From Notes Wiki

ecryptfs

Basic ecryptfs usage

Basic usage of ecryptfs for encrypting a filesystem:

  1. yum -y install ecryptfs-utils
  2. mount -t ecryptfs /<raw> /<plain>, where <raw> (the lower directory holding ciphertext) and <plain> (the mount point showing plaintext) can even be the same directory.
    Note that you would have to remember all options chosen (hence prefer the defaults), as all the questions are asked again(!) on remount.


Mounting ecryptfs private home folders of Ubuntu in CentOS

ecryptfs is used for encrypting home folders in various Linux distributions, especially Ubuntu. To mount such encrypted folders on CentOS, the following script can be used:

#!/bin/bash -u
#    $0 [ecryptfsdir [mountpoint]]
# Run as root with USER set to login user of ecryptfs
# https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/455709
# http://ubuntuforums.org/showthread.php?p=10445371
# -Ian! D. Allen - idallen@idallen.ca - www.idallen.com

if [ $(whoami) != 'root' ] ; then
    echo 1>&2 "$0: ERROR must be root to use this"
    exit 1
fi
if [ "$USER" = 'root' ] ; then
    echo 1>&2 "$0: Warning - USER is '$USER'"
fi

# source ecryptfs dir and desired mount point
#
if [ $# -gt 0 ] ; then
    DIR=$1
    shift
else
    # change this to where you keep your default encrypted backup
    DIR=/backup/home/.ecryptfs/$USER
fi
if [ $# -gt 0 ] ; then
    MNT=$1
    shift
else
    # change this to your default backup mount point
    MNT=/mnt/some/place/you/decide
fi
if [ $# -gt 0 ] ; then
    echo 1>&2 "$0: $#: more than two arguments: $*"
    exit 1
fi

# check that things exist and we can write them
if [ ! -d "$DIR" -o ! -r "$DIR" ]  ; then
    echo 1>&2 "$0: not a directory, or not readable: $DIR"
    exit 1
fi
if [ ! -d "$MNT" -o ! -w "$MNT" ]  ; then
    echo 1>&2 "$0: is not a writable directory: $MNT"
    exit 1
fi

pvt=$DIR/.Private
ecr=$DIR/.ecryptfs

if [ ! -d "$pvt" -o ! -r "$pvt" ]  ; then
    echo 1>&2 "$0: not a readable directory: $pvt"
    exit 1
fi
if [ ! -d "$ecr" -o ! -r "$ecr" ]  ; then
    echo 1>&2 "$0: not a readable directory: $ecr"
    exit 1
fi

privsig=$ecr/Private.sig
if [ ! -s "$privsig" -o ! -r "$privsig" ]  ; then
    echo 1>&2 "$0: not a non-null, readable signature file '$privsig'"
    exit 1
fi

sig1=$(head -n1 "$privsig") || exit $?
sig2=$(tail -n1 "$privsig") || exit $?
case "$sig1/$sig2" in
????????????????/???????????????? ) ;;
*)  echo 1>&2 "$0: Unable to extract signatures from '$privsig'"
    echo 1>&2 "$0: sig1: '$sig1'"
    echo 1>&2 "$0: sig2: '$sig2'"
    exit 1
    ;;
esac

read -s -p "$USER login password: " loginpass || exit $?
echo "" # add the missing newline after reading the password

# echo "DEBUG sig1 $sig1 and sig2 $sig2"
# keyctl clear @u
printf '%s\0' "$loginpass" | ecryptfs-insert-wrapped-passphrase-into-keyring "$ecr/wrapped-passphrase" - || exit $?
# keyctl list @u # DEBUG

# The -i bypasses the mount helper - see "man mount.ecryptfs"
#  ... but the "mount" man page claims this has a different function!
#  ... but it works for me (Ubuntu 10.10).  -IAN!
mount -i -t ecryptfs -o "ro,ecryptfs_passthrough=no,ecryptfs_unlink_sigs,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_sig=$sig1,ecryptfs_fnek_sig=$sig2" "$pvt" "$MNT" || exit $?
echo ""
df "$MNT"

The script can be used as follows:

  1. export USER=<username>
  2. cd .../home/.ecryptfs/<username>
  3. mkdir Private
  4. ./script.sh . Private/

Steps learned from http://ubuntuforums.org/showthread.php?t=1508111
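As an added example (not part of this wiki page or of Ian Allen's script above), a small POSIX shell helper that derives the mount options from a Private.sig file: it checks that each line is a 16-hex-digit signature and, unlike the head/tail approach in the script, omits ecryptfs_fnek_sig when the file has only one line (a home set up without filename encryption). The function names are hypothetical and the signature values in the comments are constructed.

```shell
#!/bin/sh
# Build the -o option string for "mount -t ecryptfs" from an Ubuntu-style
# Private.sig (hypothetical helper, not part of the wiki's script).
#
# Private.sig holds one 16-hex-digit signature per line:
#   line 1: signature of the file-encryption key      -> ecryptfs_sig
#   line 2: signature of the filename-encryption key  -> ecryptfs_fnek_sig
#           (absent when filename encryption was not enabled)
# Constructed example of a two-line file:
#   0123456789abcdef
#   fedcba9876543210

# Validate one signature: exactly 16 characters, all lowercase hex.
is_sig() {
    case "$1" in
        ????????????????) ;;            # exactly 16 characters ...
        *) return 1 ;;
    esac
    case "$1" in
        *[!0-9a-f]*) return 1 ;;        # ... and nothing but hex digits
    esac
    return 0
}

# Print the option string for a read-only mount, or fail with a message.
# The cipher/key-size options mirror the ones used by the script above.
ecryptfs_opts_from_sig() {
    sigfile=$1
    [ -s "$sigfile" ] || { echo "empty or missing: $sigfile" >&2; return 1; }
    sig1=$(sed -n '1p' "$sigfile")
    sig2=$(sed -n '2p' "$sigfile")
    extra=$(sed -n '3p' "$sigfile")
    [ -z "$extra" ] || { echo "unexpected third line in $sigfile" >&2; return 1; }
    is_sig "$sig1" || { echo "bad key signature: '$sig1'" >&2; return 1; }
    opts="ro,ecryptfs_passthrough=no,ecryptfs_unlink_sigs,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_sig=$sig1"
    if [ -n "$sig2" ]; then
        # Second line present: filename encryption is on, pass the fnek sig too.
        is_sig "$sig2" || { echo "bad fnek signature: '$sig2'" >&2; return 1; }
        opts="$opts,ecryptfs_fnek_sig=$sig2"
    fi
    printf '%s\n' "$opts"
}
```

Use it as mount -i -t ecryptfs -o "$(ecryptfs_opts_from_sig "$ecr/Private.sig")" "$pvt" "$MNT" after the wrapped passphrase has been inserted into the keyring.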