Hi Jerome,
On 17.07.2014 13:11, Jérôme Revillard wrote:
> Well, truecrypt is perhaps not the way to go:
> http://truecrypt.sourceforge.net/
>
> Do you know a good alternative?
Does it have to be a container, or is per-file encryption sufficient?
(no need for a fixed container size, per-file scaling)
https://en.wikipedia.org/wiki/EncFS
https://en.wikipedia.org/wiki/ECryptfs
However, a distributed key management would make more sense with a
public-key system for distributing symmetric keys (i.e. gpg??)
Unfortunately, I know only about this commercial product (Win, Mac)
providing an encrypted fs with user/group management using asymmetric setup
https://www.boxcryptor.com/en/technical-overview#anc02
Cheers,
Thomas
> Best,
> Jerome
>
> On 17/07/2014 13:07, Jérôme Revillard wrote:
>> encrypted binaries.... I did not think about it yet and will look at
>> it carefully. The decryption key could then be stored in the storage
>> elements with proper acls configured.
>> Concerning the "subset of the 15G", I would say all as we usually
>> don't know which part is really sensitive and which part is not.
>>
>> I will look at truecrypt first .... truecrypt on CVMFS would be great :-)
>>
>> Best,
>> Jerome
>>
>> On 17/07/2014 12:56, Sam Skipsey wrote:
>>> That said, Stephen's quite right that the "obvious" way to do it is to
>>> do the usual UNIX-groups permissions system.
>>>
>>> (I think a more robust system would probably be to use cgroups to
>>> create different mount namespaces for different VOMS roles, but we
>>> definitely can't do that generically with grid middleware as it
>>> stands.)
>>>
>>> Given that CVMFS is world readable... would encrypted binaries work?
>>> (I guess it depends on what subset of the 15G of software needs to be
>>> restricted...)
>>>
>>> Sam
>>>
>>> On 17 July 2014 11:46, Catalin Condurache
>>> <[log in to unmask]> wrote:
>>>> With a CVMFS approach (which I'd also encourage to look into for your first
>>>> request) it is not possible to restrict access (your second request) for
>>>> anyone. CVMFS filespace is publicly readable.
>>>>
>>>> Catalin
>>>>
>>>> From: Michel Jouvin [mailto:[log in to unmask]]
>>>> Sent: 17 July 2014 11:17
>>>> To: [log in to unmask]
>>>> Subject: Re: [LCG-ROLLOUT] Grid software management and protected software
>>>>
>>>> This seems an appropriate use case for CVMFS... This should help with the SW
>>>> distribution. This will not help with restricting access to the SW but I
>>>> think that this is something that must be handled by the SW itself (have a
>>>> list of legitimate users and refuse to start with a user outside this list).
>>>>
>>>> Cheers,
>>>>
>>>> Michel
>>>>
>>>> On 17/07/2014 11:45, Daniela Bauer wrote:
>>>>
>>>> Hi,
>>>>
>>>> Can you not just put the software in the software area for your VO ? I can't
>>>> imagine 15 GB (or even 100 or so) being an issue anywhere.
>>>>
>>>> I don't think there's a mechanism to restrict software to a specific subset
>>>> of users, I guess you could add something to your software that checks for a
>>>> certain role in the proxy and only runs if the user's proxy has that role,
>>>> but otherwise you are probably out of luck.
>>>>
>>>> Cheers,
>>>>
>>>> Daniela
>>>>
>>>>
>>>>
>>>> On 17 July 2014 08:29, Jérôme Revillard <[log in to unmask]> wrote:
>>>>
>>>> Dear all,
>>>>
>>>> In the vo.neugrid.eu VO, we install a couple of huge software into the
>>>> sites. Some (most) of these software are bigger than 15Gb so you can easily
>>>> imagine that every user cannot download it for every single job that he wants
>>>> to run.
>>>>
>>>> A new constraint came into the picture a couple of weeks ago. Indeed, some
>>>> of the software that we have to install must be restricted to a sub-part of
>>>> the VO users but we don't know actually how to achieve it using the Grid
>>>> software management framework....
>>>>
>>>> Is there a way to do that still without having to download the soft for
>>>> every job (even from the local SE)?
>>>>
>>>> Best,
>>>> Jerome
>>>>
>>>> --
>>>> =====================================================
>>>> Dr Jérôme Revillard
>>>> CTO MAAT/GNUBILA France
>>>> www.gnubila.fr
>>>>
>>>> 174 Impasse des Prés d'en Bas
>>>> 74370 Argonay (France)
>>>>
>>>> Mob. 0033 676 108 185
>>>> Tel. 0033 450 685 601
>>>> =====================================================
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Sent from the pit of despair
>>>>
>>>> -----------------------------------------------------------
>>>> [log in to unmask]
>>>> HEP Group/Physics Dep
>>>> Imperial College
>>>> London, SW7 2BW
>>>> Tel: +44-(0)20-75947810
>>>> http://www.hep.ph.ic.ac.uk/~dbauer/
>>>>
>>>>
>>
>
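
The check Daniela describes in the thread above (run only if the user's proxy carries a certain role) could sit in a job wrapper along these lines; this is an added example, not code from anyone in the thread. The group `/vo.neugrid.eu/restricted` and role `licensed` are hypothetical, and it assumes the VOMS client command `voms-proxy-info --fqan` is available on the worker node.

```shell
#!/bin/sh
# Added example: refuse to launch restricted software unless the user's VOMS
# proxy carries a given group and role. Group and role names are hypothetical.
# This only gates the wrapper: as noted in the thread, files on CVMFS stay
# publicly readable.
REQUIRED_GROUP="/vo.neugrid.eu/restricted"
REQUIRED_ROLE="licensed"

# Constructed sample of `voms-proxy-info --fqan` output (one FQAN per line).
SAMPLE_FQANS='/vo.neugrid.eu/restricted/Role=licensed/Capability=NULL
/vo.neugrid.eu/Role=NULL/Capability=NULL'

# fqan_allows GROUP ROLE
# Reads FQANs on stdin; succeeds only if one is exactly GROUP/Role=ROLE.
# Exact comparison avoids accepting look-alikes such as Role=licensedX or
# a sibling group whose name merely starts with GROUP.
fqan_allows() {
    want="$1/Role=$2"
    # "|| [ -n ... ]" also handles a last line without a trailing newline.
    while IFS= read -r fqan || [ -n "$fqan" ]; do
        fqan=${fqan%/Capability=*}      # drop the trailing capability field
        if [ "$fqan" = "$want" ]; then
            return 0
        fi
    done
    return 1
}

# check_proxy: 0 = allowed, 1 = required role missing, 2 = no usable proxy.
check_proxy() {
    fqans=$(voms-proxy-info --fqan 2>/dev/null) || return 2
    printf '%s\n' "$fqans" | fqan_allows "$REQUIRED_GROUP" "$REQUIRED_ROLE"
}
```

In a wrapper, `check_proxy || exit 1` would go before the line that starts the software.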