[slurm-users] work with sensitive data

Renfro, Michael Renfro at tntech.edu
Fri Dec 17 23:32:23 UTC 2021


Untested, but given a common service account with a GPG key pair, a user with a GPG key pair, and the EncFS encrypted with a password, the user could encrypt a password with their own private key and the service account's public key, and leave it alongside the EncFS.

If the service account is monitoring a common area for new files, it can grab the EncFS and the doubly-encrypted password, decrypt the password with its own private key and the user's public key, unlock the EncFS, and run the job.

Afterwards, the service account can re-lock the EncFS and let the user unlock it for viewing final results.

From: slurm-users <slurm-users-bounces at lists.schedmd.com> on behalf of Michał Kadlof <m.kadlof at mini.pw.edu.pl>
Date: Friday, December 17, 2021 at 4:41 PM
To: slurm-users at lists.schedmd.com <slurm-users at lists.schedmd.com>
Subject: Re: [slurm-users] work with sensitive data

On 15.12.2021 10:29, Hermann Schwärzler wrote:
We are currently looking into telling our users to use EncFS (https://en.wikipedia.org/wiki/EncFS) for this.

This looks good to me. However, it looks like it still requires an interactive job to provide the password manually. It would be great if anyone could point out how to decrypt it with "sbatch".

Do you know what happens with the "decrypted" mount point after the job runs out of time, or is killed for another reason? Is it then unmounted automatically? Does it remain safe when left mounted permanently (for example on an access node)?
--
best regards
Michał Kadlof
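
The exchange described in the reply at the top of this message, sketched as an added example that is not part of the original thread and has not been run against a real cluster: the user signs and encrypts the EncFS password, and the service account releases it only after checking the signer, so no interactive prompt is needed. The function names, key identifiers, the pinned fingerprint argument, `--trust-model always` (the caller pins keys by fingerprint instead of using the web of trust) and the 10-minute idle timeout are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Key IDs, fingerprints, paths and function names are assumptions.

# User side: read the EncFS password on stdin, sign it with the user's
# private key and encrypt it to the service account's public key.
seal_password() {   # seal_password <user-key> <service-key> <outfile>
    gpg --batch --yes --quiet --trust-model always \
        --local-user "$1" --recipient "$2" \
        --sign --encrypt --output "$3"
}

# Service side: decrypt with the service private key and release the password
# only if it carries a valid signature from the pinned fingerprint
# (40 uppercase hex digits, no spaces). Unsigned or foreign files are refused.
open_password() {   # open_password <signer-fingerprint> <sealed-file>
    local status pw rc=1
    status=$(mktemp) || return 1
    if pw=$(gpg --batch --quiet --status-file "$status" --decrypt "$2" 2>/dev/null) &&
       awk -v f="$1" '$2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
                      END { exit !ok }' "$status"; then
        printf '%s' "$pw"; rc=0
    fi
    rm -f "$status"
    return "$rc"
}

# Service side: unlock the EncFS, run the job, then re-lock it.
# --idle=10 is a backstop: if this script is killed before the unmount,
# encfs unmounts by itself after 10 minutes of inactivity.
run_locked_job() {  # run_locked_job <signer-fpr> <sealed> <encfs-dir> <mountpoint> <cmd...>
    local fpr=$1 sealed=$2 enc=$3 mnt=$4 pw rc
    shift 4
    pw=$(open_password "$fpr" "$sealed") || return 1
    printf '%s\n' "$pw" | encfs --stdinpass --idle=10 "$enc" "$mnt" || return 1
    unset pw
    "$@"; rc=$?
    fusermount -u "$mnt"
    return "$rc"
}
```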