If I have a file with permissions and ownership like -rw------- 1 root root, is this file encrypted?
I am asking this because I am wondering how the file is really protected against being read as plain bytes and then reconstructed by some non-root user, or by an attacker.
No. The file is still what the file is. If someone reboots into a live session, the file is visible to ANY user that does the reboot. Same if someone takes out the hard disk and mounts it in another system where they are admin.
An encrypted file would be inaccessible whatever method you used.
All -rw------- 1 root root does is make a file readable and writable by a user "root" and not by the group "root" and not by "others". Pretty strict, but not good enough if you never want someone to pry into it. The ONLY working method to prevent access by anyone on a system is not storing the file on that system.
No, just because a file is owned by e.g. root or a different user than yours does not encrypt it. Depending on the file's permissions set for the owner, group and all others, the system will either grant or deny a user access to the file in a specific way. Of course, this protection only works against other processes, while the system is running and in control of all file I/O. You can read any file by simply booting a different operating system and mounting your disk.
In short, no. File ownership and access permissions are a kind of access control. Encryption and access control are orthogonal (here meaning "independent") concepts. Both are methods to implement/enforce authorization.
Encryption means that only agents in possession of the decryption key can gain access to the decrypted "plain text" of a file or data object. This access can be (temporarily) extended to other agents, e. g. users of the same system that holds the decryption key in memory.
Access Control means that an authority, e. g. an operating system running on a computer, decides who gets which kind of access to which resource (which may be a file, data object, or something else).
Why are they independent?
An operating system may know how to decrypt an encrypted data object to gain access to its plain text but that doesn't mean that it extends this access to all its users. It will commonly use access control databases to decide to whom to extend access (if at all).
Conversely, a user may have access to an encrypted dataset but, lacking a valid decryption key, cannot make any sense of it, i. e. cannot access its plain text. (This is not currently possible with any of the file systems and file system tools shipped with Ubuntu but such features are in development for out-of-the-box Ubuntu in the form of new ext4 features and already available in other file systems, e. g. ZFS and NTFS, albeit not necessarily on Linux.)
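The contrast drawn in the answers above, as an added example that is not part of the original thread: the same constructed secret is written once protected only by mode 0600 and once encrypted, and the script reports that the permission bits live in inode metadata while the bytes on disk are unchanged, whereas the encrypted copy no longer reveals the secret without the key. The keystream built from HMAC-SHA256 is a toy used only to make the difference visible, not a real cipher.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Constructed sample content standing in for a root-only configuration file.
SECRET = b"db_password=hunter2\n"


def write_private_file(path, data):
    """Create the file with mode 0600 from the start, then write the bytes."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def mode_bits(path):
    """Permission bits are inode metadata; they never touch the file's content."""
    return stat.S_IMODE(os.stat(path).st_mode)


def raw_bytes(path):
    """The bytes a reader that bypasses the running kernel (live CD, pulled disk) sees."""
    with open(path, "rb") as f:
        return f.read()


def keystream_xor(key, nonce, data):
    """Toy stream cipher from HMAC-SHA256 counter blocks; illustration only, not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def demo():
    """Write the secret twice: once guarded only by 0600, once encrypted under a random key."""
    with tempfile.TemporaryDirectory() as d:
        plain_path, enc_path = os.path.join(d, "secret.txt"), os.path.join(d, "secret.enc")
        write_private_file(plain_path, SECRET)
        key, nonce = os.urandom(32), os.urandom(16)
        write_private_file(enc_path, nonce + keystream_xor(key, nonce, SECRET))
        enc_bytes = raw_bytes(enc_path)
        return {
            "plain_mode": mode_bits(plain_path),                        # 0o600
            "plain_bytes_readable": SECRET in raw_bytes(plain_path),    # True: chmod changed nothing on disk
            "enc_mode": mode_bits(enc_path),                            # 0o600 as well
            "enc_bytes_readable": b"hunter2" in enc_bytes,              # False: ciphertext hides the secret
            "decrypts_with_key": keystream_xor(key, enc_bytes[:16], enc_bytes[16:]) == SECRET,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, oct(value) if name.endswith("mode") else value)
```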