eCryptfs and $HOME encryption

anrxc · 2009-03-28 20:30:08

Hi,
using eCryptfs for encrypting your entire $HOME is still kind of an un-documented area (until next Ubuntu arrives). I wrote an article describing how I setup eCryptfs to encrypt my entire $HOME and dm-crypt to protect swap space, without breaking hibernation - this is also a gray area of missinformation, many even claim it impossible (well it's not).

Topics:
* eCryptfs basics
* Encrypting a directory
* Encrypting $HOME
* Auto mounting on login
* Encrypting swap space
* Encrypting other directories
* Notes on security

http://sysphere.org/~anrxc/j/articles/e … index.html

Last edited by anrxc (2009-10-24 02:27:12)

smartboyathome · 2009-03-28 22:48:06

What is the advantage of using eCryptfs vs. LUKS and dm-crypt?

anrxc · 2009-03-28 23:27:49

They are two completetly different implementations, so you get some advantages and some drawbacks... Maybe the best comparison between block device encryption and stacked filesystem encryption would be this table.

Most people are probably attracted because you can encrypt any single directory very easy, there is also no need for pre-allocated disk space and that it is somewhat faster. It also works over network filesystems (i.e. encrypted NFS shares), and applications can easily read lower encrypted data (i.e. rsync doing an offsite backup of encrypted data).

Last edited by anrxc (2009-03-29 00:14:00)

anrxc · 2009-04-26 16:44:10

eCryptfs is now also featured on the Arch Linux wiki: http://wiki.archlinux.org/index.php/Sys … h_eCryptfs

Heller_Barde · 2009-04-27 09:22:03

cool, i'll have to look at that

anrxc · 2009-10-24 02:26:04

Time for an update, 6 months have passed. Ubuntu remains the only distribution with a completely integrated eCryptfs setup. Learning from their experience, and seeing a lot of Ubuntu users loose their data, was invaluable.

Both the wiki article "System Encryption with eCryptfs" and my own "eCryptfs and $HOME" have been rewritten. They now feature improved and safer setups, based on all that I learned and experienced, as mentioned.

It's also worth to mention that the Linux Magazine just published a good article on eCryptfs. It is available in full here: http://www.linux-mag.com/id/7568/1/

fabertawe · 2009-12-01 11:50:55

I've spent days banging my head against the wall trying to get my ecryptfs "Private" directory to automount. Nothing in the wiki articles works for me. Turns out Leo72's post (#5) (http://bbs.archlinux.org/viewtopic.php?id=72985) is a very simple fix for this. I realise this thread is related to $HOME but surely automounting should work the same for both mount points?

anrxc · 2009-12-01 16:17:49

Hello,
if you read that whole dicussion then you know why the wiki article does not talk about auto-mounting of ~/Private (or at least why I will not be the one to write that section).

Automatic mounting (official solution) with eCryptfs works like this: The mount passphrase is encrypted with the user login password. Resulting hash is stored in the ~/.ecryptfs/wrapped-passphrase file. eCryptfs is distributed with a PAM module which can intercept the password user entered on login and use it to unlock the wrapped-passphrase file. From the passphrase is generated the encryption key and is inserted into the keyring. User has to setup the PAM stack correctly to make use of this, and create an empty file ~/.ecryptfs/auto-mount.

Once the key is in the keyring, somehow the mount command has to be executed. Be it from the shell profile file, be it from pam_mount package - which you, the user, also have to setup. Just like you did with the PAM stack.

Important to know is that the eCryptfs PAM module also has support to perform the mount action. However it is not very flexible and has some hard-coded defaults (mainly developed for Ubuntu). In order to have the PAM module mount for you, you have to use AES and a 16 byte key.

If the PAM module finds the auto-mount file it unwraps the passphrase and proceeds to call /sbin/mount.ecryptfs_private which can successfully mount only if all above requirements are met. Same thing applies to un-mounting when session is closed, provided the PAM stack is configured correctly.

There are no fixes. Nothing was broken to begin with.

fabertawe · 2009-12-01 17:32:24

Hi anrxc and thanks for taking the time to reply. I understand everything you're saying, I've been through the wiki many times. By "fix" I meant a solution to my problem, not that anything was broken. Saying that, shouldn't the procedure from the wiki work for any mountpoint if adjusted accordingly?

anrxc · 2009-12-01 19:15:56

Saying that, shouldn't the procedure from the wiki work for any mountpoint if adjusted accordingly?

Someone added information about pam_mount to the wiki, it wasn't me and I can't vouch for it. Even if all the pam_mount instructions are correct that small section does not cover the actual PAM setup, so there is a lot of room for mistakes. User Leo has setup his GDM for eCryptfs. Neither of the articles covers that. Only configuration of the /etc/pam.d/login file is covered, for user login from the console - for which part I can vouch.

If users want to auto-mount their ~/Private directory I agree that the wiki article would be better with complete information on that, covering all run levels and login managers. But as I said in the previous thread it won't be me to write it, I don't want to recommend bad security practices to users on the official distribution wiki.

Arch Linux

#1 2009-03-28 20:30:08

eCryptfs and $HOME encryption

#2 2009-03-28 22:48:06

Re: eCryptfs and $HOME encryption

#3 2009-03-28 23:27:49

Re: eCryptfs and $HOME encryption

#4 2009-04-26 16:44:10

Re: eCryptfs and $HOME encryption

#5 2009-04-27 09:22:03

Re: eCryptfs and $HOME encryption

#6 2009-10-24 02:26:04

Re: eCryptfs and $HOME encryption

#7 2009-12-01 11:50:55

Re: eCryptfs and $HOME encryption

#8 2009-12-01 16:17:49

Re: eCryptfs and $HOME encryption

#9 2009-12-01 17:32:24

Re: eCryptfs and $HOME encryption

#10 2009-12-01 19:15:56

Re: eCryptfs and $HOME encryption

Board footer