(This is not about restricting client access, for which ext3 permissions do the trick)
I'd like to encrypt the data on my NAS drive (Buffalo LinkStation Pro with SSH access enabled, if that matters) in a user-friendly way. Currently, a TrueCrypt container has to be manually mounted via SSH and also unmounted again (unless you solve my timeout question). Using a passwordless (but EFS-encrypted) SSH key, this is reduced to two PuTTY desktop shortcuts and entering the TrueCrypt password (until simplified further) for mounting.
However, the ideal solution would be transparent. I first thought about trying to somehow have the share allow for EFS encryption, but that would probably involve more work and EFS for multiple users without an Active Directory server seems to be troublesome.
But now my idea is an automated mount of e.g. an EncFS-encrypted directory, triggered automatically by a Samba access from authorized users (using Windows clients). How can that be achieved? (Bonus points for displaying a honeypot share for unauthorized users…)
Best Answer
I'm seeing a sketch of a solution using Samba "logon scripts" - client-side code that runs after a Samba login - but a complete solution needs to complete the sketch with details. Also related are "preexec scripts" - server-side code that runs during a Samba login.
Referencing the smb.conf man page
and also
In your case, though, you really want logon scripts (unencrypted form is mounted on the client), so a solution sketch might involve:
Configure smb.conf so that the relevant users run the logon script, e.g. something like:
logon script = runencfs.bat
For bonus points, your logon script might automate / prompt installation of EncFS (from the Samba share) and only run the mount if it's installed!
Client-side scripts, though, are bound to give you headaches because of the cmd language, ensuring installation of EncFS, and working around Windows gotchas, like Windows 8.1 and up not running the logon scripts till five minutes later unless otherwise configured.
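The server-side half of this sketch can be checked before any client logs in. The following is an added example, not part of the original answer: it assumes Samba acts as a classic logon server ("domain logons = yes") serving the script from a [netlogon] share, and the share path and script contents are constructed samples.

```python
TRUE_VALUES = {"yes", "true", "on", "1"}

# Constructed sample input; the [netlogon] path is an assumption, not from the page.
SAMPLE_CONF = """\
[global]
    domain logons = yes
    logon script = runencfs.bat
[netlogon]
    path = /srv/samba/netlogon
    read only = no
"""
SAMPLE_SCRIPT = b"@echo off\nrem constructed placeholder for runencfs.bat\n"

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            current["".join(key.lower().split())] = value.strip()
    return sections

def is_true(value):
    return value.strip().lower() in TRUE_VALUES

def check_logon_script_setup(conf_text, script_bytes):
    """Return the problems that would stop or weaken the logon script."""
    conf = parse_smb_conf(conf_text)
    glob = conf.get("global", {})
    problems = []
    if not glob.get("logonscript"):
        problems.append("no 'logon script' in [global]")
    if not is_true(glob.get("domainlogons", "no")):
        problems.append("'domain logons' is not enabled")
    share = conf.get("netlogon")
    if share is None:
        problems.append("no [netlogon] share to serve the script")
    elif not is_true(share.get("readonly", "yes")) or is_true(
            share.get("writeable", share.get("writable", "no"))):
        problems.append("[netlogon] is writable; keep it read-only")
    if b"\n" in script_bytes.replace(b"\r\n", b""):
        problems.append("script has bare LF line endings; use CRLF")
    return problems
```

The read-only check matters because the script in [netlogon] is executed on every client that logs on, so write access to that share should be limited to administrators.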