#1 2010-06-01 17:21:04

dengu
Member
Registered: 2010-06-01
Posts: 31

ecryptfs: Encrypted $HOME - umount after logout and ssh access

Hi there,

I've set up an ecryptfs-mounted $HOME using the excellent guide by anrxc. This is working fine for interactive logins at the machine.

However, I'm missing two things:

a) The $HOME does not get unmounted when I logout.

b) The $HOME does not get mounted when I login via ssh. I tried to add the pam_ecryptfs.so lines to /etc/pam.d/sshd, but to no avail.

I'd appreciate it if someone could give me a hint how to make this work.

Offline

#2 2010-06-01 17:46:38

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834
Website

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

Hi,
automatic unmounting should be done by placing a rule below pam_limits, and creating a file ~/.ecryptfs/auto-umount:

session        required       pam_limits.so
session        optional       pam_ecryptfs.so

But like everything else with the "automatic" prefix in eCryptfs it depends on some hard coded internals (which correspond to default Ubuntu setup of eCryptfs). Only way to learn how it works, and if it will work for your setup, is by reading ecryptfs-utils-83/src/pam_ecryptfs/pam_ecryptfs.c.

Otherwise some users are very happy with using pam_mount which provides nice workarounds for these limitations. For SSH you should really do a Google search, because there are some caveats... what happens when home is unmounted and ssh needs to read your ~/.ssh for example.


You need to install an RTFM interface.

Offline

#3 2010-06-01 19:31:51

dengu
Member
Registered: 2010-06-01
Posts: 31

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

anrxc wrote:

automatic unmounting should be done by placing a rule below pam_limits, and creating a file ~/.ecryptfs/auto-umount:

session        required       pam_limits.so
session        optional       pam_ecryptfs.so

But like everything else with the "automatic" prefix in eCryptfs it depends on some hard coded internals (which correspond to default Ubuntu setup of eCryptfs). Only way to learn how it works, and if it will work for your setup, is by reading ecryptfs-utils-83/src/pam_ecryptfs/pam_ecryptfs.c.

Thank you for the quick reply. I tried the above and it doesn't work - the $HOME is still mounted after logout. I had a quick look at pam_mount, maybe I'll try that. Really hate XML config files, though... ;-) Was this developed for OS X?

anrxc wrote:

For SSH you should really do a Google search, because there are some caveats... what happens when home is unmounted and ssh needs to read your ~/.ssh for example.

Yeah, I know those problems from Ubuntu, but so far I could always live with them. I now also found out why the auto-mount after ssh login didn't work for me: the pam.d/sshd doesn't have the 'nullok' option for pam_unix.so. After I added this, it's finally working now.  :-)

Thanks again, also for your terrific guides, I did learn a lot from them.

Offline

#4 2010-06-01 21:49:22

dengu
Member
Registered: 2010-06-01
Posts: 31

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

dengu wrote:
anrxc wrote:

automatic unmounting should be done by placing a rule below pam_limits, and creating a file ~/.ecryptfs/auto-umount:

session        required       pam_limits.so
session        optional       pam_ecryptfs.so

But like everything else with the "automatic" prefix in eCryptfs it depends on some hard coded internals (which correspond to default Ubuntu setup of eCryptfs). Only way to learn how it works, and if it will work for your setup, is by reading ecryptfs-utils-83/src/pam_ecryptfs/pam_ecryptfs.c.

Thank you for the quick reply. I tried the above and it doesn't work - the $HOME is still mounted after logout.

I skimmed through pam_ecryptfs.c, and it calls '/sbin/umount.ecryptfs_private' for unmounting. However, the man page for this utility says that it only umounts private directories under ~/Private. So how does Ubuntu actually do the unmounting? I'm a bit puzzled...

Offline

#5 2010-06-01 22:03:17

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834
Website

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

I believe the mount can be controlled by ~/.ecryptfs/Private.mnt, it (u)mounts the path that is in that file, if any. But follow the source, read ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c next.


You need to install an RTFM interface.

Offline

#6 2010-06-01 23:44:39

dengu
Member
Registered: 2010-06-01
Posts: 31

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

anrxc wrote:

I believe the mount can be controlled by ~/.ecryptfs/Private.mnt, it (u)mounts the path that is in that file, if any. But follow the source, read ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c next.

Yep, seems the man page doesn't tell the whole thing. Next to Private.mnt, there's also Private.sig which is important. However, I dismissed pam_ecryptfs for unmounting, because when I add it to the 'session' type in pam.d, it of course also mounts the home at login, but this (as you write in your guide) is fixed to aes/16bit and I'd rather use your twofish/32bit. Also, I actually like the simple login-script solution better, so why not simply use .zlogout for unmounting?

echo "keyctl clear @u\nkeyctl clear @s\ncd / && exec /bin/umount $HOME" >> ~/.zlogout

Maybe not nice, but it's simple and works for me.

Offline

#7 2010-06-02 23:42:42

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834
Website

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

You did a good job on researching this.

If the ecryptfs_unlink_sigs mount option is used the key(s) will be automatically cleared, so you could avoid one step in your unmount procedure. Although none of the available, automatic or manual, unmounting solutions are perfect.

Perhaps a bit smarter system (even just in the shell profile file) is needed. If there is an open file descriptor we can't unmount. Some kind of session or cryptographic agents we could put on a blacklist. Say they are safe to kill only if we are exiting in this way, and keep $HOME mounted in another, there could be some cases where we want to kill all PIDs. Also would be a waste to run all these checks every time, maybe there should be a series of steps... which lead to a definite "yes, we are unmounting". Why I don't bother with umount in the first place.


You need to install an RTFM interface.

Offline

#8 2010-06-03 10:54:59

dengu
Member
Registered: 2010-06-01
Posts: 31

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

anrxc wrote:

Perhaps a bit smarter system (even just in the shell profile file) is needed. If there is an open file descriptor we can't unmount. Some kind of session or cryptographic agents we could put on a blacklist. Say they are safe to kill only if we are exiting in this way, and keep $HOME mounted in another, there could be some cases where we want to kill all PIDs. Also would be a waste to run all these checks every time, maybe there should be a series of steps... which lead to a definite "yes, we are unmounting". Why I don't bother with umount in the first place.

Yes, there is no perfect solution for this so far, and I'm doubtful that there can be one. I regularly use programs like 'nohup' or 'screen' to keep stuff running after logging out, so of course the home should stay mounted in this case. If I get an error message that the 'umount' failed after logging out, that's OK with me since I know what happened, but I can see that other users might be puzzled by that. Same situation when the user has invoked several login shells - I saw that the ecryptfs-utils are using a counter in /tmp for the number of login shells, so that they unmount only when the last one closes.

Actually, I'm not sure that encrypting $HOME can be done in a transparent way without such problems occurring later on. I already went through all of this stuff at work with Apple's FileVault. It's a dangerous thing to hide all the complexity that's going on under the hood, which is also why I'm skeptical about the way Ubuntu is doing this. Handling backups is surely the most important problem.

Offline

#9 2010-06-04 06:21:52

moljac024
Member
From: Serbia
Registered: 2008-01-29
Posts: 2,676

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

Just use dm-crypt/LUKS and don't torture yourself....
Or you already are and eCryptfs is part of a defense in depth strategy?


The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...

Offline

#10 2010-06-04 08:30:59

dengu
Member
Registered: 2010-06-01
Posts: 31

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

moljac024 wrote:

Just use dm-crypt/LUKS and don't torture yourself....
Or you already are and eCryptfs is part of a defense in depth strategy?

You're comparing two different things. dm-crypt is block-device encryption, whereas ecryptfs is an actual file system. Both have their (dis)advantages.

Offline

#11 2010-06-04 09:22:06

dengu
Member
Registered: 2010-06-01
Posts: 31

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

dengu wrote:

I now also found out why the auto-mount after ssh login didn't work for me: the pam.d/sshd doesn't have the 'nullok' option for pam_unix.so. After I added this, it's finally working now.  :-)

What I wrote there earlier is of course wrong - the nullok option has nothing to do with it. In fact, adding 'nullok' to pam.d/sshd is a really bad idea.
For mounting ecryptfs on ssh login, simply adding pam_ecryptfs.so with the unwrap option to the pam.d/sshd file works.

Offline
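
Added example, not part of the thread: a small audit of a pam.d file for the two points in the post above, `nullok` on pam_unix.so (which lets an account with an empty password authenticate) and pam_ecryptfs.so loaded with `unwrap`. The function names and both sample files are constructed, and the `auth`/`session` placement of pam_ecryptfs.so is an assumption, since the post does not quote the exact lines.

```sh
#!/bin/sh
# Added example (not from the thread). Function names and both sample
# files are constructed for illustration.

# Emit "type module argument" for every module argument ("-" if none).
# Targets of "include"/"substack" are not followed.
pam_args() {
    awk '
    { sub(/#.*/, "") }
    NF < 3 { next }
    {
        type = $1; sub(/^-/, "", type)
        i = 2
        if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++  # [a=b c=d] control
        n = split($(i + 1), path, "/"); mod = path[n]
        if (i + 2 > NF) print type, mod, "-"
        for (j = i + 2; j <= NF; j++) print type, mod, $j
    }' "$1"
}
# Management types where pam_unix.so accepts empty passwords.
nullok_types() {
    pam_args "$1" | awk '$2 == "pam_unix.so" && $3 ~ /^nullok/ { print $1 }' | sort -u
}
# Management types where pam_ecryptfs.so is loaded with "unwrap".
unwrap_types() {
    pam_args "$1" | awk '$2 == "pam_ecryptfs.so" && $3 == "unwrap" { print $1 }' | sort -u
}
# Print findings; return 0 only when the file passes both checks.
audit() {
    rc=0
    for t in $(nullok_types "$1"); do echo "FAIL nullok on $t pam_unix.so"; rc=1; done
    unwrap_types "$1" | grep -qx auth || { echo "WARN no auth pam_ecryptfs.so unwrap"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}
# Constructed sshd PAM files: the retracted change and the corrected variant.
write_samples() {
    cat > "$1/sshd.weak" <<'EOF'
auth      required  pam_unix.so nullok
session   required  pam_limits.so
EOF
    cat > "$1/sshd.fixed" <<'EOF'
auth      required  pam_unix.so
auth      required  pam_ecryptfs.so unwrap
session   required  pam_limits.so
session   optional  pam_ecryptfs.so unwrap
EOF
}
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    for f in "$d"/sshd.*; do echo "== ${f##*/}"; audit "$f"; done
    rm -rf "$d"
fi
```

Run it with `--demo` to audit the two constructed files, or call `audit /etc/pam.d/sshd` on a real one.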

#12 2010-06-04 13:53:55

moljac024
Member
From: Serbia
Registered: 2008-01-29
Posts: 2,676

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

dengu wrote:
moljac024 wrote:

Just use dm-crypt/LUKS and don't torture yourself....
Or you already are and eCryptfs is part of a defense in depth strategy?

You're comparing two different things. dm-crypt is block-device encryption, whereas ecryptfs is an actual file system. Both have their (dis)advantages.

No, I'm not - I realize the difference between block level and filesystem level encryption but if you encrypt your home folder (which always has to be mounted when you're logged in, or even when you're not if you run screen or something similar) then it's almost equivalent to encrypting the whole drive (since that too needs to be decrypted the whole time a pc is running).

Using eCryptfs for a different location than home would be the right way to benefit from some of the advantages of filesystem level encryption. And it should be combined with full disk encryption as well, just for good measure - a layered defense strategy.


The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...

Offline

#13 2010-06-04 14:59:04

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834
Website

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

moljac024 wrote:

Just use dm-crypt/LUKS and don't torture yourself....

Let's pretend you didn't say "torture", because that is just BS.

So, why should we, everyone, use dm-crypt? What are you protecting from - from physical access, from theft, from the secret police, from system compromise? I can tell you that I am protecting my personal data from theft, with eCryptfs.

If I wanted to protect myself from anything else I would still not use dm-crypt - because either solution does not provide the level of security I really desire, no plausible deniability, and not enough flexibility (destroy the data with the wrong passphrase i.e.).


You need to install an RTFM interface.

Offline

#14 2010-06-04 15:16:05

dengu
Member
Registered: 2010-06-01
Posts: 31

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

moljac024 wrote:

No, I'm not - I realize the difference between block level and filesystem level encryption but if you encrypt your home folder (which always has to be mounted when you're logged in, or even when you're not if you run screen or something similar) then it's almost equivalent to encrypting the whole drive (since that too needs to be decrypted the whole time a pc is running).

Using eCryptfs for a different location than home would be the right way to benefit from some of the advantages of filesystem level encryption. And it should be combined with full disk encryption as well, just for good measure - a layered defense strategy.

Encrypting the whole drive is usually not needed and has disadvantages (regarding performance, battery life on laptops, etc.). I'm not fighting the NSA here - I'm just using encryption so my data is safe in case my computer gets stolen.

Offline

#15 2010-06-04 18:25:51

moljac024
Member
From: Serbia
Registered: 2008-01-29
Posts: 2,676

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

Ok, fair enough.
Still, seems to me eCryptfs would be better used for a location other than $HOME so that it can get nicely unmounted and all that :)
Just put your private files elsewhere, because if it's theft you're protecting from, why encrypt configuration files?
If you are using your home folder for every file you have on the disk, you just realized the disadvantage of that approach.

I, for instance, have a small $HOME partition and a separate data partition.
One of the reasons for doing this was that I hated getting configuration files and data mixed up in the same directory. Also, it's better for a multi-user system to have a separate data partition if more users need to access the same files.

@anrxc: Ok, I repent, not torture :)


The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...

Offline

#16 2010-06-04 21:35:43

dengu
Member
Registered: 2010-06-01
Posts: 31

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

moljac024 wrote:

Still, seems to me eCryptfs would be better used for a location other than $HOME so that it can get nicely unmounted and all that :)
Just put your private files elsewhere, because if it's theft you're protecting from, why encrypt configuration files?
If you are using your home folder for every file you have on the disk, you just realized the disadvantage of that approach.

Configuration files in fact often contain sensitive information (.authinfo, address books, shell history, .ssh directory - just to name a few). You can usually configure their location, but it's easy to miss one and it's additional work which has to be done for every machine explicitly.

Regarding unmounting, it was actually anrxc who doesn't want to bother with it - I think that a failing unmount is actually more a feature than a bug. For example, if I'm logged in at the machine's console, and I'm also accessing the machine later via ssh, I wouldn't want my ecryptfs directory to be unmounted when I quit the ssh session. Yes, you can use counters for login sessions and all that, but it just makes things more complicated. Currently, unmount simply throws an error in the above case, but it would be easy to check for open files and issue a warning that $HOME won't be unmounted since you're still logged in. Granted, it could be that a hanging process is preventing the unmount, but that can happen with an encrypted data directory just as well.

Also, it's better for a multi-user system to have a separate data partition if more users need to access the same files.

Yes, we can discuss all kinds of situations where this or that would be better, obviously. In fact, I am using dm-crypt for my external discs and of course for swap. If you're happy with dm-crypt for everything, good for you, but please don't dismiss ecryptfs just because your specific setup doesn't warrant it.

Offline
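
Added example, not part of the thread: one way to do the check described in the post above, unmounting at logout only when no other login session and no open file still needs $HOME. Function names and the `--logout` switch are hypothetical; the key clearing and `umount` steps are the ones from the `.zlogout` line in post #6.

```sh
#!/bin/sh
# Added example (not from the thread): unmount an eCryptfs $HOME at logout
# only when no other login session and no other process still needs it.
# Function names and the --logout switch are hypothetical.

# Count login sessions of user $1 in `who`-format text on stdin.
count_sessions() {
    awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# Print PIDs (except $2) whose cwd or an open fd points into directory $1.
# $3 is the procfs root; only processes we are allowed to inspect are seen.
holders() {
    dir=$1; self=$2; root=${3:-/proc}
    for p in "$root"/[0-9]*; do
        pid=${p##*/}
        [ "$pid" = "$self" ] && continue
        for l in "$p"/cwd "$p"/fd/*; do
            t=$(readlink "$l" 2>/dev/null) || continue
            case $t in "$dir"|"$dir"/*) echo "$pid"; break ;; esac
        done
    done
    return 0
}

# $1 = session count including ours, $2 = holder PIDs. Prints the verdict.
decide() {
    if [ "$1" -gt 1 ]; then
        echo "keep: $(( $1 - 1 )) other login session(s)"
    elif [ -n "$2" ]; then
        echo "keep: open files, PIDs $(echo $2)"
    else
        echo "umount"
    fi
}

if [ "${1:-}" = "--logout" ]; then
    cd / || exit 1                        # our own cwd must not pin $HOME
    verdict=$(decide "$(who | count_sessions "$(id -un)")" \
                     "$(holders "$HOME" "$$")")
    if [ "$verdict" = "umount" ]; then
        keyctl clear @u; keyctl clear @s  # same steps as the .zlogout line
        exec /bin/umount "$HOME"
    fi
    echo "$HOME stays mounted ($verdict)" >&2
fi
```

Run it with `--logout` from ~/.zlogout after a `cd /`, and keep the script itself outside the encrypted home so the interpreter does not hold a file open on it.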

#17 2010-06-04 21:47:43

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834
Website

Re: ecryptfs: Encrypted $HOME - umount after logout and ssh access

Encrypting $HOME vs. encrypting ~/Secret actually amounts to less work, in the long run. Mozilla for one needs protecting, so you move it into the container and symlink it back. Right now I can think of your e-mail, your image cache (and all other cached items) etc. Maintaining that, and worrying what is left unprotected on one side, and encrypt everything on the other - I choose the second, and what made the decision easier I'll get to in a second;

I was opposed to "torture" because with dm-crypt you have to modify your initram, and if you want encrypted swap to work with hibernation you had to hack the initram (up to at least this year). It is not any easier to implement. However I can tell you that eCryptfs works pretty good, it is transparent, it is integrated into the PAM stack, it doesn't have big overhead. Basically a replacement for FileVault (Apple) and BitLocker (MS), exactly what Canonical needs it to be, and wants it to become.


You need to install an RTFM interface.

Offline
