1 [eCryptfs][] is an encrypted filesystem for Linux. You'll need to
2 have a kernel with the `ECRYPT_FS` module configured to use eCryptfs.
3 Once you have the kernel setup, install the userspace tools
4 (`sys-fs/ecryptfs-utils` on [[Gentoo]], where you may want to enable
5 the `suid` `USE` flag to [allow non-root users to mount their private
8 $ zcat /proc/config.gz | grep ECRYPT_FS
10 # echo 'sys-fs/ecryptfs-utils suid' >> /etc/portage/package.use/ecryptfs
11 # echo 'sys-fs/ecryptfs-utils ~amd64' >> /etc/portage/package.accept_keywords/ecryptfs
12 # emerge -av sys-fs/ecryptfs-utils
15 eCryptfs is usually used to maintain encrypted home directories, which
16 you can setup with [ecryptfs-setup-private][]. I used `--noautomount`
17 because I'm not using the [PAM module][PAM] for automounting. Other
18 than that, just follow the instructions. This sets up a directory
19 with encrypted data in `~/.Private`, which you mount with
20 [ecryptfs-mount-private][]. Mounting exposes the decrypted filesystem
21 under `~/Private`, which you should use for all of your secret stuff.
22 If you don't like the `~/Private` path, you can tweak
23 `~/.ecryptfs/Private.mnt` as you see fit.
25 $ ecryptfs-setup-private --noautomount
26 $ ecryptfs-mount-private
27 $ mkdir ~/Private/my-secret-stuff
29 To encrypt stuff that is bound to a specific path (e.g. `~/.mozilla`),
30 you can move the source into `~/Private` and add symlinks from the
31 canonical location to the encrypted location:
33 $ mv ~/.mozilla ~/Private/mozilla
34 $ ln -s ~/Private/mozilla ~/.mozilla
36 Encrypting arbitrary directories
37 ================================
39 You can also encrypt arbitrary directories using
40 [mount][mount.ecryptfs]. This is useful if you have private
41 information in a [[PostgreSQL]] database.
43 # /etc/init.d/postgresql-9.2 stop
44 # mv /var/lib/postgresql{,-plain}
45 # mkdir /var/lib/{.,}postgresql
46 # chown postgres:postgres /var/lib/{.,}postgresql
47 # mount -t ecryptfs /var/lib/{.,}postgresql
51 Would you like to proceed with the mount (yes/no)? : yes
52 Would you like to append sig [REDACTED] to
53 [/root/.ecryptfs/sig-cache.txt]
54 in order to avoid this warning in the future (yes/no)? : yes
55 Successfully appended new sig to user sig cache file
57 # mv /var/lib/postgresql{-plain/*,/}
58 # rmdir /var/lib/postgresql-plain
59 # /etc/init.d/postgresql-9.2 start
61 You can also specify mount options explicitly instead of entering them
62 interactively. To figure out the proper incantation, look at the
63 `mtab` entry after an interactive mount:
65 $ grep postgresql /etc/mtab
66 /var/lib/.postgresql /var/lib/postgresql ecryptfs rw,ecryptfs_sig=REDACTED,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_fnek_sig=REDACTED,ecryptfs_unlink_sigs 0 0
68 You should also look over the mount helper options in
69 [ecryptfs(7)][ecryptfs.7]. Then run future mounts with:
71 # mount -t ecryptfs -o rw,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_enable_filename_crypto=y,ecryptfs_passthrough=n,ecryptfs_sig=REDACTED,ecryptfs_fnek_sig=REDACTED,ecryptfs_unlink_sigs /var/lib/{.,}postgresql
73 You can also add a line like:
75 /var/lib/.postgresql /var/lib/postgresql ecryptfs rw,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_enable_filename_crypto=y,ecryptfs_passthrough=n,ecryptfs_sig=REDACTED,ecryptfs_fnek_sig=REDACTED,ecryptfs_unlink_sigs,key=passphrase:passphrase_passwd_file=/home/wking/Private/ecryptfs/postgresql,noauto 0 0
77 to your `/etc/fstab`. With a passphrase file containing:
79 passphrase_passwd=[passphrase]
81 Add the `user` option to allow non-root mounts (see “The non-superuser
82 mounts” section in [mount(8)][mount]). Once you've setup your
83 `fstab`, you can mount the directory more intuitively with:
85 # mount /var/lib/postgresql
87 [eCryptfs]: http://ecryptfs.org/
88 [suid]: http://comments.gmane.org/gmane.comp.file-systems.ecryptfs.general/131
89 [ecryptfs-setup-private]: http://manpages.ubuntu.com/manpages/raring/en/man1/ecryptfs-setup-private.1.html
90 [PAM]: http://manpages.ubuntu.com/manpages/raring/en/man8/pam_ecryptfs.8.html
91 [ecryptfs-mount-private]: http://manpages.ubuntu.com/manpages/raring/en/man1/ecryptfs-mount-private.1.html
92 [mount.ecryptfs]: http://manpages.ubuntu.com/manpages/raring/en/man8/mount.ecryptfs.8.html
93 [ecryptfs.7]: http://manpages.ubuntu.com/manpages/raring/en/man7/ecryptfs.7.html
94 [mount]: http://man7.org/linux/man-pages/man8/mount.8.html