How to use ecryptfs on Fedora

How to create an encrypted volume on top of a regular file system in Fedora using ecryptfs.

Install ecryptfs if it’s not already on your system.

$ sudo yum install ecryptfs-utils

If you want to use a key file (optionally protected by a passphrase), follow the ecryptfs-manager steps next. If you just want a passphrase, skip the ecryptfs-manager section and jump straight to making the directory; when the mount asks for a key type, choose passphrase instead of openssl.

$ sudo ecryptfs-manager

eCryptfs key management menu
-------------------------------
        1. Add passphrase key to keyring
        2. Add public key to keyring
        3. Generate new public/private keypair
        4. Exit

Make selection:

Choose 3 to generate a new public/private keypair.

Select key type to use for newly created files:
 1) openssl
Selection:

Choose openssl, accept the default path to write out the key.pem file.

SSL key file path [/home/ninja/.ecryptfs/pki/openssl/key.pem]:

Choose a passphrase if you want one (something you know), or leave it blank to rely solely on the key file (something you have). A blank passphrase means anyone who can read key.pem can mount the volume, so guard the file accordingly (see the end of this post).

Passphrase:
Returning to main menu

Exit the management menu.

Now make and mount the encrypted volume.

Create a directory where you want to store encrypted data. I’ll make a folder called crypt_vol in my home directory. ecryptfs is a stacked file system: the first path in the mount command is the lower directory, where the encrypted files actually live, and the second is the mount point, where you see plaintext. Using the same directory for both, as below, is the usual setup.

$ mkdir ~/crypt_vol

$ sudo mount -t ecryptfs ~/crypt_vol ~/crypt_vol

Select key type to use for newly created files:
 1) openssl
 2) passphrase
 3) tspi
Selection:

Give the location of your key.pem. If you wrote it to the default path, just hit enter, since the same default is offered here.

PEM key file [/home/ninja/.ecryptfs/pki/openssl/key.pem]:

Now provide the passphrase you set when you generated the keypair. If you left it blank, keep the default, openssl_passwd, and just hit enter at the Passphrase prompt. The other two methods read the passphrase from a file or an already-open file descriptor, which is what you want for scripted mounts.

Method of providing the passphrase:
 1) openssl_passwd: Enter on Console
 2) openssl_passwd_file: File Containing Passphrase
 3) openssl_passwd_fd: File Descriptor for File Containing Passphrase
Selection [openssl_passwd]:
Passphrase:

Choose a cipher. aes is the default and the right choice; the rest are there for compatibility. "(not loaded)" only means the kernel module for that cipher is not loaded yet; it is loaded on demand when you mount.

Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:

Pick the default key size of 16 bytes (AES-128). 32 bytes gives you AES-256.

Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:

If you want to store a mix of encrypted and unencrypted files under the same directory, enable plaintext passthrough, which lets files in the lower directory that carry no eCryptfs header be read as they are; otherwise take the default, no. I suggest an all-or-nothing approach, since it gets confusing which files are encrypted, especially binaries. (With ASCII text files you can just cat a file and tell whether it’s encrypted or not.)

Enable plaintext passthrough (y/n) [n]:

The first time you mount with a given key, you will get this message:

WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? yes
Would you like to append sig [fa0757b1] to
[/home/ninja/.ecryptfs/sig-cache.txt] yes

If all went well, you’ll see one last message before returning to your shell.

Successfully appended new sig to user sig cache file
Mounted eCryptfs

Now when you check your mounts (with mount, or by reading /proc/mounts), you should see the encrypted volume overlaying one of your other file systems. In my case, I have an ext3 home partition with the encrypted volume on part of it. Anything you put under /home/ninja/crypt_vol will be encrypted. When you unmount crypt_vol, you will still be able to see the directories and file names, because this mount does not encrypt file names (there is no ecryptfs_fnek_sig among the options below), but the contents of every file will be ciphertext.

/dev/sda4 on /home type ext3 (rw)
/home/ninja/crypt_vol on /home/ninja/crypt_vol type ecryptfs (rw,ecryptfs_sig=fa0757b1,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,)
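Two checks worth running once the volume is set up, as an added example that is not part of the original post. The first reads the mount table and confirms that the directory really is an ecryptfs mount with the cipher and key size you chose, and warns when file names are stored in the clear. The second inspects a file in the lower directory for the eCryptfs header marker, so you can tell an encrypted file from a plain one even when it is binary, the confusion mentioned under the passthrough prompt. The mount-table sample is constructed from the mount output above, the sample files are constructed inline, and the header layout (an 8-byte size field followed by two big-endian 32-bit words where the second equals the first XOR 0x3c81b7f5) is the eCryptfs on-disk format. Run the file check on the lower directory after unmounting; through the mount you would only ever see plaintext.

```shell
#!/bin/sh
# Added example (not from the original post): post-mount checks for an
# eCryptfs volume. Both functions run offline against constructed samples.
#   ecryptfs_mount_check  - is MOUNTPOINT an ecryptfs mount with the expected
#                           cipher and key size, and are file names encrypted?
#   is_ecryptfs_file      - does FILE in the lower directory carry an eCryptfs
#                           header marker (i.e. is its content ciphertext)?
# Assumption: eCryptfs header = 8-byte size field, then m1,m2 (big-endian
# 32-bit) with m2 == m1 XOR 0x3c81b7f5.

ECRYPTFS_MAGIC=0x3c81b7f5

# Constructed sample mount table, taken from the mount output above and
# written the way /proc/mounts prints it (one line per mount).
SAMPLE_MOUNTS='/dev/sda4 /home ext3 rw 0 0
/home/ninja/crypt_vol /home/ninja/crypt_vol ecryptfs rw,ecryptfs_sig=fa0757b1,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0'

# ecryptfs_mount_opts MOUNTPOINT [TABLEFILE]
# Print the option string of the ecryptfs mount at MOUNTPOINT; fail if none.
ecryptfs_mount_opts() {
    awk -v mp="$1" '$2 == mp && $3 == "ecryptfs" { print $4; found = 1 }
                    END { exit !found }' "${2:-/proc/mounts}"
}

# has_opt OPTS TOKEN: 0 if TOKEN appears in the comma-separated option list.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# ecryptfs_mount_check MOUNTPOINT CIPHER KEYBYTES [TABLEFILE]
# Prints findings; returns 0 only if the mount exists with that cipher and key size.
ecryptfs_mount_check() {
    local opts
    opts=$(ecryptfs_mount_opts "$1" "$4") || { echo "FAIL: $1 is not an ecryptfs mount"; return 1; }
    has_opt "$opts" "ecryptfs_cipher=$2"    || { echo "FAIL: cipher is not $2: $opts"; return 1; }
    has_opt "$opts" "ecryptfs_key_bytes=$3" || { echo "FAIL: key size is not $3 bytes: $opts"; return 1; }
    case ",$opts," in
        *,ecryptfs_fnek_sig=*) echo "OK: file names are encrypted" ;;
        *) echo "WARN: no ecryptfs_fnek_sig, file names sit in clear text in the lower directory" ;;
    esac
    has_opt "$opts" ecryptfs_unlink_sigs && echo "OK: key is removed from the kernel keyring on unmount"
    return 0
}

# read_marker FILE: the 8 bytes at offset 8 as hex (fewer if the file is short).
read_marker() {
    od -A n -t x1 -j 8 -N 8 "$1" 2>/dev/null | tr -d ' \n'
}

# is_ecryptfs_file FILE: 0 if FILE starts with a valid eCryptfs header marker.
is_ecryptfs_file() {
    local hex m1 m2
    hex=$(read_marker "$1")
    [ "${#hex}" -eq 16 ] || return 1      # too short to hold a header
    m1=$(printf '%s' "$hex" | cut -c1-8);  m1=$((0x$m1))
    m2=$(printf '%s' "$hex" | cut -c9-16); m2=$((0x$m2))
    [ $(( m1 ^ $ECRYPTFS_MAGIC )) -eq "$m2" ]
}

# Usage: sh check.sh MOUNTPOINT CIPHER KEYBYTES [FILE...]
# The mount check needs the volume mounted; the file check needs it unmounted
# so that od reads the lower, encrypted bytes rather than plaintext.
if [ "$#" -ge 3 ]; then
    ecryptfs_mount_check "$1" "$2" "$3"
    shift 3
    for f in "$@"; do
        if is_ecryptfs_file "$f"; then echo "encrypted: $f"; else echo "plain:     $f"; fi
    done
fi
```

For the mount shown above, `sh check.sh /home/ninja/crypt_vol aes 16` reports the cipher and key size as expected and warns that file names are not encrypted, which matches what you see in the lower directory after unmounting.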

Since I’m not using a passphrase at all, I’ll move key.pem to a remote mount and symlink it back into place, or make the pki directory a mount point on some remote disk (via NFS, probably). If the computer ever gets stolen, the encrypted volume will not be mountable. This is just one example of how to use keys and/or passphrases to protect your encrypted data. If you’re not going to put key.pem on a remote mount or set a passphrase, you should consider the encryption worthless, since anyone using your machine can find your key and mount the volume after a little searching around. Two caveats on the remote-key approach: plain NFS carries the key file over the network unencrypted and trusts the client’s UID, so anyone who can sniff the wire or spoof the client can collect key.pem; and once a mount has succeeded, the key material stays in the kernel keyring, so without the ecryptfs_unlink_sigs option (shown in the mount output above, it drops the key on unmount) a later mount in the same session would not need key.pem at all. A passphrase on key.pem costs little and means the key file alone is not enough.

Posted by admica @ 25 March 2009

2 Comments
May 2, 2009
1:58 am
#1 Ali Mahjur :

Hi,

I followed the above approach. I created a directory and mounted it using public-private key pair.
I tried to create a file named test.c using vi. I got this error:
Found a swap file by the name .test.c.swp

Then, I tried to create a file using echo. I issued this command:
echo hello > f.c
f.c: Transport endpoint is not connected

finally, I tried to copy a file to this directory

Again, I got this error:
cannot create regular file ‘all.c’: Transport endpoint is not connected.

My system is ubuntu version 8. What is wrong here?

May 6, 2009
12:00 pm
#2 admica :

When you’re in the middle of editing a file with vi, if you open another terminal and look at the hidden files in the same directory as the file you’re editing, you should see a .swp file. Did you have another vi open while you were trying to modify test.c? Perhaps a vi instance died while you were opening?

I’m not sure what happened with the other commands, echoing “hello” and redirecting it to a file is pretty basic. Try doing it in your home directory, or in tmp. What shell are you using?
