eCryptfs is a file system that lets you encrypt files and folders. The main advantage of eCryptfs is that you don't have to encrypt whole partitions. Instead, you can define a folder on the local file system to be mounted with the eCryptfs file system. All data stored in a folder that is mounted with eCryptfs is encrypted immediately.
Creating a private folder using eCryptfs
Here I will describe how to create a private (encrypted) folder within your $HOME directory. To start we will need to install the 'ecryptfs-utils' package.
# equo install ecryptfs-utils
ecryptfs-utils provides predefined scripts to set up a private directory. The prerequisite is that the group 'ecryptfs' exists and that the user who executes the script is a member of this group.
# groupadd ecryptfs
# usermod -a -G ecryptfs <username>
After this is done we can run the setup script as user:
The output should look like this:
Enter your login passphrase [<username>]:
Enter your mount passphrase [leave blank to generate one]:
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
Done configuring.
Testing mount/write/umount/read...
Inserted auth tok with sig [e92ed746d5b6af67] into the user session keyring
Inserted auth tok with sig [e5194342fe7d8bf5] into the user session keyring
Inserted auth tok with sig [e92ed332d5b6af67] into the user session keyring
Inserted auth tok with sig [e5948744fe7d8bf5] into the user session keyring
Testing succeeded.
Logout, and log back in to begin using your encrypted directory.
After the setup has completed successfully you will find the new directories '.Private' and 'Private' in your $HOME. The '.Private' directory contains the encrypted files and is mounted into the 'Private' directory. The setup script creates a shortcut to mount the '.Private' directory and a README file. If these files are present in the 'Private' directory, the encrypted directory is not mounted yet, so we have to mount it before we can store our files encrypted. To do that we execute the following command:
Now all the files and folders we create in the 'Private' folder are encrypted immediately.
You can add 'ecryptfs-mount-private' to your autostart options so that the private folder gets mounted on login. In some cases it is necessary to make the script '/usr/bin/ecryptfs-mount-private' suid root in order to be able to mount the private folder as a normal user.
Encrypt the whole $HOME directory using ecryptfs
Encrypting the home directory of a user requires a bit more manual work. First back up the home directory of the target user:
# cp -a /home/<username> /home/<username>_backup
Now we are going to create the encrypted folder that is going to be mounted in the user's home directory.
# mkdir -p /home/.ecryptfs/<username>/.Private
With that done, we can initially mount the directory using eCryptfs.
# mount -t ecryptfs /home/.ecryptfs/<username>/.Private /home/<username>
The output should look like this:
passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection :
Enable plaintext passthrough (y/n) [n]: y
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_passthrough
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=fe465c9b42ee0999
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt], it looks like you have never mounted with this key before. This could mean that you have typed your passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [fe465c9b42ee0999] to [/root/.ecryptfs/sig-cache.txt] in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
First eCryptfs asks for a passphrase for the encrypted file system. Enter a secure password there! Next you are asked about your encryption preferences. NOTE: if you want to enable filename encryption, keep in mind that it can cause problems if you are using long file names. At the first mount a warning is shown that the current signature cannot be found in the signature store. Answer both questions with yes in order to add the current signature!
Next we have to store the mount information in a file, since we may need it for auto mounting:
# mount | grep ecryptfs > /root/ecryptfs_mount_options_<username>
At this point we are done with the preparation of the encrypted folder. The next step is to automatically mount the encrypted folder at login time. But first we have to unmount the encrypted folder.
# umount /home/<username>
Auto mount the encrypted $HOME using PAM_MOUNT
In order to use our encrypted home folder we have to mount it at login time. To do that we are going to use the pam_mount package.
# equo install pam_mount
We copy the signature store to the unmounted user home. Please make sure that the encrypted folder is not mounted at this time!
# cp -r /root/.ecryptfs /home/<username>
To prevent eCryptfs from asking for the password at each login, we wrap the passphrase with the login passphrase of the user.
# ecryptfs-wrap-passphrase /home/<username>/.ecryptfs/wrapped-passphrase
The program will ask you first for the passphrase of the eCryptfs-mount and then for a wrapping passphrase. We will use the login password as wrapping passphrase.
Now we create an auto mount file in the .ecryptfs directory of the user.
# touch /home/<username>/.ecryptfs/auto-mount
And of course we have to make sure that the user is the owner of their .ecryptfs directory.
# chown -R <username>:<username> /home/<username>/.ecryptfs
In the next step we have to configure PAM to use eCryptfs and pam_mount at login time. To do that we have to add some lines to the '/etc/pam.d/system-auth' file. Please pay attention to the order of the entries!
[...]
auth required pam_unix.so
[...]
auth optional pam_ecryptfs.so unwrap
auth optional pam_permit.so
auth optional pam_mount.so
[...]
password required pam_unix.so
[...]
password optional pam_ecryptfs.so
[...]
session required pam_unix.so
[...]
session optional pam_mount.so
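
Because the order of these entries matters, it can be checked mechanically. The following is an added example, not part of the original tutorial: a shell function (check_pam_order is a hypothetical name) that verifies a PAM file keeps the order listed above and that the auth entry for pam_ecryptfs.so carries unwrap. The sample file is constructed from the listing above.

```shell
# Added example (not from the original tutorial): verify the PAM entry order
# shown above. check_pam_order is a hypothetical helper name.

check_pam_order() {
    awk '
    # Report when "second" is absent or does not follow "first" in a stack.
    function need(type, first, second) {
        if (!((type, second) in pos)) {
            printf "%s: %s is missing\n", type, second; bad = 1
        } else if (!((type, first) in pos) || pos[type, first] > pos[type, second]) {
            printf "%s: %s must come after %s\n", type, second, first; bad = 1
        }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    {
        type = $1; sub(/^-/, "", type)           # "-auth" is still the auth stack
        i = 2                                    # control may be "[a=b c=d]"
        if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
        mod = $(i + 1); sub(/.*\//, "", mod)     # drop a directory prefix
        if (!((type, mod) in pos)) pos[type, mod] = NR
        if (type == "auth" && mod == "pam_ecryptfs.so")
            for (j = i + 2; j <= NF; j++) if ($j == "unwrap") unwrap = 1
    }
    END {
        need("auth", "pam_unix.so", "pam_ecryptfs.so")
        need("auth", "pam_ecryptfs.so", "pam_mount.so")
        need("password", "pam_unix.so", "pam_ecryptfs.so")
        need("session", "pam_unix.so", "pam_mount.so")
        if (!unwrap) { print "auth: pam_ecryptfs.so lacks unwrap"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample mirroring the listing above
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth     required  pam_unix.so
auth     optional  pam_ecryptfs.so unwrap
auth     optional  pam_permit.so
auth     optional  pam_mount.so
password required  pam_unix.so
password optional  pam_ecryptfs.so
session  required  pam_unix.so
session  optional  pam_mount.so
EOF
check_pam_order "$sample" && echo "PAM order OK"
rm -f "$sample"
```

Run it against a copy of /etc/pam.d/system-auth after editing; a non-zero exit status means at least one entry is missing or out of order.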
Now we have to configure pam_mount to auto mount our encrypted directory. First we have to add the 'luserconf' parameter in order to tell pam_mount to use user defined configuration files which can be found at the root of their home directory. Second we will have to define the mount command that is used for lclmount. A typical pam_mount.conf.xml can look like this:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <debug enable="0" />
  <luserconf name=".pam_mount.conf.xml" />
  <mntoptions allow="verbosity,users,noauto,rw,exec,nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,ecryptfs_key_bytes,ecryptfs_cipher,ecryptfs_fnek_sig,ecryptfs_unlink_sigs,ecryptfs_sig" />
  <mntoptions require="" />
  <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
  <logout wait="0" hup="0" term="0" kill="0" />
  <lclmount>/bin/mount -i %(VOLUME) "%(before=\"-o\" OPTIONS)"</lclmount>
</pam_mount>
And finally we define the user entry for pam_mount:
<pam_mount>
  <volume noroot="1" fstype="ecryptfs" path="/home/.ecryptfs/<username>/.Private" mountpoint="/home/<username>"/>
</pam_mount>
We are almost ready. Now we just have to decide how to let a normal user mount the file system. Normally only root can mount, so under these conditions we would get a permission error. One way would be to make the mount command suid root, but I don't prefer this approach since I consider it a security risk. Another approach would be to use sudo and define the lclmount command in /etc/security/pam_mount.conf.xml. The approach I use is simply an entry in /etc/fstab with the user flag, which allows the user to mount their file system.
Remember the /root/ecryptfs_mount_options_<username> file that we created before? Now we are going to need it. The content of this file should look something like:
/home/.ecryptfs/<username>/.Private on /home/<username> type ecryptfs (rw,ecryptfs_sig=fe848c9b42ee0999,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough,ecryptfs_unlink_sigs)
Now we have to change this line to fit the fstab syntax, and we also have to add the user and noauto options. If you want to execute files in your home directory you may also add the exec option. So our final entry in /etc/fstab should look like this:
/home/.ecryptfs/<username>/.Private /home/<username> ecryptfs noauto,user,exec,rw,ecryptfs_sig=fe848c9b42ee0999,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough,ecryptfs_unlink_sigs 0 0
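
The rewrite from the saved mount line to the fstab entry can be scripted so that no option is lost or mistyped. The following is an added example, not part of the original tutorial; the function name mount_line_to_fstab and the user name "alice" are assumptions made for illustration.

```shell
# Added example (not from the original tutorial): build the /etc/fstab entry
# from one line of `mount | grep ecryptfs`. The function name is hypothetical.

# Usage: mount_line_to_fstab "<mount output line>" [exec]
mount_line_to_fstab() {
    line=$1

    # Expected shape: <lower dir> on <mountpoint> type ecryptfs (<options>)
    case $line in
        *" on "*" type ecryptfs ("*")") ;;
        *) echo "not an ecryptfs mount line" >&2; return 1 ;;
    esac
    lower=${line%%" on "*}
    rest=${line#*" on "}
    mountpoint=${rest%%" type ecryptfs ("*}
    opts=${rest#*" type ecryptfs ("}
    opts=${opts%")"}

    # An unattended mount needs the key signature among the options
    case ",$opts" in
        *,ecryptfs_sig=?*) ;;
        *) echo "no ecryptfs_sig option found" >&2; return 1 ;;
    esac

    # fstab fields are separated by blanks, so the paths must not contain any
    case "$lower$mountpoint" in
        *[[:space:]]*) echo "whitespace in path" >&2; return 1 ;;
    esac

    # "user" implies noexec,nosuid,nodev; exec only wins if it comes after it
    prefix="noauto,user"
    if [ "${2:-}" = "exec" ]; then prefix="$prefix,exec"; fi

    printf '%s %s ecryptfs %s,%s 0 0\n' "$lower" "$mountpoint" "$prefix" "$opts"
}

# Constructed sample: the line from the text with <username> set to "alice"
sample='/home/.ecryptfs/alice/.Private on /home/alice type ecryptfs (rw,ecryptfs_sig=fe848c9b42ee0999,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough,ecryptfs_unlink_sigs)'
mount_line_to_fstab "$sample" exec
```

Review the printed line before appending it to /etc/fstab; leaving out the second argument keeps the noexec default that the user option implies.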
If you have done everything correctly, the new encrypted file system should be present the next time the user logs in. If not, you will still see the .ecryptfs configuration directory.
If everything works well you can copy the home backup folder back into the home folder.