Ecryptfs
From Notes_Wiki
ecryptfs
Basic ecryptfs usage
For basic ecryptfs usage for encrypting filesystem:
- yum -y install ecryptfs-utils
- mount -t ecryptfs /<raw> /<plain>, where <raw> and <plain> can even be the same directory
- Note that you would have to remember all the options chosen (hence prefer defaults), as all the questions are asked again(!) on remount.
Mounting ecryptfs private home folders of Ubuntu in CentOS
ecryptfs is used for encrypting home folders in various Linux flavors, especially Ubuntu. To mount such encrypted folders from CentOS, the following script can be used:
#!/bin/bash -u
# $0 [ecryptfsdir [mountpoint]]
# Run as root with USER set to login user of ecryptfs
# https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/455709
# http://ubuntuforums.org/showthread.php?p=10445371
# -Ian! D. Allen - idallen@idallen.ca - www.idallen.com

if [ $(whoami) != 'root' ] ; then
    echo 1>&2 "$0: ERROR must be root to use this"
    exit 1
fi
if [ "$USER" = 'root' ] ; then
    echo 1>&2 "$0: Warning - USER is '$USER'"
fi

# source ecryptfs dir and desired mount point
#
if [ $# -gt 0 ] ; then
    DIR=$1
    shift
else
    # change this to where your keep your default encrypted backup
    DIR=/backup/home/.ecryptfs/$USER
fi
if [ $# -gt 0 ] ; then
    MNT=$1
    shift
else
    # change this to your default backup mount point
    MNT=/mnt/some/place/you/decide
fi
if [ $# -gt 0 ] ; then
    echo 1>&2 "$0: $#: more than two arguments: $*"
    exit 1
fi

# check that things exist and we can write them
if [ ! -d "$DIR" -o ! -r "$DIR" ] ; then
    echo 1>&2 "$0: not a directory, or not readable: $DIR"
    exit 1
fi
if [ ! -d "$MNT" -o ! -w "$MNT" ] ; then
    echo 1>&2 "$0: is not a writable directory: $MNT"
    exit 1
fi
pvt=$DIR/.Private
ecr=$DIR/.ecryptfs
if [ ! -d "$pvt" -o ! -r "$pvt" ] ; then
    echo 1>&2 "$0: not a readable directory: $pvt"
    exit 1
fi
if [ ! -d "$ecr" -o ! -r "$ecr" ] ; then
    echo 1>&2 "$0: not a readable directory: $ecr"
    exit 1
fi
privsig=$ecr/Private.sig
if [ ! -s "$privsig" -o ! -r "$privsig" ] ; then
    echo 1>&2 "$0: not a non-null, readable signature file '$privsig'"
    exit 1
fi
sig1=$(head -n1 "$privsig") || exit $?
sig2=$(tail -n1 "$privsig") || exit $?
case "$sig1/$sig2" in
????????????????/???????????????? ) ;;
*)
    echo 1>&2 "$0: Unable to extract signatures from '$privsig'"
    echo 1>&2 "$0: sig1: '$sig1'"
    echo 1>&2 "$0: sig2: '$sig2'"
    exit 1
    ;;
esac
read -s -p "$USER login password: " loginpass || exit $?
echo "" # add the missing newline after reading the password

# echo "DEBUG sig1 $sig1 and sig2 $sig2"
# keyctl clear @u
printf '%s\0' "$loginpass" | ecryptfs-insert-wrapped-passphrase-into-keyring "$ecr/wrapped-passphrase" - || exit $?
# keyctl list @u # DEBUG

# The -i bypasses the mount helper - see "man mount.ecryptfs"
# ... but the "mount" man page claims this has a different function!
# ... but it works for me (Ubuntu 10.10). -IAN!
mount -i -t ecryptfs -o "ro,ecryptfs_passthrough=no,ecryptfs_unlink_sigs,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_sig=$sig1,ecryptfs_fnek_sig=$sig2" "$pvt" "$MNT" || exit $?
echo ""
df "$MNT"
The script can be used as follows:
- export USER=<username>
- cd .../home/.ecryptfs/<username>
- mkdir Private
- ./script.sh . Private/
Steps learned from http://ubuntuforums.org/showthread.php?t=1508111
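The script above takes the first and last line of Private.sig as the content-key and filename-key (FNEK) signatures. The helper below is an added example, not part of the wiki page or Ian Allen's script: it validates each signature as 16 hex characters and builds the same -o string, but also accepts a one-line Private.sig (my assumption: that is what Ubuntu writes when filename encryption was not enabled, in which case head and tail return the same line and passing it as ecryptfs_fnek_sig would be wrong, so the FNEK option is omitted).

```shell
#!/bin/bash
# Added example, not the page's or the original script author's code.
# Produces the mount -o option string for an ecryptfs .Private directory
# from an Ubuntu-style Private.sig; it does not run mount itself.

# Return 0 if $1 is a plausible ecryptfs key signature: exactly 16 hex digits.
ecryptfs_valid_sig() {
    case "$1" in
        ????????????????) [ -z "$(printf '%s' "$1" | tr -d '0-9a-fA-F')" ] ;;
        *) return 1 ;;
    esac
}

# Print the option string for the Private.sig file named by $1.
# Line 1: file-content key signature (required).
# Line 2: filename-encryption (FNEK) key signature (optional, see lead-in).
ecryptfs_mount_opts() {
    sigfile=$1
    [ -s "$sigfile" ] || { echo "no signature file: $sigfile" >&2; return 1; }
    sig1=$(sed -n '1p' "$sigfile")
    sig2=$(sed -n '2p' "$sigfile")
    ecryptfs_valid_sig "$sig1" || { echo "bad content sig: '$sig1'" >&2; return 1; }
    opts="ro,ecryptfs_passthrough=no,ecryptfs_unlink_sigs"
    opts="$opts,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_sig=$sig1"
    if [ -n "$sig2" ]; then
        # Second line present: filenames are encrypted too, add the FNEK sig.
        ecryptfs_valid_sig "$sig2" || { echo "bad FNEK sig: '$sig2'" >&2; return 1; }
        opts="$opts,ecryptfs_fnek_sig=$sig2"
    fi
    printf '%s\n' "$opts"
}
```

After the wrapped passphrase has been inserted into the keyring as in the script above, the result can be used as `mount -i -t ecryptfs -o "$(ecryptfs_mount_opts "$ecr/Private.sig")" "$pvt" "$MNT"`.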