ECryptfs
Installation
The following kernel options should be enabled for eCryptfs to work:
CONFIG_KEYS=y # Security options → Enable access key retention support
CONFIG_ECRYPT_FS=m # File systems → Miscellaneous filesystems → eCrypt filesystem
Userspace needs the ecryptfs-utils package installed.
Usage
Create a directory where the encrypted content should reside:
$ mkdir -m0700 /mnt/encrypted
Create a directory for the eCryptfs container; mount it:
$ mkdir -m0700 /mnt/movies
$ mount -t ecryptfs /mnt/encrypted /mnt/movies
Error initializing key module [/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]
Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [6860c372da7bc418]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=6860c372da7bc418
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=6860c372da7bc418
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [6860c372da7bc418] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
$ mount | tail -1
/mnt/encrypted on /mnt/movies type ecryptfs \
 (rw,ecryptfs_sig=6860c372da7bc418,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,\
 ecryptfs_fnek_sig=6860c372da7bc418,ecryptfs_unlink_sigs)
Now we can use the filesystem:
$ echo hello > /mnt/movies/foo
$ echo world > /mnt/encrypted/bar
$ ls -l /mnt/movies /mnt/encrypted
/mnt/movies:
-rw------- 0 root root 0 Dec 10 18:07 bar
-rw------- 1 root root 6 Dec 10 18:01 foo
/mnt/encrypted:
-rw------- 1 root root 6 Dec 10 18:06 bar
-rw------- 1 root root 12288 Dec 10 18:01 ECRYPTFS_FNEK_ENCRYPTED.FWZcMABmqbj24-[...]
Note: we wrote bar directly into the eCryptfs container. This is not how the container is meant to be used and was only done to demonstrate what happens: the file bar shows up in our decrypted /mnt/movies, but it cannot be read:
$ cat /mnt/movies/bar
Either the lower file is not in a valid eCryptfs format, or the key could not be retrieved. \
 Plaintext passthrough mode is not enabled; returning -EIO
cat: /mnt/movies/bar: Input/output error
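A check for the situation shown above, as an added example that is not part of the original page: it lists files in the lower directory that were not written through the mount and therefore lack the eCryptfs header marker. The marker layout is an assumption taken from the Linux kernel's eCryptfs source; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find files in an eCryptfs lower directory that were not
# written through the mount (no valid eCryptfs header marker).
# Assumption: header layout as in the Linux kernel's fs/ecryptfs -- bytes 0-7
# hold the file size, bytes 8-15 hold m1 and m2 with m2 == m1 XOR 0x3c81b7f5.
ECRYPTFS_MAGIC=$((0x3c81b7f5))

# has_ecryptfs_marker FILE: exit status 0 if FILE carries a valid marker.
has_ecryptfs_marker() {
    hex=$(od -An -tx1 -j8 -N8 "$1" 2>/dev/null | tr -d ' \n')
    [ "${#hex}" -eq 16 ] || return 1      # too short to hold a header
    m1=$((0x${hex%????????}))             # first four bytes, big-endian
    m2=$((0x${hex#????????}))             # last four bytes, big-endian
    [ $((m1 ^ ECRYPTFS_MAGIC)) -eq "$m2" ]
}

# audit_lower_dir DIR: print, relative to DIR, every regular file without it.
audit_lower_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        has_ecryptfs_marker "$f" || printf '%s\n' "${f#"$1"/}"
    done
}

# make_demo_lower DIR: constructed sample files mirroring the listing above.
make_demo_lower() {
    # "bar": plaintext written straight into the lower directory.
    echo world > "$1/bar"
    # Constructed header: size field, then m1=0x11223344, m2=m1^magic=0x2da384b1.
    printf '\000\000\000\000\000\000\000\006\021\042\063\104\055\243\204\261' \
        > "$1/ECRYPTFS_FNEK_ENCRYPTED.constructed-sample"
}

demo=$(mktemp -d)
make_demo_lower "$demo"
audit_lower_dir "$demo"      # reports only: bar
rm -rf "$demo"
```

Run against a real lower directory (here /mnt/encrypted), any name it prints is a file stored unencrypted inside the container.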
eCryptfs home directory
While support for encrypted home directories was already added to adduser-3.110ubuntu2 (2009), other distributions may not have done so yet. Also, one might decide only later to encrypt her $HOME, so let's make this our use case: encrypting an already existing user home directory with eCryptfs.
ecryptfs-migrate-home
Note: ecryptfs-migrate-home has some hardcoded defaults[1] which cannot be easily changed. An alternative is to set up an encrypted home directory manually.[2]
root$ apt-get install ecryptfs-utils rsync # ERROR: Please install the rsync package
root$ modprobe ecryptfs # ERROR: Cannot get ecryptfs version, ecryptfs kernel module not loaded?
root$ ecryptfs-migrate-home -u dummy
INFO: Checking disk space, this may take a few moments. Please be patient.
INFO: Checking for open files in /home/dummy
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
Done configuring.
INFO: Encrypted home has been set up, encrypting files now...this may take a while.
========================================================================
Some Important Notes!
 1. The file encryption appears to have completed successfully, however,
    dummy MUST LOGIN IMMEDIATELY, _BEFORE_THE_NEXT_REBOOT_,
    TO COMPLETE THE MIGRATION!!!
 2. If dummy can log in and read and write their files, then the migration
    is complete, and you should remove /home/dummy.dxFC9IMD.
    Otherwise, restore /home/dummy.dxFC9IMD back to /home/dummy.
 3. dummy should also run 'ecryptfs-unwrap-passphrase' and record
    their randomly generated mount passphrase as soon as possible.
 4. To ensure the integrity of all encrypted data on this system, you
    should also encrypted swap space with 'ecryptfs-setup-swap'.
========================================================================
After this, our $HOME is mounted like this:
/home/.ecryptfs/dummy/.Private on /home/dummy type ecryptfs \
 (rw,ecryptfs_sig=eb93d01e073c3057,\
 ecryptfs_fnek_sig=6898b9d7559b5ec2,\
 ecryptfs_cipher=aes,\
 ecryptfs_key_bytes=16)
We should follow the advice above and log in immediately:
root$ login dummy
Password:
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'
Whoops? This did not go too well. If the machine is too busy, the login may have run into a timeout. Let's wait until the machine calms down and try again:
root$ login dummy
Password:
dummy$ df -h .
Filesystem Size Used Avail Use% Mounted on
/home/dummy/.Private 5.5G 4.5G 809M 85% /home/dummy
Our auth.log should record something like this:
Dec 10 01:00:29 alice login[21819]: pam_sm_authenticate: Called
Dec 10 01:00:29 alice login[21819]: pam_sm_authenticate: username = [dummy]
Dec 10 01:00:34 alice login[21831]: Passphrase file wrapped
Dec 10 01:00:50 alice login[21819]: pam_unix(login:session): session opened for user dummy by root(uid=0)
Dec 10 01:02:23 alice login[21819]: pam_unix(login:session): session closed for user dummy
Note the delay between "Passphrase file wrapped" and "session opened": it takes a while to set up the encrypted directory.
We should also follow the third piece of advice and unwrap ("decrypt") the mount passphrase and store it somewhere safe:
dummy$ ecryptfs-unwrap-passphrase
Passphrase:
68db7ab2da772614b220dff4d1fc8434
After logging out and in again (and making sure everything works as expected) we can remove the backup that was created by ecryptfs-migrate-home:
dummy$ rm -rf /home/dummy.dxFC9IMD
Encrypted swap should be already in place, so let's omit this step here.
If we don't want our $HOME to be unmounted every time we log out (the decrypted files then stay mounted after logout):
rm ~/.ecryptfs/auto-umount
PAM
To mount the encrypted $HOME directory upon login, the PAM configuration should look something like this:
account required pam_unix.so
auth required pam_unix.so nullok_secure audit
auth optional pam_ecryptfs.so unwrap
password required pam_unix.so obscure sha512
password optional pam_ecryptfs.so
session required pam_unix.so
session optional pam_ecryptfs.so unwrap
- Make sure /home/<USER>/.ecryptfs/auto-mount is in place and /home/<USER>/.ecryptfs is owned by the user.
- ecryptfs-utils needs to be built with pam and suid support - this should be the case for most distributions.
Password change
Be careful with password changes: if necessary, the user must change her password by herself, so that pam_ecryptfs.so has a chance to update the user's keyring. As root does NOT have access to the user's ecryptfs passphrase, she can only set the system password, i.e. the password pam_unix.so is dealing with.
SSH: authorized_keys
Since the user's ~/.ssh/authorized_keys is still encrypted until the user has logged in, public key authentication will not work. The server's sshd_config has to be modified so that this will work again, e.g.:
AuthorizedKeysFile /etc/ssh/authorized_keys.%u
Each user's authorized_keys file has to be placed in /etc/ssh/. That is, the authorized_keys file for user "alice" would be found in /etc/ssh/authorized_keys.alice.
NOTE: Since sshd will NOT receive any passwords (because it's operating with keys), eCryptfs will NOT be able to unlock any home directories. One must use ecryptfs-mount-private after logging in to unlock and mount one's home directory. See also: ecryptfs & ssh authentication
Bugs
- Debian #631319 - ecryptfs-insert-wrapped-passphrase-into-keyring: Error attempting to add filename encryption key to user session keyring; rc = [1]
- LaunchPad #842647 - file blocks duplicated at the end of the file
- LaunchPad #870326 - ecryptfs_writepage: Error
- LaunchPad #888360 - Error initializing key module [/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]
- LaunchPad #1203254 - ecryptfs_decrypt_page: Error attempting to read lower page
- LaunchPad #1377924 - ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING) / Debian #870126 - ecryptfs-mount-private: mount: No such file or directory. The fix was to add
session optional pam_keyinit.so force revoke
to the PAM configuration.
- LaunchPad #1718658 - ecryptfs-mount-private fails to initialize ecryptfs keys
  - Workaround: run ecryptfs-manager and unlock the key, then ecryptfs-mount-private should work.
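One way to check a PAM stack against both the PAM section and the pam_keyinit.so fix from LaunchPad #1377924, as an added example that is not part of the original page. The function names are hypothetical, and the sample input is the stack from the PAM section, which lacks the pam_keyinit.so line.

```shell
#!/bin/sh
# Added example: check a PAM stack for the eCryptfs entries this page lists.
# check_ecryptfs_pam FILE...: print one line per missing entry; exit 1 if any.
check_ecryptfs_pam() {
    awk '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        { type = $1; sub(/^-/, "", type) }     # "-session" is still a session line
        /pam_ecryptfs\.so/ {
            if (type == "auth"    && /[ \t]unwrap([ \t]|$)/) auth = 1
            if (type == "session" && /[ \t]unwrap([ \t]|$)/) sess = 1
            if (type == "password") pass = 1
        }
        type == "session" && /pam_keyinit\.so/ { keyinit = 1 }
        END {
            if (!auth)    { print "missing: auth pam_ecryptfs.so unwrap";    bad = 1 }
            if (!sess)    { print "missing: session pam_ecryptfs.so unwrap"; bad = 1 }
            if (!pass)    { print "missing: password pam_ecryptfs.so";       bad = 1 }
            if (!keyinit) { print "missing: session pam_keyinit.so";         bad = 1 }
            exit bad + 0
        }' "$@"
}

# write_sample_pam FILE: the stack from the PAM section, used as sample input.
write_sample_pam() {
    cat > "$1" <<'EOF'
account required pam_unix.so
auth required pam_unix.so nullok_secure audit
auth optional pam_ecryptfs.so unwrap
password required pam_unix.so obscure sha512
password optional pam_ecryptfs.so
session required pam_unix.so
session optional pam_ecryptfs.so unwrap
EOF
}

sample=$(mktemp)
write_sample_pam "$sample"
# Reports: missing: session pam_keyinit.so
check_ecryptfs_pam "$sample" || echo "-> add the pam_keyinit.so line"
echo 'session optional pam_keyinit.so force revoke' >> "$sample"
check_ecryptfs_pam "$sample" && echo "PAM stack complete"
rm -f "$sample"
```

On distributions that split the stack across several files, pass all of them as arguments so the entries are checked together.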
Links
- eCryptfs - Enterprise Cryptographic Filesystem for Linux
- Migrating to an Encrypted Home Directory
- A Long Overdue Introduction: ecryptfs-migrate-home
- Encrypt home directory with ecryptfs
- Ecryptfs:Mount on login
- System Encryption with eCryptfs
- Debian Reference: 9.4. Data encryption tips
- Encrypting you home directory with eCryptfs
- Howto configure encrypted home directories under Linux
- Migrate (encrypt) your home directory (post-install)
- Encrypting file systems using eCryptfs
- Automatically mounting LUKS encrypted partitions with pam_mount