ECryptfs

From Segfault

Installation

The following kernel options should be enabled for eCryptfs to work:

CONFIG_KEYS=y                  # Security options -> Enable access key retention support
CONFIG_ECRYPT_FS=m             # File systems -> Miscellaneous filesystems -> eCrypt filesystem

Userspace needs the ecryptfs-utils package installed.

Usage

Create a directory where the encrypted content should reside:

$ mkdir -m0700 /mnt/encrypted

Create a directory that will serve as the mount point for the decrypted view, then mount eCryptfs onto it:

$ mkdir -m0700 /mnt/movies

$ mount -t ecryptfs /mnt/encrypted /mnt/movies
Error initializing key module [/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]
Passphrase: 

Select cipher: 
1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: 

Select key bytes: 
1) 16
2) 32
3) 24
Selection [16]: 

Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [6860c372da7bc418]: 
Attempting to mount with the following options:
 ecryptfs_unlink_sigs
 ecryptfs_fnek_sig=6860c372da7bc418
 ecryptfs_key_bytes=16
 ecryptfs_cipher=aes
 ecryptfs_sig=6860c372da7bc418
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key before.
This could mean that you have typed your passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [6860c372da7bc418] to [/root/.ecryptfs/sig-cache.txt] 
in order to avoid this warning in the future (yes/no)? : yes

Successfully appended new sig to user sig cache file
Mounted eCryptfs

$ mount | tail -1
/mnt/encrypted on /mnt/movies type ecryptfs \
     (rw,ecryptfs_sig=6860c372da7bc418,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,\
    ecryptfs_fnek_sig=6860c372da7bc418,ecryptfs_unlink_sigs)
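The mount line above is worth checking on any host that relies on eCryptfs, since a mount with filename encryption turned off or a short key is easy to miss. The shell function below is an added example (not part of the original page) that audits one line of mount output against the settings this page uses: aes, at least 16 key bytes, and ecryptfs_fnek_sig present. The sample mount lines are constructed (the first reproduces the page's /mnt/movies mount on a single line, the second is a deliberately weak variant), and the helper name audit_live_mounts is ours.

```shell
#!/bin/sh
# Added example, not code from the original page: audit eCryptfs mount options.

check_ecryptfs_mount_line() {
    # $1: one line of `mount` output. Returns 0 if the mount meets the policy
    # (aes, >= 16 key bytes, filename encryption on), 1 otherwise; reasons go to stderr.
    line=$1
    case "$line" in
        *" type ecryptfs "*) ;;
        *) echo "not an ecryptfs mount: $line" >&2; return 1 ;;
    esac
    # The option list is the comma-separated text between the parentheses.
    opts=${line#*\(}
    opts=${opts%\)*}
    cipher=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^ecryptfs_cipher=//p')
    keybytes=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^ecryptfs_key_bytes=//p')
    fnek=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^ecryptfs_fnek_sig=//p')
    rc=0
    [ "$cipher" = aes ] || { echo "cipher is '$cipher', expected aes" >&2; rc=1; }
    [ -n "$keybytes" ] && [ "$keybytes" -ge 16 ] 2>/dev/null \
        || { echo "key bytes '$keybytes' below 16" >&2; rc=1; }
    [ -n "$fnek" ] || { echo "filename encryption (ecryptfs_fnek_sig) not enabled" >&2; rc=1; }
    return $rc
}

# Constructed sample lines: the page's mount joined onto one line, and a weak variant
# (blowfish, no filename encryption).
GOOD_MOUNT='/mnt/encrypted on /mnt/movies type ecryptfs (rw,ecryptfs_sig=6860c372da7bc418,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_fnek_sig=6860c372da7bc418,ecryptfs_unlink_sigs)'
WEAK_MOUNT='/mnt/encrypted on /mnt/movies type ecryptfs (rw,ecryptfs_sig=6860c372da7bc418,ecryptfs_cipher=blowfish,ecryptfs_key_bytes=16)'

# Audit every eCryptfs mount currently active on this host (our helper name).
audit_live_mounts() {
    mount | grep ' type ecryptfs ' | while IFS= read -r l; do
        if check_ecryptfs_mount_line "$l"; then echo "OK:   $l"; else echo "WEAK: $l"; fi
    done
}

check_ecryptfs_mount_line "$GOOD_MOUNT" && echo "sample mount passes"
check_ecryptfs_mount_line "$WEAK_MOUNT" || echo "weak sample rejected, as expected"
```

Run audit_live_mounts on a host to list each eCryptfs mount with a verdict; the per-line function can also be fed saved mount output from an inventory.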

Now we can use the filesystem:

$ echo hello > /mnt/movies/foo
$ echo world > /mnt/encrypted/bar

$ ls -l /mnt/movies /mnt/encrypted
/mnt/movies:
-rw------- 0 root root 0 Dec 10 18:07 bar
-rw------- 1 root root 6 Dec 10 18:01 foo

/mnt/encrypted:
-rw------- 1 root root     6 Dec 10 18:06 bar
-rw------- 1 root root 12288 Dec 10 18:01 ECRYPTFS_FNEK_ENCRYPTED.FWZcMABmqbj24-[...]

Note: we wrote bar directly into the lower directory /mnt/encrypted (the eCryptfs container). That is not how the filesystem is meant to be used; it was done only to show what happens: bar shows up in the decrypted view /mnt/movies, but it cannot be read from there, because the lower file is not in eCryptfs format:

$ cat /mnt/movies/bar 
Either the lower file is not in a valid eCryptfs format, or the key could not be retrieved. \
Plaintext passthrough mode is not enabled; returning -EIO
cat: /mnt/movies/bar: Input/output error

eCryptfs home directory

While support for encrypted home directories has been added to adduser-3.110ubuntu2 (2009) already, other distributions may not have done so yet. Also, one might decide only later to encrypt her $HOME, so let's make that our use case now: encrypt an already existing user home directory with eCryptfs.

ecryptfs-migrate-home

Note: ecryptfs-migrate-home has some hardcoded defaults[1] which cannot be easily changed. An alternative is to set up an encrypted home directory manually.[2]

root$ apt-get install ecryptfs-utils rsync        # without rsync: "ERROR:  Please install the rsync package"
root$ modprobe ecryptfs                           # without the module: "ERROR:  Cannot get ecryptfs version, ecryptfs kernel module not loaded?"

root$ ecryptfs-migrate-home -u dummy
INFO:  Checking disk space, this may take a few moments.  Please be patient.
INFO:  Checking for open files in /home/dummy
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
Done configuring.
INFO:  Encrypted home has been set up, encrypting files now...this may take a while.

========================================================================
Some Important Notes!

 1. The file encryption appears to have completed successfully, however,
    dummy MUST LOGIN IMMEDIATELY, _BEFORE_THE_NEXT_REBOOT_,
    TO COMPLETE THE MIGRATION!!!

 2. If dummy can log in and read and write their files, then the migration is complete,
    and you should remove /home/dummy.dxFC9IMD.
    Otherwise, restore /home/dummy.dxFC9IMD back to /home/dummy.

 3. dummy should also run 'ecryptfs-unwrap-passphrase' and record
    their randomly generated mount passphrase as soon as possible.

 4. To ensure the integrity of all encrypted data on this system, you
    should also encrypted swap space with 'ecryptfs-setup-swap'.
========================================================================

After this, our $HOME is mounted like this:

 /home/.ecryptfs/dummy/.Private on /home/dummy type ecryptfs \
         (rw,ecryptfs_sig=eb93d01e073c3057,\
        ecryptfs_fnek_sig=6898b9d7559b5ec2,\
          ecryptfs_cipher=aes,\
       ecryptfs_key_bytes=16)

We should heed the advice above and log in immediately:

root$ login dummy
Password: 
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'

This did not go well. If the machine is busy, the mount may have run into a timeout. Let's wait until the machine calms down and try again:

root$ login dummy
Password:

dummy$ df -h .
Filesystem            Size  Used Avail Use% Mounted on
/home/dummy/.Private  5.5G  4.5G  809M  85% /home/dummy

Our auth.log should record something like this:

Dec 10 01:00:29 alice login[21819]: pam_sm_authenticate: Called
Dec 10 01:00:29 alice login[21819]: pam_sm_authenticate: username = [dummy]
Dec 10 01:00:34 alice login[21831]: Passphrase file wrapped
Dec 10 01:00:50 alice login[21819]: pam_unix(login:session): session opened for user dummy by root(uid=0)
Dec 10 01:02:23 alice login[21819]: pam_unix(login:session): session closed for user dummy

Note the delay between "Passphrase file wrapped" and "session opened": it takes a while to set up the encrypted directory.

We should also follow the third piece of advice: unwrap ("decrypt") the mount passphrase and store it somewhere safe:

dummy$ ecryptfs-unwrap-passphrase
Passphrase: 
68db7ab2da772614b220dff4d1fc8434

After logging out and in again (and making sure everything works as expected) we can remove the backup that was created by ecryptfs-migrate-home:

dummy$ rm -rf /home/dummy.dxFC9IMD

Encrypted swap should already be in place, so we omit this step here.

If we don't want our $HOME to be unmounted every time we log out:

rm ~/.ecryptfs/auto-umount

PAM

To mount the encrypted $HOME directory upon login, the PAM configuration should look something like this:

 account  required  pam_unix.so
 
 auth     required  pam_unix.so nullok_secure audit
 auth     optional  pam_ecryptfs.so unwrap
 
 password required  pam_unix.so obscure sha512
 password optional  pam_ecryptfs.so
 
 session  required  pam_unix.so 
 session  optional  pam_ecryptfs.so unwrap

  • Make sure /home/<USER>/.ecryptfs/auto-mount is in place and /home/<USER>/.ecryptfs is owned by the user.
  • ecryptfs-utils needs to be built with pam and suid support - this should be the case for most distributions.
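As an added check (not from the original page), the script below reads a PAM service file and verifies the structure the snippet above relies on: in the auth stack pam_ecryptfs.so must follow pam_unix.so, since it reuses the password pam_unix.so has just collected, and should carry the unwrap option; pam_ecryptfs.so must be present in the password stack (so that it can act on a password change, see Password change below) and in the session stack (so the home directory is mounted at login). It also reports, without failing, whether the "session optional pam_keyinit.so force revoke" line mentioned under Bugs is present. The two PAM files are constructed samples written to temporary files, and the function name check_pam_ecryptfs is ours.

```shell
#!/bin/sh
# Added example, not code from the original page: sanity-check a PAM service
# file for the pam_ecryptfs.so entries an encrypted home directory needs.

check_pam_ecryptfs() {
    # $1: path to a PAM service file (on a real host e.g. /etc/pam.d/login).
    # Returns 0 if the ecryptfs-related entries are present and ordered, 1 otherwise.
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    awk '
        /^[[:space:]]*#/ || NF < 3 { next }     # skip comments, blanks, @include lines
        {
            type = $1; module = $3; n++
            if (type == "auth"     && module == "pam_unix.so")     auth_unix = n
            if (type == "auth"     && module == "pam_ecryptfs.so") { auth_ecr = n; if ($0 ~ /unwrap/) auth_unwrap = 1 }
            if (type == "password" && module == "pam_ecryptfs.so") pw_ecr = n
            if (type == "session"  && module == "pam_ecryptfs.so") sess_ecr = n
            if (type == "session"  && module == "pam_keyinit.so" && $0 ~ /force/ && $0 ~ /revoke/) keyinit = n
        }
        END {
            rc = 0
            if (!auth_unix) { print "auth: pam_unix.so missing"; rc = 1 }
            if (!auth_ecr)  { print "auth: pam_ecryptfs.so missing"; rc = 1 }
            else if (auth_unix && auth_ecr < auth_unix) {
                print "auth: pam_ecryptfs.so must come after pam_unix.so (it reuses the collected password)"; rc = 1
            }
            if (auth_ecr && !auth_unwrap) { print "auth: pam_ecryptfs.so lacks the unwrap option"; rc = 1 }
            if (!pw_ecr)   { print "password: pam_ecryptfs.so missing (password changes would bypass eCryptfs)"; rc = 1 }
            if (!sess_ecr) { print "session: pam_ecryptfs.so missing (home would not be mounted at login)"; rc = 1 }
            if (!keyinit)  print "note: no \"session optional pam_keyinit.so force revoke\" line (see Bugs)"
            exit rc
        }' "$1"
}

# Constructed samples: one matching the page's snippet (plus the keyinit line),
# one with pam_ecryptfs.so ahead of pam_unix.so and no password-stage entry.
GOOD_PAM=$(mktemp); BAD_PAM=$(mktemp)
trap 'rm -f "$GOOD_PAM" "$BAD_PAM"' EXIT
cat > "$GOOD_PAM" <<'EOF'
account  required  pam_unix.so

auth     required  pam_unix.so nullok_secure audit
auth     optional  pam_ecryptfs.so unwrap

password required  pam_unix.so obscure sha512
password optional  pam_ecryptfs.so

session  optional  pam_keyinit.so force revoke
session  required  pam_unix.so
session  optional  pam_ecryptfs.so unwrap
EOF
cat > "$BAD_PAM" <<'EOF'
# broken ordering and missing password hook
account  required  pam_unix.so
auth     optional  pam_ecryptfs.so unwrap
auth     required  pam_unix.so nullok_secure audit
password required  pam_unix.so obscure sha512
session  required  pam_unix.so
session  optional  pam_ecryptfs.so unwrap
EOF

check_pam_ecryptfs "$GOOD_PAM" && echo "good sample: OK"
check_pam_ecryptfs "$BAD_PAM"  || echo "bad sample: rejected, as expected"
```

On a Debian-style system the entries are spread over common-auth, common-password and common-session; concatenate the files the service includes (or run the check on each) rather than relying on a single file.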

Password change

Be careful with password changes: if necessary, the user must change her password herself, so that pam_ecryptfs.so has a chance to update the user's keyring. As root does NOT have access to the user's eCryptfs passphrase, she can only set the system password, i.e. the password pam_unix.so is dealing with.

SSH: authorized_keys

Since the user's ~/.ssh/authorized_keys is still encrypted until the user has logged in, public key authentication will not work. The server's sshd_config has to be modified so that this will work again, e.g.:

 AuthorizedKeysFile /etc/ssh/authorized_keys.%u

Each user's authorized_keys file has to be put into /etc/ssh/. That is, the authorized_keys file for user "alice" would be found in /etc/ssh/authorized_keys.alice.

NOTE: Since sshd will NOT receive any passwords (because it's operating with keys), eCryptfs will NOT be able to unlock any home directories. One must use ecryptfs-mount-private after logging in to unlock and mount one's home directory. See also: ecryptfs & ssh authentication
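The relocation described above is easy to get subtly wrong: the copy has to happen while the home directory is mounted, and the new file must have permissions sshd's StrictModes accepts (owned by root, neither file nor directory group/world writable). The script below is an added example, not code from the original page or from ecryptfs-utils: relocate_authorized_keys copies a user's key file to DEST_DIR/authorized_keys.USER, and authorized_keys_file_ok checks the result the way sshd would. The user, home and key lines are constructed samples in a temporary directory so it runs without root; on a real host DEST_DIR is /etc/ssh and the function names are ours.

```shell
#!/bin/sh
# Added example, not code from the original page: move authorized_keys out of an
# encrypted home directory into the location AuthorizedKeysFile /etc/ssh/authorized_keys.%u expects.

relocate_authorized_keys() {
    # usage: relocate_authorized_keys USER HOME_DIR DEST_DIR
    user=$1; home=$2; dest_dir=$3
    src="$home/.ssh/authorized_keys"
    dst="$dest_dir/authorized_keys.$user"
    if [ ! -f "$src" ]; then
        echo "$src not found: mount the home directory first (ecryptfs-mount-private)" >&2
        return 1
    fi
    # install(1) copies the file and sets the mode in one step; ownership is
    # changed to root only when we actually run as root.
    install -m 0644 "$src" "$dst" || return 1
    [ "$(id -u)" -eq 0 ] && chown root:root "$dst"
    return 0
}

authorized_keys_file_ok() {
    # usage: authorized_keys_file_ok USER DEST_DIR  -> 0 if sshd would accept the file
    f="$2/authorized_keys.$1"
    [ -f "$f" ] || { echo "$f missing" >&2; return 1; }
    # StrictModes: neither the key file nor its directory may be group/world writable.
    for p in "$f" "$2"; do
        if find "$p" -prune \( -perm -020 -o -perm -002 \) | grep -q .; then
            echo "$p is group/world writable; sshd StrictModes will reject it" >&2
            return 1
        fi
    done
    grep -qE '(^|[[:space:]])(ssh-|ecdsa-|sk-)' "$f" || { echo "$f contains no keys" >&2; return 1; }
    return 0
}

count_keys() {
    # number of non-comment, non-empty lines in USER's relocated key file
    grep -cvE '^[[:space:]]*(#|$)' "$2/authorized_keys.$1"
}

# Constructed demo layout (stands in for /home/alice and /etc/ssh).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/home/alice/.ssh" "$DEMO/etc/ssh"
chmod 700 "$DEMO/home/alice/.ssh"
chmod 755 "$DEMO/etc/ssh"
cat > "$DEMO/home/alice/.ssh/authorized_keys" <<'EOF'
# constructed sample entries; the key material below is a placeholder, not a real key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATAPLACEHOLDER alice@laptop
command="/usr/local/bin/backup-only",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATAPLACEHOLDER backup@laptop
EOF

relocate_authorized_keys alice "$DEMO/home/alice" "$DEMO/etc/ssh"
authorized_keys_file_ok alice "$DEMO/etc/ssh" && echo "alice: $(count_keys alice "$DEMO/etc/ssh") key(s) in place"
```

Lines carrying options such as command= or no-pty are copied unchanged, which is why the script does not try to filter the file by key type.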

Bugs

  • Debian #631319 - ecryptfs-insert-wrapped-passphrase-into-keyring: Error attempting to add filename encryption key to user session keyring; rc = [1]
  • LaunchPad #842647 - file blocks duplicated at the end of the file
  • LaunchPad #870326 - ecryptfs_writepage: Error
  • LaunchPad #888360 - Error initializing key module [/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]
  • LaunchPad #1203254 - ecryptfs_decrypt_page: Error attempting to read lower page
  • LaunchPad #1377924 - ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING) / Debian #870126 - ecryptfs-mount-private: mount: No such file or directory. The fix was to add "session optional pam_keyinit.so force revoke" to the PAM configuration.
  • LaunchPad #1718658 - ecryptfs-mount-private fails to initialize ecryptfs keys. Workaround: run ecryptfs-manager and unlock the key, then ecryptfs-mount-private should work.

Links

References