Security
6. eCryptfs
eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux. Because it layers on top of the filesystem layer, eCryptfs protects files no matter the underlying filesystem, partition type, etc.
During installation there is an option to encrypt the /home partition. This will automatically configure everything needed to encrypt and mount the partition.
As an example, this section will cover configuring /srv to be encrypted using eCryptfs.
6.1. Using eCryptfs
First, install the necessary packages. From a terminal prompt enter:
sudo apt-get install ecryptfs-utils
Now mount the partition to be encrypted:
sudo mount -t ecryptfs /srv /srv
You will then be prompted for some details on how ecryptfs should encrypt the data.
To test that files placed in /srv are indeed encrypted, copy the /etc/default folder to /srv:
sudo cp -r /etc/default /srv
Now unmount /srv, and try to view a file:
sudo umount /srv
cat /srv/default/cron
Remounting /srv using ecryptfs will make the data viewable once again.
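The steps above are verified by eye (the copied file is unreadable after the unmount). The following shell script is an added example, not part of the Ubuntu Server Guide, that performs the same check by reading a /proc/mounts-style file: it reports whether a given mount point is currently served by ecryptfs and prints the ecryptfs options in effect (signature, cipher, key size). The mounts file is passed as an argument so the script can be run offline against the constructed sample below; on a live system you would pass /proc/mounts. The function name and the sample mount table are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide): report whether a mount
# point is currently backed by ecryptfs, using a /proc/mounts-style file.
#
# Usage: ecryptfs_mount_status MOUNTS_FILE MOUNTPOINT
# Prints the mount options of the ecryptfs mount and returns 0 if MOUNTPOINT
# is an ecryptfs mount, 1 otherwise. Passing the file explicitly keeps the
# check testable without root or a loaded ecryptfs module.
ecryptfs_mount_status() {
    mounts_file="$1"
    mountpoint="$2"
    # /proc/mounts columns: device mountpoint fstype options dump pass
    awk -v mp="$mountpoint" '
        $2 == mp && $3 == "ecryptfs" { print $4; found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$mounts_file"
}

# Constructed sample of /proc/mounts (not captured from a real system):
# /srv mounted over itself with ecryptfs, /home on a plain ext4 partition.
SAMPLE_MOUNTS="$(mktemp)"
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/srv /srv ecryptfs rw,relatime,ecryptfs_sig=5826dd62cf81c615,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
EOF

# Quick demonstration: the first call succeeds and prints the options,
# the second fails because /home is not an ecryptfs mount.
ecryptfs_mount_status "$SAMPLE_MOUNTS" /srv  && echo "/srv is an ecryptfs mount"
ecryptfs_mount_status "$SAMPLE_MOUNTS" /home || echo "/home is NOT an ecryptfs mount"
```

The options column is worth reading rather than just the filesystem type: it confirms which signature and cipher the mount actually uses, which is what the .ecryptfsrc in the next section has to match.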
6.2. Automatically Mounting Encrypted Partitions
There are a couple of ways to automatically mount an ecryptfs encrypted filesystem at boot. This example will use a /root/.ecryptfsrc file containing mount options, along with a passphrase file residing on a USB key.
First, create /root/.ecryptfsrc containing:
key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
Adjust the ecryptfs_sig to the signature in /root/.ecryptfs/sig-cache.txt.
Next, create the /mnt/usb/passwd_file.txt passphrase file:
passphrase_passwd=[secrets]
Now add the necessary lines to /etc/fstab:
/dev/sdb1 /mnt/usb ext3 ro 0 0
/srv /srv ecryptfs defaults 0 0
Make sure the USB drive is mounted before the encrypted partition.
Finally, reboot and /srv should be mounted using ecryptfs.
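A mistake in any of the three files above (a signature that is not in sig-cache.txt, or the USB key listed after the encrypted partition in fstab) only shows up as a failed mount at boot. The script below is an added example, not part of the Ubuntu Server Guide, that checks those two consistency rules before rebooting. All paths are passed as arguments so it runs here against constructed sample files; on a real system you would pass /root/.ecryptfsrc, /root/.ecryptfs/sig-cache.txt and /etc/fstab. The helper names, the sample files and the assumption that the passphrase file sits directly in the USB key's mount point are all this example's own.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide): sanity-check the files
# the automatic ecryptfs mount depends on, before rebooting.

# Read one key=value option from an .ecryptfsrc-style file. The first line
# of the guide's file carries two options joined by ':', so split on ':' too.
rc_get() {        # rc_get KEY FILE
    tr ':' '\n' < "$2" | awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# Print the line number of the (non-comment) fstab entry whose mount point
# is $1; prints nothing if there is no such entry.
fstab_index() {   # fstab_index MOUNTPOINT FSTAB
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print NR; exit }' "$2"
}

check_automount() {   # check_automount RCFILE SIGCACHE FSTAB
    rc="$1"; sigcache="$2"; fstab="$3"
    sig="$(rc_get ecryptfs_sig "$rc")"
    pwfile="$(rc_get passphrase_passwd_file "$rc")"
    [ -n "$sig" ]    || { echo "no ecryptfs_sig in $rc"; return 1; }
    [ -n "$pwfile" ] || { echo "no passphrase_passwd_file in $rc"; return 1; }

    # 1. The signature must be one ecryptfs has cached for this passphrase;
    #    otherwise the key lookup at mount time fails.
    grep -qx "$sig" "$sigcache" || { echo "sig $sig not found in $sigcache"; return 1; }

    # 2. The filesystem holding the passphrase file must appear in fstab
    #    before the ecryptfs entry, so it is mounted first. Assumption made
    #    by this example: the passphrase file lives directly in that mount point.
    usb_mp="$(dirname "$pwfile")"
    usb_idx="$(fstab_index "$usb_mp" "$fstab")"
    srv_idx="$(fstab_index /srv "$fstab")"
    [ -n "$usb_idx" ] || { echo "no fstab entry for $usb_mp"; return 1; }
    [ -n "$srv_idx" ] || { echo "no fstab entry for /srv"; return 1; }
    [ "$usb_idx" -lt "$srv_idx" ] || { echo "$usb_mp must be listed before /srv in $fstab"; return 1; }
    echo "automount configuration looks consistent"
}

# Constructed sample files mirroring the guide's configuration (not copied
# from a real system). sig-cache.txt holds one hex signature per line.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/ecryptfsrc" <<'EOF'
key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
EOF
printf '5826dd62cf81c615\n' > "$SAMPLE_DIR/sig-cache.txt"
printf '/dev/sdb1 /mnt/usb ext3 ro 0 0\n/srv /srv ecryptfs defaults 0 0\n' > "$SAMPLE_DIR/fstab"

check_automount "$SAMPLE_DIR/ecryptfsrc" "$SAMPLE_DIR/sig-cache.txt" "$SAMPLE_DIR/fstab"
```

Run it as root against the real files once the three of them are in place; a non-zero exit with the printed reason is cheaper to act on than a boot that stalls at the /srv mount.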
6.3. Other Utilities
The ecryptfs-utils package includes several other useful utilities:
• ecryptfs-setup-private: creates a ~/Private directory to contain encrypted information. This utility can be run by unprivileged users to keep data private from other users on the system.
• ecryptfs-mount-private and ecryptfs-umount-private: will mount and unmount, respectively, a user's ~/Private directory.
• ecryptfs-add-passphrase: adds a new passphrase to the kernel keyring.
• ecryptfs-manager: manages eCryptfs objects such as keys.
• ecryptfs-stat: allows you to view the ecryptfs meta information for a file.
6.4. References
• For more information on eCryptfs see the Launchpad project page [21].
• There is also a Linux Journal [22] article covering eCryptfs.
• Also, for more ecryptfs options see the ecryptfs man page [23].
• The eCryptfs Ubuntu Wiki [24] page also has more details.