[Nepomuk] Indexing encrypted filesystems

Martin Steigerwald Martin at lichtvoll.de
Sat Mar 24 11:12:29 UTC 2012


On Friday, 23 March 2012, Volker Krause wrote:
> On Thursday 22 March 2012 20:53:57 Ivan Čukić wrote:
> > > then why don't you just encrypt everything? What would be wrong with
> > > that?
> > 
> > In order for nepomuk and plasma active to work, the encrypted stuff
> > would need to be mounted on boot
> > 
> >  - not everything is private, no need to encrypt everything
> >  - no way to enter the password on a touch device before x starts,
> >    leading to a lot of complications
> >  - if it is mounted on boot, all data is accessible to all programs
> >    that are running and all users of the device (not covering all the
> >    use-cases PA wants to cover, including a theft of an already running
> >    device)
> > 
> > Encrypted folders are mounted *only* when the user is in a private
> > activity, and are encrypted using the password that is
> > activity-specific.
> 
> That sounds exactly like what we wanted to achieve in KDE PIM back then as
> well. We had one crypto container for each of your private keys, so
> the index database was encrypted in exactly the same way as the
> original content, which means you can only access the indexed
> information when you are also able to access the original content too
> (ie. your corresponding private key has been unlocked by
> password/smartcard/etc). IMHO it's a sound concept from the security
> and privacy POV.
> 
> If we actually find a way to solve this problem, I'd be very interested
> in reviving the encrypted email indexing code :)

Would it be possible to have encryption on single Virtuoso database 
entries?

Then just encrypt everything on a certain encrypted directory with some 
key and everything from another encrypted directory with some other key 
and then store those each key in the respective encrypted directory while 
keeping everything else in the central Virtuoso instance.

That would need some standard and transparent way of encrypting any particular 
Virtuoso entry though. Maybe that's even something which could be included 
in Virtuoso itself?

This would somehow resemble the ecryptfs and encfs way to store single 
files - aka nepomuk entries here - instead of complete block devices - aka 
whole Virtuoso database.

-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7
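
The per-entry scheme proposed in the message above, sketched as an added example (not part of the original post and not Nepomuk or Virtuoso code): one shared index holds records that are each sealed with AES-GCM under the key of their directory. The names `Entry`, `Seal` and `Readable`, the directory labels and the sample keys are assumptions made for illustration; the key map stands in for key files read from the directories that are currently mounted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Entry struct { // one record in the shared index
	Dir         string // directory label, stored in the clear
	Nonce, Blob []byte // AES-GCM nonce and ciphertext of the statement
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key is not 16, 24 or 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Seal encrypts stmt under its directory's key; dir is bound as associated data.
func Seal(key []byte, dir, stmt string) Entry {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return Entry{dir, nonce, gcm.Seal(nil, nonce, []byte(stmt), []byte(dir))}
}

// Readable returns only the statements whose directory key is present in keys.
func Readable(index []Entry, keys map[string][]byte) (out []string) {
	for _, e := range index {
		if key, ok := keys[e.Dir]; ok {
			if pt, err := aead(key).Open(nil, e.Nonce, e.Blob, []byte(e.Dir)); err == nil {
				out = append(out, string(pt))
			}
		}
	}
	return out
}

func main() { // constructed 32-byte sample keys; real keys would be random
	work, priv := []byte("constructed-key-for-work-dir-32b"), []byte("constructed-key-for-private-32b!")
	index := []Entry{Seal(work, "work", "report.odt tag:budget"), Seal(priv, "private", "letter.odt tag:medical")}
	fmt.Println(Readable(index, map[string][]byte{"work": work})) // only "work" is mounted
}
```

Sealed records are opaque to the store, so it cannot search or join over them until the matching key is present, and the directory label, record count and record sizes remain visible to anyone who can read the index.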

