Encrypt Directory
This article describes basic usage of eCryptfs. It guides us through the process of creating a private and secure encrypted directory within our $HOME directory, where we can store all our sensitive files and private data.
In implementation eCryptfs differs from dm-crypt: dm-crypt provides a block device encryption layer, while eCryptfs is an actual file system, a stacked cryptographic file system to be exact, that sits on top of an existing directory.
Preliminary Note
In this wiki, I will encrypt the directory /home/mitesh/Private, which is located in the /home partition, i.e. /home/mitesh/Private is an ordinary directory and does not use a partition of its own.
Installing eCryptfs
eCryptfs can be installed as follows:
Debian
$ sudo apt-get install ecryptfs-utils
Fedora
$ sudo yum install ecryptfs-utils
Setup
Setup (Simple)
As a user, run the following command:
$ ecryptfs-setup-private
and follow the instructions.
Setup (Detail)
First, we create the private directories:
$ mkdir /home/mitesh/Private
$ mkdir /home/mitesh/.Private
$ chmod 700 /home/mitesh/.Private
$ chmod 500 /home/mitesh/Private
Let's summarize:
- Actual encrypted data will be stored in the ~/.Private directory (lower directory)
- While mounted, decrypted data will be available in the ~/Private directory (upper directory)
- While not mounted, nothing can be written to this directory
- While mounted, it has the same permissions as the lower directory
eCryptfs can now be mounted on top of ~/Private:
$ sudo mount -t ecryptfs /home/mitesh/.Private /home/mitesh/Private
Passphrase: <-- some_passphrase
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: <-- ENTER
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]: <-- ENTER
Enable plaintext passthrough (y/n) [n]: <-- ENTER
Enable filename encryption (y/n) [n]: <-- ENTER
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=bd28c38da9fc938b
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : <-- yes
Would you like to append sig [bd28c38da9fc938b] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : <-- yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
Remember to take a backup of the /root/.ecryptfs/sig-cache.txt file in case the /root partition gets reformatted:
$ sudo cp -r /root/.ecryptfs /home/mitesh/
-
Verifying mounting of eCryptfs
$ mount | grep -i private
/home/mitesh/.Private on /home/mitesh/Private type ecryptfs (rw,relatime,ecryptfs_sig=e8d08163d274c68f,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
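As an added example (not part of the original article), the following POSIX sh function turns the manual "grep the mount table" check above into something a backup or sync script can call before it writes into ~/Private: it confirms that the lower directory really is mounted on the upper directory as eCryptfs, with the AES cipher, a sane key size and plaintext passthrough left off. The option spelling `ecryptfs_passthrough` in mount output is an assumption; the sample mount line in the comments is the one from the article.

```shell
#!/bin/sh
# Added example, not the article's own code.
#
# check_ecryptfs_mount UPPER LOWER MOUNTLINE
#   Returns 0 when MOUNTLINE (one line of `mount` output, e.g.
#   "/home/mitesh/.Private on /home/mitesh/Private type ecryptfs (rw,...)")
#   shows LOWER mounted on UPPER as ecryptfs with acceptable options,
#   1 otherwise, printing the reason on stderr.
check_ecryptfs_mount() {
  upper=$1; lower=$2; line=$3
  case "$line" in
    "$lower on $upper type ecryptfs "*) ;;
    *) echo "no ecryptfs mount of $lower on $upper" >&2; return 1 ;;
  esac
  # Extract the comma-separated option list between the parentheses.
  opts=${line#*"("}; opts=${opts%")"}
  cipher=""; keybytes=""; passthrough=n
  oldifs=$IFS; IFS=,
  for opt in $opts; do
    case "$opt" in
      ecryptfs_cipher=*)     cipher=${opt#*=} ;;
      ecryptfs_key_bytes=*)  keybytes=${opt#*=} ;;
      # Assumed spelling of the passthrough flag in mount output.
      ecryptfs_passthrough|ecryptfs_passthrough=y) passthrough=y ;;
    esac
  done
  IFS=$oldifs
  [ "$cipher" = aes ] || { echo "unexpected cipher: ${cipher:-none}" >&2; return 1; }
  case "$keybytes" in
    16|24|32) ;;
    *) echo "unexpected key size: ${keybytes:-none}" >&2; return 1 ;;
  esac
  [ "$passthrough" = n ] || { echo "plaintext passthrough is enabled" >&2; return 1; }
  return 0
}

# Live variant: reads the current mount table (needs mount(8); not run offline).
verify_ecryptfs_mount() {
  check_ecryptfs_mount "$1" "$2" "$(mount | grep " on $1 type ")"
}
```

A script can then guard its work with `verify_ecryptfs_mount /home/mitesh/Private /home/mitesh/.Private || exit 1`, so that data is never written to the unmounted, unencrypted upper directory.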
-
Verifying encryption
$ cat ~/Private/test.txt
Some secret text is present in this file.
$ sudo umount /home/mitesh/Private
$ cat ~/Private/test.txt
cat: /home/mitesh/Private/test.txt: No such file or directory
$ cat ~/.Private/test.txt
-#@%!*^(junk characters)^*!%@#-
-
Mounting without interaction (the passphrase must then be kept in a file, preferably on a removable device such as a USB pen drive):
$ sudo mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=/mnt/usb/.ecryptfs-pass,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n /home/mitesh/.Private /home/mitesh/Private
$ cat /mnt/usb/.ecryptfs-pass
passphrase_passwd=ThisIsAWeakPassword
Encrypting Other Directory
We can encrypt multiple directories by moving those directories into /home/mitesh/Private and creating soft links in their place:
$ mv ~/Documents ~/Private
$ ln -s ~/Private/Documents ~/Documents
By following the above 2 steps, we have encrypted the directory ~/Documents.
Unmount
$ sudo umount /home/mitesh/Private