posts:ecryptfs: Add a post on eCryptfs usage
author W. Trevor King <wking@tremily.us>
Mon, 28 Oct 2013 23:36:15 +0000 (16:36 -0700)
committer W. Trevor King <wking@tremily.us>
Mon, 28 Oct 2013 23:43:47 +0000 (16:43 -0700)
Covering both ~/Private and arbitrary directories.

posts/eCryptfs.mdwn [new file with mode: 0644]

diff --git a/posts/eCryptfs.mdwn b/posts/eCryptfs.mdwn
new file mode 100644 (file)
index 0000000..3a8f70b
--- /dev/null
@@ -0,0 +1,97 @@
+[eCryptfs][] is an encrypted filesystem for Linux.  You'll need to
+have a kernel with the `ECRYPT_FS` module configured to use eCryptfs.
+Once you have the kernel setup, install the userspace tools
+(`sys-fs/ecryptfs-utils` on [[Gentoo]], where you may want to enable
+the `suid` `USE` flag to [allow non-root users to mount their private
+directories][suid]).
+
+    $ zcat /proc/config.gz | grep ECRYPT_FS
+    CONFIG_ECRYPT_FS=m
+    # echo 'sys-fs/ecryptfs-utils suid' >> /etc/portage/package.use/ecryptfs
+    # echo 'sys-fs/ecryptfs-utils ~amd64' >> /etc/portage/package.accept_keywords/ecryptfs
+    # emerge -av sys-fs/ecryptfs-utils
+    # modprobe ecryptfs
+
+eCryptfs is usually used to maintain encrypted home directories, which
+you can setup with [ecryptfs-setup-private][].  I used `--noautomount`
+because I'm not using the [PAM module][PAM] for automounting.  Other
+than that, just follow the instructions.  This sets up a directory
+with encrypted data in `~/.Private`, which you mount with
+[ecryptfs-mount-private][].  Mounting exposes the decrypted filesystem
+under `~/Private`, which you should use for all of your secret stuff.
+If you don't like the `~/Private` path, you can tweak
+`~/.ecryptfs/Private.mnt` as you see fit.
+
+    $ ecryptfs-setup-private --noautomount
+    $ ecryptfs-mount-private
+    $ mkdir ~/Private/my-secret-stuff
+
+To encrypt stuff that is bound to a specific path (e.g. `~/.mozilla`),
+you can move the source into `~/Private` and add symlinks from the
+canonical location to the encrypted location:
+
+    $ mv ~/.mozilla ~/Private/mozilla
+    $ ln -s ~/Private/mozilla ~/.mozilla
+
+Encrypting arbitrary directories
+================================
+
+You can also encrypt arbitrary directories using
+[mount][mount.ecryptfs].  This is useful if you have private
+information in a [[PostgreSQL]] database.
+
+    # /etc/init.d/postgresql-9.2 stop
+    # mv /var/lib/postgresql{,-plain}
+    # mkdir /var/lib/{.,}postgresql
+    # chown postgres:postgres /var/lib/{.,}postgresql
+    # mount -t ecryptfs /var/lib/{.,}postgresql
+    Passphrase: 
+    Select cipher: 
+    …
+    Would you like to proceed with the mount (yes/no)? : yes
+    Would you like to append sig [REDACTED] to
+    [/root/.ecryptfs/sig-cache.txt] 
+    in order to avoid this warning in the future (yes/no)? : yes
+    Successfully appended new sig to user sig cache file
+    Mounted eCryptfs
+    # mv /var/lib/postgresql{-plain/*,/}
+    # rmdir /var/lib/postgresql-plain
+    # /etc/init.d/postgresql-9.2 start
+
+You can also specify mount options explicitly instead of entering them
+interactively.  To figure out the proper incantation, look at the
+`mtab` entry after an interactive mount:
+
+    $ grep postgresql /etc/mtab
+    /var/lib/.postgresql /var/lib/postgresql ecryptfs rw,ecryptfs_sig=REDACTED,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_fnek_sig=REDACTED,ecryptfs_unlink_sigs 0 0
+
+You should also look over the mount helper options in
+[ecryptfs(7)][ecryptfs.7].  Then run future mounts with:
+
+    # mount -t ecryptfs -o rw,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_enable_filename_crypto=y,ecryptfs_passthrough=n,ecryptfs_sig=REDACTED,ecryptfs_fnek_sig=REDACTED,ecryptfs_unlink_sigs /var/lib/{.,}postgresql
+
+You can also add a line like:
+
+    /var/lib/.postgresql /var/lib/postgresql ecryptfs rw,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_enable_filename_crypto=y,ecryptfs_passthrough=n,ecryptfs_sig=REDACTED,ecryptfs_fnek_sig=REDACTED,ecryptfs_unlink_sigs,key=passphrase:passphrase_passwd_file=/home/wking/Private/ecryptfs/postgresql,noauto 0 0
+
+to your `/etc/fstab`.  With a passphrase file containing:
+
+    passphrase_passwd=[passphrase]
+
+Add the `user` option to allow non-root mounts (see “The non-superuser
+mounts” section in [mount(8)][mount]).  Once you've setup your
+`fstab`, you can mount the directory more intuitively with:
+
+    # mount /var/lib/postgresql
+
+[eCryptfs]: http://ecryptfs.org/
+[suid]: http://comments.gmane.org/gmane.comp.file-systems.ecryptfs.general/131
+[ecryptfs-setup-private]: http://manpages.ubuntu.com/manpages/raring/en/man1/ecryptfs-setup-private.1.html
+[PAM]: http://manpages.ubuntu.com/manpages/raring/en/man8/pam_ecryptfs.8.html
+[ecryptfs-mount-private]: http://manpages.ubuntu.com/manpages/raring/en/man1/ecryptfs-mount-private.1.html
+[mount.ecryptfs]: http://manpages.ubuntu.com/manpages/raring/en/man8/mount.ecryptfs.8.html
+[ecryptfs.7]: http://manpages.ubuntu.com/manpages/raring/en/man7/ecryptfs.7.html
+[mount]: http://man7.org/linux/man-pages/man8/mount.8.html
+
+[[!tag tags/linux]]
+[[!tag tags/tools]]
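Review bot: the migration step `mv /var/lib/postgresql{-plain/*,/}` followed by `rmdir /var/lib/postgresql-plain` unlinks the cleartext copies but does not overwrite them: moving into an eCryptfs mount is a cross-filesystem copy-then-unlink, so the old plaintext blocks stay recoverable from free space on the filesystem holding `/var/lib` until they happen to be reused. The post should say that this protects data going forward only, or suggest wiping the originals (for example `find /var/lib/postgresql-plain -type f -exec shred -u {} +`) before the `rmdir`. Two smaller points in the same region: the `*` glob does not match dot-prefixed entries, so any such files in the cluster directory would be left behind (the `rmdir` would then fail, which at least makes the omission visible), and the `/etc/fstab` line stores the mount passphrase in cleartext at `/home/wking/Private/ecryptfs/postgresql`; the text should state that this file must be readable only by its owner (mode 0600) and that, because it lives under `~/Private`, the PostgreSQL mount depends on `~/Private` being mounted first, which is why `noauto` is needed there.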