
How to use eCryptfs (Cryptographic Filesystem) in Ubuntu Linux

eCryptfs is a kernel-native stacked cryptographic filesystem for Linux. Stacked filesystems layer on top of existing mounted filesystems that are referred to as lower filesystems. eCryptfs is a stacked filesystem that encrypts and decrypts the files as they are written to or read from the lower filesystem.

eCryptfs encrypts and decrypts individual data extents in each file using a unique randomly generated File Encryption Key (FEK). The FEK is encrypted with the File Encryption Key Encryption Key (FEKEK), and the resulting Encrypted File Encryption Key (EFEK) is stored in the header of each lower file.



First, install the necessary packages. From a terminal prompt enter:
sudo apt-get install ecryptfs-utils

Now, let's encrypt all files that we read and write. The lower directory /home/nikesh/private will hold the encrypted data; mount it on the encrypted mount point /encrypted with the command:
sudo mount -t ecryptfs /home/nikesh/private/ /encrypted


The directory /encrypted is now an encrypted mount point; you can verify this with the command "mount". Whatever you write to this directory is encrypted before it is stored in /home/nikesh/private.

Once the encrypted filesystem is unmounted, the files cannot be read, because only their encrypted form remains in the lower directory.

Automatically Mounting Encrypted Partitions
There is a way to automatically mount an eCryptfs encrypted filesystem at boot. This example uses a /root/.ecryptfsrc file containing the mount options, along with a passphrase file residing on a USB key.

First, create /root/.ecryptfsrc containing:
key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
Note: adjust the ecryptfs_sig value above to the signature recorded for your passphrase in /root/.ecryptfs/sig-cache.txt.
Next, create the /mnt/usb/passwd_file.txt passphrase file:
passphrase_passwd=[secrets]
Now add the necessary lines to /etc/fstab:

/home/nikesh/private/ /encrypted ecryptfs defaults 0 0

Make sure the USB drive is mounted before the encrypted partition.
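The two steps a practitioner wants to verify before trusting this setup are the ones the post mentions in passing: that /encrypted really is an eCryptfs mount (the "mount" check above) and that the USB key holding the passphrase is mounted before the encrypted entry. The script below is an added example, not code from the original post or from the ecryptfs-utils project. It bundles those checks with two more (the passphrase file must not be readable by group or other, and /root/.ecryptfsrc must carry the options the fstab entry relies on). Every path and file content it writes is constructed for the demo; the functions take file arguments so they can be pointed at the real /proc/mounts, /etc/fstab and /root/.ecryptfsrc on a live system.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for an
# eCryptfs mount driven by /root/.ecryptfsrc and a passphrase file on a USB
# key. All sample paths and contents below are constructed for the demo.

# Return 0 if MOUNTPOINT is listed as an ecryptfs mount in MOUNTS_FILE
# (default /proc/mounts). Fields: device mountpoint fstype options dump pass.
is_ecryptfs_mount() {
    mp=$1
    mounts_file=${2:-/proc/mounts}
    awk -v mp="$mp" '$2 == mp && $3 == "ecryptfs" { found = 1 }
                     END { exit !found }' "$mounts_file"
}

# Return 0 if the passphrase file exists and grants nothing to group/other.
# The passphrase unlocks the FEKEK, and through it every file's FEK, so a
# copy readable by other users defeats the whole setup.
passphrase_file_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    # Portable check: characters 5-10 of `ls -ld` output are the group and
    # other permission bits; all dashes means mode 0600 or stricter.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Return 0 if RC_FILE carries the options the fstab entry depends on and
# ecryptfs_sig is a 16-hex-digit signature, the form found in sig-cache.txt.
ecryptfsrc_is_complete() {
    rc=$1
    for key in key ecryptfs_sig ecryptfs_cipher ecryptfs_key_bytes; do
        grep -q "^$key=" "$rc" || return 1
    done
    grep -Eq '^ecryptfs_sig=[0-9a-f]{16}$' "$rc"
}

# Return 0 if FSTAB mounts USB_MP on an earlier line than the ecryptfs entry
# for ENC_MP. `mount -a` walks fstab top to bottom, so the USB key holding
# the passphrase must come first. Comment and blank lines are skipped.
fstab_usb_before_encrypted() {
    fstab=$1; usb_mp=$2; enc_mp=$3
    awk -v usb="$usb_mp" -v enc="$enc_mp" '
        /^[[:space:]]*(#|$)/ { next }
        $2 == usb && !usb_line { usb_line = NR }
        $2 == enc && $3 == "ecryptfs" && !enc_line { enc_line = NR }
        END { exit !(usb_line && enc_line && usb_line < enc_line) }' "$fstab"
}

# Run every check against the given files; print one line per check and
# return 0 only if all of them pass.
run_checks() {
    mounts=$1; fstab=$2; rc=$3; passfile=$4
    status=0
    is_ecryptfs_mount /encrypted "$mounts" \
        && echo "ok   /encrypted is an ecryptfs mount" \
        || { echo "FAIL /encrypted is not mounted as ecryptfs"; status=1; }
    passphrase_file_is_private "$passfile" \
        && echo "ok   passphrase file is private" \
        || { echo "FAIL passphrase file missing or readable by others"; status=1; }
    ecryptfsrc_is_complete "$rc" \
        && echo "ok   .ecryptfsrc has key, sig, cipher and key_bytes" \
        || { echo "FAIL .ecryptfsrc is incomplete or sig is malformed"; status=1; }
    fstab_usb_before_encrypted "$fstab" /mnt/usb /encrypted \
        && echo "ok   fstab mounts /mnt/usb before /encrypted" \
        || { echo "FAIL fstab must mount /mnt/usb before /encrypted"; status=1; }
    return $status
}

# Constructed sample inputs, written to a temp dir so the demo runs offline.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/usb vfat rw,nosuid,nodev 0 0
/home/nikesh/private /encrypted ecryptfs rw,ecryptfs_sig=5826dd62cf81c615,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
cat > "$demo_dir/fstab" <<'EOF'
# device  mountpoint  type  options  dump  pass
/dev/sda1 / ext4 defaults 0 1
/dev/sdb1 /mnt/usb vfat defaults 0 0
/home/nikesh/private/ /encrypted ecryptfs defaults 0 0
EOF
cat > "$demo_dir/ecryptfsrc" <<'EOF'
key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
EOF
printf 'passphrase_passwd=[secrets]\n' > "$demo_dir/passwd_file.txt"
chmod 600 "$demo_dir/passwd_file.txt"

run_checks "$demo_dir/mounts" "$demo_dir/fstab" "$demo_dir/ecryptfsrc" "$demo_dir/passwd_file.txt"
```

Run it as root against the real files (/root/.ecryptfsrc is readable only by root) after the USB key is plugged in and before rebooting. The fstab ordering check reflects how `mount -a` processes the file; on Ubuntu releases that boot with systemd, fstab entries may be mounted in parallel, so the ecryptfs entry should additionally carry the systemd mount option `x-systemd.requires-mounts-for=/mnt/usb` to express the same dependency explicitly.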

