From 78cbeb6d7efffd8d5f844ca8068409e1dae526f6 Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Mon, 28 Oct 2013 16:36:15 -0700 Subject: [PATCH] posts:ecryptfs: Add a post on eCryptfs usage Covering both ~/Private and arbitrary directories. --- posts/eCryptfs.mdwn | 97 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 posts/eCryptfs.mdwn diff --git a/posts/eCryptfs.mdwn b/posts/eCryptfs.mdwn new file mode 100644 index 0000000..3a8f70b --- /dev/null +++ b/posts/eCryptfs.mdwn 
@@ -0,0 +1,97 @@ +[eCryptfs][] is an encrypted filesystem for Linux. You'll need to +have a kernel with the `ECRYPT_FS` module configured to use eCryptfs. +Once you have the kernel setup, install the userspace tools +(`sys-fs/ecryptfs-utils` on [[Gentoo]], where you may want to enable +the `suid` `USE` flag to [allow non-root users to mount their private +directories][suid]). + + $ zcat /proc/config.gz | grep ECRYPT_FS + CONFIG_ECRYPT_FS=m + # echo 'sys-fs/ecryptfs-utils suid' >> /etc/portage/package.use/ecryptfs + # echo 'sys-fs/ecryptfs-utils ~amd64' >> /etc/portage/package.accept_keywords/ecryptfs + # emerge -av sys-fs/ecryptfs-utils + # modprobe ecryptfs + +eCryptfs is usually used to maintain encrypted home directories, which +you can setup with [ecryptfs-setup-private][]. I used `--noautomount` +because I'm not using the [PAM module][PAM] for automounting. Other +than that, just follow the instructions. This sets up a directory +with encrypted data in `~/.Private`, which you mount with +[ecryptfs-mount-private][]. Mounting exposes the decrypted filesystem +under `~/Private`, which you should use for all of your secret stuff. +If you don't like the `~/Private` path, you can tweak +`~/.ecryptfs/Private.mnt` as you see fit. + + $ ecryptfs-setup-private --noautomount + $ ecryptfs-mount-private + $ mkdir ~/Private/my-secret-stuff + +To encrypt stuff that is bound to a specific path (e.g. `~/.mozilla`), +you can move the source into `~/Private` and add symlinks from the +canonical location to the encrypted location: + + $ mv ~/.mozilla ~/Private/mozilla + $ ln -s ~/Private/mozilla ~/.mozilla + +Encrypting arbitrary directories +================================ + +You can also encrypt arbitrary directories using +[mount][mount.ecryptfs]. This is useful if you have private +information in a [[PostgreSQL]] database. 
+ + # /etc/init.d/postgresql-9.2 stop + # mv /var/lib/postgresql{,-plain} + # mkdir /var/lib/{.,}postgresql + # chown postgres:postgres /var/lib/{.,}postgresql + # mount -t ecryptfs /var/lib/{.,}postgresql + Passphrase: + Select cipher: + … + Would you like to proceed with the mount (yes/no)? : yes + Would you like to append sig [REDACTED] to + [/root/.ecryptfs/sig-cache.txt] + in order to avoid this warning in the future (yes/no)? : yes + Successfully appended new sig to user sig cache file + Mounted eCryptfs + # mv /var/lib/postgresql{-plain/*,/} + # rmdir /var/lib/postgresql-plain + # /etc/init.d/postgresql-9.2 start + +You can also specify mount options explicitly instead of entering them +interactively. To figure out the proper incantation, look at the +`mtab` entry after an interactive mount: + + $ grep postgresql /etc/mtab + /var/lib/.postgresql /var/lib/postgresql ecryptfs rw,ecryptfs_sig=REDACTED,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_fnek_sig=REDACTED,ecryptfs_unlink_sigs 0 0 + +You should also look over the mount helper options in +[ecryptfs(7)][ecryptfs.7]. Then run future mounts with: + + # mount -t ecryptfs -o rw,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_enable_filename_crypto=y,ecryptfs_passthrough=n,ecryptfs_sig=REDACTED,ecryptfs_fnek_sig=REDACTED,ecryptfs_unlink_sigs /var/lib/{.,}postgresql + +You can also add a line like: + + /var/lib/.postgresql /var/lib/postgresql ecryptfs rw,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_enable_filename_crypto=y,ecryptfs_passthrough=n,ecryptfs_sig=REDACTED,ecryptfs_fnek_sig=REDACTED,ecryptfs_unlink_sigs,key=passphrase:passphrase_passwd_file=/home/wking/Private/ecryptfs/postgresql,noauto 0 0 + +to your `/etc/fstab`. With a passphrase file containing: + + passphrase_passwd=[passphrase] + +Add the `user` option to allow non-root mounts (see “The non-superuser +mounts” section in [mount(8)][mount]). 
Once you've setup your +`fstab`, you can mount the directory more intuitively with: + + # mount /var/lib/postgresql + +[eCryptfs]: http://ecryptfs.org/ +[suid]: http://comments.gmane.org/gmane.comp.file-systems.ecryptfs.general/131 +[ecryptfs-setup-private]: http://manpages.ubuntu.com/manpages/raring/en/man1/ecryptfs-setup-private.1.html +[PAM]: http://manpages.ubuntu.com/manpages/raring/en/man8/pam_ecryptfs.8.html +[ecryptfs-mount-private]: http://manpages.ubuntu.com/manpages/raring/en/man1/ecryptfs-mount-private.1.html +[mount.ecryptfs]: http://manpages.ubuntu.com/manpages/raring/en/man8/mount.ecryptfs.8.html +[ecryptfs.7]: http://manpages.ubuntu.com/manpages/raring/en/man7/ecryptfs.7.html +[mount]: http://man7.org/linux/man-pages/man8/mount.8.html + +[[!tag tags/linux]] +[[!tag tags/tools]] -- 2.26.2
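Review bot: the `/etc/fstab` line keeps the mount passphrase in cleartext at `/home/wking/Private/ecryptfs/postgresql`, but the hunk never says how that file must be protected or that it only exists while `~/Private` is mounted. Suggest adding, right after the `passphrase_passwd=[passphrase]` snippet, that the file should be owned by the mounting user and set to `chmod 0600`, and a sentence noting that `mount /var/lib/postgresql` will fail until `ecryptfs-mount-private` has run, which is the real reason `noauto` belongs on that entry. A smaller point in the migration block: `mv /var/lib/postgresql{-plain/*,/}` crosses a filesystem boundary, so it copies the data into the eCryptfs mount and unlinks the originals; the plaintext blocks of `/var/lib/postgresql-plain` stay on the underlying disk until overwritten, so readers should not take the `mv` plus `rmdir` as removing the cleartext copy.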