securing your computer – eCryptfs

There are a lot of possible options for securing your computer using encryption.  Perhaps the easiest way to secure your data would be to purchase a new laptop with support for a self-encrypting disk drive.  Failing that, all the Windows fans could try Microsoft’s BitLocker to keep their data safe.

There are of course a lot more options than just those two.  There are a number of free encryption choices on the Internet.  The fact that they are free doesn’t necessarily make them insecure; some of them are actually used in commercial products.

One such example is the encryption software eCryptfs.  It is used by Ubuntu for encrypting home directories as well as by Google’s ChromeOS.

It is actually a pretty neat implementation of encryption. Rather than encrypting the filesystem itself, this solution encrypts the individual files while also storing cryptographic metadata in the header of each file. This makes it possible to copy the encrypted files to another location. When the proper key is in the Linux kernel keyring the files will be decrypted. The eCryptfs web site compares this to gnupg, which is often used for encrypting single files or documents.

Install

Installing eCryptfs, like most Linux software, is pretty simple if it happens to be in your repository.

sudo apt-get install ecryptfs-utils rsync

dock@asus:$ sudo apt-get install ecryptfs-utils rsync
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  gstreamer1.0-pulseaudio libfreerdp-rail1.1 liblivemedia23 libmpg123-0 libpostproc52 libproxy-tools libusageenvironment1
Use 'apt-get autoremove' to remove them.
Suggested packages:
  cryptsetup
The following NEW packages will be installed:
  ecryptfs-utils rsync
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/488 kB of archives.
After this operation, 1,101 kB of additional disk space will be used.
Selecting previously unselected package ecryptfs-utils.
(Reading database ... 143885 files and directories currently installed.)
Preparing to unpack .../ecryptfs-utils_103-5_amd64.deb ...
Unpacking ecryptfs-utils (103-5) ...
Selecting previously unselected package rsync.
Preparing to unpack .../rsync_3.1.1-3_amd64.deb ...
Unpacking rsync (3.1.1-3) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u2) ...
Setting up ecryptfs-utils (103-5) ...
Setting up rsync (3.1.1-3) ...
dock@asus:/media/dock/disk$ 

Setup

Each data file is stored in encrypted form in the actual data directory, while unencrypted access to the file is done through the mount point.  Simply create a directory for the actual encrypted data and one to be used for the mount point.

For my example, I have created my private directory as “.private” and the mount point as “private”.  It is actually pretty neat: because the name of the actual data directory starts with a period, it will not be displayed in most directory listings.

The first time that you try and mount the directory you will be asked quite a few questions as well as for a password.

dock@asus:$ sudo mount -t ecryptfs /media/dock/disk/.private /media/dock/disk/private
Select key type to use for newly created files:
1) tspi
2) passphrase
Selection: 2
Passphrase: badpassword
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=04f11152141160c7
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [04f11152141160c7] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
dock@asus:/media/dock/disk$

Note: The password "badpassword" isn't actually displayed to the screen.

The eCryptfs filesystem has now been mounted and the signature has been saved to the sig-cache.txt file. This is great, as this piece of information, along with the rest of your choices, is necessary to allow you to re-mount the file system.

Although we want the security of the encrypted files, this would be a serious pain in the backside if we really had to enter these parameters on each and every mount.  The secret to simplifying this was displayed when the file system was mounted the first time.

ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=04f11152141160c7

This text, which is actually the set of choices that we made the first time, simply needs to be saved into the file named .ecryptfsrc in the home directory of our root user.  These values will be used instead of prompting you the next time you mount the directory.  You will simply be asked for the authentication information.

dock@asus:$ sudo mount -t ecryptfs /media/dock/disk/.private /media/dock/disk/private
Select key type to use for newly created files:
1) tspi
2) passphrase
Selection: 2
Passphrase: badpassword
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=04f11152141160c7
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=04f11152141160c7
Mounted eCryptfs
dock@asus:/media/dock/disk$
Note: the password "badpassword" isn't actually displayed to the screen.

The eCryptfs filesystem is mounted and dismounted in the exact same manner as any other Linux filesystem.

mount -t ecryptfs <encrypted dir> <unencrypted mount point>

mount -t ecryptfs /media/dock/disk/.private /media/dock/disk/private

umount /media/dock/disk/private

That’s it.  It is possible to have files that are encrypted and still access them with all the same programs just as if nothing were encrypted.

Yet, there are a number of other parameters that can also be put into our .ecryptfsrc file. One such option is for us to put the password for the filesystem into the configuration file.

key=passphrase:passphrase_passwd=badpassword
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=04f11152141160c7
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=04f11152141160c7

This is a very bad idea if security is the goal.  The password is stored in clear text on the file system where it could be read by anyone.

There is another solution to the password problem.  It is possible to put a path pointing to our password into the .ecryptfsrc file.  The path points to a file that contains the password.

key=passphrase:passphrase_passwd_file=/media/dock/disk/passwd_file.txt
ecryptfs_sig=04f11152141160c7
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n

Depending on where the file is stored this is only marginally better.  The file contains passphrase_passwd=<password>

passphrase_passwd=badpassword

This is not much better than putting the password directly into the .ecryptfsrc file.  The reason is that it is not too much effort for some other person to see where the password is located.

The exception would be if this password file was stored on some sort of removable media.  This way you would not be able to mount the encrypted directory without the media (USB stick or SD Card) being inserted.
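A check for the two password options discussed above, as an added example that is not from the original post: it flags an inline passphrase, a config or password file that group/other can access, and a password file that sits on the same device as the encrypted directory. The function names, the FINDING output format and the same-device heuristic are assumptions of this example, and the sample files are constructed.

```shell
#!/bin/sh

# True when group or other has any permission bit set (GNU stat, octal mode).
is_exposed() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Device a path lives on; used to tell "same disk" from removable media.
device_of() { df -P "$1" | awk 'NR==2 {print $1}'; }

# audit_ecryptfsrc <rc file> <encrypted dir>: returns 0 clean, 1 findings, 2 error.
audit_ecryptfsrc() {
    rc=$1; lower=${2:-}; bad=0
    [ -r "$rc" ] || { echo "ERROR: cannot read $rc"; return 2; }
    if is_exposed "$rc"; then
        echo "FINDING: $rc is accessible to group/other"; bad=1
    fi
    # Inline secret; this pattern does not match passphrase_passwd_file=
    if grep -q '^key=passphrase:.*passphrase_passwd=' "$rc"; then
        echo "FINDING: passphrase stored in clear text in $rc"; bad=1
    fi
    pwfile=$(sed -n 's/^key=passphrase:.*passphrase_passwd_file=\([^:]*\).*/\1/p' "$rc")
    if [ -n "$pwfile" ] && [ -e "$pwfile" ]; then
        if is_exposed "$pwfile"; then
            echo "FINDING: $pwfile is accessible to group/other"; bad=1
        fi
        # Heuristic: a key file on the same device as the data is not "removable".
        if [ -d "$lower" ] && [ "$(device_of "$pwfile")" = "$(device_of "$lower")" ]; then
            echo "FINDING: $pwfile is on the same filesystem as $lower"; bad=1
        fi
    fi
    return $bad
}

# Constructed sample mirroring the page's passwd_file layout, in a temp dir.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/.private"
    printf 'passphrase_passwd=badpassword\n' > "$d/passwd_file.txt"
    printf 'key=passphrase:passphrase_passwd_file=%s\necryptfs_cipher=aes\n' \
        "$d/passwd_file.txt" > "$d/.ecryptfsrc"
    chmod 644 "$d/passwd_file.txt"; chmod 600 "$d/.ecryptfsrc"
    audit_ecryptfsrc "$d/.ecryptfsrc" "$d/.private"; status=$?
    rm -rf "$d"
    return $status
}

if [ $# -gt 0 ]; then audit_ecryptfsrc "$1" "${2:-}"; else demo || true; fi
```

Run it with the config file and the encrypted directory as arguments; with no arguments it audits the constructed sample and reports two findings.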

Limitations

The good news is that eCryptfs is a super convenient and fairly simple solution to set up which gives you a bit of security for your files.  The bad news is that you are limited to a single encrypted top directory per user.

The other limitation is that this solution is only available for Linux due to it being built into the kernel.

 
