted storage space, which can take some lengthy preparation time based on the size requirement. With a full disk solution, we can prep this disk in advance.</p></pre>
balacode: <pre><p>I&#39;m not getting exactly what you need to achieve, but doesn&#39;t VeraCrypt, for example, have a command line interface? So in theory, you could write a Go app that interfaces with this command line program, passing it the mounting details and forwarding the user&#39;s passwords to it. I&#39;m thinking of a Go service that listens for remote user commands and then executes the VeraCrypt mounter. Of course, with this arrangement your OS drive will not be encrypted, but you could full-disk encrypt other connected drives or partitions.</p></pre>
kormoc: <pre><p>What exactly are you trying to do? The cross platform requirement is strange in this context (to me at least)</p></pre>
icholy: <pre><p>Ransomware?</p></pre>
redtuxter: <pre><p>The drive is removable, and users access it after they&#39;re finished writing data to it remotely, they then plug it into a Windows machine.</p> <p>I agree it&#39;s a very unique situation.</p></pre>
kormoc: <pre><p>I’d investigate TrueCrypt personally</p></pre>
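
The arrangement discussed in the thread (a Go service that receives the user's key over the REST API and hands it to a command-line unlock tool), shown for the LUKS option with `cryptsetup`. This is an added example, not code from the thread or from any of the tools named; the function name `unlockCmd`, the `/dev/disk/by-id/` path pattern, the mapping-name pattern and the sample values are assumptions.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"time"
)

// Assumption: udev exposes the removable disk under a stable by-id path, so
// the API only ever accepts names of this shape, never a free-form path.
var (
	allowedDevice = regexp.MustCompile(`^/dev/disk/by-id/[A-Za-z0-9][A-Za-z0-9_.:-]*$`)
	allowedName   = regexp.MustCompile(`^[a-z][a-z0-9_]{0,31}$`)
)

// unlockCmd builds, but does not run, the cryptsetup call. The passphrase is
// fed on stdin (--key-file=-) so it never shows up in the process list.
func unlockCmd(ctx context.Context, device, name string, pass []byte) (*exec.Cmd, error) {
	if !allowedDevice.MatchString(device) || !allowedName.MatchString(name) {
		return nil, errors.New("device or mapping name not allowed")
	}
	if len(pass) == 0 {
		return nil, errors.New("empty passphrase")
	}
	// Argument vector, no shell: request data is never parsed by sh.
	cmd := exec.CommandContext(ctx, "cryptsetup", "open", "--type", "luks",
		"--key-file=-", device, name)
	cmd.Stdin = bytes.NewReader(pass)
	return cmd, nil
}

func main() {
	// Constructed values; needs root and a real LUKS device to succeed.
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	cmd, err := unlockCmd(ctx, "/dev/disk/by-id/usb-EXAMPLE_DISK-0:0", "vault", []byte("constructed-passphrase"))
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	// On success the volume appears as /dev/mapper/vault; tool output stays server-side.
	fmt.Println("unlock result:", cmd.Run())
}
```

With `--key-file=-` cryptsetup reads stdin to EOF without stripping a newline, so the bytes written must match the passphrase exactly.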
