eCryptfs is a file system that lets you encrypt files and folders. The main advantage of eCryptfs is that you dont have to encrypt whole partitions. You can instead define a folder on the local file system to be mounted with the eCryptfs file system. All data stored in a folder that is mounted with eCryptfs is gonna be encrypted immediately.
Creating a private folder using eCryptfs
Here I will describe how to create a private (encrypted) folder within your $HOME directory. To start we will need to install the 'ecryptfs-utils' package.
# equo install ecryptfs-utils
eCryptfs comes with predefined scripts to setup a private directory. Prerequisit is, that the group 'ecryptfs' is defined and the user who executes the script is a member of this group.
# groupadd ecryptfs
# usermod -G ecryptfs <username>
After this is done we can run the setup script as user:
The output should be looking like this:
Enter your login passphrase [<username>]: Enter your mount passphrase [leave blank to generate one]: ************************************************************************ YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION. ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME. ************************************************************************ Done configuring. Testing mount/write/umount/read... Inserted auth tok with sig [e92ed746d5b6af67] into the user session keyring Inserted auth tok with sig [e5194342fe7d8bf5] into the user session keyring Inserted auth tok with sig [e92ed332d5b6af67] into the user session keyring Inserted auth tok with sig [e5948744fe7d8bf5] into the user session keyring Testing succeeded. Logout, and log back in to begin using your encrypted directory.
After the setup has completet sucessfully you will find the new direcrories '.Private' and 'Private' in your $HOME. The '.Private' directory contains the encrypted files and is mounted into the 'Private' directory. The setup script creates a shortcut to mount the '.Private' directory and a README file. If this files are present it indicates that the encrypted directory is not mounted yet. So we will have to mount it before we can store our files encrypted. To do that we execute the follwing command:
Now all the files and folders we create in the 'Private' folder are gonna be encrypted immediately.
You can put the 'ecryptfs-mount-private' to your autostart options in order that the private folder gets mounted on login. In some cases it is necessary to make the script: '/usr/bin/ecryptfs-mount-private' suid root in order to be able to mount the private folder as normal user.
Encrypt the whole $HOME directory using ecryptfs
Encrypting the home directory of a user requires a bit more of manual work. First backup the home directory of the target user:
# cp -r /home/<username> /home/<username>_backup
Now we are going to create the encrypted folder that is going to be mounted in the users home directory.
# mkdir -p /home/.ecryptfs/<username>/.Private
That done, we can initially mount the directory using eCryptfs.
# mount -t ecryptfs /home/.ecryptfs/<username>/.Private /home/<username>
The output should look like this:
passphrase: Select cipher: 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 Selection [aes]: Select key bytes: 1) 16 2) 32 3) 24 Selection : Enable plaintext passthrough (y/n) [n]: y Enable filename encryption (y/n) [n]: Attempting to mount with the following options: ecryptfs_unlink_sigs ecryptfs_passthrough ecryptfs_key_bytes=16 ecryptfs_cipher=aes ecryptfs_sig=fe678c9b42ee0615 WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt], it looks like you have never mounted with this key before. This could mean that you have typed your passphrase wrong. Would you like to proceed with the mount (yes/no)? : yes Would you like to append sig [fe678c9b42ee0615] to [/root/.ecryptfs/sig-cache.txt] in order to avoid this warning in the future (yes/no)? : yes Successfully appended new sig to user sig cache file Mounted eCryptfs
First eCryptfs asks you for a passphrase for the encrypted file system. Enter a secure password there! Next you are asked about your encryption preferences. NOTE: if you want to enable filname encryption please have in mind, that it can cause problems if you are using long file names. At the first mount a warning is shown that the current signatur cannot be found in the actual signature store. Answer both questions with yes in order to add the current signature!
Next we have to store the mount information into a file since we may need it for auto mount purpose:
# mount | grep ecryptfs > /root/ecryptfs_mount_options_<username>
At this point we are done with the preparation of the encrypted folder. The next step is to automatically mount the encrypted folder at login time. But first we have to unmount the encrypted folder.
# umount /home/<username>
Auto mount the encrypted $HOME using PAM_MOUN
In order to use our encrypted home folder we have to mount it at login time. To do that we are going to use the pam_mount package.
# equo install pam_mount
Next we copy the signature store to the unmounted user home. Please make sure, that the encrypted folder is not mounted at this time!
# cp -r /root/.ecryptfs /home/<username>
To avoid that eCryptfs will ask for the password at each login we will wrap the passphrase with the login passphrase of the user.
# ecryptfs-wrap-passphrase /home/<username>/.ecryptfs/wrapped-passphrase
The program will ask you first for the passphrase of the eCryptfs-mount and then for a wrapping passphrase. We will use the login password as wrapping passphrase.