Difference between revisions of "EncFS"
Revision as of 05:25, 10 June 2011
EncFS is a userspace stackable cryptographic file-system similar to eCryptFS, and aims to secure data with the minimum of hassle. It uses FUSE to mount an encrypted directory onto another directory specified by the user. It does not use a loopback device or container file the way TrueCrypt and dm-crypt do.
EncFS is probably the simplest way to try disk encryption on Linux.
This has a number of advantages and disadvantages compared to those systems. Firstly, it does not require root privileges: any user can create a repository of encrypted files. Secondly, there is no need to create a container file and a file-system within it; EncFS works on top of an existing file-system without modifying it, so the encrypted directory can live anywhere the user can write (a home directory, a USB stick, a network share).
This also creates a few disadvantages. Because the encrypted files are not hidden inside a single container, someone who obtains access to the underlying storage can still see the directory structure, the number of files, their approximate sizes and when they were modified. They cannot see the contents (and, with the default settings, the real file names are encrypted too).
This particular method of securing data is obviously not perfect, but there are situations in which it is useful.
Comparison to eCryptFS
eCryptFS is implemented in kernel space and is therefore a little harder to configure: you have to remember the encryption options you used (cipher, key type, etc.) in order to mount again. This is not the case with EncFS, because it stores these settings in a configuration file inside the encrypted directory, so all you have to remember is the passphrase :-). Its authors claim, however, that eCryptFS is faster because there is no overhead from context switching between kernel and user space.
Installation
Install the encfs package from the official repositories using pacman:
# pacman -S encfs
Usage
To create a secured repository, type:
$ encfs ~/.DIRNAME ~/DIRNAME
This will be followed by a prompt asking whether you want the standard configuration (the default if you just press Enter), the pre-configured paranoid mode ("p") or expert mode ("x"). Expert mode allows specifying algorithms and other options; the first two are reasonably secure defaults. After entering a passphrase, the encrypted file-system will be created and mounted. The encrypted files are stored, in this example, in ~/.DIRNAME, and their decrypted view is available in ~/DIRNAME. The settings you chose and the encrypted volume key are kept in the configuration file inside ~/.DIRNAME (.encfs6.xml); keep a backup of it, because without it the data cannot be decrypted even with the correct passphrase.
To unmount the file-system, type:
$ fusermount -u ~/DIRNAME
To remount the file-system, issue the first command again and enter the passphrase used when it was created. Once this has been entered, the file-system will be mounted again.
User friendly mounting
Mount using CryptKeeper trayicon
Quite a simple app: install it from the AUR and add it to your X session.
Mount at login using pam_encfs
Pam module
- http://aur.archlinux.org/packages.php?ID=2759
- http://pam-encfs.googlecode.com/svn/trunk/README
- http://pam-encfs.googlecode.com/svn/trunk/pam_encfs.conf
- https://wiki.edubuntu.org/EncryptedHomeFolder
- http://code.google.com/p/pam-encfs/
Single password
Note that if you use the same password for login and for EncFS (e.g. with try_first_pass or use_first_pass, so that EncFS is mounted during login), you should use SHA password hashes (preferably SHA512 with a large number of rounds, e.g. "password required pam_unix.so sha512 shadow rounds=65536") and, most importantly, a STRONG PASSWORD. The hash of your password is stored in /etc/shadow, which is readable by root and tends to end up in backups; anyone who obtains a copy can run an offline attack to recover the password, and that password is also your EncFS passphrase. A higher round count makes every guess slower. Keep in mind that pam_unix only rehashes a password when it is changed, so after raising the round count run passwd once, and check /etc/shadow to confirm the entry now starts with $6$rounds=...$.
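As an added example (not code from EncFS, pam_encfs or this page), the following Python script audits /etc/shadow-style entries for the hash method and round count, so you can check whether an account that will reuse its login password for EncFS is actually protected by SHA512 with enough rounds. The sample entries are constructed and their salts and digests are placeholders; the 65536-round threshold is an assumption taken from the page's advice to use a large number of rounds.

```python
"""Audit /etc/shadow-style entries before reusing the login password for EncFS.

Added example for this page (not EncFS, pam_encfs or ArchWiki code).
When one password unlocks both the account and the EncFS volume, the hash in
/etc/shadow is an offline attack path to the EncFS data, so the hashing method
and round count deserve a check. Run as root: audit_shadow(open('/etc/shadow')).
"""
import re

# glibc crypt(3) hash identifiers.  sha256/sha512 default to 5000 rounds
# when no rounds= parameter is present.
_METHOD_BY_ID = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
                 "5": "sha256", "6": "sha512", "y": "yescrypt"}
_SHA_DEFAULT_ROUNDS = 5000
# Assumed threshold, following the page's advice to use a large round count
# (rounds=65536 in pam_unix.so is the figure used on the ArchWiki).
MIN_SHA_ROUNDS = 65536


def parse_shadow_line(line):
    """Return (user, method, rounds) for one shadow line.

    method is 'empty', 'locked', 'des' or a name from _METHOD_BY_ID
    ('unknown:<id>' otherwise); rounds is None where the scheme has no
    round count this script interprets.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = fields[0], fields[1]
    if pw == "":
        return user, "empty", None
    if pw[0] in "!*":
        return user, "locked", None
    if not pw.startswith("$"):
        return user, "des", None          # traditional 13-character DES crypt
    parts = pw.split("$")                 # ['', id, (rounds=N | cost), salt, hash]
    method = _METHOD_BY_ID.get(parts[1], "unknown:" + parts[1])
    rounds = None
    if method in ("sha256", "sha512"):
        rounds = _SHA_DEFAULT_ROUNDS
        m = re.match(r"rounds=(\d+)$", parts[2])
        if m:
            rounds = int(m.group(1))
    elif method == "bcrypt":
        rounds = 2 ** int(parts[2])       # bcrypt cost is log2 of the iterations
    return user, method, rounds


def weak_hash_reasons(method, rounds, min_sha_rounds=MIN_SHA_ROUNDS):
    """Explain why an entry is a poor fit for password reuse with EncFS."""
    reasons = []
    if method == "empty":
        reasons.append("no password set")
    elif method in ("des", "md5"):
        reasons.append("%s crypt is fast to brute-force; migrate to sha512" % method)
    elif method in ("sha256", "sha512") and rounds < min_sha_rounds:
        reasons.append("only %d rounds (default %d); set rounds= in pam_unix.so "
                       "and change the password so it is rehashed"
                       % (rounds, _SHA_DEFAULT_ROUNDS))
    elif method.startswith("unknown"):
        reasons.append("unrecognised hash id")
    return reasons


def audit_shadow(lines, min_sha_rounds=MIN_SHA_ROUNDS):
    """Map user -> reasons for every usable account with a weak hash."""
    findings = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, method, rounds = parse_shadow_line(line)
        if method == "locked":
            continue                      # cannot log in, nothing to reuse
        reasons = weak_hash_reasons(method, rounds, min_sha_rounds)
        if reasons:
            findings[user] = reasons
    return findings


# Constructed sample; salts and digests are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=65536$abcdefgh$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:15000:0:99999:7:::
alice:$6$ijklmnop$YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY:15000:0:99999:7:::
bob:$1$qrstuvwx$ZZZZZZZZZZZZZZZZZZZZZZ:15000:0:99999:7:::
carol:!:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
guest::15000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, reasons in sorted(audit_shadow(SAMPLE_SHADOW.splitlines()).items()):
        print("%s: %s" % (user, "; ".join(reasons)))
```

On the constructed sample only alice (SHA512 at the 5000-round default), bob (MD5) and guest (empty password) are reported; root passes and the locked accounts are skipped.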
/etc/pam.d/
Note that when you pass the try_first_pass parameter to pam_unix.so, pam_unix reuses the password already entered for pam_encfs.so (and falls back to prompting again if that password is wrong), so you have to set EncFS to the same passphrase as your login password (or vice versa) and you will only be asked once. use_first_pass behaves the same way but fails instead of prompting again. Without either parameter you will have to enter two passwords. Also be aware of what "auth sufficient pam_encfs.so" means: if the passphrase you enter mounts the EncFS volume, PAM returns success right there and pam_unix.so is never consulted, so the EncFS passphrase on its own is a valid login credential for the account.
login
I personally do not use pam_encfs in login, only in GDM, because I don't expect the virtual console (VC) to be user friendly. You will probably still need to debug the configuration in login first and then migrate it to gdm, because it is faster and easier to debug on the console.
#%PAM-1.0
auth required pam_securetty.so
auth requisite pam_nologin.so
auth sufficient pam_encfs.so
auth required pam_unix.so nullok try_first_pass
#auth required pam_unix.so nullok
auth required pam_tally.so onerr=succeed file=/var/log/faillog
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
account required pam_access.so
account required pam_time.so
account required pam_unix.so
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password required pam_unix.so md5 shadow use_authtok
session required pam_unix.so
session required pam_env.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/spool/mail standard
session optional pam_lastlog.so
session optional pam_loginuid.so
-session optional pam_ck_connector.so nox11
#Automatic unmount (optional):
#session required pam_encfs.so
Note that the automatic unmount runs even when another session is still active, e.g. logging out on a VC can unmount the EncFS volume mounted by a GDM session that is still running (that is why I don't use pam_encfs on the console).
gdm
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so
auth sufficient pam_encfs.so
auth required pam_unix.so try_first_pass
auth optional pam_gnome_keyring.so
account required pam_unix.so
session required pam_limits.so
session required pam_unix.so
session optional pam_gnome_keyring.so auto_start
password required pam_unix.so
session required pam_encfs.so
Mount at Gnome startup using gnome-encfs
Mount when USB drive with EncFS folders is inserted using fsniper
A simple method to automount (asking for the password) EncFS when a USB drive with one or more EncFS folders in its root is inserted. We will use fsniper (a filesystem-watching daemon based on inotify) and git (for its askpass binary).
- http://aur.archlinux.org/packages.php?ID=16677
- https://github.com/Harvie/Programs/tree/master/bash/encfs/automount (latest version of files used in following HOWTO)
HOWTO
- (you need USB automounting to work for this, as thunar or nautilus do it)
- make an encrypted folder on your drive, e.g.: encfs /media/USB/somename /media/USB/somename.plain (and then unmount everything)
- install fsniper and git from the AUR
- configure fsniper to watch /etc/mtab (this relies on /etc/mtab being a regular file that mount(8) rewrites; on systems where it is a symlink to /proc/self/mounts, inotify never fires and you need a different trigger, e.g. a udev rule):
# ~/.config/fsniper/config
# You can get fsniper at http://code.l3ib.org/?p=fsniper.git
watch {
    /etc/ {
        mtab {
            # %% is replaced with the filename of the new file
            handler = encfs-automount.sh %%;
        }
    }
}
- install the helper script:
#!/bin/sh
# ~/.config/fsniper/scripts/encfs-automount.sh
# Quick & dirty script for automounting EncFS USB drives
# TODO:
# - Unmounting!!!
#
ASKPASS="/usr/lib/git-core/git-gui--askpass"
# Keep the lock in a per-user directory rather than under a fixed name in the
# world-writable /tmp, where any other user could pre-create the file.
lockdir="${XDG_RUNTIME_DIR:-/tmp/fsniper_encfs.$(id -u)}"
mkdir -p -m 700 "$lockdir"
lock="$lockdir/fsniper_encfs.lock"
lpid=$(cat "$lock" 2>/dev/null) && [ -n "$lpid" ] && kill -0 "$lpid" 2>/dev/null && {
  echo "Another instance of fsniper_encfs is running"
  exit 0
}
echo $$ > "$lock"   # $$ is POSIX; $BASHPID only exists in bash, not in /bin/sh
sleep 2             # give the desktop automounter time to finish mounting the drive
echo
echo "==== EncFS automount script for fsniper ===="
list_mounts() {
  cut -d ' ' -f 2 /proc/mounts
}
list_mounts | while read -r mount; do
  echo "Looking for $mount/*/.encfs*"
  # Iterate over every match instead of collapsing the glob into one string,
  # which only worked when exactly one encrypted folder was present.
  for config in "$mount"/*/.encfs*; do
    [ -r "$config" ] || continue
    cyphertext="$(dirname "$config")"
    plaintext="$cyphertext".plain
    echo "Found config: $config"
    # Whole-line match: a plain grep would also match e.g. somename.plain.old
    if list_mounts | grep -Fxq "$plaintext"; then
      echo "Already mounted: $plaintext"
    else
      echo "Will mount $cyphertext to $plaintext"
      mkdir -p "$plaintext"   # encfs cannot ask to create it while reading the passphrase from stdin
      "$ASKPASS" "EncFS $cyphertext to $plaintext" | encfs --stdinpass "$cyphertext" "$plaintext"
    fi
  done
done
echo
rm "$lock" 2>/dev/null
- make sure that /usr/lib/git-core/git-gui--askpass works for you (that is why the git package is needed, but you can point ASKPASS in the helper script at any other askpass program)
- try fsniper --log-to-stdout in a terminal (the askpass dialog should appear when a USB drive is inserted)
- add fsniper --daemon to your session
- don't forget to unmount the EncFS volume (fusermount -u) before removing the drive; the script above does not do that for you
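The following helper script is an added example and is not code from the EncFS project or from the HOWTO above. It serves both the Usage section (checking, mounting and remounting a volume from a script) and the unmount step that the fsniper script leaves as a TODO, by reading the kernel mount table instead of grepping it loosely. Assumptions: encfs and fusermount are in PATH, EncFS 1.5 or later (config file .encfs6.xml, filesystem type "fuse.encfs" in /proc/mounts), and the MOUNTS variable may point at a saved copy of /proc/mounts so the parsing can be exercised without real mounts.

```shell
#!/bin/sh
# encfs-helpers.sh: added example, not code from the EncFS project or from the
# fsniper HOWTO. Reads the kernel mount table to check, mount and unmount EncFS
# volumes reliably. Assumptions: encfs and fusermount are in PATH, EncFS >= 1.5
# (config file .encfs6.xml, filesystem type "fuse.encfs" in /proc/mounts).
# MOUNTS can point at a saved copy of /proc/mounts for testing.

MOUNTS="${MOUNTS:-/proc/mounts}"

# Print the mount point of every EncFS volume, one per line.
# /proc/mounts escapes space, tab, newline and backslash as octal (\040 etc.),
# which is why a naive grep for "/media/My Disk" never matches; printf %b decodes.
encfs_mountpoints() {
    awk '$3 == "fuse.encfs" { print $2 }' "$MOUNTS" | while IFS= read -r mp; do
        printf '%b\n' "$mp"
    done
}

# Exact test for one plaintext mount point. A substring grep (as in the
# fsniper script) would also match /x/secret.plain.old.
encfs_is_mounted() {    # $1 = plaintext mount point
    encfs_mountpoints | grep -Fxq -- "$1"
}

# Mount (or remount) a volume with an interactive passphrase prompt; refuses
# to stack a second EncFS mount on an already mounted directory.
encfs_mount() {         # $1 = ciphertext dir, $2 = plaintext mount point
    [ -r "$1/.encfs6.xml" ] || { echo "no EncFS config in $1" >&2; return 1; }
    if encfs_is_mounted "$2"; then
        echo "already mounted: $2" >&2
        return 0
    fi
    mkdir -p -- "$2" && encfs "$1" "$2"
}

# List EncFS mount points below a directory (e.g. a USB drive's mount point),
# deepest first so nested volumes can be released in order.
encfs_mounts_under() {  # $1 = directory prefix without trailing slash
    encfs_mountpoints | awk -v p="$1/" 'index($0, p) == 1 { print length($0), $0 }' |
        sort -rn | cut -d ' ' -f 2-
}

# The unmount step the fsniper script leaves as a TODO: run this before
# removing the drive, e.g. encfs_umount_under /media/USB
encfs_umount_under() {  # $1 = directory prefix
    encfs_mounts_under "$1" | while IFS= read -r mp; do
        if fusermount -u "$mp"; then
            echo "unmounted $mp"
        else
            echo "failed to unmount $mp (still in use?)" >&2
        fi
    done
}

case "${1-}" in
    list)   encfs_mountpoints ;;
    mount)  encfs_mount "$2" "$3" ;;
    umount) encfs_umount_under "$2" ;;
    *)      ;;                       # sourced or no command given: functions only
esac
```

Source the file from your shell (or from the fsniper helper) to get the functions, or run it directly: "encfs-helpers.sh mount ~/.Private ~/Private", "encfs-helpers.sh umount /media/USB" before pulling the drive, and "encfs-helpers.sh list" to see what is currently mounted. The deepest-first ordering matters only when one EncFS volume is mounted inside another, but it costs nothing and avoids a "device busy" failure in that case.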