Friday, November 9, 2012

Encrypt Directory in Linux

Encrypt Directory

This article describes basic usage of eCryptfs. It guides us through the process of creating a private and secure encrypted directory within our $HOME directory, where we can store all our sensitive files and private data.

eCryptfs differs from dm-crypt in where it sits in the stack: dm-crypt is a block-device encryption layer underneath the file system, whereas eCryptfs is itself a file system, a stacked cryptographic file system that encrypts file by file on top of an existing one.

Preliminary Note

In this article I will encrypt /home/mitesh/Private, which sits on the /home partition: it is an ordinary directory and does not need a partition of its own.

Installing eCryptfs

  • Install the eCryptfs user-space tools (the kernel side is part of mainline Linux):
    • Debian
      • $ sudo apt-get install ecryptfs-utils
    • Fedora
      • $ sudo yum install ecryptfs-utils

Setup

Setup (Simple)

As a user, run the following command:

$ ecryptfs-setup-private

and follow the instructions.

Setup (Detail)

  • First, create the two directories: the upper one (the mount point) and the lower one (where the ciphertext is stored).
    $ mkdir /home/mitesh/Private
    $ mkdir /home/mitesh/.Private
    $ chmod 700 /home/mitesh/.Private
    $ chmod 500 /home/mitesh/Private
    
  • To summarize:
    • The encrypted data is stored in ~/.Private (the lower directory).
    • While mounted, the decrypted view is available in ~/Private (the upper directory).
      • While not mounted, the mode 500 set above keeps ~/Private read-only, so nothing can be written there in the clear by mistake.
      • While mounted, it has the same permissions as the lower directory.
  • eCryptfs can now be mounted on top of ~/Private.
    $ sudo mount -t ecryptfs /home/mitesh/.Private /home/mitesh/Private
    Passphrase: <-- some_passphrase
    Select cipher:
     1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
     2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
     3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
     4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
     5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
     6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
    Selection [aes]: <-- ENTER
    Select key bytes:
     1) 16
     2) 32
     3) 24
    Selection [16]: <-- ENTER
    Enable plaintext passthrough (y/n) [n]: <-- ENTER
    Enable filename encryption (y/n) [n]: <-- ENTER
    Attempting to mount with the following options:
      ecryptfs_unlink_sigs
      ecryptfs_key_bytes=16
      ecryptfs_cipher=aes
      ecryptfs_sig=bd28c38da9fc938b
    WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
    it looks like you have never mounted with this key
    before. This could mean that you have typed your
    passphrase wrong.
    
    Would you like to proceed with the mount (yes/no)? : <-- yes
    Would you like to append sig [bd28c38da9fc938b] to
    [/root/.ecryptfs/sig-cache.txt]
    in order to avoid this warning in the future (yes/no)? : <-- yes
    Successfully appended new sig to user sig cache file
    Mounted eCryptfs 
    
  • The signature cache lives under /root/.ecryptfs because the mount was run with sudo. It stores only key signatures (used to suppress the warning above), not the key itself, so losing it costs you a warning, not your data. What cannot be recovered is the passphrase: without it the contents of ~/.Private are unreadable. Keep a copy of the cache anyway if /root may be reformatted:
    $ sudo cp -r /root/.ecryptfs /home/mitesh/
    
  • Verifying mounting of eCryptfs
    $ mount | grep -i private
    /home/mitesh/.Private on /home/mitesh/Private type ecryptfs (rw,relatime,ecryptfs_sig=e8d08163d274c68f,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
    
  • Verifying encryption (test.txt was written into ~/Private while it was mounted)
    $ cat ~/Private/test.txt
    Some secret text
    is present in this file.
    $ sudo umount /home/mitesh/Private
    $ cat ~/Private/test.txt
    cat: /home/mitesh/Private/test.txt: No such file or directory
    $ cat ~/.Private/test.txt
    -#@%!*^(junk characters)^*!%@#-
    
  • Mounting without interaction: the passphrase is read from a file, which should live on removable media such as a USB stick and be readable only by its owner (chmod 600). The sample password below is deliberately weak; it only shows the file format.
    $ sudo mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=/mnt/usb/.ecryptfs-pass,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n /home/mitesh/.Private /home/mitesh/Private
    $ cat /mnt/usb/.ecryptfs-pass
    passphrase_passwd=ThisIsAWeakPassword
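The non-interactive mount above, wrapped in a script that refuses an unsafe passphrase file and confirms afterwards that the upper directory really is an eCryptfs mount. This is an added example, not code from the original post or from the eCryptfs project; the paths (/home/mitesh/.Private, /home/mitesh/Private, /mnt/usb/.ecryptfs-pass) and the function names are assumptions, and the mount step itself needs root plus a signature already present in the sig cache (or the no_sig_cache mount option), otherwise mount.ecryptfs still asks its question.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper for the non-interactive
# eCryptfs mount. All paths are assumptions; adjust to your own layout.

# Refuse a passphrase file that is group/world readable, not owned by us, or
# not in the passphrase_passwd=... format mount.ecryptfs reads. (stat -c is GNU stat.)
check_passfile() {
    f=$1
    [ -f "$f" ] || { echo "no such passphrase file: $f" >&2; return 1; }
    [ -O "$f" ] || { echo "$f is not owned by the current user" >&2; return 1; }
    case "$(stat -c '%a' "$f")" in
        600|400) ;;
        *) echo "$f must be mode 600 or 400" >&2; return 1 ;;
    esac
    grep -q '^passphrase_passwd=.' "$f" || { echo "$f lacks a passphrase_passwd= line" >&2; return 1; }
}

# Build the option string used on the page. key_bytes 16/24/32 = AES-128/192/256.
# Filename encryption stays off to match the walkthrough; enabling it
# (ecryptfs_enable_filename_crypto=y) also needs an ecryptfs_fnek_sig value.
ecryptfs_mount_opts() {
    passfile=$1
    key_bytes=${2:-16}
    case "$key_bytes" in
        16|24|32) ;;
        *) echo "key bytes must be 16, 24 or 32, got $key_bytes" >&2; return 1 ;;
    esac
    printf 'key=passphrase:passphrase_passwd_file=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=%s,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n' \
        "$passfile" "$key_bytes"
}

# True when $1 is mounted with fstype ecryptfs. $2 lets a constructed mounts
# file stand in for /proc/mounts (same layout: dev mountpoint fstype opts ...).
is_ecryptfs_mounted() {
    mp=$1
    mounts=${2:-/proc/mounts}
    awk -v mp="$mp" '$2 == mp && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$mounts"
}

# After unmounting: true (exit 0) if the plaintext marker $2 appears anywhere
# under the lower directory $1, i.e. something was stored unencrypted.
plaintext_leaked() {
    grep -rqF -- "$2" "$1"
}

# Mount lower onto upper as on the page, with the checks above in front.
mount_private() {
    lower=$1; upper=$2; passfile=$3; key_bytes=${4:-16}
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
    [ -d "$lower" ] && [ -d "$upper" ] || { echo "both $lower and $upper must exist" >&2; return 1; }
    check_passfile "$passfile" || return 1
    opts=$(ecryptfs_mount_opts "$passfile" "$key_bytes") || return 1
    mount -t ecryptfs -o "$opts" "$lower" "$upper" || return 1
    is_ecryptfs_mounted "$upper" || { echo "$upper is not an ecryptfs mount after mount returned" >&2; return 1; }
    echo "mounted $lower on $upper"
}

# Usage: sudo sh mount-private.sh /home/mitesh/.Private /home/mitesh/Private /mnt/usb/.ecryptfs-pass [16|24|32]
if [ $# -ge 3 ]; then
    mount_private "$@"
fi
```

The checks (check_passfile, is_ecryptfs_mounted, plaintext_leaked) run without root and without the kernel module, which is why the mount only happens when three arguments are supplied. With filename encryption off, as on the page, files in ~/.Private have encrypted contents but their names are stored in the clear; that is usually the first setting to change.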
    

Encrypting Other Directory

  • Other directories can be encrypted by moving them into ~/Private and leaving a symbolic link at their old location:
    $ mv ~/Documents ~/Private
    $ ln -s ~/Private/Documents ~/Documents
    
  • After these two steps the contents of ~/Documents live in the encrypted directory. Two caveats: the link dangles while ~/Private is unmounted, and because the move crosses file systems, mv copies the files and then unlinks the originals, so the old plaintext blocks on /home remain recoverable until they are overwritten.

Unmount

$ sudo umount /home/mitesh/Private
