
#1 2012-05-29 19:46:30

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 5,616
Website

ecryptfs-simple: KISS directory encryption

Update: Warning

I have encountered problems with eCryptFS (independent of ecryptfs-simple) that have led to data loss. I can no longer recommend the use of eCryptFS. I will continue to maintain this package, but I strongly suggest that users switch to something else such as encfs.

If there are any ecryptfs enthusiasts who know how to recover from random input/output errors, please let me know and I may reconsider this stance.


Original Post

Project page: ecryptfs-simple

*edit: removed old usage example after major update*


If you have seen my most recent threads on the forum, you will be aware that I am currently setting up different encryption schemes on some systems. One of the issues that I encountered was with eCryptfs (related thread). Setting up eCryptfs either requires superuser privileges (both for ad-hoc mounting and for editing fstab), or you are forced to use hard-coded paths in the ecryptfs-utils package (~/.Private). Neither of these was acceptable.

Basically, I just want to be able to use eCryptfs the same way that I use EncFS: by selecting an arbitrary source directory and mountpoint. I found no easy way to do it so I wrote my own simple utility.

Enter ecryptfs-simple. It lets a regular user mount any encrypted directory on any other directory as long as the user has full access permissions on both. It also prevents mounting on top of mount points and unmounting non-eCryptfs mount points.

Last edited by Xyne (2013-09-24 20:07:50)

Offline

#2 2012-05-29 22:07:16

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,176
Website

Re: ecryptfs-simple: KISS directory encryption

Nice! I notice the help page has a typo, repeated a few times: ecrypts vs ecryptfs.

USAGE
  Mount a directory:
    [b]ecrypts[/b]-simple <directory> <mountpoint> [option1=value1,option2=value2,...]

  Unmount a directory:
    [b]ecrypts[/b]-simple <mountpoint>
# ... (and so forth.)

Also, it doesn't seem to deal elegantly with the case that an encrypted directory (say, .Private) has already been set up. I have to say again when remounting, 1. Use a passphrase, 1. Use AES, and so forth. Does there exist some way to replicate the effects of ecryptfs-mount-private, which doesn't re-ask the questions for a previously set up directory?


Linux is NOT Windows | The Rootless Root
Toshiba Satellite i5-3230M 2.6GHz CPUs, 4Gb RAM, ArchLinux, wmii, nVidia GeForce GT 740M.

Offline

#3 2012-05-29 22:15:39

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 5,616
Website

Re: ecryptfs-simple: KISS directory encryption

Thanks, I've fixed the typo.

I'll try to figure out how ecryptfs-mount-private retrieves that data and port the functionality if I can. In the meantime, take a look at the example script on the project page. It's easy to adapt (or even convert to a .bashrc function) and it bypasses most of the dialogue.

Offline

#4 2012-05-31 00:54:30

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 833
Website

Re: ecryptfs-simple: KISS directory encryption

Nice, I get annoyed by the lack of abstraction in ecryptfs-utils and Ubuntu defaults being hard-coded.

Last edited by anrxc (2012-06-18 00:52:43)


You need to install an RTFM interface.

Offline

#5 2012-06-18 00:05:31

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 5,616
Website

Re: ecryptfs-simple: KISS directory encryption

I've just released a major update. You can find the changelog on the homepage.

The main thing is that it should now save and reload options so that all you need to supply is the password (when using the automount option).

Offline

#6 2012-06-24 22:17:35

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 5,616
Website

Re: ecryptfs-simple: KISS directory encryption

*edit*
Removed last post as it was a bit of a rant.

Summary: The upstream codebase is a kludgy mess in motion and the last update broke my hooks. Given the quality of the code I have growing concerns about trusting eCryptfs with real data.
Update: ecryptfs-simple no longer uses hooks. I hope that the current implementation will remain stable (or only require minimal intervention with future updates).

Last edited by Xyne (2012-06-25 06:40:01)

Offline

#7 2013-02-16 23:29:04

kozaki
Member
From: London >. < Paris
Registered: 2005-06-13
Posts: 620
Website

Re: ecryptfs-simple: KISS directory encryption

Xyne wrote:

Thanks, I've fixed the typo.

I'll try to figure out how ecryptfs-mount-private retrieves that data and port the functionality if I can. In the meantime, take a look at the example script on the project page. It's easy to adapt (or even convert to a .bashrc function) and it bypasses most of the dialogue.

Xyne please could you add a note on how to have ecryptfs-simple "deal elegantly with the case that an encrypted directory (say, .Private) has already been set up" as /dev/zero said? Just for clarity, e.g.

It will check that the real user has full permissions to both the directory and mountpoint for the requested operation

...means $HOME/Private needs to be 'drwx' (in place of 'dr-x' as per ecryptfs-setup-private), correct?

Also, does the ecryptfs-simple "automount" option still require the user to enter their own password when logging in? Here I mean when logging in via ssh or through root 'su - $USER'.


PGP Key: 1C2A554EFF0157D9
Core i3 @3.30GHz | 4GB RAM | Arch linux-ck
Atom N450 | 2 gig RAM | Arch linux 4.6.0rc3 i686 / 4.07 x86_64 (5-6H battery life smile * ARM Tegra K1 | 4 gig RAM | Chrome OS
Atom Z520 | 2 gig RAM | OMV (Debian) kernel 3.16.0-0.bpo.4-586 on SDHC

Offline

#8 2013-02-20 12:49:57

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 5,616
Website

Re: ecryptfs-simple: KISS directory encryption

I don't use the default .Private directory and I don't have time to set it up right now and look at how it stores its settings. If someone wants to check that for me to save some time then I will have a look at it, otherwise it will have to wait. To be honest, I don't really see the need as ecryptfs-simple should probably not be managing .Private anyway.

I'm not against the idea, but ultimately it is just extra work for something that I will never use myself and something that I will likely not properly test in future releases.

kozaki wrote:

Just for clarity, e.g.

It will check that the real user has full permissions to both the directory and mountpoint for the requested operation

...means $HOME/Private needs to be 'drwx' (in place of 'dr-x' as per ecryptfs-setup-private), correct?

Yes. The exact check is

if (access(path, R_OK | W_OK | X_OK))

The directory obviously needs to be readable and executable for the user to see anything inside of it, and I assume that it needs to be writable to create new files. If this is not the case, please let me know.


kozaki wrote:

Also, does the ecryptfs-simple "automount" option still require the user to enter their own password when logging in? Here I mean when logging in via ssh or through root 'su - $USER'.

In this context "automount" just means that it should detect previous ecryptfs settings. There's probably a way to skip the password prompt if the key already exists in the keyring but I do not know how. In any case, it will need the password the first time. I don't see how it could be secure otherwise.

Offline
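
The two checks discussed in this thread, the access(path, R_OK | W_OK | X_OK) test on both directories and the refusal to mount on top of an existing mount point, shown together as an added example. It is not part of the original posts and is not ecryptfs-simple's own code; the function names and the st_dev comparison used to detect a mount point are assumptions made for illustration.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

/* 0 if `path` is a directory on which the *real* UID/GID has read, write
 * and search permission, -1 otherwise. access() tests the real IDs, not
 * the effective ones, which matches the "real user" wording quoted above. */
int user_has_full_access(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return access(path, R_OK | W_OK | X_OK) == 0 ? 0 : -1;
}

/* 1 if `path` is a mount point, 0 if not, -1 on error (assumed heuristic).
 * A directory counts as a mount point when it is on a different device
 * from its parent, or when it is its own parent (the filesystem root). */
int is_mount_point(const char *path)
{
    char parent[4096];
    struct stat st, pst;
    if ((size_t)snprintf(parent, sizeof parent, "%s/..", path) >= sizeof parent)
        return -1;
    if (stat(path, &st) != 0 || stat(parent, &pst) != 0)
        return -1;
    return st.st_dev != pst.st_dev || st.st_ino == pst.st_ino;
}

/* Pre-mount validation: 0 if the mount may proceed, -1 if it is refused. */
int validate_mount(const char *source, const char *mountpoint)
{
    if (user_has_full_access(source) != 0) return -1;
    if (user_has_full_access(mountpoint) != 0) return -1;
    if (is_mount_point(mountpoint) != 0) return -1;   /* mounted or error */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <directory> <mountpoint>\n", argv[0]);
        return 2;
    }
    int ok = validate_mount(argv[1], argv[2]) == 0;
    puts(ok ? "checks passed" : "refused");
    return ok ? 0 : 1;
}
```

Both checks run before the mount itself, so a path that is swapped between the check and the mount would not be caught. The device comparison also does not detect a bind mount made within a single filesystem.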

#9 2013-09-24 20:06:28

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 5,616
Website

Re: ecryptfs-simple: KISS directory encryption

I have encountered problems with eCryptFS (independent of ecryptfs-simple) that have led to data loss. I can no longer recommend the use of eCryptFS. I will continue to maintain this package, but I strongly suggest that users switch to something else such as encfs.

If there are any ecryptfs enthusiasts who know how to recover from random input/output errors, please let me know and I may reconsider this stance.

Offline

#10 2013-09-26 04:29:27

sas
Member
Registered: 2009-11-24
Posts: 153

Re: ecryptfs-simple: KISS directory encryption

Xyne wrote:

I have encountered problems with eCryptFS (independent of ecryptfs-simple) that have led to data loss.

That's really bad; did you already ask the upstream developers for help or file a bug report?

AFAIK both Ubuntu and Google Chrome OS heavily rely on eCryptFS, so I'm pretty sure they'd want to fix such a bug.


my AUR packages ~~ my community contributions ~~ my referral link for Copy.com (an Arch Linux compatible free cloud storage service - if you sign up via this link both of us get 5GB bonus storage!)

Offline

#11 2013-09-26 05:00:03

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 5,616
Website

Re: ecryptfs-simple: KISS directory encryption

I didn't bother contacting upstream because I honestly have no desire to waste my time debugging this.* EncFS has worked flawlessly for me for years and the extra overhead is negligible.

* Proper documentation is lacking, the API has changed at least once without notice, the code is tangled, potentially useful user functions are buried in functions with hard-coded paths, etc. I'm guilty of this for several of my own projects, but I honestly expected more from such an old and popular project.

Offline
