ecryptfs and Input/output error

I set up ecryptfs to test it and see how well it worked. These are the steps I took to set it up. I am using Fedora, so I used yum to install ecryptfs. Use whatever your particular Linux distribution uses to install software.

# yum install ecryptfs-utils.x86_64

There are certainly different ways to back up the target directory. The key point is that you must back it up first and then restore it into the encrypted directory once it is mounted.

# mv /home/mystuffdir /home/mystuffdir.old
# mkdir /home/mystuffdir
# chown mystuffguy:mystuffguy /home/mystuffdir

As root:

# mount -t ecryptfs /home/mystuffdir /home/mystuffdir
Select key type to use for newly created files:
1) openssl
2) passphrase
3) pkcs11-helper
4) tspi
Selection: 2
Passphrase: <= input a good passphrase
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y <= I encrypt everything including file names
Filename Encryption Key (FNEK) Signature [abcdef12345678]: <=Enter
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=abcdef12345678
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=abcdef12345678
Mounted eCryptfs

Verify:

# mount
/home/mystuffdir on /home/mystuffdir type ecryptfs (rw,relatime,ecryptfs_fnek_sig=abcdef12345678,
ecryptfs_sig=abcdef12345678,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

Now, while the encrypted directory is mounted, restore the original files. If you restore into the directory while it is not mounted and then mount it with encryption, accessing the files will result in an Input/output error.

I used cpio to restore. Since I backed up with a move, I could just as well use the mv command to move the files back, which would be faster. But I'll use a copy method in case my encryption went wrong somewhere; I can always remove the original files afterwards.

# cd /home/mystuffdir.old
# find . -depth -print | cpio -pamvd /home/mystuffdir

You must always have the volume mounted with encryption while you are doing any work on it; this avoids the Input/output error described above. Because the file names inside /home/mystuffdir are encrypted, one look at the directory tells you immediately whether the encrypted view is mounted or not, assuming you are actually working in and viewing the encrypted directory.

Verify:

# umount /home/mystuffdir
# cd /home/mystuffdir

You should see a lot of encrypted file names, and accessing any of them should give you a binary mess. Now remount it using the first mount command above, answer the questions the same way, and you should see all the files as expected.
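As an added example (this is not code from the original post), here is a small POSIX shell helper that enforces the rule above: it refuses to copy files into the target unless an eCryptfs mount is active on it, and after unmounting it lists any entry in the lower directory whose name does not carry the eCryptfs encrypted-filename prefix. The MOUNTS_FILE override and the directory names are assumptions made for the example; the cpio pipeline is the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Guards the restore step: data
# must only be copied into /home/mystuffdir while eCryptfs is mounted on it,
# otherwise the copies land in the lower directory and later read back as
# Input/output error through the encrypted view.

# Kernel mount table; overridable so the checks can be run against a
# constructed table (assumption for this example).
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Prefix eCryptfs gives encrypted file names in the lower directory.
FNEK_PREFIX="ECRYPTFS_FNEK_ENCRYPTED."

# is_ecryptfs_mounted DIR: succeed only if DIR is the mount point of an
# ecryptfs mount. /proc/mounts fields: source mountpoint fstype options 0 0.
is_ecryptfs_mounted() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 }
                   END { exit !found }' "$MOUNTS_FILE"
}

# restore_into_mount SRC DST: the cpio pipeline from the post, run only
# while DST is an active eCryptfs mount.
restore_into_mount() {
    src="$1"; dst="$2"
    if ! is_ecryptfs_mounted "$dst"; then
        echo "refusing: $dst is not an active ecryptfs mount" >&2
        return 1
    fi
    (cd "$src" && find . -depth -print | cpio -pamvd "$dst")
}

# unencrypted_names DIR: after umount, print every top-level entry in the
# lower directory that lacks the encrypted-name prefix. Succeeds if there
# are none, fails otherwise; anything listed was written past eCryptfs.
unencrypted_names() {
    dir="$1"; rc=0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        case "$name" in
            "$FNEK_PREFIX"*) ;;
            *) echo "$name"; rc=1 ;;
        esac
    done
    return $rc
}

# usage: restore_into_mount /home/mystuffdir.old /home/mystuffdir
```

Run the restore through restore_into_mount instead of typing the cpio line by hand, and run unencrypted_names on the lower directory after every umount: a non-empty listing means something was written while the encrypted view was not mounted.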

Now we want to set it up to be as automatic as possible, so we create a file in root's home directory called

/root/.ecryptfsrc

The values below come from the output of the first mount (see above).

key=passphrase:passphrase_passwd_file=/media/keys/keys.txt
ecryptfs_sig=abcdef12345678
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=y
ecryptfs_fnek_sig=abcdef12345678

/media/keys/keys.txt is a file on a USB file system. Depending on the method you used to mount the USB key, the USB file system may be in a different location than the one you specified in the ".ecryptfsrc" file. This causes the following error when you attempt to mount your encrypted file system:

Error attempting to evaluate mount options: [-2] No such file or directory
Check your system logs for details on why this happened.
Try updating your ecryptfs-utils package, and/or
submit a bug report on https://bugs.launchpad.net/ecryptfs
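As an added example (not from the original post), the following POSIX shell helper reads the key= line of .ecryptfsrc, checks that the passphrase file it names is present, and, if it is missing, reports which mount currently backs that path; this is the condition the "[-2] No such file or directory" message above reports only after the fact. It also refuses a key file readable by group or other, because a key anyone can read defeats the encryption. The RC_FILE and MOUNTS_FILE overrides and the use of GNU/busybox `stat -c %a` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight check for the
# key= line of /root/.ecryptfsrc: is the passphrase file actually present
# (the cause of "[-2] No such file or directory"), and is it private?
RC_FILE="${RC_FILE:-/root/.ecryptfsrc}"        # overridable for testing
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"     # overridable for testing

# passwd_file_from_rc: print the path given by passphrase_passwd_file= on
# the key=passphrase: line, or nothing if the rc file uses another key type.
passwd_file_from_rc() {
    sed -n 's/^key=passphrase:.*passphrase_passwd_file=\([^,]*\).*/\1/p' "$RC_FILE"
}

# mountpoint_of PATH: the longest mount point in the mount table that
# contains PATH, so a missing key file can be blamed on the right mount.
mountpoint_of() {
    awk -v p="$1" '
        { mp = $2 }
        mp == "/" || p == mp || index(p, mp "/") == 1 {
            if (length(mp) > length(best)) best = mp
        }
        END { print best }' "$MOUNTS_FILE"
}

# check_key_file: 0 if the configured passphrase file exists and is not
# readable by group or other; otherwise explain the problem and return 1.
check_key_file() {
    kf=$(passwd_file_from_rc)
    if [ -z "$kf" ]; then
        echo "$RC_FILE: no passphrase_passwd_file on the key= line" >&2
        return 1
    fi
    if [ ! -f "$kf" ]; then
        echo "$kf: missing; $(mountpoint_of "$kf") is the nearest mounted filesystem." \
             "Unlock (cryptsetup luksOpen) and mount the USB key there first." >&2
        return 1
    fi
    # GNU/busybox stat (assumption); octal mode must end in 00, e.g. 600
    case "$(stat -c %a "$kf")" in
        *00) return 0 ;;
        *)   echo "$kf: readable by group or other; chmod 600 it" >&2; return 1 ;;
    esac
}

# usage: check_key_file && mount -t ecryptfs /home/mystuffdir /home/mystuffdir
```

Running check_key_file before the mount turns the generic ENOENT from the mount helper into a message naming the expected key path and the file system actually mounted nearest to it, which is usually enough to see that the USB key ended up under /mnt or another automount location instead of /media/keys.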

It does not really help to encrypt anything if anyone can get to the keys, so the USB file system where the key lives is also encrypted. I am using a Fedora system, so I used the Fedora "Disk Utility" to format, mount and encrypt the USB file system. This is a graphical interface for dealing with disks. There are plenty of instructions on the internet on how to encrypt a file system from the command line. The "Disk Utility" is pretty easy to use and should pose no problem.

Here is a quick synopsis of how to mount the USB file system from the command line. The name of the file system is "keys". Find the raw device first.

# fdisk -l

or use something that is easier to read:

# parted
(parted) print list all
   Model: USB NAND FLASH DISK (scsi)
   Disk /dev/sdg: 32.8MB
   Sector size (logical/physical): 512B/512B
   Partition Table: msdos

   Number  Start   End     Size    Type     File system  Flags
    1      16.4kB  32.8MB  32.8MB  primary               lba

(parted) quit

Now unlock the USB device:

# cryptsetup -v luksOpen /dev/sdg1 keys
Enter passphrase for /dev/sdg1: Enter passphrase
Key slot 0 unlocked.
Command successful.

Now find the device and mount it as a file system.

# fdisk -l
. . . . . . .
Disk /dev/mapper/keys doesn't contain a valid partition table
# mount /dev/mapper/keys /mnt

Mount it at /mnt or somewhere more appropriate such as /media/keys (run mkdir /media/keys first if you have to), and it is mounted and readable.

Note:
Use the following to close the mapping; the man page covers the other options.

# cryptsetup luksClose /dev/mapper/keys
$ man cryptsetup

You can set up /etc/fstab to mount automatically at boot. But keep in mind this is a directory, not an entire file system.

For ease of use, testing and documentation I set up the following in my fstab, but commented it out after the testing was done. I'll print it here for reference. I think trying to mount things automatically in this sense is asking for trouble. Don't mess up any fields in your /etc/fstab file or your system may fail to boot.

# encrypted partition
/dev/sdf1              /media/keys        vfat     ro         0 0
/home/mystuffdir       /home/mystuffdir     ecryptfs defaults   0 0

I use KeePassX to keep track of passwords, which makes mounting and unmounting fairly easy. And since I am not rebooting often, this does not seem to me a serious operational issue, considering I am getting full encryption of a specific directory rather than of a whole file system.

Note:
If you see this error

mount: wrong fs type, bad option, bad superblock on /home/msimoni2,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try
       dmesg | tail or so.

you may have to install ecryptfs-utils:

========================================================================================
 Package                 Arch            Version                  Repository       Size
========================================================================================
Installing:
 ecryptfs-utils          x86_64          103-2.fc19               fedora          181 k
Installing for dependencies:
 trousers                x86_64          0.3.10-3.fc19            fedora          284 k

Transaction Summary
========================================================================================
