I'd like to address the following scenario:

  • Company keeps documents in-house and not in Cloud
  • Documents are stored on Samba Share
  • Sysadmins have access to the storage so they can dump it
  • The point is to reduce the Evil Sysadmin Threat

I am considering the following solution: use a Samba proxy which performs encryption in a similar fashion to how disk encryption is done today (just on the file level, which is reading, writing, seeking, overwriting from offset etc).

My question is whether there is real software which can perform this task (not imaginary software), and if not, is it worth implementing it, or is there an alternative in the form of some sort of private cloud where it can be solved?

The private cloud would work with MS Office in such a way that the documents are stored there just like in Office Cloud and there's already security built in, which means it's encrypted per user and there's a dedicated key server to which sysadmins do not have access.

[Figure: Samba Encryption via Proxy]

Aria
  • Does your question include client-side encryption (since answers implementing your exact scheme do not seem to rush)? This would seem the most straightforward way to go if I would like to ensure that the data cannot be deciphered by the SMB server administrators (or whoever took control of it). – WhiteWinterWolf Sep 05 '16 at 09:43
  • I'm not following. Your admins only have access to the "shared storage server"? Who maintains the other servers? Surely encryption keys have to be backed up and whoever does the backup has access to the keys. – GnP Sep 05 '16 at 15:27
  • I agree with @WhiteWinterWolf, client-side encryption works well but only for individuals, not for groups. Any other answer probably requires encryption offload hardware so that keys are securely maintained without being accessible to admins. – Julian Knight Sep 12 '16 at 09:20
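
An added sketch, not part of the question or comments and not taken from any existing product, of the file-level layer the question describes: reads, seeks and overwrites at arbitrary offsets are mapped onto fixed-size blocks that are encrypted and authenticated individually, so the share only ever stores ciphertext and the key stays with the client or proxy. The class name `EncryptedFile`, the 4096-byte block size and the on-share layout are assumptions, HMAC-SHA256 from the standard library stands in for AES-CTR plus a MAC (or AES-GCM), and the logical file length is not tracked or authenticated.

```python
import hashlib, hmac, os

BLOCK, NONCE, TAG = 4096, 16, 32      # plaintext block size is an assumed value
STORED = NONCE + BLOCK + TAG          # bytes one block occupies on the share

def _prf(key, *parts):  # HMAC-SHA256: stdlib stand-in for AES-CTR keystream and MAC
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class EncryptedFile:
    """Seekable encryption layer over a file-like backing store (the share)."""
    def __init__(self, key, backing):
        self.k_enc, self.k_mac, self.backing = _prf(key, b"enc"), _prf(key, b"mac"), backing

    def _xor_stream(self, idx, nonce, data):
        ks = b"".join(_prf(self.k_enc, idx, nonce, bytes([c])) for c in range(BLOCK // 32))
        return bytes(a ^ b for a, b in zip(data, ks))

    def _load(self, i):
        self.backing.seek(i * STORED)
        raw = self.backing.read(STORED)
        if not raw:                               # past end of file: reads as zeros
            return bytearray(BLOCK)
        idx, nonce, ct, tag = i.to_bytes(8, "big"), raw[:NONCE], raw[NONCE:-TAG], raw[-TAG:]
        if len(raw) != STORED or not hmac.compare_digest(tag, _prf(self.k_mac, idx, nonce, ct)):
            raise ValueError(f"block {i} is truncated or was modified")
        return bytearray(self._xor_stream(idx, nonce, ct))

    def _store(self, i, plain):
        idx, nonce = i.to_bytes(8, "big"), os.urandom(NONCE)   # fresh nonce per write
        ct = self._xor_stream(idx, nonce, plain)
        self.backing.seek(i * STORED)
        self.backing.write(nonce + ct + _prf(self.k_mac, idx, nonce, ct))

    def _span(self, offset, size):
        done = 0
        while done < size:
            i, off = divmod(offset + done, BLOCK)
            n = min(BLOCK - off, size - done)
            yield i, off, n, done
            done += n

    def read(self, offset, size):
        return b"".join(self._load(i)[off:off + n] for i, off, n, _ in self._span(offset, size))

    def write(self, offset, data):
        for i, off, n, pos in self._span(offset, len(data)):
            plain = self._load(i)                 # read-modify-write of one block
            plain[off:off + n] = data[pos:pos + n]
            self._store(i, plain)
```

The fresh nonce on every block write matters for this threat model: an administrator who dumps the share twice would otherwise see two ciphertexts under the same keystream and could XOR them to learn which bytes changed and how.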