Difference between revisions of "ECryptfs"

From ArchWiki
Jump to: navigation, search
m (Fixed a typo)
(rm note; previous revision reference moved to where it may be still be useful with https://wiki.archlinux.org/index.php?title=ECryptfs&diff=425599&oldid=422889)
 
(215 intermediate revisions by 31 users not shown)
Line 1: Line 1:
 
{{Lowercase title}}
 
{{Lowercase title}}
[[Category:Security]]
+
[[Category:Encryption]]
 
[[Category:File systems]]
 
[[Category:File systems]]
 
[[fr:Encryption avec eCryptfs]]
 
[[fr:Encryption avec eCryptfs]]
 
[[it:System Encryption with eCryptfs]]
 
[[it:System Encryption with eCryptfs]]
[[ru:System Encryption with eCryptfs]]
+
[[ja:ECryptfs]]
{{Article summary start}}
+
[[ru:ECryptfs]]
{{Article summary text|Setup and usage of eCryptfs}}
+
{{Related articles start}}
{{Article summary heading|Related}}
+
{{Related|Disk encryption}}
{{Article summary wiki|Disk Encryption}}
+
{{Related articles end}}
{{Article summary end}}
+
This article describes basic usage of [https://launchpad.net/ecryptfs eCryptfs]. It guides you through the process of creating a private and secure encrypted directory within your {{ic|$HOME}} directory to store sensitive files and private data.
  
This article describes basic usage of [https://launchpad.net/ecryptfs eCryptfs]. It guides you through the process of creating a private and secure encrypted directory within your ''$HOME'' directory, where you can store all your sensitive files and private data.
+
In implementation eCryptfs differs from [[dm-crypt]], which provides a ''block device encryption layer'', while eCryptfs is an actual file-system – a [[wikipedia:Cryptographic_filesystems|stacked cryptographic file system]]. For comparison of the two you can refer to [http://ksouedu.com/doc/ecryptfs-utils/ecryptfs-faq.html#compare this table] and the [[Disk encryption#Comparison table]]. One distinguished feature is that the encryption is stacked on an existing filesystem; eCryptfs can be mounted onto any single existing directory and does not require a separate partition (or size pre-allocation).  
  
In implementation eCryptfs differs from dm-crypt, which provides a ''block device encryption layer'', while eCryptfs is an actual file-system – a [http://en.wikipedia.org/wiki/Cryptographic_filesystems stacked cryptographic file system] to be exact. For comparison of the two you can refer to [http://ecryptfs.sourceforge.net/ecryptfs-faq.html#compare this table ].
+
== Basics ==
  
The summary is that it doesn't require special on-disk storage allocation effort, such as separate partitions, you can mount eCryptfs on top of any single directory to protect it. That includes e.g. your entire $HOME and network file systems (i.e. having encrypted NFS shares). All cryptographic metadata is stored in the headers of files, so encrypted data can be easily moved, stored for backup and recovered. There are other advantages, but there are also drawbacks, for instance eCryptfs is not suitable for encrypting complete partitions which also means you can't protect your swap space with it (instead you can combine it with dm-crypt).
+
As mentioned in the summary eCryptfs does not require special on-disk storage allocation effort, such as a separate partition or pre-allocated space. Instead, you can mount eCryptfs on top of any single directory to protect it. That includes, for example, a user's entire {{ic|$HOME}} directory or single dedicated directories within it. All cryptographic metadata is stored in the headers of files, so encrypted data can be easily moved, stored for backup and recovered. There are other advantages, but there are also drawbacks, for instance eCryptfs is not suitable for encrypting complete partitions which also means you cannot protect swap space with it (but you can, of course, combine it with [[Dm-crypt/Swap encryption]]). If you are just starting to set up disk encryption, swap encryption and other points to consider are covered in [[Disk encryption#Preparation]].
  
For more details on how eCryptfs compares to other disk encryption solutions, see [[Disk Encryption#Comparison table]].  
+
To familiarize with eCryptfs a few points:
 +
* As a stacked filesystem, a mounting of an eCryptfs directory refers to mounting a (stacked) encrypted directory to another '''un'''encrypted mount point (directory) at Linux kernel runtime.
 +
* It is possible to share an encrypted directory between users. However, the encryption is linked to one passphrase so this must be shared as well. It is also possible to share a directory with differently encrypted files (different passphrases).
 +
* A number of eCryptfs acronyms are used throughout the documentation:
 +
** The encrypted directory is referred to as the '''lower''' and the unencrypted as the '''upper''' directory throughout the eCryptfs documentation and this article. While not relevant for this article, the "overlay" filesystem introduced with Linux 3.18 uses (and [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/filesystems/overlayfs.txt explains]) the same upper/lower nomenclatura for the stacking of filesystems.
 +
** the '''mount''' passphrase (or key) is what gives access to the encrypted files, i.e. unlocks the encryption. eCryptfs uses the term '''wrapped''' passphrase to refer to the cryptographically secured mount passphrase.
 +
** a {{ic|FEFEK}} refers to a '''F'''ile's '''E'''ncryption key '''E'''ncryption '''Key''' (see [https://www.kernel.org/doc/Documentation/security/keys-ecryptfs.txt kernel documentation]).
 +
** a {{ic|FNEK}} refers to a '''F'''ile '''N'''ame '''E'''ncryption '''K'''ey, a key to (optionally) encrypt the filenames stored in the encrypted directory.
  
== Deficiencies ==
+
Before using eCryptfs, the following disadvantages should be checked for applicability.
  
Before you make any big decisions like encrypting your $HOME you should know that eCyptfs does not handle sparse files well. For most intents and purposes that shouldn't concern us, however one very popular use case are torrents. Right now eCryptfs tries to encrypt the whole sparse file allocated space right away, which can lead to starving the system of resources in case of big files (remember torrents can easily be 10GB or bigger). You can track progress of this bug in this Launchpad report: https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/431975
+
=== Deficiencies ===
  
Simple workaround, for now, is to create a '''.Public''' folder (as '''.Private''' folder is used for encrypted data later in the article) and use that for torrents, unencrypted and symlinked to a directory like ''~/Downloads/torrents''. For some people this of course defeats the whole purpose of encryption, for others who are protecting their data from theft it doesn't.
+
* Hard-coded variables 
 +
:The best usability of eCryptfs is achieved by relying on the so-called "Ubuntu tools" of the {{Pkg|ecryptfs-utils}} package. A considerable downside is that a lot of variables (encryption options, lower directory path) are hard-coded into the tools. Changing them infers considerable manual configuration to achieve similar integration.
 +
* Network storage mounts
 +
:eCryptfs has long-standing [https://bugs.launchpad.net/ecryptfs/+bug/277578 bugs] and/or feature requests relating to networked storage. Replicating a content backup of an encrypted directory to a network backup storage is always possible. However, if you want to employ ecryptfs to store the encrypted directory directly on a network storage and mount it locally, you should search for working solutions of the respective network tools (NFS, Samba, etc.) first. If in doubt, [[EncFS]] may be a better choice for such application.
  
=== Login password ===
+
* Sparse files
 +
:eCryptfs does not handle [[wikipedia:Sparse_file|sparse files]]. This is sometimes referred to as a bug, but likewise is a consequence of the design as a [[Disk encryption#Stacked filesystem encryption|stacked filesystem encryption]]. For example, in an eCryptfs directory a {{ic|truncate -s 1G file.img}} creates 1GB encrypted data and passes it to the underlying filesystem to store; with the corresponding resource (disk space, data throughput) requirements. Unencrypted, the same file can be allocated efficiently as sparse file space by the filesystem; with a [[Disk_encryption#Block device encryption|block device encryption]] only the respective filesystem output would be encrypted.
  
{{note|1= With {{pkg|shadow}} 4.1.4.3-3 ''sha512'' is the default for new passwords (see [https://bugs.archlinux.org/task/13591#comment85993 bug 13591] and corresponding [https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/shadow&id=98001501a8306ef5a0df55d1cffc048851894940 commit]).}}
+
:This should be considered before encrypting large portions of the directory structure. For most intents and purposes this deficiency does not pose a problem. One workaround is to place sparse files in an unencrypted {{ic|.Public}} directory (as opposed to the standard eCryptfs {{ic|.Private}} directory, explained below). Another method is to use a ''dm-crypt'' [[Dm-crypt/Encrypting_a_non-root_file_system#Loop_device|container]] in {{ic|.Public}} for such.
  
If you are encrypting your whole home, with auto-mounting you should use a strong password and consider changing the hash algorithm for ''/etc/shadow'' from '''md5''' to stronger ones like '''sha512/bcrypt''' that helps to protect your password against rainbow-table attacks. See https://wiki.archlinux.org/index.php/SHA_password_hashes for more information.
+
== Setup example overview ==
  
== Basics ==
+
The following [[#Setup & mounting]] section describes alternatives using eCryptfs to encrypt a data directory. The alternatives start with [[#Using the Ubuntu tools]], which make eCryptfs usage particularly easy and also safe against user errors. This also applies to [[#Encrypting a home directory]] with the tools. During setup, instructions are given on the console by the scripts. The [[#Using ecryptfs-simple]] section then introduces an alternative package to aide using eCryptfs. The [[#Manual setup]] section then describes the setup using the {{ic|ecryptfs}} filesystem directly. The first subsection ([[#With ecryptfs-utils]]) still uses one more script and is suggested to read to familiarize with the setup of the manual options before using them [[#Without ecryptfs-utils]].  
eCryptfs is a part of Linux since version 2.6.19. But to work with it you will need the userspace tools provided by the package {{pkg|ecryptfs-utils}} available in the [[Official Repositories]].
+
  
Once you have installed that package you can load the ecryptfs module and continue with the setup:
+
The alternatives include 
 +
# the setup step for the encrypted directory structures
 +
# the setup to mount, unmount the directory at runtime manually and/or automatically at user login
 +
Each of the described alternative examples can be removed after setup very easily, so do not refrain from testing which suits your needs best.
 +
 
 +
== Setup & mounting ==
 +
 
 +
eCryptfs is a part of Linux since version 2.6.19. But to work with it you will need the userspace tools provided by the package {{pkg|ecryptfs-utils}} available in the [[Official repositories]].
 +
 
 +
Once you have installed that package you can load the {{ic|ecryptfs}} module and continue with the setup:
 
  # modprobe ecryptfs
 
  # modprobe ecryptfs
  
The ecryptfs-utils package is distributed with a few helper scripts which will help you with key management and similar tasks. Some were written to automate this whole process of setting up encrypted directories (''ecryptfs-setup-private'') or help you combine eCryptfs with dm-crypt to protect swap space (''ecryptfs-setup-swap''). Despite those scripts we will go trough the process manually so you get a better understanding of what is really being done.
+
Before starting, check the eCryptfs documentation. It is distributed with a very good and complete set of [http://ecryptfs.org/documentation.html manual pages].
  
Before we say anything else it's advised that you check the eCryptfs documentation. It is distributed with a very good and complete set of manual pages.
+
{{Tip|If you use {{Pkg|linux-grsec}}, auto-loading of cryptographic modules may fail when executing the {{ic|ecryptfs-mount-private}} wrapper (as of November 2014). As a work-around, load the mentioned module manually; for example {{ic|modprobe md5}} as root and [[Modprobe.d#Loading|configure]] the system to load it at next boot.}}
  
=== Setup (simple) ===
+
=== Using the Ubuntu tools ===
  
As a user run
+
Most of the user-friendly convenience tools installed by the ''ecryptfs-utils'' package assume a very specific eCryptfs setup, namely the one that is officially used by Ubuntu (where it can be selected as an option during distro installation). Unfortunately, these choices are not just default options but are actually hard-coded in the tools. If this set-up does not suit your needs, then you can not use the convenience tools and will have to follow the steps at [[#Manual setup]] instead.
ecryptfs-setup-private
+
and follow the instructions.
+
  
=== Setup (in detail) ===
+
The set-up used by these tools is as follows:
  
First create your private directories, in this example we will call them exactly that: Private
+
* each user can have '''only one encrypted directory''' that is managed by these tools:
$ su -
+
** either full {{ic|$HOME}} directory encryption, or
# mkdir -m 700 /home/username/.Private
+
** a single encrypted data directory (by default {{ic|~/Private/}}, but this can be customized).
# mkdir -m 500 /home/username/Private
+
* the '''lower directory''' for each user is always {{ic|~/.Private/}}<br><small>(in the case of full home dir encryption, this will be a symlink to the actual location at {{ic|/home/.ecryptfs/$USER/.Private/}})</small>
# chown username:username /home/username/{.Private,Private}
+
* the '''encryption options''' used are:
 +
** ''cipher:'' AES
 +
** ''key length:'' 16 bytes (128 bits)
 +
** ''key management scheme:'' passphrase
 +
** ''plaintext passthrough:'' enabled
 +
* the '''configuration / control info''' for the encrypted directory is stored in a bunch of files at {{ic|~/.ecryptfs/}}:<br><small>(in the case of full home dir encryption, this will be a symlink to the actual location at {{ic|/home/.ecryptfs/$USER/.ecryptfs/}})</small>
 +
** {{ic|Private.mnt}} ''[plain text file]'' - contains the path where the upper directory should be mounted (e.g. {{ic|/home/lucy}} or {{ic|/home/lucy/Private}})
 +
** {{ic|Private.sig}} ''[plain text file]'' - contains the signature used to identify the mount passphrase in the kernel keyring
 +
** {{ic|wrapped-passphrase}} ''[binary file]'' - the mount passphrase, encrypted with the login passphrase
 +
** {{ic|auto-mount}}, {{ic|auto-umount}} ''[empty files]'' - if they exist, the {{ic|pam_ecryptfs.so}} module will (assuming it is loaded) automatically mount/unmount this encrypted directory when the user logs in/out
  
Let's summarize
+
==== Encrypting a data directory ====
* Actual encrypted data will be stored in ~/.Private directory (so-called ''lower'' directory)
+
For a full {{ic|$HOME}} directory encryption see [[#Encrypting a home directory]]
* While mounted, decrypted data will be available in ~/Private directory (so-called ''upper'' directory)
+
** While not mounted nothing can be written to this directory
+
** While mounted it has the same permissions as the lower directory
+
  
eCryptfs can now be mounted on top of ~/Private.
+
Before the data directory encryption is setup, decide whether it should later be mounted manually or automatically with the user log-in.  
# mount -t ecryptfs /home/username/.Private /home/username/Private
+
  
You will need to answer a few questions and provide a passphrase which should be used to mount this directory in the future. However you can also have different keys encrypting different data (more about this below). For convenience we will limit this guide to only one key and passphrase. Let's see an example:
+
To encrypt a single data directory as a user and mount it manually later, run:
  Key type: passphrase
+
  $ ecryptfs-setup-private --nopwcheck --noautomount
Passphrase: ThisIsAVeryWeakPassphrase
+
Cipher: aes
+
Key byte: 16
+
Plaintext passtrough: no
+
Filename encryption: no
+
Add signature to cache: yes
+
  
Let's summarize
+
and follow the instructions. The option {{ic|--nopwcheck}} enables you to choose a passphrase different to the user login passphrase and the option {{ic|--noautomount}} is self-explanatory. So, if you want to setup the encrypted directory automatically on log-in later, just ''leave out'' both options right away.  
* The passphrase is your '''mount passphrase''' which will be salted, hashed and loaded into the kernel keyring.
+
** In eCryptfs terms, this salted, hashed passphrase is your "file encryption key, encryption key", or '''fekek'''.
+
* eCryptfs supports a few different ciphers (AES, blowfish, twofish...). You can read about them on Wikipedia.
+
* Plaintext passtrough enables you to store and work with '''un-encrypted''' files stored in the lower directory.
+
* Filename encryption is available since Linux 2.6.29
+
** In eCryptfs terms the key used to protect filenames is known as "filename encryption key", or '''fnek'''.
+
* The signature of the key(s) will be stored in {{ic|/root/.ecryptfs/sig-cache.txt}}.
+
  
Since our later goal is to be able to mount without root privileges, we will now move the eCryptfs configuration directory to your own home and transfer the ownership to you:
+
The script will automatically create the {{ic|~/.Private/}} and {{ic|~/.ecryptfs/}} directory structures as described in the box above. It will also ask for two passphrases:
# mv /root/.ecryptfs /home/username
+
# chown username:username /home/username/.ecryptfs
+
  
Your setup is now complete and directory is mounted. You can place any file in the '''~/Private''' directory and it will get encrypted in '''~/.Private'''.
+
;'''login passphrase''': This is the password you will have to enter each time you want to mount the encrypted directory. If you want auto-mounting on login to work, it has to be the same password you use to login to your user account.  
  
Now copy a few files to your new private directory, and then un-mount it. If you inspect the files you will see that they are unreadable &ndash; encrypted. That was cool you say, but how do I get them back... and that brings us to:
+
;'''mount passphrase''': This is used to derive the actual file encryption master key. Thus, you should not enter a custom one unless you know what you are doing - instead press Enter to let it auto-generate a secure random one. It will be encrypted using the login passphrase and stored in this encrypted form in {{ic|~/.ecryptfs/wrapped-passphrase}}. Later it will automatically be decrypted ("unwrapped") again in RAM when needed, so you never have to enter it manually. Make sure this file does not get lost, otherwise you can never access your encrypted folder again! You may want to run {{ic|ecryptfs-unwrap-passphrase}} to see the mount passphrase in unencrypted form, write it down on a piece of paper, and keep it in a safe (or similar), so you can use it to recover your encrypted data in case the ''wrapped-passphrase'' file is accidentally lost/corrupted or in case you forget the login passphrase.
  
==== Extra Notes ====
+
The mount point ("upper directory") for the encrypted folder will be at {{ic|~/Private}} by default, however you can manually change this right after the setup command has finished running, by doing:
  
Above is detailed the simplest way to setup the mount point, but '''ecryptfs-setup-private''' runs through some extra steps.
+
$ mv ~/Private /path/to/new/folder
 +
$ echo /path/to/new/folder > ~/.ecryptfs/Private.mnt
  
* The above '''mount passphrase''' is derived from the passphrase you type in. This is not considered very [http://ecryptfs.sourceforge.net/ecryptfs-faq.html#pubkey-about secure], so the setup script grabs some characters from {{ic|/dev/random}} for safety:
+
To actually use your encrypted folder, you will have to mount it - see [[#Mounting]] below.
  
od -x -N $bytes --width=$bytes /dev/urandom | head -n 1 | sed "s/^0000000//" | sed "s/\s*//g"
+
==== Encrypting a home directory ====
  
* '''ecryptfs-setup-private''' also takes the resulting mount passphrase and wraps it with your login passphrase (pasword) and stores this in '''~/.ecryptfs/wrapped-passphrase'''. You can replicate this with:
+
The wrapper script {{ic|ecryptfs-migrate-home}} will set up an encrypted home directory for a user and take care of migrating any existing files they have in their not yet encrypted home directory.
  
$ ecryptfs-wrap-passphrase ~/.ecryptfs/wrapped-passphrase
+
To run it, the user in question must be logged out and own no processes. The best way to achieve this is to log the user out, log into a console as the root user, and check that {{ic|ps -U ''username''}} returns no output.  You also need to ensure that you have {{pkg|rsync}} and {{pkg|lsof}} installed. Once the prerequisites have been met, run:
  Passphrase to wrap:
+
  Wrapping passphrase:
+
  
=== Mounting (the hard way) ===
+
# modprobe ecryptfs
Whenever you need your files available you can repeat the above mount procedure, using the same passphrase and options if you want to access your previously encrypted files or using a different passphrase (and possibly options) if for some reason you want to have different keys protecting different data (imagine having a publicly shared directory where different data is encrypted by different users, and their keys).
+
# ecryptfs-migrate-home -u ''username''
  
In any case going trough those questions every time could be a bit tedious.
+
and follow the instructions. After the wrapper script is complete, follow the instructions for auto-mounting - see [[#Auto-mounting]] below. It is imperative that the user logs in ''before'' the next reboot, to complete the process.
  
One solution would be to create an entry in the '''{{ic|/etc/fstab}}''' file for this mount point:
+
Once everything is working, the unencrypted backup of the users home directory, which is saved to {{ic|/home/''username''.''random_characters''}}, can and should be deleted.
  
/home/user/.Private /home/user/Private ecryptfs [... user ... ecryptfs_sig=XY,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecrypfs_unlink_sigs 0 0
+
==== Mounting ====
  
* You will notice that we defined the '''user''' option, it enables you to mount the directory as a user (if it does not works as a normal user, you may need to setuid mount.ecryptfs by running as root: ''chmod +s /sbin/mount.ecryptfs'')
+
===== Manually =====
* Notice the '''ecryptfs_sig''' option, replace ''XY'' with your own key signature (as seen in the '''mtab''' line earlier and in {{ic|sig-cache.txt}})
+
* If you enabled filename encryption then pass an additional mount option: '''ecryptfs_fnek_sig'''=''XY'', where ''XY'' is the same signature you provide with the '''ecryptfs_sig''' option.
+
* Last option '''ecrypfs_unlink_sigs''' ensures that your keyring is cleared every time the directory is un-mounted
+
  
Since your key was deleted from the kernel keyring when you un-mounted, in order to mount you need to insert it into the keyring again. You can use the '''ecryptfs-add-passphrase''' utility or the '''ecryptfs-manager''' to do it:
+
Executing the wrapper
 +
$ ecryptfs-mount-private
 +
and entering the passphrase is all needed to mount the encrypted directory to the [[#Using_the_Ubuntu_tools|above]] described ''upper directory'' {{ic|~/Private}}.
  
When the key is inserted you can mount the directory:
+
Likewise, executing
  $ ecryptfs-add-passphrase
+
  $ ecryptfs-umount-private
  Passphrase: ThisIsAVeryWeakPassphrase
+
will unmount it again.
+
$ mount -i /home/username/Private
+
  
You will notice that we used the '''{{Ic|-i}}''' option this time. It disables invoking the mount helper. Speaking of which, using {{Ic|-i}} by default mounts with: '''nosuid, noexec''' and '''nodev'''. If you want to have at least executable files in your private directory you can add the '''exec''' option to the fstab line.
+
{{Tip|If it is not required to access the private data permanently during a user session, maybe define an [[alias]] to speed the manual step up.}}
  
This would be a good place to mention the '''keyctl''' utility from the (earlier installed) ''keyutils'' package. It can be used for any advanced key management tasks. Following examples show how to list your keyring contents and how to clear them:
+
The tools include another script that can be very handy to access an encrypted {{ic|.Private}} data or home directory. Executing  {{ic|ecryptfs-recover-private}} as root will search the system (or an optional specific path) for the directory, interactively query the passphrase for it and mount the directory. It can, for example, be used from a live-CD or different system to access the encrypted data in case of a recovery. Note that if booting from an Arch Linux ISO you must first install the {{pkg|ecryptfs-utils}} to it. Further, it will only be able to mount {{ic|.Private}} directories created with the Ubuntu tools.
$ keyctl list @u
+
$ keyctl clear @u
+
  
{{Note|However, one should remember that /etc/fstab is for system-wide partitions only and should not be used for user-specific mounts}}
+
===== Auto-mounting =====
  
=== Auto-mounting (the easy way) ===
+
The default way to auto-mount an encrypted directory is via [[Pam_mount|PAM]]. See {{ic|man pam_ecryptfs}} and - for more details - 'PAM MODULE' in:
A better way is to use PAM directly, see:
+
 
  /usr/share/doc/ecryptfs-utils/README
 
  /usr/share/doc/ecryptfs-utils/README
  
1. Open '''/etc/pam.d/login''' and add
+
For auto-mounting it is required that the passphrase to access the encrypted directory is synchronised with the user log-in.  
auth required pam_ecryptfs.so unwrap
+
after the line containing '''auth ... pam_unix.so''', and
+
session optional pam_ecryptfs.so unwrap
+
after the line '''session ... pam_unix.so'''.
+
  
2. Check if '''~/.ecryptfs/auto-mount''' and '''~/.ecryptfs/wrapped-passphrase''' (these are automatically created by '''ecryptfs-setup-private''') exist.
+
The following steps set it up:
  
3. Relogin and check output of '''mount''' which should now contain a mountpoint
+
1. Check if {{ic|~/.ecryptfs/auto-mount}}, {{ic|~/.ecryptfs/auto-umount}} and {{ic|~/.ecryptfs/wrapped-passphrase}} exist (these are automatically created by ''ecryptfs-setup-private'').
/home/user/.Private...
+
  
=== Usage ===
+
2. Add ''ecryptfs'' to the pam-stack exactly as following to allow transparent unwrapping of the passphrase on login:
Besides using your private directory as storage for sensitive files, and private data, you can also use it to protect application data. Take ''Firefox'' for an example, not only does it have an internal password manager but the browsing history and cache can also be sensitive. Protecting it is easy:
+
  $ mv ~/.mozilla ~/Private/mozilla
+
  $ ln -s ~/Private/mozilla ~/.mozilla
+
  
=== Removal ===
+
Open {{ic|/etc/pam.d/system-auth}} and ''after'' the line containing {{ic|auth required pam_unix.so}} add:
If you want to move a file out of the private directory just move it to it's new destination while ~/Private is mounted. Also note that there are no special steps involved if you want to remove your private directory. Make sure it is un-mounted and delete ~/.Private, along with all the files.
+
auth    required    pam_ecryptfs.so unwrap
 +
Next, ''above'' the line containing {{ic|password required pam_unix.so}} insert:
 +
password    optional    pam_ecryptfs.so
 +
And finally, ''after'' the line {{ic|session required pam_unix.so}} add:
 +
session    optional    pam_ecryptfs.so unwrap
  
=== Backup ===
+
3. Re-login and check output of ''mount'' which should now contain a mountpoint, e.g.:
Setup explained here separates the directory with encrypted data from the mount point, so the encrypted data is available for backup at any time. With an overlay mount (i.e. ''~/Secret'' mounted over ''~/Secret'') the lower, encrypted, data is harder to get to. Today when cronjobs and other automation software do automatic backups the risk of leaking your sensitive data is higher.
+
/home/$USER/.Private on /home/$USER/Private type ecryptfs (...)
 +
for the user's encrypted directory. It should be perfectly readable at {{ic|~$HOME/Private/}}.  
  
We explained earlier that all cryptographic metadata is stored in the headers of files. You can easily do backups, or incremental backups, of your '''~/.Private''' directory, treating it like any other directory.
+
The latter should be automatically unmounted and made unavailable when the user logs off.  
  
== Advanced ==
+
{{Warning|1=Unfortunately the automatic unmounting is susceptible to [https://bbs.archlinux.org/viewtopic.php?id=194509 break] with systemd and bugs are filed against it.[https://bugs.freedesktop.org/show_bug.cgi?id=72759] [https://nwrickert2.wordpress.com/2013/12/16/systemd-user-manager-ecryptfs-and-opensuse-13-1/] [https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/313812/comments/43] [http://lists.alioth.debian.org/pipermail/pkg-systemd-maintainers/2014-October/004088.html]
This wiki article covers only the basic setup of a private encrypted directory. There is however another article about eCryptfs on Arch Linux, which covers encryption of your entire $HOME and encrypting swap space without breaking hibernation (suspend to disk).
+
If you experience this problem, you can test it by commenting out {{ic|-session  optional  pam_systemd.so}} in {{ic|/etc/pam.d/system-login}}. However, this is no solution because commenting out will break other systemd functionalities.}}
  
That article includes many more steps (i.e. using PAM modules and automatic mounting) and the author was opposed to replicating it here, because there is just no single "right" way to do it. The author proposes some solutions and discusses the security implications, but they are his solutions and as such might not be the best nor are they endorsed by the eCryptfs project in any way.
+
=== Using ecryptfs-simple ===
  
Article: [http://sysphere.org/~anrxc/j/articles/ecryptfs/index.html eCryptfs and $HOME] by Adrian C. (anrxc).
+
Use [http://xyne.archlinux.ca/projects/ecryptfs-simple/ ecryptfs-simple] if you just want to use eCryptfs to mount arbitrary directories the way you can with [[EncFS]]. ecryptfs-simple does not require root privileges or entries in {{ic|/etc/fstab}}, nor is it limited to hard-coded directories such as {{ic|~/.Private}}. The package is available to be [[installed]] as {{AUR|ecryptfs-simple}} and from [http://xyne.archlinux.ca/repos/ Xyne's repos].
  
Consider that ''Chromium OS'', as released by Google, is using eCryptfs to protect devices that are, and will be, powered by it. Some implementation details are available and they make excellent reading. You can read them [http://www.chromium.org/chromium-os/chromiumos-design-docs/protecting-cached-user-data here], they could help a lot as you're coming up with your own strategy.
+
As the name implies, usage is simple:
 +
# simple mounting
 +
ecryptfs-simple /path/to/foo /path/to/bar
 +
 
 +
# automatic mounting: prompts for options on the first mount of a directory then reloads them next time
 +
ecryptfs-simple -a /path/to/foo /path/to/bar
 +
 
 +
# unmounting by source directory
 +
ecryptfs-simple -u /path/to/foo
 +
 
 +
# unmounting by mountpoint
 +
ecryptfs-simple -u /path/to/bar
 +
 
 +
=== Manual setup ===
 +
 
 +
The following details instructions to set up eCryptfs encrypted directories manually. The first section still relies on one extra script from the {{Pkg|ecryptfs-utils}} package. It may be an easier start and can be tried without any root rights. The [[#Without ecryptfs-utils|second]] then sets up an encrypted directory with other encryption options than the default tools. 
 +
 
 +
{{Tip|The following examples use an encrypted directory ({{ic|.secret}}) different to the default, hard-coded {{ic|.Private}} in the Ubuntu tools. This is on purpose to avoid problems of erroneous [[#Auto-mounting]] when the system has PAM setup for it, as well as problems with other tools using the hard-coded defaults.}}
 +
 
 +
==== With ecryptfs-utils ====
 +
 
 +
Alternatively to using the scripts {{ic|ecryptfs-setup-private}} and {{ic|ecryptfs-mount-private}} to setup and mount eCryptfs, the same can be done directly with the binaries (which those scripts use) {{ic|ecryptfs-add-passphrase}} and {{ic|mount.ecryptfs_private}} from the {{Pkg|ecryptfs-utils}} package. Those binaries require no root privileges to work by default.
 +
 
 +
First choose an ALIAS as you like. Through this section, ALIAS will be {{ic|secret}}. Create the required directories/files:
 +
$ mkdir ~/.secret ~/secret ~/.ecryptfs
 +
$ touch ~/.ecryptfs/secret.conf ~/.ecryptfs/secret.sig
 +
 
 +
The {{ic|~/.secret}} directory will hold the encrypted data. The {{ic|~/secret}} directory is the mount point where {{ic|~/.secret}} will be mounted as an ecryptfs filesystem.
 +
 
 +
In the next command, replace USER with the name of the current user's home directory. Note that you should write full paths to {{ic|~/.ecryptfs/secret.conf}}. Its format looks like the one in {{ic|/etc/fstab}} without the mount options:
 +
$ echo "/home/USER/.secret /home/USER/secret ecryptfs" > ~/.ecryptfs/secret.conf
 +
 
 +
A mount passphrase must be added to the keyring:
 +
$ ecryptfs-add-passphrase
 +
Passphrase:
 +
Inserted auth tok with sig [78c6f0645fe62da0] into the user session keyring
 +
 
 +
Write the output signature ({{ic|ecryptfs_sig}}) from the previous command to {{ic|~/.ecryptfs/secret.sig}}:
 +
$ echo 78c6f0645fe62da0 > ~/.ecryptfs/secret.sig
 +
 
 +
A second passphrase for filename encryption may be used. If you choose so, add it to the keyring:
 +
$ ecryptfs-add-passphrase
 +
Passphrase:
 +
Inserted auth tok with sig [326a6d3e2a5d444a] into the user session keyring
 +
 
 +
If you run the command above, '''append''' its output signature ({{ic|ecryptfs_fnek_sig}}) to {{ic|~/.ecryptfs/secret.sig}}:
 +
  $ echo 326a6d3e2a5d444a >> ~/.ecryptfs/secret.sig
 +
 
 +
Finally, to mount {{ic|~/.secret}} on {{ic|~/secret}}:
 +
$ mount.ecryptfs_private secret
 +
 
 +
An eCryptfs filesystem will be mounted with the following options:
 +
rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=326a6d3e2a5d444a,ecryptfs_sig=78c6f0645fe62da0,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs
 +
 
 +
Except for {{ic|ecryptfs_sig}} and {{ic|ecryptfs_fnek_sig}}, the options are hard-coded. {{ic|ecryptfs_fnek_sig}} will exist only if you choose filename encryption.
 +
 
 +
To unmount {{ic|~/.secret}}:
 +
$ umount.ecryptfs_private secret
 +
 
 +
==== Without ecryptfs-utils ====
 +
 
 +
The ecryptfs-utils package is distributed with a few helper scripts which will help you with key management and similar tasks. If one wants, for example, make a choice about the encryption cipher, some of those scripts cannot be used. In this section we setup an encrypted data directory diverting from those defaults.
 +
 
 +
First create your private directories, in this example we will call them analogous to the previous section: {{ic|secret}}
 +
$ mkdir -m 700 /home/username/{.secret,.ecryptfs}
 +
$ mkdir -m 500 /home/username/secret
 +
 
 +
To summarize:
 +
* Actual encrypted data will be stored in the lower {{ic|~/.secret}} directory
 +
* While mounted, decrypted data will be available in {{ic|~/secret}} directory
 +
** While not mounted nothing can be written to this directory
 +
** While mounted it has the same permissions as the lower directory
 +
 
 +
Second we create the mount-passphrase ("file encryption key, encryption key", or '''fekek''') for the directory. It has to be very secure and cannot be changed easily. The ''ecryptfs-setup-private'' script offers the option to generate it from {{ic|/dev/urandom}}. In the following we do a generation similar to the [http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/view/head:/src/utils/ecryptfs-setup-private#L96 source] and then use ''ecryptfs-wrap-passphrase'' to wrap it with an extra password ("Arch"):
 +
 
 +
$ printf "%s\n%s" $(od -x -N 100 --width=30 /dev/random | head -n 1 | sed "s/^0000000//" | sed "s/\s*//g") "Arch" | ecryptfs-wrap-passphrase /home/username/.ecryptfs/wrapped-passphrase
 +
 
 +
The advantages of the above step are: the mount passphrase is generated from a random source and secured by extra hashing before it is stored on disk. Further, the wrap-passphrase can be changed later.
 +
 
 +
Next, we test the passphrase by loading it into the kernel keyring:
 +
 
 +
$ printf "%s" "Arch" | ecryptfs-insert-wrapped-passphrase-into-keyring /home/username/.ecryptfs/wrapped-passphrase -
 +
Inserted auth tok with sig [7c5d3dd8a1b49db0] into the user session keyring
 +
and manually copy the signature into the configuration:
 +
$ echo "7c5d3dd8a1b49db0" > ~/.ecryptfs/secret.sig
 +
 
 +
Now we continue to setup the encryption options for the directory and prepare an user-mountable entry for {{ic|/etc/fstab}}. If you already know the eCryptfs options to use in it, you can skip the following ''mount'' and create an entry with the above signature already.
 +
 
 +
The ''mount.ecryptfs'' command needs root and does not allow for piping the passphrase unfortunately. The mount helper will ask questions about the options we want to choose ("Key type": passphrase - choose any, we only do this to generate the options to use), but let it mount:
 +
 
 +
# mount -t ecryptfs /home/username/.secret /home/username/secret
 +
Passphrase: yes
 +
Cipher: aes
 +
Key byte: 32
 +
Plaintext passtrough: no
 +
Filename encryption: no
 +
Add signature to cache: yes
 +
 
 +
To summarize the parameters:
 +
* The above chosen {{ic|32}} "key bytes" result in a 256 bit AES encryption (the helper scripts are hard-coded to AES with 128 bit).
 +
* Plaintext passtrough enables to store and work with '''un-encrypted''' files stored in the lower directory.
 +
* In eCryptfs terms the key used to protect filenames is known as "filename encryption key", or '''fnek'''
 +
* '''fekek''' and '''fnek''' can be the same key or different ones at choice
 +
 
 +
To create the mount point for the user in [[fstab]], find the current mount and copy it. For example ({{ic|XY}} are placeholders here):
 +
 
 +
{{hc|# mount|2=/home/username/.secret on /home/username/secret type ecryptfs (... ecryptfs_fnek_sig=XY,ecryptfs_sig=XY,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs, user)}}
 +
 
 +
Or, alternatively, append it into {{ic|/etc/fstab}} to edit it:
 +
 
 +
# mount | grep secret >> /etc/fstab
 +
 
 +
Before continuing, we can already un-mount the temporary mount we used to generate the options: 
 +
# umount /home/username/secret
 +
 
 +
Now the mount line has to be edited into the correct format, the mount options {{ic|nosuid,nodev,noexec,relatime}} before the first ''ecryptfs'' option are default and can be left out. But what we need to add is the correct signatures for the passphrases to replace the ones of the current mount:
 +
# cat /home/username/.ecryptfs/secret.sig
 +
7c5d3dd8a1b49db0
 +
 
 +
We also need to add the options {{ic|user}} and {{ic|noauto}}. After the edit, the entry will look similar to (bold entries added):
 +
 
 +
{{hc|/etc/fstab|2=/home/username/.secret /home/username/secret ecryptfs '''noauto''','''user''',ecryptfs_fnek_sig='''7c5d3dd8a1b49db0''',ecryptfs_sig='''7c5d3dd8a1b49db0''',ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs '''0 0'''}}
 +
 
 +
Some options to note:
 +
* The {{ic|ecryptfs_fnek_sig}} option will be only listed if you enabled filename encryption
 +
* The second last option {{ic|ecryptfs_unlink_sigs}} ensures that the keyring is cleared every time the directory is un-mounted
 +
* The bold options have been added:
 +
** The {{ic|user}} option enables to mount the directory as a user
 +
** The {{ic|noauto}} option is important, because otherwise systemd will error trying to mount the entry directly on boot.
 +
* The user mount will default to option {{ic|noexec}}. If you want to have at least executable files in your private directory, you can add {{ic|exec}} to the fstab options.
 +
 
 +
The setup is now complete and directory should be mountable by the user.
 +
 
 +
===== Mounting =====
 +
 
 +
To mount the encrypted directory as the user, the passphrase must be unwrapped and made available in the user's keyring. Following above section example:
 +
 
 +
$ ecryptfs-insert-wrapped-passphrase-into-keyring /home/username/.ecryptfs/wrapped-passphrase
 +
Passphrase:
 +
Inserted auth tok with sig [7c5d3dd8a1b49db0] into the user session keyring
 +
 
 +
Now the directory can be mounted without the mount helper questions:
 +
$ mount -i /home/username/secret
 +
 
 +
and files be placed into the {{ic|secret}} directory. The above two steps are necessary every time to mount the directory manually.  
 +
 
 +
To unmount it again:
 +
 
 +
$ umount /home/username/secret
 +
 
 +
To finalize, the preliminary passphrase to wrap the encryption passphrase may be changed:
 +
$ ecryptfs-rewrap-passphrase /home/username/.ecryptfs/wrapped-passphrase
 +
Old wrapping passphrase:
 +
New wrapping passphrase:
 +
New wrapping passphrase (again):
 +
 
 +
The un-mounting should also clear the keyring, to check the user's keyring or clear it manually: 
 +
$ keyctl list @u
 +
$ keyctl clear @u
 +
 
 +
{{Note|One should remember that {{ic|/etc/fstab}} is for system-wide partitions only and should not generally be used for user-specific mounts}}
 +
 
 +
===== Auto-mounting =====
 +
 
 +
Different methods can be employed to automount the previously defined user-mount in {{ic|/etc/fstab}} on login. As a first general step, follow point (1) and (2) of [[#Auto-mounting]].
 +
 
 +
Then, if you login via console, a simple way is to specify the [[#Mounting_2|user-interactive]] ''mount'' and ''umount'' in the user's shell configuration files, for example [[Bash#Configuration files]].  
  
=== PAM Mount ===
+
{{Accuracy|<br>- the section should be more generic than it is now<br>
 +
- the described method does not work for users, for encountered problems:|section=#Automounting}}
  
The above "''eCryptfs and $HOME''" article uses a shell init file to mount the home directory. The same can be done using [[pam_mount]] with the added benefit that home is un-mounted when all sessions are logged out. Add the following lines to {{ic|/etc/security/pam_mount.conf.xml}}:
+
Another method is to automount the eCryptfs directory on user login using [[pam_mount]]. To configure this method, add the following lines to {{ic|/etc/security/pam_mount.conf.xml}}:
 
   
 
   
 
  <luserconf name=".pam_mount.conf.xml" />
 
  <luserconf name=".pam_mount.conf.xml" />
Line 181: Line 345:
 
Please prefer writing manually these lines instead of simply copy/pasting them (especially the lclmount line), otherwise you might get some corrupted characters.
 
Please prefer writing manually these lines instead of simply copy/pasting them (especially the lclmount line), otherwise you might get some corrupted characters.
 
Explanation:
 
Explanation:
* the first line indicates where the user-based configuration file is located (here {{ic|~/.pam_mount.conf.xml}}) ;
+
* the first line indicates where the user-based configuration file is located (here {{ic|~/.pam_mount.conf.xml}})
* the second line overwrites the default required mount options which are unnecessary ("nosuid,nodev") ;
+
* the second line overwrites the default required mount options which are unnecessary ("nosuid,nodev")
 
* the last line indicates which mount command to run (eCryptfs needs the {{Ic|-i}} switch).
 
* the last line indicates which mount command to run (eCryptfs needs the {{Ic|-i}} switch).
  
 
Then set the volume definition, preferably to {{ic|~/.pam_mount.conf.xml}}:
 
Then set the volume definition, preferably to {{ic|~/.pam_mount.conf.xml}}:
 
  <pam_mount>
 
  <pam_mount>
     <volume noroot="1" fstype="ecryptfs" path="/home/.ecryptfs/user/.Private/" mountpoint="/home/user/"/>
+
     <volume noroot="1" fstype="ecryptfs" path="/home/user/.secret/" mountpoint="/home/user/secret/"/>
 
  </pam_mount>
 
  </pam_mount>
  
"noroot" is needed because the encryption key will be added to the user's keyring
+
"noroot" is needed because the encryption key will be added to the user's keyring.
  
 
Finally, edit {{ic|/etc/pam.d/login}} as described in [[pam_mount]]'s article.
 
Finally, edit {{ic|/etc/pam.d/login}} as described in [[pam_mount]]'s article.
  
==== Optional step ====
+
====== Optional step ======
  
 
To avoid wasting time needlessly unwrapping the passphrase you can create a script that will check ''pmvarrun'' to see the number of open sessions:
 
To avoid wasting time needlessly unwrapping the passphrase you can create a script that will check ''pmvarrun'' to see the number of open sessions:
Line 208: Line 372:
 
The article suggests adding these to {{ic|/etc/pam.d/login}}, but the changes will need to be added to all other places you login, such as {{ic|/etc/pam.d/kde}}.
 
The article suggests adding these to {{ic|/etc/pam.d/login}}, but the changes will need to be added to all other places you login, such as {{ic|/etc/pam.d/kde}}.
  
=== PAM mount by eCryptfs module ===
+
== Usage ==
To use the eCryptfs PAM module it self for mounting you should know it depends on some hard-coded Ubuntu defaults. Like using AES cipher with a 16 byte key. As described in this BBS post [https://bbs.archlinux.org/viewtopic.php?pid=727422#p727422] you have to do the following steps:
+
  
1) For your understanding and preparation, read the guide mentioned above. [http://sysphere.org/~anrxc/j/articles/ecryptfs/index.html]
+
{{Expansion|Content that still may to be covered:
 +
- point to the above "Setup & Mounting" section for how to mount and unmount [this section here will cover all other (i.e. setup-independent) usage info]<br>
 +
- reference ecryptfs tools not used/mentioned in the prior sections (e.g. with a short link to the online manpages and mention of the other tools usage, as it seems useful (not covered yet are, e.g. ecryptfs-stat, ecryptfs-find, ecryptfs-rewrite-file.) <br>
 +
- mention the options to share an encrypted folder between users and to place non-encrypted files or folders in the encrypted container ("pass-through")
 +
(references for the points: [https://wiki.archlinux.org/index.php?title&61;Talk:ECryptfs&oldid&61;347981] and (maybe) [https://wiki.archlinux.org/index.php?title&61;ECryptfs&oldid&61;291214])
 +
|section=Major_restructuring/rewrite}}
  
2)  Install [https://www.archlinux.org/packages/core/x86_64/keyutils/ keyutils] and [https://www.archlinux.org/packages/community/x86_64/ecryptfs-utils/ ecryptfs-utils] from the official Repos.
+
=== Symlinking into the encrypted directory ===
  
'''[Do the following steps as root!]'''
+
Besides using your private directory as storage for sensitive files, and private data, you can also use it to protect application data. [[Firefox]] for example has an internal password manager, but the browsing history and cache can also be sensitive. Protecting it is easy:
 +
  $ mv ~/.mozilla ~/Private/mozilla
 +
  $ ln -s ~/Private/mozilla ~/.mozilla
  
3) Make a "ecryptfs" Group:
+
=== Removal of encryption ===
groupadd ecryptfs
+
4) Add the user to it:
+
usermod -aG ecryptfs user
+
5) Load the ecryptfs module
+
modprobe ecryptfs
+
6) Change your /etc/pam.d/system-auth to look something like this (lines to add are bold):
+
#%PAM-1.0
+
+
auth      required  pam_env.so
+
auth      required  pam_unix.so    try_first_pass nullok
+
'''auth      required  pam_ecryptfs.so unwrap'''
+
auth      optional  pam_permit.so
+
+
account  required  pam_unix.so
+
account  optional  pam_permit.so
+
account  required  pam_time.so
+
+
'''password  required  pam_ecryptfs.so'''
+
password  required  pam_unix.so    try_first_pass nullok sha512 shadow
+
password  optional  pam_permit.so
+
+
'''session  required  pam_ecryptfs.so unwrap'''
+
session  required  pam_limits.so
+
session  required  pam_env.so
+
session  required  pam_unix.so
+
session  optional  pam_permit.so
+
  
 +
There are no special steps involved, if you want to remove your private directory. Make sure it is un-mounted and delete the respective lower directory (e.g. {{ic|~/.Private}}), along with all the encrypted files. After also removing the related encryption signatures and configuration in {{ic|~/.ecryptfs}}, all is gone.
  
6a) When using [[GDM]] < 3.2 to log in, edit /etc/pam.d/gdm like this:
+
If you were [[#Using the Ubuntu tools]] to setup a single directory encryption, you can directly follow the steps detailed by:  
#%PAM-1.0
+
auth            requisite      pam_nologin.so
+
auth            required        pam_env.so
+
auth            required        pam_unix.so
+
'''auth            optional        pam_ecryptfs.so unwrap'''
+
auth            optional        pam_gnome_keyring.so
+
account        required        pam_unix.so
+
session        required        pam_limits.so
+
session        required        pam_unix.so
+
'''session        optional        pam_ecryptfs.so unwrap'''
+
session        optional        pam_gnome_keyring.so auto_start
+
password        required        pam_unix.so
+
'''password        optional        pam_ecryptfs.so'''
+
  
6b) For [[GDM]] >= 3.2, make the following changes to /etc/pam.d/gdm-password (thanks to grawity for [https://bbs.archlinux.org/viewtopic.php?pid=998061#p998061 this]):
+
  $ ecryptfs-setup-private --undo
  #%PAM-1.0
+
auth            requisite      pam_nologin.so
+
auth            required        pam_env.so
+
auth            requisite      pam_unix.so nullok
+
'''auth            optional        pam_ecryptfs.so unwrap'''
+
auth            optional        pam_gnome_keyring.so
+
auth            sufficient      pam_succeed_if.so uid >= 1000 quiet
+
auth            required        pam_deny.so
+
account        required        pam_unix.so
+
password        required        pam_unix.so
+
'''password        optional        pam_ecryptfs.so'''
+
session        required        pam_loginuid.so
+
-session        optional        pam_systemd.so
+
session        optional        pam_keyinit.so '''force''' revoke
+
session        required        pam_limits.so
+
session        required        pam_unix.so
+
'''session        optional        pam_ecryptfs.so unwrap'''
+
session        optional        pam_gnome_keyring.so auto_start
+
  
6c) For [[KDM]], make the following changes to /etc/pam.d/kde:
+
and follow the instructions.
  
#%PAM-1.0
+
=== Backup ===
auth            required        pam_unix.so
+
'''auth            optional        pam_ecryptfs.so unwrap'''
+
auth            required        pam_nologin.so
+
account        required        pam_unix.so
+
'''password        optional        pam_ecryptfs.so'''
+
password        required        pam_unix.so
+
session        required        pam_unix.so
+
'''session        optional        pam_ecryptfs.so unwrap'''
+
session        required        pam_limits.so
+
  
6d) For [[LXDM]], make the following changes to /etc/pam.d/lxdm:
+
If you want to move a file out of the private directory just move it to the new destination while {{ic|~/Private}} is mounted.  
  
#%PAM-1.0
+
With eCryptfs the cryptographic metadata is stored in the header of the files. Setup variants explained in this article separate the directory with encrypted data from the mount point. The unencrypted mount point is fully transparent and available for a backup. Obviously this has to be considered for automated backups, if one has to avoid leaking sensitive unencrypted data into a backup.  
auth            requisite      pam_nologin.so
+
auth            required        pam_env.so
+
auth            required        pam_unix.so
+
'''auth            optional        pam_ecryptfs.so unwrap'''
+
account        required        pam_unix.so
+
session        required        pam_limits.so
+
session        required        pam_unix.so
+
'''session        optional        pam_ecryptfs.so unwrap'''
+
password        required        pam_unix.so
+
'''password        optional        pam_ecryptfs.so'''
+
  
6e) For [[LightDM]], make the following changes to /etc/pam.d/lightdm
+
You can do backups, or incremental backups, of the encrypted (e.g. {{ic|~/.Private}}) directory, treating it like any other directory.
  
#%PAM-1.0
+
Further points to note:
auth      required pam_nologin.so
+
auth      required pam_env.so
+
auth      required pam_unix.so
+
'''auth      optional pam_ecryptfs.so unwrap'''
+
account  required pam_unix.so
+
'''password  optional pam_ecryptfs.so'''
+
password  required pam_unix.so
+
session  required pam_unix.so
+
'''session  optional pam_ecryptfs.so unwrap'''
+
  
7) To be able to automatically mount your encrypted home directory on login using SSH, edit /etc/pam.d/sshd:
+
* If you used the Ubuntu tools for [[#Encrypting a home directory]], be aware the location of the lower directory with the encrypted files is ''outside'' the regular user's {{ic|$HOME}} at {{ic|/home/.ecryptfs/$USER/.Private}}.  
#%PAM-1.0
+
#auth          required        pam_securetty.so        #Disable remote root
+
auth            required        pam_unix.so
+
'''auth            optional        pam_ecryptfs.so unwrap'''
+
auth            required        pam_env.so
+
account        required        pam_nologin.so
+
account        required        pam_unix.so
+
account        required        pam_time.so
+
password        required        pam_unix.so
+
password        optional        pam_ecryptfs.so
+
'''session        optional        pam_ecryptfs.so unwrap'''
+
session        required        pam_unix_session.so
+
session        required        pam_limits.so
+
session        optional        pam_ck_connector.so nox11
+
  
8) Using Ubuntu defaults
+
* It should be ensured to include the eCryptfs setup files (located in {{ic|~/.ecryptfs}} usually) into the regular or a separate backup.
  
There's a method to automatically setup your HOME with AES and a 16 byte key. You could execute (it can take some while, it automatically encrypts your home files)
+
* If you use special filesystem mount options, for example {{ic|ecryptfs_xattr}}, do extra checks on restore integrity.
    ecryptfs-migrate-home -u user
+
  
...and follow the on screen instructions (Delete backup afterwards (/home/user.XXXXX) / Record the passphrase generated by ecryptfs -> ecryptfs-unwrap-passphrase / ...)
+
== See Also ==
  
9) Log in and check if everything worked correctly.
+
* [http://ecryptfs.org/documentation.html eCryptfs] - Manpages and project home
 
+
* [https://defuse.ca/audits/ecryptfs.htm Security audit] of eCryptfs by Taylor Hornby (January 22, 2014).
This is a working solution and ecryptfs is exactly used as in Ubuntu (10.04/10.10) - and is easy to set up.
+
* [http://sysphere.org/~anrxc/j/articles/ecryptfs/index.html eCryptfs and $HOME] by Adrian C. (anrxc) - Article with installation instructions and discussion of eCryptfs usage
Besides this, it has the advantage of auto-unmount at log-out, which shell profile files (ie. ~/.bash_logout) could have trouble doing, because there could still be open file-descriptors by the shell at the time of umount. To encrypt swap see: [[System_Encryption_with_LUKS#Encrypting_the_Swap_partition]] (some of the tools provided by ecryptfs, such as ecryptfs-setup-swap, only work in ubuntu).
+
* [http://www.chromium.org/chromium-os/chromiumos-design-docs/protecting-cached-user-data Chromium data protection] (November 2009) - Design document detailing encryption options for Chromium OS, including explanation on its eCryptfs usage
 
+
* [http://ecryptfs.sourceforge.net/ecryptfs.pdf eCryptfs design] by Michael Halcrow (May 2005) - Original design document detailing and discussing eCryptfs
== Simple ==
+
Use [http://xyne.archlinux.ca/projects/ecryptfs-simple/ ecryptfs-simple] if you just want to use eCryptfs to mount arbitrary directories the way you can with EncFS. ecryptfs-simple does not require root privileges or entries in fstab, nor is it limited to hard-coded directories such as ~/.Private. The package is available in the [https://aur.archlinux.org/packages.php?ID=59612 AUR] and in [http://xyne.archlinux.ca/repos/ Xyne's repos].
+
 
+
As the name implies, usage is simple:
+
# simple mounting
+
ecryptfs-simple /path/to/foo /path/to/bar
+
 
+
# automatic mounting: prompts for options on the first mount of a directory then reloads them next time
+
ecryptfs-simple -a /path/to/foo /path/to/bar
+
 
+
# unmounting by source directory
+
ecryptfs-simple -u /path/to/foo
+
 
+
# unmounting by mountpoint
+
ecryptfs-simple -u /path/to/bar
+

Latest revision as of 10:26, 13 March 2016

Related articles

This article describes basic usage of eCryptfs. It guides you through the process of creating a private and secure encrypted directory within your $HOME directory to store sensitive files and private data.

In implementation eCryptfs differs from dm-crypt, which provides a block device encryption layer, while eCryptfs is an actual file-system – a stacked cryptographic file system. For comparison of the two you can refer to this table and the Disk encryption#Comparison table. One distinguished feature is that the encryption is stacked on an existing filesystem; eCryptfs can be mounted onto any single existing directory and does not require a separate partition (or size pre-allocation).

Basics

As mentioned in the summary eCryptfs does not require special on-disk storage allocation effort, such as a separate partition or pre-allocated space. Instead, you can mount eCryptfs on top of any single directory to protect it. That includes, for example, a user's entire $HOME directory or single dedicated directories within it. All cryptographic metadata is stored in the headers of files, so encrypted data can be easily moved, stored for backup and recovered. There are other advantages, but there are also drawbacks, for instance eCryptfs is not suitable for encrypting complete partitions which also means you cannot protect swap space with it (but you can, of course, combine it with Dm-crypt/Swap encryption). If you are just starting to set up disk encryption, swap encryption and other points to consider are covered in Disk encryption#Preparation.

To familiarize with eCryptfs a few points:

  • As a stacked filesystem, a mounting of an eCryptfs directory refers to mounting a (stacked) encrypted directory to another unencrypted mount point (directory) at Linux kernel runtime.
  • It is possible to share an encrypted directory between users. However, the encryption is linked to one passphrase so this must be shared as well. It is also possible to share a directory with differently encrypted files (different passphrases).
  • A number of eCryptfs acronyms are used throughout the documentation:
    • The encrypted directory is referred to as the lower and the unencrypted as the upper directory throughout the eCryptfs documentation and this article. While not relevant for this article, the "overlay" filesystem introduced with Linux 3.18 uses (and explains) the same upper/lower nomenclatura for the stacking of filesystems.
    • the mount passphrase (or key) is what gives access to the encrypted files, i.e. unlocks the encryption. eCryptfs uses the term wrapped passphrase to refer to the cryptographically secured mount passphrase.
    • a FEFEK refers to a File's Encryption key Encryption Key (see kernel documentation).
    • a FNEK refers to a File Name Encryption Key, a key to (optionally) encrypt the filenames stored in the encrypted directory.

Before using eCryptfs, the following disadvantages should be checked for applicability.

Deficiencies

  • Hard-coded variables
The best usability of eCryptfs is achieved by relying on the so-called "Ubuntu tools" of the ecryptfs-utils package. A considerable downside is that a lot of variables (encryption options, lower directory path) are hard-coded into the tools. Changing them infers considerable manual configuration to achieve similar integration.
  • Network storage mounts
eCryptfs has long-standing bugs and/or feature requests relating to networked storage. Replicating a content backup of an encrypted directory to a network backup storage is always possible. However, if you want to employ ecryptfs to store the encrypted directory directly on a network storage and mount it locally, you should search for working solutions of the respective network tools (NFS, Samba, etc.) first. If in doubt, EncFS may be a better choice for such application.
  • Sparse files
eCryptfs does not handle sparse files. This is sometimes referred to as a bug, but likewise is a consequence of the design as a stacked filesystem encryption. For example, in an eCryptfs directory a truncate -s 1G file.img creates 1GB encrypted data and passes it to the underlying filesystem to store; with the corresponding resource (disk space, data throughput) requirements. Unencrypted, the same file can be allocated efficiently as sparse file space by the filesystem; with a block device encryption only the respective filesystem output would be encrypted.
This should be considered before encrypting large portions of the directory structure. For most intents and purposes this deficiency does not pose a problem. One workaround is to place sparse files in an unencrypted .Public directory (as opposed to the standard eCryptfs .Private directory, explained below). Another method is to use a dm-crypt container in .Public for such.

Setup example overview

The following #Setup & mounting section describes alternatives using eCryptfs to encrypt a data directory. The alternatives start with #Using the Ubuntu tools, which make eCryptfs usage particularly easy and also safe against user errors. This also applies to #Encrypting a home directory with the tools. During setup, instructions are given on the console by the scripts. The #Using ecryptfs-simple section then introduces an alternative package to aide using eCryptfs. The #Manual setup section then describes the setup using the ecryptfs filesystem directly. The first subsection (#With ecryptfs-utils) still uses one more script and is suggested to read to familiarize with the setup of the manual options before using them #Without ecryptfs-utils.

The alternatives include

  1. the setup step for the encrypted directory structures
  2. the setup to mount, unmount the directory at runtime manually and/or automatically at user login

Each of the described alternative examples can be removed after setup very easily, so do not refrain from testing which suits your needs best.

Setup & mounting

eCryptfs is a part of Linux since version 2.6.19. But to work with it you will need the userspace tools provided by the package ecryptfs-utils available in the Official repositories.

Once you have installed that package you can load the ecryptfs module and continue with the setup:

# modprobe ecryptfs

Before starting, check the eCryptfs documentation. It is distributed with a very good and complete set of manual pages.

Tip: If you use linux-grsec, auto-loading of cryptographic modules may fail when executing the ecryptfs-mount-private wrapper (as of November 2014). As a work-around, load the mentioned module manually; for example modprobe md5 as root and configure the system to load it at next boot.

Using the Ubuntu tools

Most of the user-friendly convenience tools installed by the ecryptfs-utils package assume a very specific eCryptfs setup, namely the one that is officially used by Ubuntu (where it can be selected as an option during distro installation). Unfortunately, these choices are not just default options but are actually hard-coded in the tools. If this set-up does not suit your needs, then you can not use the convenience tools and will have to follow the steps at #Manual setup instead.

The set-up used by these tools is as follows:

  • each user can have only one encrypted directory that is managed by these tools:
    • either full $HOME directory encryption, or
    • a single encrypted data directory (by default ~/Private/, but this can be customized).
  • the lower directory for each user is always ~/.Private/
    (in the case of full home dir encryption, this will be a symlink to the actual location at /home/.ecryptfs/$USER/.Private/)
  • the encryption options used are:
    • cipher: AES
    • key length: 16 bytes (128 bits)
    • key management scheme: passphrase
    • plaintext passthrough: enabled
  • the configuration / control info for the encrypted directory is stored in a bunch of files at ~/.ecryptfs/:
    (in the case of full home dir encryption, this will be a symlink to the actual location at /home/.ecryptfs/$USER/.ecryptfs/)
    • Private.mnt [plain text file] - contains the path where the upper directory should be mounted (e.g. /home/lucy or /home/lucy/Private)
    • Private.sig [plain text file] - contains the signature used to identify the mount passphrase in the kernel keyring
    • wrapped-passphrase [binary file] - the mount passphrase, encrypted with the login passphrase
    • auto-mount, auto-umount [empty files] - if they exist, the pam_ecryptfs.so module will (assuming it is loaded) automatically mount/unmount this encrypted directory when the user logs in/out

Encrypting a data directory

For a full $HOME directory encryption see #Encrypting a home directory

Before the data directory encryption is setup, decide whether it should later be mounted manually or automatically with the user log-in.

To encrypt a single data directory as a user and mount it manually later, run:

$ ecryptfs-setup-private --nopwcheck --noautomount 

and follow the instructions. The option --nopwcheck enables you to choose a passphrase different to the user login passphrase and the option --noautomount is self-explanatory. So, if you want to setup the encrypted directory automatically on log-in later, just leave out both options right away.

The script will automatically create the ~/.Private/ and ~/.ecryptfs/ directory structures as described in the box above. It will also ask for two passphrases:

login passphrase
This is the password you will have to enter each time you want to mount the encrypted directory. If you want auto-mounting on login to work, it has to be the same password you use to login to your user account.
mount passphrase
This is used to derive the actual file encryption master key. Thus, you should not enter a custom one unless you know what you are doing - instead press Enter to let it auto-generate a secure random one. It will be encrypted using the login passphrase and stored in this encrypted form in ~/.ecryptfs/wrapped-passphrase. Later it will automatically be decrypted ("unwrapped") again in RAM when needed, so you never have to enter it manually. Make sure this file does not get lost, otherwise you can never access your encrypted folder again! You may want to run ecryptfs-unwrap-passphrase to see the mount passphrase in unencrypted form, write it down on a piece of paper, and keep it in a safe (or similar), so you can use it to recover your encrypted data in case the wrapped-passphrase file is accidentally lost/corrupted or in case you forget the login passphrase.

The mount point ("upper directory") for the encrypted folder will be at ~/Private by default, however you can manually change this right after the setup command has finished running, by doing:

$ mv ~/Private /path/to/new/folder
$ echo /path/to/new/folder > ~/.ecryptfs/Private.mnt

To actually use your encrypted folder, you will have to mount it - see #Mounting below.

Encrypting a home directory

The wrapper script ecryptfs-migrate-home will set up an encrypted home directory for a user and take care of migrating any existing files they have in their not yet encrypted home directory.

To run it, the user in question must be logged out and own no processes. The best way to achieve this is to log the user out, log into a console as the root user, and check that ps -U username returns no output. You also need to ensure that you have rsync and lsof installed. Once the prerequisites have been met, run:

# modprobe ecryptfs
# ecryptfs-migrate-home -u username

and follow the instructions. After the wrapper script is complete, follow the instructions for auto-mounting - see #Auto-mounting below. It is imperative that the user logs in before the next reboot, to complete the process.

Once everything is working, the unencrypted backup of the users home directory, which is saved to /home/username.random_characters, can and should be deleted.

Mounting

Manually

Executing the wrapper

$ ecryptfs-mount-private 

and entering the passphrase is all needed to mount the encrypted directory to the above described upper directory ~/Private.

Likewise, executing

$ ecryptfs-umount-private

will unmount it again.

Tip: If it is not required to access the private data permanently during a user session, maybe define an alias to speed the manual step up.

The tools include another script that can be very handy to access an encrypted .Private data or home directory. Executing ecryptfs-recover-private as root will search the system (or an optional specific path) for the directory, interactively query the passphrase for it and mount the directory. It can, for example, be used from a live-CD or different system to access the encrypted data in case of a recovery. Note that if booting from an Arch Linux ISO you must first install the ecryptfs-utils to it. Further, it will only be able to mount .Private directories created with the Ubuntu tools.

Auto-mounting

The default way to auto-mount an encrypted directory is via PAM. See man pam_ecryptfs and - for more details - 'PAM MODULE' in:

/usr/share/doc/ecryptfs-utils/README

For auto-mounting it is required that the passphrase to access the encrypted directory is synchronised with the user log-in.

The following steps set it up:

1. Check if ~/.ecryptfs/auto-mount, ~/.ecryptfs/auto-umount and ~/.ecryptfs/wrapped-passphrase exist (these are automatically created by ecryptfs-setup-private).

2. Add ecryptfs to the pam-stack exactly as following to allow transparent unwrapping of the passphrase on login:

Open /etc/pam.d/system-auth and after the line containing auth required pam_unix.so add:

auth    required    pam_ecryptfs.so unwrap

Next, above the line containing password required pam_unix.so insert:

password    optional    pam_ecryptfs.so

And finally, after the line session required pam_unix.so add:

session    optional    pam_ecryptfs.so unwrap

3. Re-login and check output of mount which should now contain a mountpoint, e.g.:

/home/$USER/.Private on /home/$USER/Private type ecryptfs (...)

for the user's encrypted directory. It should be perfectly readable at ~$HOME/Private/.

The latter should be automatically unmounted and made unavailable when the user logs off.

Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed against it.[1] [2] [3] [4] If you experience this problem, you can test it by commenting out -session optional pam_systemd.so in /etc/pam.d/system-login. However, this is no solution because commenting out will break other systemd functionalities.

Using ecryptfs-simple

Use ecryptfs-simple if you just want to use eCryptfs to mount arbitrary directories the way you can with EncFS. ecryptfs-simple does not require root privileges or entries in /etc/fstab, nor is it limited to hard-coded directories such as ~/.Private. The package is available to be installed as ecryptfs-simpleAUR and from Xyne's repos.

As the name implies, usage is simple:

# simple mounting
ecryptfs-simple /path/to/foo /path/to/bar
# automatic mounting: prompts for options on the first mount of a directory then reloads them next time
ecryptfs-simple -a /path/to/foo /path/to/bar
# unmounting by source directory
ecryptfs-simple -u /path/to/foo
# unmounting by mountpoint
ecryptfs-simple -u /path/to/bar

Manual setup

The following details instructions to set up eCryptfs encrypted directories manually. The first section still relies on one extra script from the ecryptfs-utils package. It may be an easier start and can be tried without any root rights. The second then sets up an encrypted directory with other encryption options than the default tools.

Tip: The following examples use an encrypted directory (.secret) different to the default, hard-coded .Private in the Ubuntu tools. This is on purpose to avoid problems of erroneous #Auto-mounting when the system has PAM setup for it, as well as problems with other tools using the hard-coded defaults.

With ecryptfs-utils

Alternatively to using the scripts ecryptfs-setup-private and ecryptfs-mount-private to setup and mount eCryptfs, the same can be done directly with the binaries (which those scripts use) ecryptfs-add-passphrase and mount.ecryptfs_private from the ecryptfs-utils package. Those binaries require no root privileges to work by default.

First choose an ALIAS as you like. Through this section, ALIAS will be secret. Create the required directories/files:

$ mkdir ~/.secret ~/secret ~/.ecryptfs
$ touch ~/.ecryptfs/secret.conf ~/.ecryptfs/secret.sig

The ~/.secret directory will hold the encrypted data. The ~/secret directory is the mount point where ~/.secret will be mounted as an ecryptfs filesystem.

In the next command, replace USER with the name of the current user's home directory. Note that you should write full paths to ~/.ecryptfs/secret.conf. Its format looks like the one in /etc/fstab without the mount options:

$ echo "/home/USER/.secret /home/USER/secret ecryptfs" > ~/.ecryptfs/secret.conf

A mount passphrase must be added to the keyring:

$ ecryptfs-add-passphrase
Passphrase: 
Inserted auth tok with sig [78c6f0645fe62da0] into the user session keyring

Write the output signature (ecryptfs_sig) from the previous command to ~/.ecryptfs/secret.sig:

$ echo 78c6f0645fe62da0 > ~/.ecryptfs/secret.sig

A second passphrase for filename encryption may be used. If you choose so, add it to the keyring:

$ ecryptfs-add-passphrase
Passphrase: 
Inserted auth tok with sig [326a6d3e2a5d444a] into the user session keyring

If you run the command above, append its output signature (ecryptfs_fnek_sig) to ~/.ecryptfs/secret.sig:

 $ echo 326a6d3e2a5d444a >> ~/.ecryptfs/secret.sig

Finally, to mount ~/.secret on ~/secret:

$ mount.ecryptfs_private secret

An eCryptfs filesystem will be mounted with the following options:

rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=326a6d3e2a5d444a,ecryptfs_sig=78c6f0645fe62da0,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs

Except for ecryptfs_sig and ecryptfs_fnek_sig, the options are hard-coded. ecryptfs_fnek_sig will exist only if you choose filename encryption.

To unmount ~/.secret:

$ umount.ecryptfs_private secret

Without ecryptfs-utils

The ecryptfs-utils package is distributed with a few helper scripts which will help you with key management and similar tasks. If one wants, for example, make a choice about the encryption cipher, some of those scripts cannot be used. In this section we setup an encrypted data directory diverting from those defaults.

First create your private directories, in this example we will call them analogous to the previous section: secret

$ mkdir -m 700 /home/username/{.secret,.ecryptfs}
$ mkdir -m 500 /home/username/secret

To summarize:

  • Actual encrypted data will be stored in the lower ~/.secret directory
  • While mounted, decrypted data will be available in ~/secret directory
    • While not mounted nothing can be written to this directory
    • While mounted it has the same permissions as the lower directory

Second we create the mount-passphrase ("file encryption key, encryption key", or fekek) for the directory. It has to be very secure and cannot be changed easily. The ecryptfs-setup-private script offers the option to generate it from /dev/urandom. In the following we do a generation similar to the source and then use ecryptfs-wrap-passphrase to wrap it with an extra password ("Arch"):

$ printf "%s\n%s" $(od -x -N 100 --width=30 /dev/random | head -n 1 | sed "s/^0000000//" | sed "s/\s*//g") "Arch" | ecryptfs-wrap-passphrase /home/username/.ecryptfs/wrapped-passphrase

The advantages of the above step are: the mount passphrase is generated from a random source and secured by extra hashing before it is stored on disk. Further, the wrap-passphrase can be changed later.

Next, we test the passphrase by loading it into the kernel keyring:

$ printf "%s" "Arch" | ecryptfs-insert-wrapped-passphrase-into-keyring /home/username/.ecryptfs/wrapped-passphrase -
Inserted auth tok with sig [7c5d3dd8a1b49db0] into the user session keyring

and manually copy the signature into the configuration:

$ echo "7c5d3dd8a1b49db0" > ~/.ecryptfs/secret.sig

Now we continue to setup the encryption options for the directory and prepare an user-mountable entry for /etc/fstab. If you already know the eCryptfs options to use in it, you can skip the following mount and create an entry with the above signature already.

The mount.ecryptfs command needs root and does not allow for piping the passphrase unfortunately. The mount helper will ask questions about the options we want to choose ("Key type": passphrase - choose any, we only do this to generate the options to use), but let it mount:

# mount -t ecryptfs /home/username/.secret /home/username/secret
Passphrase: yes
Cipher: aes
Key byte: 32
Plaintext passtrough: no
Filename encryption: no
Add signature to cache: yes 

To summarize the parameters:

  • The above chosen 32 "key bytes" result in a 256 bit AES encryption (the helper scripts are hard-coded to AES with 128 bit).
  • Plaintext passtrough enables to store and work with un-encrypted files stored in the lower directory.
  • In eCryptfs terms the key used to protect filenames is known as "filename encryption key", or fnek
  • fekek and fnek can be the same key or different ones at choice

To create the mount point for the user in fstab, find the current mount and copy it. For example (XY are placeholders here):

# mount
/home/username/.secret on /home/username/secret type ecryptfs (... ecryptfs_fnek_sig=XY,ecryptfs_sig=XY,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs, user)

Or, alternatively, append it into /etc/fstab to edit it:

# mount | grep secret >> /etc/fstab 

Before continuing, we can already un-mount the temporary mount we used to generate the options:

# umount /home/username/secret

Now the mount line has to be edited into the correct format, the mount options nosuid,nodev,noexec,relatime before the first ecryptfs option are default and can be left out. But what we need to add is the correct signatures for the passphrases to replace the ones of the current mount:

# cat /home/username/.ecryptfs/secret.sig 
7c5d3dd8a1b49db0 

We also need to add the options user and noauto. After the edit, the entry will look similar to (bold entries added):

/etc/fstab
/home/username/.secret /home/username/secret ecryptfs noauto,user,ecryptfs_fnek_sig=7c5d3dd8a1b49db0,ecryptfs_sig=7c5d3dd8a1b49db0,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs 0 0

Some options to note:

  • The ecryptfs_fnek_sig option will be only listed if you enabled filename encryption
  • The second last option ecryptfs_unlink_sigs ensures that the keyring is cleared every time the directory is un-mounted
  • The bold options have been added:
    • The user option enables to mount the directory as a user
    • The noauto option is important, because otherwise systemd will error trying to mount the entry directly on boot.
  • The user mount will default to option noexec. If you want to have at least executable files in your private directory, you can add exec to the fstab options.

The setup is now complete and directory should be mountable by the user.

Mounting

To mount the encrypted directory as the user, the passphrase must be unwrapped and made available in the user's keyring. Following above section example:

$ ecryptfs-insert-wrapped-passphrase-into-keyring /home/username/.ecryptfs/wrapped-passphrase
Passphrase: 
Inserted auth tok with sig [7c5d3dd8a1b49db0] into the user session keyring 

Now the directory can be mounted without the mount helper questions:

$ mount -i /home/username/secret

and files be placed into the secret directory. The above two steps are necessary every time to mount the directory manually.

To unmount it again:

$ umount /home/username/secret

To finalize, the preliminary passphrase to wrap the encryption passphrase may be changed:

$ ecryptfs-rewrap-passphrase /home/username/.ecryptfs/wrapped-passphrase
Old wrapping passphrase: 
New wrapping passphrase: 
New wrapping passphrase (again):

The un-mounting should also clear the keyring, to check the user's keyring or clear it manually:

$ keyctl list @u
$ keyctl clear @u
Note: One should remember that /etc/fstab is for system-wide partitions only and should not generally be used for user-specific mounts
Auto-mounting

Different methods can be employed to automount the previously defined user-mount in /etc/fstab on login. As a first general step, follow point (1) and (2) of #Auto-mounting.

Then, if you login via console, a simple way is to specify the user-interactive mount and umount in the user's shell configuration files, for example Bash#Configuration files.

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason:
- the section should be more generic than it is now
- the described method does not work for users, for encountered problems: (Discuss in Talk:ECryptfs##Automounting)

Another method is to automount the eCryptfs directory on user login using pam_mount. To configure this method, add the following lines to /etc/security/pam_mount.conf.xml:

<luserconf name=".pam_mount.conf.xml" />
<mntoptions require="" /> 
<lclmount>mount -i %(VOLUME) "%(before=\"-o\" OPTIONS)"</lclmount> 

Please prefer writing manually these lines instead of simply copy/pasting them (especially the lclmount line), otherwise you might get some corrupted characters. Explanation:

  • the first line indicates where the user-based configuration file is located (here ~/.pam_mount.conf.xml)
  • the second line overwrites the default required mount options which are unnecessary ("nosuid,nodev")
  • the last line indicates which mount command to run (eCryptfs needs the -i switch).

Then set the volume definition, preferably to ~/.pam_mount.conf.xml:

<pam_mount>
    <volume noroot="1" fstype="ecryptfs" path="/home/user/.secret/" mountpoint="/home/user/secret/"/>
</pam_mount>

"noroot" is needed because the encryption key will be added to the user's keyring.

Finally, edit /etc/pam.d/login as described in pam_mount's article.

Optional step

To avoid wasting time needlessly unwrapping the passphrase you can create a script that will check pmvarrun to see the number of open sessions:

#!/bin/sh
#
#    /usr/local/bin/doecryptfs

exit $(/usr/sbin/pmvarrun -u$PAM_USER -o0)

With the following line added before the eCryptfs unwrap module in your PAM stack:

auth    [success=ignore default=1]    pam_exec.so     quiet /usr/local/bin/doecryptfs
auth    required                      pam_ecryptfs.so unwrap

The article suggests adding these to /etc/pam.d/login, but the changes will need to be added to all other places you login, such as /etc/pam.d/kde.

Usage

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Content that still may to be covered:

- point to the above "Setup & Mounting" section for how to mount and unmount [this section here will cover all other (i.e. setup-independent) usage info]
- reference ecryptfs tools not used/mentioned in the prior sections (e.g. with a short link to the online manpages and mention of the other tools usage, as it seems useful (not covered yet are, e.g. ecryptfs-stat, ecryptfs-find, ecryptfs-rewrite-file.)
- mention the options to share an encrypted folder between users and to place non-encrypted files or folders in the encrypted container ("pass-through") (references for the points: [5] and (maybe) [6])

(Discuss in Talk:ECryptfs#Major_restructuring/rewrite)

Symlinking into the encrypted directory

Besides using your private directory as storage for sensitive files, and private data, you can also use it to protect application data. Firefox for example has an internal password manager, but the browsing history and cache can also be sensitive. Protecting it is easy:

 $ mv ~/.mozilla ~/Private/mozilla
 $ ln -s ~/Private/mozilla ~/.mozilla

Removal of encryption

There are no special steps involved, if you want to remove your private directory. Make sure it is un-mounted and delete the respective lower directory (e.g. ~/.Private), along with all the encrypted files. After also removing the related encryption signatures and configuration in ~/.ecryptfs, all is gone.

If you were #Using the Ubuntu tools to setup a single directory encryption, you can directly follow the steps detailed by:

$ ecryptfs-setup-private --undo

and follow the instructions.

Backup

If you want to move a file out of the private directory just move it to the new destination while ~/Private is mounted.

With eCryptfs the cryptographic metadata is stored in the header of the files. Setup variants explained in this article separate the directory with encrypted data from the mount point. The unencrypted mount point is fully transparent and available for a backup. Obviously this has to be considered for automated backups, if one has to avoid leaking sensitive unencrypted data into a backup.

You can do backups, or incremental backups, of the encrypted (e.g. ~/.Private) directory, treating it like any other directory.

Further points to note:

  • If you used the Ubuntu tools for #Encrypting a home directory, be aware the location of the lower directory with the encrypted files is outside the regular user's $HOME at /home/.ecryptfs/$USER/.Private.
  • It should be ensured to include the eCryptfs setup files (located in ~/.ecryptfs usually) into the regular or a separate backup.
  • If you use special filesystem mount options, for example ecryptfs_xattr, do extra checks on restore integrity.

See Also

  • eCryptfs - Manpages and project home
  • Security audit of eCryptfs by Taylor Hornby (January 22, 2014).
  • eCryptfs and $HOME by Adrian C. (anrxc) - Article with installation instructions and discussion of eCryptfs usage
  • Chromium data protection (November 2009) - Design document detailing encryption options for Chromium OS, including explanation on its eCryptfs usage
  • eCryptfs design by Michael Halcrow (May 2005) - Original design document detailing and discussing eCryptfs