So I need to unlock an encfs directory (not home), with the user's password, when the user connects to the device via SMB.
The user has no other access - no SSH, GUI, etc. This would (almost certainly) need to be done via a server-side shell script that gets invoked by Samba, when the user logs on to Samba.
I know there may be sincere expressions of concern over security and best-practices, so just to head those off and not get sidetracked, let me say (or skip these bullets if you just want to answer the question as-asked):
- Thank you.
- I know this may not be "safe" standard IT client/server practice, as it could involve easily exploitable weaknesses (e.g. a script to hack).
- I know that encfs is riddled with known weaknesses, and the release version is not well-maintained.
- This is for a narrow, particular embedded use case - and a proof-of-concept at that. The gate - and only goal - here is to have Samba unlock (or trigger doing so) a transparent stacked file-based encryption, with no user intervention other than connecting with valid Samba credentials.
- Encfs or similar per-file stacked encryption-as-normal-files is a hard requirement. Whether that's EncFS, eCryptFS, CryFS, gocryptfs - in-kernel or user-space FUSE - doesn't matter at this point. (I'm aware that eCryptFS is abandonware, and that they all have pros, cons, weaknesses - as does stacked per-file encryption in general.) It just can't be LUKS, VeraCrypt - any loopback container - ZFS, etc.
If there's also a way to capture a Samba disconnect or timeout event at the server-side that would also be great, but not a deal-breaker.
The server is Ubuntu 22.04 Server. The client is any SMB3-capable client.
Thanks!