Difference between revisions of "ECryptfs"

From Sabayon Wiki
m
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{Warning| '''Work in Progress'''}}
 
 
 
==Summary==
 
==Summary==
  
Line 89: Line 87:
 
   ecryptfs_key_bytes=16
 
   ecryptfs_key_bytes=16
 
   ecryptfs_cipher=aes
 
   ecryptfs_cipher=aes
   ecryptfs_sig=fe678c9b42ee0615
+
   ecryptfs_sig=fe465c9b42ee0999
 
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
 
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
 
it looks like you have never mounted with this key  
 
it looks like you have never mounted with this key  
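Review bot: the new sample value ecryptfs_sig=fe465c9b42ee0999 in this hunk does not match the fe848c9b42ee0999 used in the mount-options and /etc/fstab examples added later in this revision. A reader who follows the page top to bottom will expect the signature printed by the first mount to be the one that ends up in fstab, so use a single sample signature throughout.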
Line 96: Line 94:
  
 
Would you like to proceed with the mount (yes/no)? : yes
 
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [fe678c9b42ee0615] to
+
Would you like to append sig [fe465c9b42ee0999] to
 
[/root/.ecryptfs/sig-cache.txt]  
 
[/root/.ecryptfs/sig-cache.txt]  
 
in order to avoid this warning in the future (yes/no)? : yes
 
in order to avoid this warning in the future (yes/no)? : yes
Line 113: Line 111:
 
{{Console| <pre class="clear"> # umount /home/<username> </pre>}}
 
{{Console| <pre class="clear"> # umount /home/<username> </pre>}}
  
==Auto mount the encrypted $HOME using PAM_MOUN==
+
==Auto mount the encrypted $HOME using PAM_MOUNT==
  
 
In order to use our encrypted home folder we have to mount it at login time. To do that we are going to use the pam_mount package.
 
In order to use our encrypted home folder we have to mount it at login time. To do that we are going to use the pam_mount package.
Line 124: Line 122:
  
 
To avoid that eCryptfs will ask for the password at each login we will wrap the passphrase with the login passphrase of the user.
 
To avoid that eCryptfs will ask for the password at each login we will wrap the passphrase with the login passphrase of the user.
 +
 +
{{Console| <pre class="clear"> # ecryptfs-wrap-passphrase /home/<username>/.ecryptfs/wrapped-passphrase  </pre>}}
 +
 +
The program will ask you first for the passphrase of the eCryptfs-mount and then for a wrapping passphrase. We will use the login password as wrapping passphrase.
 +
 +
Now we create an auto mount file in the .ecryptfs directory of the user.
 +
 +
{{Console| <pre class="clear"> # touch /home/<username>/.ecryptfs/auto-mount  </pre>}}
 +
 +
And of course we have to make sure, that the user is the owner of its .ecryptfs directory.
 +
 +
{{Console| <pre class="clear"> # chown -R <username>:<username> /home/<username>/.ecryptfs  </pre>}}
 +
 +
In the next step we have to configure pam to use the eCryptfs and pam_mount at login time. To do that we have to add some lines to the '/etc/pam.d/system-auth' file. Pleas take care about the order of the entries!
 +
 +
{{File| /etc/pam.d/system-auth|<pre class="clear">[...]
 +
auth required pam_unix.so [...]
 +
auth optional pam_ecryptfs.so unwrap
 +
auth optional pam_permit.so
 +
auth optional pam_mount.so
 +
 +
[...]
 +
 +
password required pam_unix.so [...]
 +
password optional pam_ecryptfs.so
 +
 +
[...]
 +
session required pam_unix.so
 +
[...]
 +
session optional pam_mount.so</pre>}}
 +
 +
Now we have to configure pam_mount to auto mount our encrypted directory. First we have to add the 'luserconf' parameter in order to tell pam_mount to use user defined configuration files which can be found at the root of their home directory. Second we will have to define the mount command that is used for lclmount. A typical pam_mount.conf.xml can look like this:
 +
 +
{{File| /etc/security/pam_mount.conf.xml|<pre class="clear"><?xml version="1.0" encoding="utf-8" ?>
 +
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
 +
 +
<pam_mount>
 +
 +
<debug enable="0" />
 +
 +
<luserconf name=".pam_mount.conf.xml" />
 +
 +
<mntoptions allow="verbosity,users,noauto,rw,exec,nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,ecryptfs_key_bytes,ecryptfs_cipher,ecryptfs_fnek_sig,ecryptfs_unlink_sigs,ecryptfs_sig" />
 +
<mntoptions require="" />
 +
 +
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
 +
 +
<logout wait="0" hup="0" term="0" kill="0" />
 +
 +
<lclmount>/bin/mount -i %(VOLUME) "%(before=\"-o\" OPTIONS)"</lclmount>
 +
 +
</pam_mount></pre>}}
 +
 +
And finally we define the user entry for pam_mount
 +
 +
{{File| /home/<username>/.pam_mount.conf.xml|<pre class="clear"><pam_mount>
 +
<volume noroot="1" fstype="ecryptfs" path="/home/.ecryptfs/<username>/.Private" mountpoint="/home/<username>"/>
 +
</pam_mount></pre>}}
 +
 +
We are almost ready. Now just we have to decide in which way we let the common user mount a file system. Normally only root can mount hence under this conditions we would get a permission error. One way would be to make the mount command suid root. But I dont prefer this approach since I consider it a security risk. Another approach would be to use sudo and define the lclmount command in the /etc/security/pam_mount.conf.xml. The approach I use is simply an entry in the /etc/fstab with user flag to allow the user to mount his file system.
 +
 +
We remember the /root/ecryptfs_mount_options_<username> that we created before. Now we are gonna need it. The content of this file should look something like:
 +
 +
{{File| /root/ecryptfs_mount_options_<username>|<pre class="clear">/home/.ecryptfs/<username>/.Private on /home/<username> type ecryptfs (rw,ecryptfs_sig=fe848c9b42ee0999,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough,ecryptfs_unlink_sigs)</pre>}}
 +
 +
Now we have to change this line in order to fit the fstab syntax and we also have to add the user and noauto option. If you want to execute files in your home directory you may also add the exec option. So our final entry in /etc/fstab should look like this:
 +
 +
{{File| /etc/fstab|<pre class="clear">/home/.ecryptfs/<username>/.Private /home/<username> ecryptfs noauto,user,exec,rw,ecryptfs_sig=fe848c9b42ee0999,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough,ecryptfs_unlink_sigs 0 0</pre>}}
 +
 +
If you have done everything correct, the next time that the user logs in the new encrypted file system should be present. If not you will still see the .ecryptfs configuration directory.
 +
 +
If everything works well you can copy back the home backup folder into the home folder.
 +
 +
==Sources==
 +
 +
[http://en.gentoo-wiki.com/wiki/Encrypt_home_directory_with_ecryptfs Encrypt home directory with ecryptfs in the Gentoo wiki]
 +
 +
[http://wiki.archlinux.org/index.php/ECryptfs ArchWiki - eCryptfs]
 +
 +
 +
[[Category:HOWTOs| En]]
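Review bot: `<mntoptions require="" />` in the added /etc/security/pam_mount.conf.xml leaves no mount option enforced, while the same file enables luserconf and allows allow_root, allow_other, loop and exec for user-defined volumes. The volume defined in /home/<username>/.pam_mount.conf.xml only needs the ecryptfs_* options, so consider trimming the allow list to those and setting require="nosuid,nodev". The added prose also carries the typos "Pleas" and "dont".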

Revision as of 08:25, 24 February 2013

Summary

eCryptfs is a file system that lets you encrypt files and folders. The main advantage of eCryptfs is that you don't have to encrypt whole partitions. You can instead define a folder on the local file system to be mounted with the eCryptfs file system. All data stored in a folder that is mounted with eCryptfs is encrypted immediately.

Creating a private folder using eCryptfs

Here I will describe how to create a private (encrypted) folder within your $HOME directory. To start we will need to install the 'ecryptfs-utils' package.

 # equo install ecryptfs-utils 

eCryptfs comes with predefined scripts to set up a private directory. A prerequisite is that the group 'ecryptfs' is defined and the user who executes the script is a member of this group.

 # groupadd ecryptfs 
 # usermod -a -G ecryptfs <username> 

After this is done we can run the setup script as user:

 $ ecryptfs-setup-private 

The output should look like this:

Enter your login passphrase [<username>]: 
Enter your mount passphrase [leave blank to generate one]: 

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************


Done configuring.

Testing mount/write/umount/read...
Inserted auth tok with sig [e92ed746d5b6af67] into the user session keyring
Inserted auth tok with sig [e5194342fe7d8bf5] into the user session keyring
Inserted auth tok with sig [e92ed332d5b6af67] into the user session keyring
Inserted auth tok with sig [e5948744fe7d8bf5] into the user session keyring
Testing succeeded.

Logout, and log back in to begin using your encrypted directory.

After the setup has completed successfully you will find the new directories '.Private' and 'Private' in your $HOME. The '.Private' directory contains the encrypted files and is mounted into the 'Private' directory. The setup script creates a shortcut to mount the '.Private' directory and a README file. If these files are present, the encrypted directory is not mounted yet, so we have to mount it before we can store our files encrypted. To do that we execute the following command:

 $ ecryptfs-mount-private 

Now all the files and folders we create in the 'Private' folder are gonna be encrypted immediately.

You can add 'ecryptfs-mount-private' to your autostart options so that the private folder gets mounted on login. In some cases it is necessary to make the script '/usr/bin/ecryptfs-mount-private' suid root in order to be able to mount the private folder as a normal user.

Encrypt the whole $HOME directory using ecryptfs

Encrypting the home directory of a user requires a bit more manual work. First back up the home directory of the target user:

 # cp -a /home/<username> /home/<username>_backup 

Now we are going to create the encrypted folder that is going to be mounted in the user's home directory.

 # mkdir -p /home/.ecryptfs/<username>/.Private 

That done, we can initially mount the directory using eCryptfs.

 # mount -t ecryptfs /home/.ecryptfs/<username>/.Private /home/<username> 

The output should look like this:

passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: y
Enable filename encryption (y/n) [n]: 
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_passthrough
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=fe465c9b42ee0999
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [fe465c9b42ee0999] to
[/root/.ecryptfs/sig-cache.txt] 
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

First eCryptfs asks you for a passphrase for the encrypted file system. Enter a secure password there! Next you are asked about your encryption preferences. NOTE: if you want to enable filename encryption, please keep in mind that it can cause problems if you are using long file names. At the first mount a warning is shown that the current signature cannot be found in the signature store. Answer both questions with yes in order to add the current signature!

Next we have to store the mount information in a file, since we will need it for the auto mount:

 # mount | grep ecryptfs > /root/ecryptfs_mount_options_<username> 

At this point we are done with the preparation of the encrypted folder. The next step is to automatically mount the encrypted folder at login time. But first we have to unmount the encrypted folder.

 # umount /home/<username> 

Auto mount the encrypted $HOME using PAM_MOUNT

In order to use our encrypted home folder we have to mount it at login time. To do that we are going to use the pam_mount package.

 # equo install pam_mount 

Next we copy the signature store to the unmounted user home. Please make sure that the encrypted folder is not mounted at this time!

 # cp -r /root/.ecryptfs /home/<username> 

To keep eCryptfs from asking for the passphrase at each login, we will wrap the passphrase with the login passphrase of the user.

 # ecryptfs-wrap-passphrase /home/<username>/.ecryptfs/wrapped-passphrase  

The program will ask you first for the passphrase of the eCryptfs-mount and then for a wrapping passphrase. We will use the login password as wrapping passphrase.

Now we create an auto mount file in the .ecryptfs directory of the user.

 # touch /home/<username>/.ecryptfs/auto-mount  

And of course we have to make sure that the user is the owner of their .ecryptfs directory.

 # chown -R <username>:<username> /home/<username>/.ecryptfs  

In the next step we have to configure PAM to use eCryptfs and pam_mount at login time. To do that we have to add some lines to the '/etc/pam.d/system-auth' file. Please pay attention to the order of the entries!

File: /etc/pam.d/system-auth
[...]
auth		required	pam_unix.so [...]
auth		optional	pam_ecryptfs.so unwrap
auth		optional	pam_permit.so
auth		optional	pam_mount.so

[...]

password	required	pam_unix.so [...]
password	optional	pam_ecryptfs.so

[...]
session		required	pam_unix.so
[...]
session		optional	pam_mount.so

Now we have to configure pam_mount to auto mount our encrypted directory. First we have to add the 'luserconf' parameter in order to tell pam_mount to use user defined configuration files which can be found at the root of their home directory. Second we will have to define the mount command that is used for lclmount. A typical pam_mount.conf.xml can look like this:

File: /etc/security/pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">

<pam_mount>

<debug enable="0" />

<luserconf name=".pam_mount.conf.xml" />

<mntoptions allow="verbosity,users,noauto,rw,exec,nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,ecryptfs_key_bytes,ecryptfs_cipher,ecryptfs_fnek_sig,ecryptfs_unlink_sigs,ecryptfs_sig" />
<mntoptions require="" />

<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>

<logout wait="0" hup="0" term="0" kill="0" />

<lclmount>/bin/mount -i %(VOLUME) "%(before=\"-o\" OPTIONS)"</lclmount>

</pam_mount>

And finally we define the user entry for pam_mount:

File: /home/<username>/.pam_mount.conf.xml
<pam_mount>
<volume noroot="1" fstype="ecryptfs" path="/home/.ecryptfs/<username>/.Private" mountpoint="/home/<username>"/>
</pam_mount>

We are almost ready. Now we just have to decide how to let an ordinary user mount a file system. Normally only root can mount, so under these conditions we would get a permission error. One way would be to make the mount command suid root, but I don't prefer this approach since I consider it a security risk. Another approach would be to use sudo and define the lclmount command in /etc/security/pam_mount.conf.xml. The approach I use is simply an entry in /etc/fstab with the user flag, which allows the user to mount his file system.

We remember the /root/ecryptfs_mount_options_<username> that we created before. Now we are gonna need it. The content of this file should look something like:

File: /root/ecryptfs_mount_options_<username>
/home/.ecryptfs/<username>/.Private on /home/<username> type ecryptfs (rw,ecryptfs_sig=fe848c9b42ee0999,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough,ecryptfs_unlink_sigs)

Now we have to change this line to fit the fstab syntax, and we also have to add the user and noauto options. If you want to execute files in your home directory you may also add the exec option. So our final entry in /etc/fstab should look like this:

File: /etc/fstab
/home/.ecryptfs/<username>/.Private /home/<username> ecryptfs noauto,user,exec,rw,ecryptfs_sig=fe848c9b42ee0999,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough,ecryptfs_unlink_sigs 0 0
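
The conversion from the saved mount line to the /etc/fstab entry can be scripted. The following is an added example, not part of the original wiki page; the function name mount_line_to_fstab and the user name alice are hypothetical, and it assumes paths without spaces.

```sh
#!/bin/sh
# Added example (not from the wiki page): build the /etc/fstab entry from the
# line saved with `mount | grep ecryptfs`.

# Constructed sample input, in the shape shown above, for a user "alice".
SAMPLE_LINE='/home/.ecryptfs/alice/.Private on /home/alice type ecryptfs (rw,ecryptfs_sig=fe848c9b42ee0999,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough,ecryptfs_unlink_sigs)'

# mount_line_to_fstab LINE [exec]
# Prints the fstab entry; pass "exec" as second argument to add the exec option.
mount_line_to_fstab() {
    line=$1
    extra="noauto,user"
    if [ "${2:-}" = "exec" ]; then
        extra="$extra,exec"
    fi

    # Expected shape: SRC on DST type ecryptfs (OPTIONS)
    case $line in
        *" on "*" type ecryptfs ("*")") ;;
        *) echo "not an ecryptfs mount line" >&2; return 1 ;;
    esac

    src=${line%%" on "*}                  # lower (encrypted) directory
    rest=${line#*" on "}
    dst=${rest%%" type ecryptfs ("*}      # mount point
    opts=${rest#*" type ecryptfs ("}
    opts=${opts%")"}                      # option list without parentheses

    # Without the key signature the mount helper would have to ask for it,
    # which cannot work during an unattended login mount.
    case ",$opts" in
        *,ecryptfs_sig=*) ;;
        *) echo "no ecryptfs_sig in mount options" >&2; return 1 ;;
    esac

    printf '%s %s ecryptfs %s,%s 0 0\n' "$src" "$dst" "$extra" "$opts"
}

mount_line_to_fstab "$SAMPLE_LINE" exec
```
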

If you have done everything correctly, the new encrypted file system should be present the next time the user logs in. If not, you will still see the .ecryptfs configuration directory.

If everything works well you can copy back the home backup folder into the home folder.

Sources

Encrypt home directory with ecryptfs in the Gentoo wiki

ArchWiki - eCryptfs