This article explains how to get a stacked encrypted directory using the ecryptfs Linux kernel driver, and to transparently automount that directory using the ecryptfs PAM module.<\/p>\n
Being \u00e2\u20ac\u0153stacked\u00e2\u20ac\u009d means that the real storage is provided by your existing file system in a nominated directory. That directory is decrypted on the fly once the ecryptfs filesystem is mounted and provides a virtual decrypted view of that storage at the mount point.<\/p>\n
Use of the PAM module means that the encrypted directory is secured on your login password.<\/p>\n
Ecryptfs doesn\u00e2\u20ac\u2122t use your login password as the decryption key (if it did, then root could gain access to it by changing your password to something root knows). Instead the login password is used to decrypt your mount passphrase.<\/p>\n
Three directories are used<\/p>\n
apt-get install ecryptfs-utils\n<\/code><\/pre>\nThis will automatically pull in libecryptfs0. It will also automatically add the PAM module to<\/p>\n
\n- \/etc\/pam.d\/common-account (although this is commented out)<\/li>\n
- \/etc\/pam.d\/common-auth<\/li>\n
- \/etc\/pam.d\/common-password<\/li>\n
- \/etc\/pam.d\/common-session<\/li>\n
- \/etc\/pam.d\/common-session-noninteractive<\/li>\n<\/ul>\n
The auth<\/em> ecryptfs PAM module takes a copy of the password used to log in. The session<\/em> ecryptfs PAM module uses that password to unwrap the mount passphrase for the encrypted directory, and mount the plaintext virtual directory; similarly it unmounts that directory on logout. The password<\/em> module rewraps the mount passphrase when the user changes their own password (note it doesn\u00e2\u20ac\u2122t do this when root changes the user\u00e2\u20ac\u2122s password).<\/p>\nSetup<\/h3>\n
You begin by running the following when logged in with your user account:<\/p>\n
$ ecryptfs-setup-private\nEnter your login passphrase: \nEnter your mount passphrase [leave blank to generate one]: \nEnter your mount passphrase (again): \n\n************************************************************************\nYOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.\n ecryptfs-unwrap-passphrase ~\/.ecryptfs\/wrapped-passphrase\nTHIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.\n************************************************************************\n\n\nDone configuring.\n\nTesting mount\/write\/umount\/read...\nTesting succeeded.\n\nLogout, and log back in to begin using your encrypted directory.\n<\/code><\/pre>\nFirst you enter your login password. ecryptfs will use this to wrap the mount passphrase, which you can also specify should you wish, or leave blank to generate something suitable.<\/p>\n
This process will generate the following:<\/p>\n
Private\/\n|-- Access-Your-Private-Data.desktop -> \/usr\/share\/ecryptfs-utils\/ecryptfs-mount-private.desktop\n`-- README.txt -> \/usr\/share\/ecryptfs-utils\/ecryptfs-mount-private.txt\n.Private\/\n.ecryptfs\/\n|-- auto-mount\n|-- auto-umount\n|-- Private.mnt\n|-- Private.sig\n`-- wrapped-passphrase\n<\/code><\/pre>\nYour mount passphrase is stored in .ecryptfs\/wrapped-passphrase in an encrypted form. You can use your login password to decrypt it, which you enter when prompted:<\/p>\n
$ ecryptfs-unwrap-passphrase .ecryptfs\/wrapped-passphrase \nPassphrase: \nf1da8c3eb8a2d13bd327f74c6fb47c91\n<\/code><\/pre>\nHere I\u00e2\u20ac\u2122ve used a generated mount passphrase as I don\u00e2\u20ac\u2122t expect to ever have to type it, other than under very rare circumstances.<\/p>\n
Next time you log in the PAM module will automatically mount .Private\/ over Private\/ but you can do the same thing manually from the command line like this<\/p>\n
$ ecryptfs-mount-private \nEnter your login passphrase:\nInserted auth tok with sig [551b13b8dcd852e6] into the user session keyring\n<\/code><\/pre>\nThis will hide the real Private\/ directory with an ecryptfs mount<\/p>\n
$ mount\n\/home\/user\/.Private on \/home\/user\/Private type ecryptfs (ecryptfs_sig=551b13b8dcd852e6,ecryptfs_fnek_sig=6a55078f86383f67,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)\n<\/code><\/pre>\nThe directory will be automatically unmounted when you log out, but you can umount manually with:<\/p>\n
$ ecryptfs-umount-private\n<\/code><\/pre>\nNote: that the passphrase is not unwrapped when the administrator tries to log in as you:<\/p>\n
$ sudo su - user\nkeyctl_search: Required key not available\nPerhaps try the interactive 'ecryptfs-mount-private'\n<\/code><\/pre>\nIn this case, because root doesn\u00e2\u20ac\u2122t know the literal password, he is merely using his superuser status to login as \u00e2\u20ac\u0153user\u00e2\u20ac\u009d, the wrapping password isn\u00e2\u20ac\u2122t available so the encrypted directory is not available.<\/p>\n
Updating<\/h3>\n
When you change your login password, the wrapping password should be updated by the password<\/em> module of the PAM ecryptfs driver. However, if it is not automatically changed at the same time, say because the administrator changed your password rather than you personally, you will have to be able to rewrap your mount passphrase manually.<\/p>\nThis is easily done like this:<\/p>\n
$ ecryptfs-rewrap-passphrase ~\/.ecryptfs\/wrapped-passphrase\nOld wrapping passphrase: \nNew wrapping passphrase: \n<\/code><\/pre>\nBe careful typing your new password, you will not be asked for it twice. Note that this is not<\/em> the mount passphrase it is your login password.<\/p>\nWarnings<\/h3>\n
Given that root can do anything on the system, the above is no guarantee of security. It would be trivial for root to install a \u00e2\u20ac\u0153login\u00e2\u20ac\u009d program that simply emailed him a copy of your password, so you still have to have a certain level of trust in your administrator.<\/p>\n
Also be aware that while you are logged in your encrypted directory is visible to your user account. The administrator could choose to assume your identity at that moment and could still see your encrypted data.<\/p>\n
Further, an attacker who gains access to your account while you are logged in can do the same.<\/p>\n
In short: encryption won\u00e2\u20ac\u2122t do much to protect a live attack. It will protect you if your computer is stolen, as the data will be inaccessible without the key phrase.<\/p>\n
Manual Directories<\/h3>\n
Should you wish to make an encrypted directory other than .Private\/ you can do it manually. It\u00e2\u20ac\u2122s simple but not as automated as using ecryptfs-setup-private:<\/p>\n
$ mkdir encrypted-source\n$ chmod 700 encrypted-source\n$ mkdir encrypted-dest\n$ sudo mount -t ecryptfs encrypted-source encrypted-dest\nPassphrase: \nSelect cipher: \n 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)\n 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)\n 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)\n 4) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)\n 5) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)\nSelection [aes]: \nSelect key bytes: \n 1) 16\n 2) 32\n 3) 24\nSelection [16]: \nEnable plaintext passthrough (y\/n) [n]: \nEnable filename encryption (y\/n) [n]: y\nAttempting to mount with the following options:\n ecryptfs_unlink_sigs\n ecryptfs_key_bytes=16\n ecryptfs_cipher=aes\n ecryptfs_sig=d7284afb87fef554\nWARNING: Based on the contents of [\/root\/.ecryptfs\/sig-cache.txt],\nit looks like you have never mounted with this key \nbefore. This could mean that you have typed your \npassphrase wrong.\n\nWould you like to proceed with the mount (yes\/no)? : yes\nWould you like to append sig [d7284afb87fef554] to\n[\/root\/.ecryptfs\/sig-cache.txt] \nin order to avoid this warning in the future (yes\/no)? : no\nNot adding sig to user sig cache file; continuing with mount.\nMounted eCryptfs\n<\/code><\/pre>\nNote that defaults were accepts apart from \u00e2\u20ac\u0153Enable filename encryption\u00e2\u20ac\u009d, which you should enable.<\/p>\n
You can, should you wish, use an overlay mount and mount the encrypted directory on itself. This will hide the underlying encrypted directory from the filesystem.<\/p>\n","protected":false},"excerpt":{"rendered":"
This article explains how to get a stacked encrypted directory using the ecryptfs Linux kernel driver, and to transparently automount that directory using the ecryptfs PAM module. Being \u00e2\u20ac\u0153stacked\u00e2\u20ac\u009d means that the real storage is provided by your existing file system in a nominated directory. That directory is decrypted on the fly once the ecryptfs\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[12,13,14,6],"_links":{"self":[{"href":"https:\/\/www.fussylogic.co.uk\/blog\/index.php?rest_route=\/wp\/v2\/posts\/272"}],"collection":[{"href":"https:\/\/www.fussylogic.co.uk\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fussylogic.co.uk\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fussylogic.co.uk\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fussylogic.co.uk\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=272"}],"version-history":[{"count":4,"href":"https:\/\/www.fussylogic.co.uk\/blog\/index.php?rest_route=\/wp\/v2\/posts\/272\/revisions"}],"predecessor-version":[{"id":590,"href":"https:\/\/www.fussylogic.co.uk\/blog\/index.php?rest_route=\/wp\/v2\/posts\/272\/revisions\/590"}],"wp:attachment":[{"href":"https:\/\/www.fussylogic.co.uk\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fussylogic.co.uk\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fussylogic.co.uk\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}