From Sabayon Wiki
Revision as of 20:49, 18 February 2013 by Dyonisos (Talk | contribs)

Work in Progress


eCryptfs is a file system that lets you encrypt files and folders. Its main advantage is that you don't have to encrypt whole partitions: instead you define a folder on the local file system to be mounted with eCryptfs, and all data stored in that folder is encrypted transparently as it is written.

Creating a private folder using eCryptfs

Here I will describe how to create a private (encrypted) folder within your $HOME directory. To start, we need to install the 'ecryptfs-utils' package.

 # equo install ecryptfs-utils 

eCryptfs comes with predefined scripts to set up a private directory. The prerequisite is that the group 'ecryptfs' exists and that the user who runs the script is a member of it (the -a flag appends the group instead of replacing the user's existing supplementary groups; the new membership takes effect at the user's next login).

 # groupadd ecryptfs 
 # usermod -a -G ecryptfs <username> 

Once that is done, we can run the setup script as the user:

 $ ecryptfs-setup-private 

The output should look like this:

Enter your login passphrase [<username>]: 
Enter your mount passphrase [leave blank to generate one]: 

  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase

Done configuring.

Testing mount/write/umount/read...
Inserted auth tok with sig [e92ed746d5b6af67] into the user session keyring
Inserted auth tok with sig [e5194342fe7d8bf5] into the user session keyring
Inserted auth tok with sig [e92ed332d5b6af67] into the user session keyring
Inserted auth tok with sig [e5948744fe7d8bf5] into the user session keyring
Testing succeeded.

Logout, and log back in to begin using your encrypted directory.

After the setup has completed successfully you will find the new directories '.Private' and 'Private' in your $HOME. The '.Private' directory contains the encrypted files and is mounted onto the 'Private' directory. The setup script also places a shortcut for mounting '.Private' and a README file in 'Private'. If these files are visible, the encrypted directory is not mounted yet, so we have to mount it before we can store files in it. To do that we run the following command:

 $ ecryptfs-mount-private 

Now all the files and folders we create in the 'Private' folder are encrypted transparently as they are written.

You can add 'ecryptfs-mount-private' to your autostart options so that the private folder is mounted at login. In some cases it is necessary to make the script '/usr/bin/ecryptfs-mount-private' setuid root to be able to mount the private folder as a normal user.

Encrypt the whole $HOME directory using ecryptfs

Encrypting the home directory of a user requires a bit more manual work. First back up the home directory of the target user (cp -a, unlike cp -r, preserves ownership, permissions, timestamps and symlinks, which matters when the files are later copied back into the encrypted home):

 # cp -a /home/<username> /home/<username>_backup 

Now we create the encrypted folder that is going to be mounted onto the user's home directory.

 # mkdir -p /home/.ecryptfs/<username>/.Private 

That done, we can initially mount the directory using eCryptfs.

 # mount -t ecryptfs /home/.ecryptfs/<username>/.Private /home/<username> 

The output should look like this:

Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: y
Enable filename encryption (y/n) [n]: 
Attempting to mount with the following options:
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [fe678c9b42ee0615] to
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

First eCryptfs asks you for a passphrase for the encrypted file system. Choose a strong passphrase here! Next you are asked about your encryption preferences. NOTE: if you want to enable filename encryption, keep in mind that it can cause problems with long file names. At the first mount a warning is shown because the signature of the new key is not yet in the signature cache. Answer both questions with yes so that the signature is added to the cache!

Next we store the mount information in a file, since we will need the mount options for the automatic mount later:

 # mount | grep ecryptfs > /root/ecryptfs_mount_options_<username> 

At this point the preparation of the encrypted folder is done. The next step is to mount it automatically at login time, but first we have to unmount it.

 # umount /home/<username> 

Auto mount the encrypted $HOME using pam_mount

In order to use our encrypted home folder we have to mount it at login time. For that we use the pam_mount package.

 # equo install pam_mount 

Next we copy the signature store to the unmounted user home. Make sure that the encrypted folder is not mounted at this point!

 # cp -r /root/.ecryptfs /home/<username> 

To keep eCryptfs from asking for the mount passphrase at each login, we wrap it with the user's login passphrase.

 # ecryptfs-wrap-passphrase /home/<username>/.ecryptfs/wrapped-passphrase  

The program first asks for the passphrase of the eCryptfs mount and then for a wrapping passphrase. We use the login password as the wrapping passphrase.
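The following script is an added example, not part of the wiki page or of ecryptfs-utils. It checks the two things both procedures above rely on: whether a directory (the 'Private' folder of the first section, or the whole home in the second) is currently an eCryptfs mount, which must be false before the signature store is copied in, and which mount options (signature, cipher, key size, passthrough) were recorded by 'mount | grep ecryptfs' so they can be reused for the automatic mount. The user name 'alice' and the sample mount line are constructed; the script needs only POSIX sh and awk.

```sh
#!/bin/sh
# Added example, not part of the Sabayon wiki page. Helper checks for the
# procedures above: they read a file in `mount` output format, such as the
# one written by "mount | grep ecryptfs > /root/ecryptfs_mount_options_<username>",
# and need only POSIX sh and awk, no root.

# Succeed (exit 0) if MOUNTPOINT appears as an ecryptfs mount in MOUNT_OUTPUT.
# Expected line shape: "SRC on DST type FSTYPE (OPT1,OPT2,...)".
ecryptfs_mounted_at() {            # $1 = mountpoint, $2 = mount output file
    awk -v mp="$1" '
        $2 == "on" && $3 == mp && $4 == "type" && $5 == "ecryptfs" { found = 1 }
        END { exit (found ? 0 : 1) }' "$2"
}

# Print the value of one ecryptfs mount option (e.g. ecryptfs_sig) recorded
# for MOUNTPOINT. A flag option without a value (ecryptfs_passthrough) prints
# "yes"; an option that is not set prints nothing.
ecryptfs_mount_option() {          # $1 = mountpoint, $2 = option, $3 = file
    awk -v mp="$1" -v name="$2" '
        $2 == "on" && $3 == mp && $5 == "ecryptfs" {
            opts = $6; gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) {
                split(o[i], kv, "=")
                if (kv[1] == name) { print (kv[2] == "" ? "yes" : kv[2]); exit }
            }
        }' "$3"
}

# Guard for the step "copy the signature store to the unmounted user home":
# refuse while the home is still an ecryptfs mount, because the copy would be
# written through the encrypted mount instead of into the plain mount point.
ecryptfs_home_unmounted_or_die() { # $1 = home directory, $2 = file
    if ecryptfs_mounted_at "$1" "$2"; then
        echo "refusing: $1 is still mounted with eCryptfs; run: umount $1" >&2
        return 1
    fi
}

# Constructed sample line in `mount` format. The sig is the one shown in the
# page's example output; the user name 'alice' is made up.
write_sample_mount_output() {      # $1 = destination file
    cat > "$1" <<'EOF'
/home/.ecryptfs/alice/.Private on /home/alice type ecryptfs (rw,relatime,ecryptfs_sig=fe678c9b42ee0615,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough)
EOF
}
```

Run the guard against live output with `mount > /tmp/m && ecryptfs_home_unmounted_or_die /home/<username> /tmp/m` before the cp step; the option reader gives you the values for the later pam_mount configuration.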