Ubuntu Server Guide



Security

6. eCryptfs

eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux. Layering on top of the filesystem layer, eCryptfs protects files no matter the underlying filesystem, partition type, etc.

During installation there is an option to encrypt the /home partition. This will automatically configure everything needed to encrypt and mount the partition.

As an example, this section will cover configuring /srv to be encrypted using eCryptfs.

6.1. Using eCryptfs

First, install the necessary packages. From a terminal prompt enter:

sudo apt-get install ecryptfs-utils

Now mount the partition to be encrypted:

sudo mount -t ecryptfs /srv /srv

You will then be prompted for some details on how ecryptfs should encrypt the data.

To test that files placed in /srv are indeed encrypted, copy the /etc/default folder to /srv:

sudo cp -r /etc/default /srv

Now unmount /srv, and try to view a file:

sudo umount /srv
cat /srv/default/cron

Remounting /srv using ecryptfs will make the data viewable once again.

6.2. Automatically Mounting Encrypted Partitions

There are a couple of ways to automatically mount an ecryptfs encrypted filesystem at boot. This example will use a /root/.ecryptfsrc file containing mount options, along with a passphrase file residing on a USB key.

First, create /root/.ecryptfsrc containing:

key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n

Adjust the ecryptfs_sig to the signature in /root/.ecryptfs/sig-cache.txt.

Next, create the /mnt/usb/passwd_file.txt passphrase file:

passphrase_passwd=[secrets]

Now add the necessary lines to /etc/fstab:

/dev/sdb1 /mnt/usb ext3 ro 0 0

/srv /srv ecryptfs defaults 0 0

Make sure the USB drive is mounted before the encrypted partition.

Finally, reboot and /srv should be mounted using ecryptfs.
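
The ordering requirement in this section can be checked before rebooting. The script below is an added example, not part of the guide: it reads the passphrase file path from the rc file and confirms that the fstab entry covering that path is listed before the ecryptfs entry. The function names are hypothetical, and it assumes fstab line order reflects mount order, as the instruction above implies.

```sh
#!/bin/sh
# Added example (not from the guide): pre-reboot check for the 6.2 setup.

# Print the passphrase file path named on the key= line of an rc file.
passwd_file_from_rc() {
    sed -n 's/^key=passphrase:passphrase_passwd_file=//p' "$1" | head -n 1
}

# Print the line number of the first fstab entry whose mount point is $2
# and, when $3 is non-empty, whose filesystem type is $3.
fstab_line_of() {
    awk -v mp="$2" -v fst="$3" '
        $1 ~ /^#/ || NF < 3 { next }
        $2 == mp && (fst == "" || $3 == fst) { print NR; exit }' "$1"
}

# check_ecryptfs_boot RC FSTAB ENC_DIR
# 0: the filesystem holding the passphrase file precedes the ecryptfs entry.
# 1: wrong order. 2-4: a required entry is missing.
check_ecryptfs_boot() {
    rc=$1 fstab=$2 enc=$3 key_line=""
    pw=$(passwd_file_from_rc "$rc")
    [ -n "$pw" ] || { echo "no passphrase_passwd_file in $rc"; return 2; }
    enc_line=$(fstab_line_of "$fstab" "$enc" ecryptfs)
    [ -n "$enc_line" ] || { echo "no ecryptfs entry for $enc"; return 3; }
    # Walk up from the passphrase file to the nearest mount point in fstab.
    dir=$(dirname "$pw")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        key_line=$(fstab_line_of "$fstab" "$dir" "")
        [ -n "$key_line" ] && break
        dir=$(dirname "$dir")
    done
    [ -n "$key_line" ] || { echo "no fstab entry covers $pw"; return 4; }
    if [ "$key_line" -gt "$enc_line" ]; then
        echo "$dir (line $key_line) is listed after $enc (line $enc_line)"
        return 1
    fi
    echo "ok: $dir (line $key_line) precedes $enc (line $enc_line)"
}

# Usage: sh check.sh /root/.ecryptfsrc /etc/fstab /srv
if [ $# -eq 3 ]; then check_ecryptfs_boot "$1" "$2" "$3"; fi
```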

6.3. Other Utilities

The ecryptfs-utils package includes several other useful utilities:

• ecryptfs-setup-private: creates a ~/Private directory to contain encrypted information. This utility can be run by unprivileged users to keep data private from other users on the system.

• ecryptfs-mount-private and ecryptfs-umount-private: will mount and unmount, respectively, a user's ~/Private directory.

• ecryptfs-add-passphrase: adds a new passphrase to the kernel keyring.

• ecryptfs-manager: manages eCryptfs objects such as keys.

• ecryptfs-stat: allows you to view the ecryptfs meta information for a file.

6.4. References

• For more information on eCryptfs see the Launchpad project page.

• There is also a Linux Journal article covering eCryptfs.

• Also, for more ecryptfs options see the ecryptfs man page.

• The eCryptfs Ubuntu Wiki page also has more details.
