2

I need to encrypt the folder /var/www/test.

The folder contains PHP files. The goal is to prevent any user from reading the PHP content AND if the HD is mounted on another computer, /var/www/test should be encrypted AND if the computer is booted up without any user logged in I would like anyone to be able to access data in /var/www/tests.

What is the correct approach for this?

I've tried "ecryptfs-setup-private" as advised in How to encrypt /var/www? yet it didn't work for me. I might have missed something - I tested the folders while booting with the Ubuntu 12.04 installation disk and mounted the drive, then I was able to access the /var/www/test content, yet this is what I want to prevent.

gnome-encfs isn't the way to go since its decryption happens when a user logs on to the system & I would like the system to be working after a power failure etc. without anyone logged in.

Please advise.

  • possible duplicate http://askubuntu.com/questions/105850/how-to-encrypt-var-www –  Oct 16 '12 at 05:25
  • Query: should a user be able to navigate to www.yourpage.com/test/*.php, or are these completely private files? – jmartin2279 Oct 16 '12 at 06:40
  • Sorry for not making it clear - yes, I would like users to be able to navigate to www.yourpage.com/test/*.php – sirchaos Oct 16 '12 at 07:48
  • Thanks for the info, let me look around at this. I have access to several LAMP servers, so I will try to duplicate the issue and a solution. – jmartin2279 Oct 16 '12 at 15:56
  • Thank you, any testing or data you need, let me know & I'll reply with it. – sirchaos Oct 16 '12 at 23:38
  • Related: http://unix.stackexchange.com/questions/65189/problem-with-encrypting-var-www-and-ikiwiki – student Feb 19 '13 at 13:20

1 Answer

2

I found a way to encrypt the folder. It works by encrypting /var/www, then you mount it in a different location. Example:

I mount the encrypted /var/www, and I have to add files by putting them in /home/jmartin/mounted

As far as making it not visible if the drive is mounted via a live CD or another computer, you would need to have your partition set up as an encrypted LVM. This must be done at the time of installation. It's a clear choice when installing the server; use this guide for desktop: http://ubuntuforums.org/showthread.php?t=1782296

Back to encrypting your folder. Open a terminal and type:

sudo apt-get update && sudo apt-get upgrade

It's a good idea to update before doing anything new. Next, type:

sudo apt-get install encfs

This will install encfs, an encryption tool. Next:

sudo encfs /var/www /home/USERNAME/mounted

The first location is what you are encrypting, the second is where you will access it. Use your username where it says "USERNAME".

To unmount the visible location:

sudo fusermount -u /home/USERNAME/mounted

To unlock and mount:

sudo encfs /var/www /home/USERNAME/mounted

Hope this helps! More info: https://help.ubuntu.com/community/FolderEncryption

  • Thank you for the tutorial! Yet when I access the folder I need to unlock and mount.. but this is exactly the issue: I don't want to type anything. encfs needs me to type my password, so every time the computer is off then on again I need to be near it to type the password to unlock (in both ways, the whole disk encryption of LVM and what you offered). Isn't there a simple way of unlocking folders (automatically) for www-data when only this user tries to access? [Yes this is less secure but the goal is simply to prevent copying my php files]. – sirchaos Oct 17 '12 at 09:38
  • If you're trying to prevent that, it's near impossible given the fact that it's available at www.yoursite.com/*.php.. there are plenty of tools to grab the files that way. Using file encryption simply locks the files from local and network users, which is a good idea anyway. Once it's on the web, it's nigh impossible to prevent downloading. – jmartin2279 Oct 17 '12 at 17:13
  • well I've resolved to violence :P I'll leave no encryption on the drive rather than compiling my php with hiphop php.. That would prevent viewing/modifying the code right? – sirchaos Oct 18 '12 at 00:00
  • To an extent.. there are still tools to download entire sites. Here's the truth - nothing is secret on the internet. – jmartin2279 Oct 18 '12 at 06:29
  • @jmartin2279 Your comment in regards to php files (specifically PHP CODE in php files) being accessible from the web is simply untrue - PHP files are processed on server side. With proper config of Apache / PHP it is not possible for anyone to access your code client side - only the output. As such, servers in a DMZ should have php errors inserted into a log file, and display_errors should be set to 0. If all this is done - and file & folder permissions are properly set (usually 755 for folders / 644 for php files) all should be good on that front. Web scrapers can get html output, not PHP. – webaholik Dec 08 '15 at 17:18
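
The settings named in the last comment (folders 755, PHP files 644, display_errors off) can be audited with a short script. This is an added example, not part of the original thread; the function names are illustrative, and the web root and php.ini path are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit a web root against the settings named in the comment
# above. Function names are illustrative; both paths are caller-supplied.
# Usage: . ./audit.sh; audit_webroot /var/www/test /path/to/php.ini

# Print every directory under $1 whose mode is not exactly 755.
bad_dirs() {
    find "$1" -type d ! -perm 755 -print
}

# Print every *.php file under $1 whose mode is not exactly 644.
bad_php_files() {
    find "$1" -type f -name '*.php' ! -perm 644 -print
}

# Succeed only if the last uncommented display_errors line in php.ini ($1)
# is 0, off, false or no. A missing directive fails, because PHP's built-in
# default is to display errors.
display_errors_off() {
    value=$(sed -n 's/^[[:space:]]*display_errors[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p' "$1" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$value" in
        0|off|false|no) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all three checks, print findings, return non-zero if any check fails.
audit_webroot() {
    status=0
    if [ -n "$(bad_dirs "$1")" ]; then
        bad_dirs "$1" | sed 's/^/directory mode is not 755: /'
        status=1
    fi
    if [ -n "$(bad_php_files "$1")" ]; then
        bad_php_files "$1" | sed 's/^/PHP file mode is not 644: /'
        status=1
    fi
    if ! display_errors_off "$2"; then
        echo "display_errors is not off in $2"
        status=1
    fi
    return "$status"
}
```
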