
#1 2009-05-28 14:26:11

leo72
Member
Registered: 2009-05-28
Posts: 16

[SOLVED] eCryptfs: how to set auto-mount up at login on Arch

I've used ecryptfs to secure my personal files on my laptop in the past under Ubuntu and it worked great.

Now I've chosen Arch as my distro and wanted to set up ecryptfs but I wasn't able to do that completely.
I've followed these tutorials:
http://wiki.archlinux.org/index.php/Sys … h_eCryptfs
http://sysphere.org/~anrxc/j/articles/e … index.html

But I have a problem: my system doesn't do the auto-mount at login because it doesn't unwrap the passphrase and so it doesn't mount the private directory. If I try to give this command: "mount -i /home/leo/Private", I get the error: "Mount: no such file or directory". If, before that, I give "ecryptfs-manager" and add the key in the keyring, then I am able to mount the folder.

This is my /etc/pam.d/login:

#%PAM-1.0
auth        required    pam_securetty.so
auth        requisite    pam_nologin.so
auth        required    pam_unix.so nullok
auth        required    pam_ecryptfs.so unwrap
auth        required    pam_tally.so onerr=succeed file=/var/log/faillog
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth        required    pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
account        required    pam_access.so
account        required    pam_time.so
account        required    pam_unix.so
#password    required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password    required    pam_ecryptfs.so
#password    required    pam_unix.so md5 shadow use_authtok
session        required    pam_unix.so
session        required    pam_env.so
session        required    pam_motd.so
session        required    pam_limits.so
session        optional    pam_mail.so dir=/var/spool/mail standard
session        optional    pam_lastlog.so

This is my /etc/pam.d/gdm (I use Gnome):

#%PAM-1.0
auth            requisite       pam_nologin.so
auth            required        pam_env.so
auth            required        pam_unix.so
auth        required    pam_ecryptfs.so unwrap
auth            optional        pam_gnome_keyring.so
account         required        pam_unix.so
session         required        pam_limits.so
session         required        pam_unix.so
session         optional        pam_gnome_keyring.so auto_start
password    required    pam_ecryptfs.so
password        required        pam_unix.so

This is my /etc/fstab:

# 
# /etc/fstab: static file system information
#
# <file system>        <dir>         <type>    <options>          <dump> <pass>
none                   /dev/pts      devpts    defaults            0      0
none                   /dev/shm      tmpfs     defaults            0      0

#/dev/cdrom             /media/cd   auto    ro,user,noauto,unhide   0      0
#/dev/dvd               /media/dvd  auto    ro,user,noauto,unhide   0      0
#/dev/fd0               /media/fl   auto    user,noauto             0      0

UUID=08796d2a-e886-41a1-9fab-64e13e0c814e / ext3 defaults 0 1
UUID=0fd6cc7c-7b65-4ae1-9803-1e41e763a514 swap swap defaults 0 0
UUID=46763f86-511a-404d-b395-d9a391fca1a9 /boot ext2 defaults 0 1
UUID=981a5104-92e4-4649-81ce-3a7a2def75ed /home ext3 defaults 0 1
/home/leo/Private /home/leo/Private ecryptfs rw,user,noauto,exec,ecryptfs_sig=xxxxxxxxxxxxxxxx,ecryptfs_cipher=aes,ecryptfs_passthrough,ecryptfs_unlink_sigs,ecryptfs_key_bytes=16 0 0

This is my ~/.bash_profile:

. $HOME/.bashrc

if test -e $HOME/.ecryptfs/auto-mount; then
  mount | grep "$HOME/Private type ecryptfs"
  if test $? != 0; then
    mount -i $HOME/Private
  fi
fi

In /etc/rc.conf I've put the module ecryptfs in MODULES.

Mount works only if I first manually insert the passphrase in my keyring and then mount the folder using mount -i.

Last edited by leo72 (2009-05-29 22:31:04)

Offline

#2 2009-05-28 15:09:28

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834
Website

Re: [SOLVED] eCryptfs: how to set auto-mount up at login on Arch

After one such failed mount attempt you can check your /var/log/errors.log file for an explanation of the failure.

There could be a couple of reasons why your mount fails, but to start with the obvious:
1) You gave a lot of information but you did not say if you "wrapped" your mount passphrase (you encrypt your mount-passphrase with your user login password and the resulting hash is stored in the ~/.ecryptfs/wrapped-passphrase file)? PAM module needs this.
2) Also, the PAM module first checks if there is a file ~/.ecryptfs/auto-mount (just an empty file) and only then it will mount.

Also note:
1) That code for automounting in your shell init file is not really needed when you don't encrypt your entire $HOME. Even more so in your case, since you are using a directory named "Private" - the PAM module invokes the "mount.ecryptfs_private" utility which has "Private" hard-coded (this being the standard in eCryptfs) and your ~/Private directory will be auto-mounted automatically.
1a) It's good to mention that in the future users will be able to use the ~/.ecryptfs/Private.mnt file, listing all their mounts in there, so the "mount.ecryptfs_private" utility and the PAM module will be able to auto-mount _all_ encrypted directories automatically - without the need for custom mounting code or using PAM_mount.
2) If you are not encrypting your entire $HOME you really should not auto-mount (in case of $HOME it is of course mandatory). When you need to work with ~/Private only then you should mount it for added security. That is the reason why the wiki article does not talk about auto-mounting. To make things easier you can create a simple desktop launcher that will execute the mount/umount commands or check the ecryptfs-gui utility that will sit in your tray and make things easier...

Last edited by anrxc (2009-05-28 15:14:13)


You need to install an RTFM interface.

Offline

#3 2009-05-28 20:14:35

bangkok_manouel
Member
From: indicates a starting point
Registered: 2005-02-07
Posts: 1,556

Re: [SOLVED] eCryptfs: how to set auto-mount up at login on Arch

you don't want to mount encrypted fs automatically. just makes no sense.

Offline

#4 2009-05-28 20:17:33

leo72
Member
Registered: 2009-05-28
Posts: 16

Re: [SOLVED] eCryptfs: how to set auto-mount up at login on Arch

I have my ~/.ecryptfs folder, and it contains 2 files: auto-mount and wrapped-passphrase, generated by "ecryptfs-wrap-passphrase". Then I inserted it in my keyring using "ecryptfs-insert-wrapped-passphrase-into-keyring /home/leo/.ecryptfs/wrapped-passphrase". As I said, I followed both tutorials, so I made all the necessary steps.

I will try to remove the code from my bash_profile and to try to see if it mounts my secret folder.

Also, I would remark that I am using ecryptfs because I would want to have automount ;)
I know that I can mount my folder when I need to access my personal data but the way ecryptfs is working is easier for me. Instead, I could use Truecrypt (or CryptKeeper, if it compiled... but there are problems with the new gcc 4.4) but I don't want a mount-before-use solution :)

Offline

#5 2009-05-29 15:49:22

leo72
Member
Registered: 2009-05-28
Posts: 16

Re: [SOLVED] eCryptfs: how to set auto-mount up at login on Arch

I was finally able to set up ecryptfs to auto-mount my private directory! :)
The bad thing is that I've done the work setting up my /etc/pam.d/gdm file as the one I have on my Ubuntu system, so I can say that the tutorial in the Wiki is not perfect or maybe it has been written for an old version of ecryptfs-utils and it doesn't work for the version that's in the AUR repo.

I've simply done these steps:

1) installed ecryptfs-utils using yaourt (and its dependency keyutils)

2) loaded the ecryptfs module: #modprobe ecryptfs

3) launched ecryptfs-setup-private as normal user and entered: a) my login password, b) return to let ecryptfs create a random passphrase

4) edited /etc/pam.d/gdm (because I'm using Gnome: if you use KDE, you have to edit /etc/pam.d/kde or if you use terminal you have to edit /etc/pam.d/login) and modified it as follows:

#%PAM-1.0
auth            requisite       pam_nologin.so
auth            required        pam_env.so
auth            required        pam_unix.so
#the following has been added
auth            required        pam_ecryptfs.so unwrap
auth            optional        pam_gnome_keyring.so
account         required        pam_unix.so
session         required        pam_limits.so
session         required        pam_unix.so
#the following has been added
session         required        pam_ecryptfs.so unwrap
session         optional        pam_gnome_keyring.so auto_start
password        required        pam_unix.so
#the following has been added
password        required        pam_ecryptfs.so

The lines that have been added are marked by a comment above.
They have been inserted by myself following the config files I had on my Ubuntu system. It is important to put them in the exact position where I wrote them because the pam_ecryptfs module must be loaded at a certain step.
So, if you think to modify the other pam files (kde or login) keep this in mind.

5) edited the /etc/rc.conf file and added the ecryptfs module in the MODULES array.

After those steps, I simply rebooted my system and, after GDM login I had my ~/Private folder accessible like all the other folders. But if I logout and login as another user (i.e. root), I couldn't access the files that are in.

I don't speak/write English very well (it's not my primary language) so I ask someone else to correct the tutorial in the wiki in the section relating to the auto-mount configuration (http://wiki.archlinux.org/index.php/Sys … h_eCryptfs).

Offline
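The prerequisites named in posts #2 and #5, turned into a small lint script. This is an added example, not part of any post in the thread: the function names and the sample file names are made up for illustration, the sample input is the gdm file from post #1 (whitespace collapsed) plus the session line that post #5 adds, and it assumes one-word control fields such as "required", as in the files shown above.

```shell
# Added example (not from the thread): lint the eCryptfs auto-mount prerequisites.

# check_pam_ecryptfs FILE: print findings for a PAM service file; return 1 if any.
check_pam_ecryptfs() {
    findings=$(awk '
        $1 ~ /^#/ || NF < 3 { next }                 # skip comments and blank lines
        $1 == "auth" && $3 == "pam_unix.so" { unix_seen = 1 }
        $3 == "pam_ecryptfs.so" {
            seen[$1] = 1
            if ($1 != "auth") next
            if (!unix_seen) print "auth: pam_ecryptfs.so is listed before pam_unix.so"
            unwrap = 0
            for (i = 4; i <= NF; i++) if ($i == "unwrap") unwrap = 1
            if (!unwrap) print "auth: pam_ecryptfs.so has no unwrap option"
        }
        END {
            n = split("auth session password", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) print want[i] ": no pam_ecryptfs.so line"
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# check_ecryptfs_files DIR: the two files post #2 says the PAM module needs.
check_ecryptfs_files() {
    rc=0
    for f in auto-mount wrapped-passphrase; do
        [ -e "$1/$f" ] || { echo "missing: $1/$f"; rc=1; }
    done
    return $rc
}

# write_samples DIR: constructed inputs (post #1 gdm file; same file plus post #5 session line).
write_samples() {
    printf '%s\n' '#%PAM-1.0' 'auth requisite pam_nologin.so' 'auth required pam_env.so' \
        'auth required pam_unix.so' 'auth required pam_ecryptfs.so unwrap' \
        'auth optional pam_gnome_keyring.so' 'account required pam_unix.so' \
        'session required pam_limits.so' 'session required pam_unix.so' \
        'session optional pam_gnome_keyring.so auto_start' \
        'password required pam_ecryptfs.so' 'password required pam_unix.so' > "$1/gdm.post1"
    awk '{ print } $0 == "session required pam_unix.so" {
        print "session required pam_ecryptfs.so unwrap" }' "$1/gdm.post1" > "$1/gdm.post5"
}

tmp=$(mktemp -d) && write_samples "$tmp"
check_pam_ecryptfs "$tmp/gdm.post1" || echo "post #1 sample: incomplete"
check_pam_ecryptfs "$tmp/gdm.post5" && echo "post #5 sample: ok"
rm -rf "$tmp"
```

On a real system the same functions can be pointed at /etc/pam.d/gdm (or login, kde, slim) and at ~/.ecryptfs.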

#6 2009-05-29 16:23:24

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834
Website

Re: [SOLVED] eCryptfs: how to set auto-mount up at login on Arch

The article talks about mounting only in the context of encrypted $HOME and using pam_mount.


You need to install an RTFM interface.

Offline

#7 2009-05-29 20:49:41

leo72
Member
Registered: 2009-05-28
Posts: 16

Re: [SOLVED] eCryptfs: how to set auto-mount up at login on Arch

Yes, I'm wrong.
I mixed the contents of the two tutorials and I didn't remember which contained what and vice-versa :)

Maybe it could be useful to add these auto-mount tips to the wiki, couldn't it?

Offline

#8 2009-05-29 21:06:28

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834
Website

Re: [SOLVED] eCryptfs: how to set auto-mount up at login on Arch

Maybe it could be useful to add these auto-mount tips to the wiki, couldn't it?

I was just discussing that with developers on IRC, I was interested in policies of other distributions that have eCryptfs well integrated. The current (version of the) article on the wiki is written in the context that you (user) will keep passwords and similar sensitive files in there, in which case I would advise against auto-mounting.

However, if a user transfers his mozilla profiles, chat logs and similar stuff in there (and symlinks them back to $HOME), that user would certainly want automatic mounting.

When other people pick up on the article someone might add information about PAM and everything else... but up to this point that article is the only source of information related to Arch Linux in particular and I would rather not be connected with recommending bad security practices to users - especially given the source, the official distribution wiki.

In the other article, on my journal, I took the liberty to offer some solutions that have security implications (which I also discuss). But that is my personal page and I can accept that responsibility - but for that reason I could not just dump that whole article on the wiki itself.


You need to install an RTFM interface.

Offline

#9 2009-05-29 22:28:48

leo72
Member
Registered: 2009-05-28
Posts: 16

Re: [SOLVED] eCryptfs: how to set auto-mount up at login on Arch

Let me say that I partially disagree with your point of view.
We are not talking about security issues, but we are talking about the use of ecryptfs, so I think that the wiki page about ecryptfs should report all the uses of ecryptfs itself (like auto-mount solutions) and maybe specifying possible security flaws deriving from the use of that info and kind of tools.... but informing users about all the possibilities that ecryptfs offers.

I know a little bit about security and cryptography (I founded the Cryptographic portal on the Italian wikipedia ;)) so I can understand you when you say that you dislike auto-mount solutions. But keep in mind that almost all the users use cryptography and security knowing nothing about them: they are using passwords like "password", "abcdef", "123456", etc... thinking that their data are secure.... and maybe writing passwords on little papers left in the laptop bag...

The way ecryptfs works is just a little piece of security for these users: an encrypted folder that can be decrypted on-the-fly at login with the same user password (!) is better than nothing :)

I agree that if you want to _secure_ your data, you have to use something stronger like Truecrypt or similar.

Offline

#10 2011-11-21 09:39:55

mervinb
Member
Registered: 2011-11-19
Posts: 25

Re: [SOLVED] eCryptfs: how to set auto-mount up at login on Arch

I'm just trying out Archbang, and mount my ubuntu /home with Archbang. On /home there is a .Private set up.

After installing ecryptfs, I used the instructions in post #5 to modify /etc/pam.d/login (and slim), and my ~/Private directory appears exactly as in ubuntu. Great stuff. Thanks!

Offline

#11 2011-11-21 16:12:18

fsckd
Forum Fellow
Registered: 2009-06-15
Posts: 4,173

Re: [SOLVED] eCryptfs: how to set auto-mount up at login on Arch

mervinb,

  • Don't necro-bump

  • We do not provide assistance for other distributions. Take your question to ArchBang's forums.

  • Read our forum rules.

Closing.


aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies

Offline
