I set up ecryptfs to test it and see how well it worked. These are the steps that I took to set it up. I am using Fedora so I used yum to install ecryptf. You should use whatever your particular Linux distribution uses to install software.
# yum install ecryptfs-utils.x86_64
There are certainly different ways to backup the target directory. But, the key point is, you must back it up and then restore it to the encrypted directory.
# move /home/mystuffdir /home/mystuffdir.old # mkdir /home/mystuffdir # chown mystuffguy:mystuffguy /home/mystuffdir
As root:
# mount -t ecryptfs /home/mystuff /home/mystuffdir Select key type to use for newly created files: 1) openssl 2) passphrase 3) pkcs11-helper 4) tspi Selection: 2 Passphrase: <= input a good passphrase Select cipher: 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 Selection [aes]: Select key bytes: 1) 16 2) 32 3) 24 Selection [16]: Enable plaintext passthrough (y/n) [n]: Enable filename encryption (y/n) [n]: y <= I encrypt everything including file names Filename Encryption Key (FNEK) Signature [abcdef12345678]: <=Enter Attempting to mount with the following options: ecryptfs_unlink_sigs ecryptfs_fnek_sig=abcdef12345678 ecryptfs_key_bytes=16 ecryptfs_cipher=aes ecryptfs_sig=abcdef12345678 Mounted eCryptfs
verify:
# mount
/home/mystuffdir on /home/mystuffdir type ecryptfs (rw,relatime,ecryptfs_fnek_sig=abcdef12345678 , ecryptfs_sig=abcdef12345678,ecryptfs_cipher=aes,ecryptfs_key_bytes=16, ecryptfs_unlink_sigs)
Now while the encrypted directory is mounted you have to restore the original files. If you try to restore to the directory while it is not mounted, and then you mount it with encryption accessing the files will result in an Input/output error.
I used cpio to restore. considering I used a move method to back it up I could certainly use the mv command to move it back. This would be faster. But I’ll use a copy method just in case my encryption went wrong somewhere. I can always remove the original files.
# cd /home/mystuffdir.old # find . -depth -print | cpio -pamvd /home/mystuffdir
You must always have the volume mounted with encryption while you are doing any work on it. This should avoid the input/output error that would result. The fact that you have encrypted the files within the /home/mystuffdir directory will immediately let you know that it is or is not encrypted, assuming you are actually working and viewing in the encrypted directory.
verify
umount /home/mystuffdir cd /home/mystuffdir
you should see a lot of encrypted file names and accessing any of them should give you a binary mess. Now remount it using the first mount command above, answer all the questions in a similar fashion and you should be able to see all the files as expected.
Now we want to set it up to be as automatic as possible. So we create a file in the root owners directory called
/root/.ecryptfsrc
The following is found from the output of the first mount. see above.
key=passphrase:passphrase_passwd_file=/media/keys/keys.txt ecryptfs_sig=abcdef12345678 ecryptfs_cipher=aes ecryptfs_key_bytes=16 ecryptfs_passthrough=n ecryptfs_enable_filename_crypto=y ecryptfs_fnek_sig=abcdef12345678
/media/keys/keys.txt is a file found on a USB file system. Depending upon what method you used to mount the USB key, the USB file system may be in a different location then what you specified in the “.encryptfsrc” file. This might cause the following error when you attempt to mount your encrypted file system:
Error attempting to evaluate mount options: [-2] No such file or directory Check your system logs for details on why this happened. Try updating your ecryptfs-utils package, and/or submit a bug report on https://bugs.launchpad.net/ecryptfs
It does not really help to encrypt anything if anyone can get to the keys. So the USB files systems where the key exist is also encrypted. I am using a fedora system so I used the fedora “Disk Utility” to format, mount and encrypt the USB file system. This is a graphical interface for dealing with disks. There are plenty of instructions on the internet providing information on how to encrypt a file system from the command line. The “Disk Utility” is pretty easy to use and should pose no problem.
Here is a quick synopsis of out to mount the USB file system from the command line. The name of the file system is “keys”. Find the raw device first.
# fdisk -l
or use something that is easier to read.
# parted
(parted) print list all
Model: USB NAND FLASH DISK (scsi)
Disk /dev/sdg: 32.8MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Number Start End Size Type File system Flags
1 16.4kB 32.8MB 32.8MB primary lba
(parted) quit
Now unlock the USB device:
# cryptsetup -v luksOpen /dev/sdg1 keys
Enter passphrase for /dev/sdg1: Enter passphrase
Key slot 0 unlocked.
Command successful.
Now find the device and mount it as a file system.
fdisk -l
. . . . . . .
Disk /dev/mapper/keys doesn't contain a valid partition table
# mount /dev/mapper/keys /mnt
#or somewhere appropriate like /media/keys/.
# mkdir /media/keys if you have too
and it is mounted and readable.
Note:
Use the following to close the mapping and discover other information.
# cryptsetup luksClose /dev/mapper/keys $ man cryptsetup
You can set up /etc/fstab to automatically mount on reboot. But this is a directory not an entire file system.
For ease of use, testing and documentation I set up the following in my fstab but commented it out after the testing was done. I’ll print it here for reference. I think trying to mount things automatically in this sense is asking for trouble. Don’t mess up any fields in your /etc/fstab file or your system may fail to boot.
# encrypted partition /dev/sdf1 /media/keys vfat ro 0 0 /home/mystuffdir /home/mystuffdir ecryptfs defaults 0 0
I use KeePassX to keep track of passwords. This makes mounting it and un-mounting it fairly easy. And I am not rebooting often so this does not seem to me to be a serious operational issue considering I am getting full encryption on a specific directory, not a file system.
Note:
If you see this error
mount: wrong fs type, bad option, bad superblock on /home/msimoni2, missing codepage or helper program, or other error In some cases useful info is found in syslog - try dmesg | tail or so.
you may have to install encryptfs.
======================================================================================== Package Arch Version Repository Size ======================================================================================== Installing: ecryptfs-utils x86_64 103-2.fc19 fedora 181 k Installing for dependencies: trousers x86_64 0.3.10-3.fc19 fedora 284 k Transaction Summary ========================================================================================