Ecryptfs
From Notes_Wiki
Home > CentOS > CentOS 6.x > Filesystem or partition tools > Ecryptfs
Basic ecryptfs usage
Basic ecryptfs usage for encrypting a directory:
- yum -y install ecryptfs-utils
- mount -t ecryptfs /<raw> /<plain>, where <raw> is the directory holding the encrypted files and <plain> is the mount point where they appear decrypted; <raw> and <plain> can even be the same directory.
- Note that you have to remember all options chosen (hence prefer the defaults), as all the questions are asked again(!) on remount.
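The remount caveat is easier to live with if you record the option string of a working mount and replay it. The following is an added example (not from the wiki page and not part of ecryptfs-utils): it reads the option field of an ecryptfs mount from a /proc/mounts-style table, keeps the ecryptfs_* options, and prints the mount command that reproduces the mount; the paths and signatures in the sample table are constructed.

```shell
#!/bin/bash
# Added example: recover the options of an existing ecryptfs mount so the
# same options can be passed with "mount -o ..." next time instead of
# re-answering the interactive mount helper's questions.

# Print the raw option field for mount point $1 from a /proc/mounts-style
# table ($2, default /proc/mounts); prints nothing if it is not mounted.
ecryptfs_opts_for() {
    local mnt="$1" table="${2:-/proc/mounts}"
    awk -v m="$mnt" '$2 == m && $3 == "ecryptfs" { print $4; exit }' "$table"
}

# Reduce a raw option string to the ecryptfs_* options worth replaying;
# generic flags such as rw/ro/relatime are dropped.
ecryptfs_replay_opts() {
    printf '%s\n' "$1" | tr ',' '\n' | grep '^ecryptfs_' | paste -sd, -
}

# Build (print, do not run) the mount command that reproduces the mount.
# -i skips the interactive helper, as in the script on this page.
ecryptfs_remount_cmd() {
    local lower="$1" mnt="$2" opts="$3"
    printf 'mount -i -t ecryptfs -o %s %s %s\n' "$opts" "$lower" "$mnt"
}

# Constructed sample table, not captured from a real system; the
# signatures are made up and the option set is the usual ecryptfs one.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /mnt/alice ecryptfs ro,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_fnek_sig=fedcba9876543210,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0'

# Run the three steps over the sample table and print the remount command.
demo() {
    local table raw
    table=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$table"
    raw=$(ecryptfs_opts_for /mnt/alice "$table")
    rm -f "$table"
    ecryptfs_remount_cmd /home/.ecryptfs/alice/.Private /mnt/alice \
        "$(ecryptfs_replay_opts "$raw")"
}

demo
```

On a real system call ecryptfs_opts_for with only the mount point to read /proc/mounts directly.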
Mounting ecryptfs private home folders of Ubuntu in CentOS
ecryptfs is used for encrypting home folders in various Linux distributions, especially Ubuntu. To mount such encrypted folders on CentOS, the following script can be used:
#!/bin/bash -u
# $0 [ecryptfsdir [mountpoint]]
# Run as root with USER set to login user of ecryptfs
# https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/455709
# http://ubuntuforums.org/showthread.php?p=10445371
# -Ian! D. Allen - idallen@idallen.ca - www.idallen.com
if [ "$(whoami)" != 'root' ] ; then
    echo 1>&2 "$0: ERROR must be root to use this"
    exit 1
fi
if [ "$USER" = 'root' ] ; then
    echo 1>&2 "$0: Warning - USER is '$USER'"
fi
# source ecryptfs dir and desired mount point
#
if [ $# -gt 0 ] ; then
    DIR=$1
    shift
else
    # change this to where you keep your default encrypted backup
    DIR=/backup/home/.ecryptfs/$USER
fi
if [ $# -gt 0 ] ; then
    MNT=$1
    shift
else
    # change this to your default backup mount point
    MNT=/mnt/some/place/you/decide
fi
if [ $# -gt 0 ] ; then
    echo 1>&2 "$0: $#: more than two arguments: $*"
    exit 1
fi
# check that things exist and we can write them
if [ ! -d "$DIR" -o ! -r "$DIR" ] ; then
    echo 1>&2 "$0: not a directory, or not readable: $DIR"
    exit 1
fi
if [ ! -d "$MNT" -o ! -w "$MNT" ] ; then
    echo 1>&2 "$0: is not a writable directory: $MNT"
    exit 1
fi
# Ubuntu layout: .Private holds the ciphertext, .ecryptfs holds the
# wrapped passphrase and the signature file
pvt=$DIR/.Private
ecr=$DIR/.ecryptfs
if [ ! -d "$pvt" -o ! -r "$pvt" ] ; then
    echo 1>&2 "$0: not a readable directory: $pvt"
    exit 1
fi
if [ ! -d "$ecr" -o ! -r "$ecr" ] ; then
    echo 1>&2 "$0: not a readable directory: $ecr"
    exit 1
fi
privsig=$ecr/Private.sig
if [ ! -s "$privsig" -o ! -r "$privsig" ] ; then
    echo 1>&2 "$0: not a non-null, readable signature file '$privsig'"
    exit 1
fi
# first line: signature of the file-content key; last line: signature of
# the filename encryption key (fnek)
sig1=$(head -n1 "$privsig") || exit $?
sig2=$(tail -n1 "$privsig") || exit $?
case "$sig1/$sig2" in
    ????????????????/???????????????? ) ;;  # both must be 16 characters
    *)  echo 1>&2 "$0: Unable to extract signatures from '$privsig'"
        echo 1>&2 "$0: sig1: '$sig1'"
        echo 1>&2 "$0: sig2: '$sig2'"
        exit 1
        ;;
esac
read -s -p "$USER login password: " loginpass || exit $?
echo "" # add the missing newline after reading the password
# echo "DEBUG sig1 $sig1 and sig2 $sig2"
# keyctl clear @u
# unwrap the mount passphrase with the login password and load it into the
# user keyring; "-" makes the tool read the password from stdin
printf '%s\0' "$loginpass" | ecryptfs-insert-wrapped-passphrase-into-keyring "$ecr/wrapped-passphrase" - || exit $?
# keyctl list @u # DEBUG
# The -i bypasses the mount helper - see "man mount.ecryptfs"
# ... but the "mount" man page claims this has a different function!
# ... but it works for me (Ubuntu 10.10). -IAN!
mount -i -t ecryptfs -o "ro,ecryptfs_passthrough=no,ecryptfs_unlink_sigs,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_sig=$sig1,ecryptfs_fnek_sig=$sig2" "$pvt" "$MNT" || exit $?
echo ""
df "$MNT"
The script can be used as follows:
- export USER=<username>
- cd .../home/.ecryptfs/<username>
- mkdir Private
- ./script.sh . Private/
Steps learned from http://ubuntuforums.org/showthread.php?t=1508111