eCryptfs is a kernel-native stacked cryptographic filesystem for Linux. Stacked filesystems layer on top of existing mounted filesystems that are referred to as lower filesystems. eCryptfs is a stacked filesystem that encrypts and decrypts the files as they are written to or read from the lower filesystem.

eCryptfs encrypts and decrypts individual data extents in each file using a unique randomly generated File Encryption Key (FEK). The FEK is encrypted with the File Encryption Key Encryption Key (FEKEK), and the resulting Encrypted File Encryption Key (EFEK) is stored in the header of each lower file.

First, install the necessary packages. From a terminal prompt enter:

 sudo apt-get install ecryptfs-utils

Now, let's encrypt all files that we read and write under /home/nikesh/private. Mount that directory (the lower filesystem) on an encrypted mount point using the command:

 sudo mount -t ecryptfs /home/nikesh/private/ /encrypted

The directory /encrypted is now an eCryptfs mount; you can confirm this with the command “mount”. Whatever you write to /encrypted is stored encrypted in the lower directory.

Once the encrypted filesystem is unmounted, the file cannot be read, because only the encrypted lower copy remains.

Automatically Mounting Encrypted Partitions

There is a way to automatically mount an eCryptfs encrypted filesystem at boot. This example uses a /root/.ecryptfsrc file containing the mount options, along with a passphrase file residing on a USB key.

First, create /root/.ecryptfsrc containing:

    key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
    ecryptfs_sig=5826dd62cf81c615
    ecryptfs_cipher=aes
    ecryptfs_key_bytes=16
    ecryptfs_passthrough=n
    ecryptfs_enable_filename_crypto=n

Note: adjust the above parameters to match the signature recorded in /root/.ecryptfs/sig-cache.txt.

Next, create the /mnt/usb/passwd_file.txt passphrase file:

 passphrase_passwd=[secrets]

Now add the necessary lines to /etc/fstab:

 /home/nikesh/private/ /encrypted ecryptfs defaults 0 0

Make sure the USB drive is mounted before the encrypted partition.
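As an added example that is not part of this page or of the ecryptfs-utils project, the following POSIX shell script checks the pieces of the auto-mount setup above for the mistakes that most often leave the passphrase exposed or the mount failing at boot: a passphrase file readable by other users, a malformed ecryptfs_sig, an invalid key length for aes, and an fstab that lists the encrypted mount before the USB stick carrying the passphrase. All file paths are arguments; the demo at the end builds constructed sample files in a temporary directory rather than touching /root or /etc.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the eCryptfs
# auto-mount setup before trusting it at boot.
# Assumed layout: an rc file like /root/.ecryptfsrc, a passphrase file like
# /mnt/usb/passwd_file.txt and an fstab line of type ecryptfs. Paths are
# passed as arguments so the checks can run against copies or samples.

# rc_get FILE KEY : print the value of KEY=VALUE from FILE (first match)
rc_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# check_ecryptfsrc RCFILE : report problems, return 0 only if all checks pass
check_ecryptfsrc() {
    rc="$1"; bad=0
    [ -r "$rc" ] || { echo "cannot read $rc"; return 1; }

    # key= must have the form passphrase:passphrase_passwd_file=PATH
    pwfile=$(rc_get "$rc" key | sed -n 's/^passphrase:passphrase_passwd_file=//p')
    if [ -z "$pwfile" ]; then
        echo "key= is missing or not of the form passphrase:passphrase_passwd_file=PATH"; bad=1
    elif [ ! -f "$pwfile" ]; then
        echo "passphrase file $pwfile does not exist (USB key not mounted?)"; bad=1
    else
        # the file holds the mount passphrase in clear: only the owner may read it
        perms=$(ls -ld "$pwfile" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "$pwfile is group/other accessible ('$perms'), chmod 600 it"; bad=1; }
        grep -q '^passphrase_passwd=' "$pwfile" || { echo "$pwfile lacks a passphrase_passwd= line"; bad=1; }
    fi

    # ecryptfs_sig is the 16 hex digit key signature from /root/.ecryptfs/sig-cache.txt
    sig=$(rc_get "$rc" ecryptfs_sig)
    [ "$(expr "x$sig" : 'x[0-9a-f]\{16\}$')" -eq 17 ] || { echo "ecryptfs_sig '$sig' is not 16 hex digits"; bad=1; }

    # the key length must fit the cipher; aes accepts only 16, 24 or 32 bytes
    cipher=$(rc_get "$rc" ecryptfs_cipher)
    bytes=$(rc_get "$rc" ecryptfs_key_bytes)
    case "$cipher:$bytes" in
        aes:16|aes:24|aes:32) ;;
        aes:*) echo "ecryptfs_key_bytes=$bytes is invalid for aes (use 16, 24 or 32)"; bad=1 ;;
        :*)    echo "ecryptfs_cipher is not set"; bad=1 ;;
        *)     echo "note: cipher '$cipher' is not validated by this script" ;;
    esac
    return $bad
}

# check_fstab FSTAB LOWER UPPER PWDIR : the ecryptfs entry must exist and, as
# fstab is processed top to bottom, the mount holding the passphrase (PWDIR)
# must be listed above it
check_fstab() {
    fstab="$1"; lower="$2"; upper="$3"; pwdir="$4"
    line=$(awk -v l="$lower" -v u="$upper" '$1==l && $2==u && $3=="ecryptfs" {print NR; exit}' "$fstab")
    [ -n "$line" ] || { echo "no ecryptfs entry for $lower on $upper in $fstab"; return 1; }
    usb=$(awk -v d="$pwdir" '$2==d {print NR; exit}' "$fstab")
    [ -n "$usb" ] || { echo "nothing in $fstab mounts $pwdir; the passphrase file will be absent at boot"; return 1; }
    [ "$usb" -lt "$line" ] || { echo "$pwdir is listed after the ecryptfs entry; move it above"; return 1; }
    return 0
}

# demo : run both checks on constructed sample files (stand-ins for the real paths)
demo() {
    d=$(mktemp -d); usb="$d/usb"; mkdir -p "$usb"
    printf 'passphrase_passwd=[secrets]\n' > "$usb/passwd_file.txt"
    chmod 600 "$usb/passwd_file.txt"
    cat > "$d/ecryptfsrc" <<EOF
key=passphrase:passphrase_passwd_file=$usb/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
EOF
    printf '/dev/sdb1 %s vfat defaults 0 0\n/home/nikesh/private/ /encrypted ecryptfs defaults 0 0\n' "$usb" > "$d/fstab"
    check_ecryptfsrc "$d/ecryptfsrc" && check_fstab "$d/fstab" /home/nikesh/private/ /encrypted "$usb"
    r=$?
    rm -rf "$d"
    return $r
}

demo && echo "sample configuration looks consistent"
```

Run it as root against the real files with `check_ecryptfsrc /root/.ecryptfsrc` and `check_fstab /etc/fstab /home/nikesh/private/ /encrypted /mnt/usb` after sourcing the script; the permission check is the one that matters most, since a world-readable passwd_file.txt hands the mount passphrase to every local user.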

linux/ecryptfs.txt · Last modified: 2010/10/20 11:57 by a
CC Attribution-Share Alike 4.0 International