Untested, but given a common service account with a GPG key pair, a user with a 
GPG key pair, and the EncFS encrypted with a password, the user could encrypt a 
password with their own private key and the service account's public key, and 
leave it alongside the EncFS.

If the service account is monitoring a common area for new files, it can grab 
the EncFS and the doubly-encrypted password, decrypt the password with its own 
private key and the user's public key, unlock the EncFS, and run the job.

Afterwards, the service account can re-lock the EncFS and let the user unlock 
it for viewing final results.

From: slurm-users <slurm-users-boun...@lists.schedmd.com> on behalf of Michał 
Kadlof <m.kad...@mini.pw.edu.pl>
Date: Friday, December 17, 2021 at 4:41 PM
To: slurm-users@lists.schedmd.com <slurm-users@lists.schedmd.com>
Subject: Re: [slurm-users] work with sensitive data


On 15.12.2021 10:29, Hermann Schwärzler wrote:
We are currently looking into telling our users to use EncFS 
(https://en.wikipedia.org/wiki/EncFS) for this.

This looks good to me. However, it looks like it still requires an interactive 
job to provide the password manually. It would be great if anyone could point 
out how to decrypt it with "sbatch".

Do you know what happens with the "decrypted" mount point after a job runs out 
of time or is killed for another reason? Is it then unmounted automatically? 
Does it remain safe when left mounted permanently (for example on an access node)?
--
best regards
Michał Kadlof
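
The flow proposed in the top reply, sketched as an added example that is not part of the thread: the user signs the EncFS password with their own key and encrypts it to the service account's key, and the service account mounts without a prompt only after confirming who signed it. The function names, arguments and paths are assumptions; it assumes GnuPG 2.x and EncFS are installed and both public keys are already in the relevant keyrings.

```shell
#!/bin/sh
# Added example (not from the thread). Key IDs, paths and names are placeholders.

# Return 0 only if gpg's --status-fd output contains a VALIDSIG line whose
# primary-key fingerprint (the last field) equals the expected fingerprint.
# Anything else, including a missing signature, fails closed.
signer_ok() {   # signer_ok <status-text> <expected-fingerprint>
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# User side: password on stdin, signed by the user's default key and
# encrypted to the service account's public key.
wrap_password() {   # wrap_password <service-key-id> <output-file>
    gpg --batch --yes --sign --encrypt --recipient "$1" --output "$2"
}

# Service side: decrypt, check the signer, then mount non-interactively.
# EncFS needs absolute paths for both directories.
unlock_encfs() {    # unlock_encfs <wrapped-file> <user-fpr> <cipher-dir> <mount-dir>
    ue_status=$(mktemp) || return 1
    ue_pw=$(gpg --batch --quiet --status-fd 3 --decrypt "$1" 3>"$ue_status")
    ue_rc=$?
    ue_report=$(cat "$ue_status")
    rm -f "$ue_status"
    [ "$ue_rc" -eq 0 ] || return 1
    if ! signer_ok "$ue_report" "$2"; then
        echo "password file not signed by expected user; not mounting" >&2
        return 1
    fi
    # --stdinpass makes encfs read the password from stdin instead of prompting.
    printf '%s\n' "$ue_pw" | encfs --stdinpass "$3" "$4"
}

# Re-lock after the job so only the ciphertext directory remains readable.
lock_encfs() {      # lock_encfs <mount-dir>
    fusermount -u "$1"
}
```

Without the signer check, anyone able to write into the watched area could supply a password file encrypted to the service account's public key.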
