I've used ecryptfs to secure on my laptop my personal files in the past under Ubuntu and it worked great.
Now I've chosen Arch as my distro and wanted to set up ecryptfs, but I wasn't able to do that completely.
I've followed these tutorials:
http://wiki.archlinux.org/index.php/Sys … h_eCryptfs
http://sysphere.org/~anrxc/j/articles/e … index.html
But I have a problem: my system doesn't do the auto-mount at login because it doesn't unwrap the passphrase and, so, it doesn't mount the private directory. If I try to give this command: "mount -i /home/leo/Private", I get the error: "Mount: no such file or directory". If, before that, I give "ecryptfs-manager" and add the key in the keyring, then I am able to mount the folder.
This is my /etc/pam.d/login:
#%PAM-1.0
auth required pam_securetty.so
auth requisite pam_nologin.so
auth required pam_unix.so nullok
auth required pam_ecryptfs.so unwrap
auth required pam_tally.so onerr=succeed file=/var/log/faillog
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
account required pam_access.so
account required pam_time.so
account required pam_unix.so
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_ecryptfs.so
#password required pam_unix.so md5 shadow use_authtok
session required pam_unix.so
session required pam_env.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/spool/mail standard
session optional pam_lastlog.so
This is my /etc/pam.d/gdm (I use Gnome):
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so
auth required pam_ecryptfs.so unwrap
auth optional pam_gnome_keyring.so
account required pam_unix.so
session required pam_limits.so
session required pam_unix.so
session optional pam_gnome_keyring.so auto_start
password required pam_ecryptfs.so
password required pam_unix.so
This is my /etc/fstab:
#
# /etc/fstab: static file system information
#
# <file system> <dir> <type> <options> <dump> <pass>
none /dev/pts devpts defaults 0 0
none /dev/shm tmpfs defaults 0 0
#/dev/cdrom /media/cd auto ro,user,noauto,unhide 0 0
#/dev/dvd /media/dvd auto ro,user,noauto,unhide 0 0
#/dev/fd0 /media/fl auto user,noauto 0 0
UUID=08796d2a-e886-41a1-9fab-64e13e0c814e / ext3 defaults 0 1
UUID=0fd6cc7c-7b65-4ae1-9803-1e41e763a514 swap swap defaults 0 0
UUID=46763f86-511a-404d-b395-d9a391fca1a9 /boot ext2 defaults 0 1
UUID=981a5104-92e4-4649-81ce-3a7a2def75ed /home ext3 defaults 0 1
/home/leo/Private /home/leo/Private ecryptfs rw,user,noauto,exec,ecryptfs_sig=xxxxxxxxxxxxxxxx,ecryptfs_cipher=aes,ecryptfs_passthrough,ecryptfs_unlink_sigs,ecryptfs_key_bytes=16 0 0
This is my ~/.bash_profile:
. $HOME/.bashrc
if test -e $HOME/.ecryptfs/auto-mount; then
    mount | grep "$HOME/Private type ecryptfs"
    if test $? != 0; then
        mount -i $HOME/Private
    fi
fi
In /etc/rc.conf I've put the module ecryptfs in MODULES.
Mount works only if I first manually insert the passphrase in my keyring and then mount the folder using mount -i.
Last edited by leo72 (2009-05-29 22:31:04)
After one such failed mount attempt you can check your /var/log/errors.log file for an explanation of the failure.
There could be a couple of reasons why your mount fails, but to start with the obvious:
1) You gave a lot of information but you did not say if you "wrapped" your mount passphrase (you encrypt your mount passphrase with your user login password and the resulting hash is stored in the ~/.ecryptfs/wrapped-passphrase file). The PAM module needs this.
2) Also, the PAM module first checks if there is a file ~/.ecryptfs/auto-mount (just an empty file) and only then it will mount.
Also note:
1) That code for automounting in your shell init file is not really needed when you don't encrypt your entire $HOME. Even more so in your case, since you are using a directory named "Private" - the PAM module invokes the "mount.ecryptfs_private" utility which has "Private" hard-coded (this being the standard in eCryptfs) and your ~/Private directory will be auto-mounted automatically.
1a) It's good to mention that in the future users will be able to use the ~/.ecryptfs/Private.mnt file, listing all their mounts in there, so the "mount.ecryptfs_private" utility and the PAM module will be able to auto-mount _all_ encrypted directories automatically - without the need for custom mounting code or using PAM_mount.
2) If you are not encrypting your entire $HOME you really should not auto-mount (in case of $HOME it is of course mandatory). When you need to work with ~/Private only then you should mount it for added security. That is the reason why the wiki article does not talk about auto-mounting. To make things easier you can create a simple desktop launcher that will execute the mount/umount commands or check the ecryptfs-gui utility that will sit in your tray and make things easier...
Last edited by anrxc (2009-05-28 15:14:13)
You need to install an RTFM interface.
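The three prerequisites anrxc lists above (auto-mount marker, wrapped passphrase, and the mount passphrase's signature present in the user keyring) are exactly what a failing "mount -i ~/Private" usually comes down to. The script below is an added example, not code from the thread or from ecryptfs-utils: it pulls the ecryptfs_sig= value for a mount point out of an fstab file and then checks each prerequisite, taking the keyring listing as a parameter (on a real system you would pass the output of `keyctl list @u`) so it can be run against a constructed setup as well.

```shell
#!/bin/sh
# Added example (not from the thread): checks what pam_ecryptfs needs before
# "mount -i ~/Private" can succeed. Assumed inputs: an fstab file, the
# ~/.ecryptfs directory, and the text of `keyctl list @u`.

# Print the ecryptfs_sig=... value for the given mount point, or nothing.
fstab_ecryptfs_sig() {
    # $1 = fstab path, $2 = mount point
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp && $3 == "ecryptfs" {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^ecryptfs_sig=/) {
                sub(/^ecryptfs_sig=/, "", opts[i]); print opts[i]; exit
            }
    }' "$1"
}

# Return 0 if every prerequisite is in place; otherwise print what is missing
# and return 1.
ecryptfs_prereq_check() {
    # $1 = ~/.ecryptfs dir, $2 = signature from fstab, $3 = keyring listing
    rc=0
    [ -e "$1/auto-mount" ] || {
        echo "missing $1/auto-mount (pam_ecryptfs only mounts when it exists)"
        rc=1
    }
    [ -s "$1/wrapped-passphrase" ] || {
        echo "missing $1/wrapped-passphrase (create it with ecryptfs-wrap-passphrase)"
        rc=1
    }
    if [ -z "$2" ]; then
        echo "no ecryptfs_sig= option found for the mount point in fstab"
        rc=1
    elif ! printf '%s\n' "$3" | grep -q "$2"; then
        # The unwrapped passphrase shows up in `keyctl list @u` under its signature.
        echo "signature $2 not in user keyring (pam_ecryptfs did not unwrap it)"
        rc=1
    fi
    return $rc
}

# Usage on a real system (assumed paths):
#   sig=$(fstab_ecryptfs_sig /etc/fstab "$HOME/Private")
#   ecryptfs_prereq_check "$HOME/.ecryptfs" "$sig" "$(keyctl list @u)"
```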
You don't want to mount an encrypted fs automatically. It just makes no sense.
I have my ~/.ecryptfs folder, and it contains 2 files: auto-mount and wrapped-passphrase, generated by "ecryptfs-wrap-passphrase". Then I inserted it in my keyring using "ecryptfs-insert-wrapped-passphrase-into-keyring /home/leo/.ecryptfs/wrapped-passphrase". As I said, I followed both tutorials, so I made all the necessary steps.
I will try to remove the code from my bash_profile and see if it mounts my secret folder.
Also, I would remark that I am using ecryptfs because I want to have automount.
I know that I can mount my folder when I need to access my personal data, but the way ecryptfs is working is easier for me. Instead, I could use Truecrypt (or CryptKeeper, if it compiled... but there are problems with the new gcc 4.4) but I don't want a mount-before-use solution.
I was finally able to setup ecryptfs to auto-mount my private directory!
The bad thing is that I've done the work by setting up my /etc/pam.d/gdm file as the one I have on my Ubuntu system, so I can say that the tutorial in the Wiki is not perfect, or maybe it has been written for an old version of ecryptfs-utils and it doesn't work for the version that is in the AUR repo.
I've simply done these steps:
1) installed ecryptfs-utils using yaourt (and its dependency keyutils)
2) loaded the ecryptfs module: #modprobe ecryptfs
3) launched ecryptfs-setup-private as normal user and entered: a) my login password, b) return to let ecryptfs create a random passphrase
4) edited /etc/pam.d/gdm (because I'm using Gnome: if you use KDE, you have to edit /etc/pam.d/kde, or if you use the terminal you have to edit /etc/pam.d/login) and modified it as follows:
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so
#the following has been added
auth required pam_ecryptfs.so unwrap
auth optional pam_gnome_keyring.so
account required pam_unix.so
session required pam_limits.so
session required pam_unix.so
#the following has been added
session required pam_ecryptfs.so unwrap
session optional pam_gnome_keyring.so auto_start
password required pam_unix.so
#the following has been added
password required pam_ecryptfs.so
The lines that have been added are marked by a comment above.
They have been inserted by myself following the config files I had on my Ubuntu system. It is important to put them in the exact position where I wrote them because the pam_ecryptfs module must be loaded at a certain step.
So, if you plan to modify the other pam files (kde or login), keep this in mind.
5) edited the /etc/rc.conf file and added the ecryptfs module in the MODULES array.
After those steps, I simply rebooted my system and, after GDM login, I had my ~/Private folder accessible like all the other folders. But if I log out and log in as another user (i.e. root), I can't access the files that are in it.
I don't speak/write English very well (it's not my primary language), so I ask someone else to correct the tutorial in the wiki in the section relating to the auto-mount configuration (http://wiki.archlinux.org/index.php/Sys … h_eCryptfs).
The article talks about mounting only in the context of encrypted $HOME and using pam_mount.
You need to install an RTFM interface.
Yes, I'm wrong.
I mixed the contents of the two tutorials and I didn't remember which contained what and vice versa.
Maybe it could be useful to add these auto-mount tips to the wiki, couldn't it?
Maybe it could be useful to add these auto-mount tips to the wiki, couldn't it?
I was just discussing that with developers on IRC; I was interested in the policies of other distributions that have eCryptfs well integrated. The current (version of the) article on the wiki is written in the context that you (the user) will keep passwords and similar sensitive files in there, in which case I would advise against auto-mounting.
However, if a user transfers his Mozilla profiles, chat logs and similar stuff in there (and symlinks them back to $HOME), that user would certainly want automatic mounting.
When other people pick up on the article someone might add information about PAM and everything else... but up to this point that article is the only source of information related to Arch Linux in particular and I would rather not be connected with recommending bad security practices to users - especially given the source, the official distribution wiki.
In the other article, on my journal, I took the liberty to offer some solutions that have security implications (which I also discuss). But that is my personal page and I can accept that responsibility, but for that reason I could not just dump that whole article on the wiki itself.
You need to install an RTFM interface.
Let me say that I partially disagree with your point of view.
We are not talking about security issues, but about the use of ecryptfs, so I think that the wiki page about ecryptfs should report all the uses of ecryptfs itself (like auto-mount solutions) and maybe specify possible security flaws deriving from the use of that info and those kinds of tools.... but inform users about all the possibilities that ecryptfs offers.
I know a little bit about security and cryptography (I founded the Cryptography portal on the Italian Wikipedia), so I can understand you when you say that you dislike auto-mount solutions. But keep in mind that almost all users use cryptography and security knowing nothing about them: they are using passwords like "password", "abcdef", "123456", etc... thinking that their data are secure.... and maybe writing passwords on little papers left in the laptop bag...
The way ecryptfs works is just a little piece of security for these users: an encrypted folder that can be decrypted on-the-fly at login with the same user password (!) is better than nothing.
I agree that if you want to _secure_ your data, you have to use something stronger like Truecrypt or similar.
I'm just trying out Archbang, and mount my Ubuntu /home with Archbang. On /home there is a .Private set up.
After installing ecryptfs, I used the instructions in post #5 to modify /etc/pam.d/login (and slim), and my ~/Private directory appears exactly as in Ubuntu. Great stuff. Thanks!
mervinb,
Don't necro-bump
We do not provide assistance for other distributions. Take your question to ArchBang's forums.
Read our forum rules.
Closing.
aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies