Encrypt Your Directories And Partitions With eCryptfs In Linux

eCryptfs is a cryptographic stacked Linux filesystem which is derived from Erez Zadok’s Cryptfs, and the FiST framework for stacked filesystems. eCryptfs extends Cryptfs to provide advanced key management and policy features. It was originally developed by Michael Halcrow and the IBM Linux Technology Center. Now it is actively maintained by Dustin Kirkland and Tyler Hicks of Canonical, Ltd.

eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel keyring. There is no need to keep track of any additional information aside from what is already in the encrypted file itself. You may think of eCryptfs as a sort of “gnupgfs”, or “gnupg as a filesystem”.

eCryptfs is widely used, as the basis for Ubuntu’s Encrypted Home Directory, natively within Google’s ChromeOS, and transparently embedded in several network attached storage (NAS) devices.

In this tutorial, let us learn how to encrypt a directory and partition with eCryptfs on Debian and Ubuntu systems. I tested this how-to on Debian 7 ‘Wheezy’ and it works perfectly for me.

Install eCryptfs On Debian / Ubuntu

eCryptfs is available in the default repositories of Debian and Ubuntu. So we can install it using the command:

# apt-get install ecryptfs-utils

Encrypt A Directory

In this example, I am going to encrypt a directory. Say for example, let us encrypt a directory named /home/sk/unixmen.

Make sure that the directory to be encrypted doesn’t contain any data. If it has any data, back it up safely to another directory and restore it later. Data already present in the directory will not be accessible after the directory is mounted with eCryptfs.

For testing purposes, I create a new empty directory /home/sk/unixmen.

# mkdir /home/sk/unixmen

Now let us encrypt the above directory using command:

# mount -t ecryptfs /home/sk/unixmen/ /home/sk/unixmen/

When you run this mount command, it will ask you a couple of questions as shown below. Read and answer them accordingly.

Select key type to use for newly created files:
1) tspi
2) passphrase
Selection: 2 <----- Key type selection.
Passphrase:  <----- Enter passphrase.
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: <---- Press Enter
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]: <---- Press Enter
Enable plaintext passthrough (y/n) [n]: <----- Press Enter
Enable filename encryption (y/n) [n]: <---- Press Enter
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=5c116acdf1d0dd89
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes <---- Type Yes and Press Enter
Would you like to append sig [5c116acdf1d0dd89] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes <---- Type Yes and press Enter
Successfully appended new sig to user sig cache file
Mounted eCryptfs

Now let us check the encrypted directory with command:

# mount

Sample output:

sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=62987,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=51480k,mode=755)
/dev/mapper/server-root on / type ext4 (rw,relatime,errors=remount-ro,user_xattr,barrier=1,data=ordered)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=102960k)
/dev/sda1 on /boot type ext2 (rw,relatime,errors=continue)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
/home/sk/unixmen on /home/sk/unixmen type ecryptfs (rw,relatime,ecryptfs_sig=5c116acdf1d0dd89, ecryptfs_cipher=aes,ecryptfs_key_bytes=16, ecryptfs_unlink_sigs)

As you see on last line, the directory /home/sk/unixmen is mounted with ecryptfs filesystem which means that the directory is encrypted.
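As an added example (not code from the original tutorial), the following POSIX shell helpers reproduce the choices made at the prompts above as a single non-interactive option string, validate the cipher and key size against the table the prompt prints, and check `mount` output for the directory the way the last step does by eye. The function names, the constructed sample `mount` lines, and the signature value reused from the output above are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: build the eCryptfs mount
# options the interactive prompts above end up with, and verify from `mount`
# output that a directory really is an eCryptfs mount.

# Key size limits per cipher, exactly as the "Select cipher" prompt lists them.
# Prints "MIN MAX" in bytes, or fails for a cipher the prompt does not offer.
ecryptfs_cipher_limits() {
    case "$1" in
        aes)      echo "16 32" ;;
        blowfish) echo "16 56" ;;
        des3_ede) echo "24 24" ;;
        twofish)  echo "16 32" ;;
        cast6)    echo "16 32" ;;
        cast5)    echo "5 16" ;;
        *) echo "unknown cipher: $1" >&2; return 1 ;;
    esac
}

# ecryptfs_mount_opts CIPHER KEY_BYTES SIG
# Prints the option string for: mount -t ecryptfs -o "$opts" DIR DIR
# With these options mount.ecryptfs asks only for the passphrase; SIG is the
# 16-hex-digit key signature (the value later written to sig-cache.txt).
ecryptfs_mount_opts() {
    cipher=$1; key_bytes=$2; sig=$3
    limits=$(ecryptfs_cipher_limits "$cipher") || return 1
    min=${limits% *}; max=${limits#* }
    case "$key_bytes" in
        ''|*[!0-9]*) echo "key bytes must be a number" >&2; return 1 ;;
    esac
    if [ "$key_bytes" -lt "$min" ] || [ "$key_bytes" -gt "$max" ]; then
        echo "$cipher takes $min..$max key bytes, got $key_bytes" >&2
        return 1
    fi
    case "$sig" in
        *[!0-9a-f]*|'') echo "signature must be lowercase hex: $sig" >&2; return 1 ;;
    esac
    if [ "${#sig}" -ne 16 ]; then
        echo "signature must be 16 hex digits: $sig" >&2; return 1
    fi
    printf 'key=passphrase,ecryptfs_unlink_sigs,ecryptfs_key_bytes=%s,ecryptfs_cipher=%s,ecryptfs_sig=%s,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n\n' \
        "$key_bytes" "$cipher" "$sig"
}

# ecryptfs_mount_info DIR   (reads `mount` output on stdin)
# Prints the mount options of DIR and returns 0 if DIR is mounted as ecryptfs;
# prints nothing and returns 1 otherwise (not mounted, or mounted as some
# other filesystem type).
ecryptfs_mount_info() {
    awk -v dir="$1" '
        $2 == "on" && $3 == dir && $4 == "type" && $5 == "ecryptfs" {
            s = ""
            for (i = 6; i <= NF; i++) s = s $i   # rejoin options split by stray spaces
            gsub(/[()]/, "", s)
            print s
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample: the last lines of the `mount` output shown above.
SAMPLE_MOUNT_OUTPUT='/dev/sda1 on /boot type ext2 (rw,relatime,errors=continue)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
/home/sk/unixmen on /home/sk/unixmen type ecryptfs (rw,relatime,ecryptfs_sig=5c116acdf1d0dd89, ecryptfs_cipher=aes,ecryptfs_key_bytes=16, ecryptfs_unlink_sigs)'

# Usage on a real system (as root), for example:
#   mount -t ecryptfs -o "$(ecryptfs_mount_opts aes 16 5c116acdf1d0dd89)" /home/sk/unixmen /home/sk/unixmen
#   mount | ecryptfs_mount_info /home/sk/unixmen || echo "not an eCryptfs mount"
```

Passing the options explicitly is useful in scripts because the prompts never appear; only the passphrase is asked for. The `ecryptfs_mount_info` check distinguishes a directory that merely exists (or is mounted as ext4) from one whose contents are currently being decrypted by eCryptfs, which is the condition the `mount` step above is confirming.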

Test Encrypted Directory

Now let us check whether the directory is really encrypted. Create a text file as shown below in our encrypted directory.

# nano /home/sk/unixmen/test.txt

Add some contents in it.

Welcome to unixmen.. Let us encrypt a directory..

Save and close file. Now unmount the directory from ecryptfs file system as shown below.

# umount /home/sk/unixmen

The decrypted view of the directory is gone now; only the encrypted files on disk remain.

Then try to view the file in the directory. You’ll probably see some junk characters in the file, as shown below.

# cat /home/sk/unixmen/test.txt

Sample output:

��n&!�b�!��m�~F�59d����|��b}Έ�J�S���f<�"��k%�w�w    �9� ��)"B�!S�r�.���#&�^+��M��8�_ �+_�uAzW~V镑L_��g#K��'���Of�p����u���Ms��[|=���5�Լ���1�h�B^�M �4I�����H
��N��xo,��={
6��gtH��<��ZE�?��bj�
S{��y���� `#�`E���PRU��~��L�`Ӑu�e���u�^�����VhV��$����=�3d�'P\��b9��^�a����Pg���W��w�a��s��L��
q,[�|�xH��&xo�lz�S�E��m��ſ���y
�g���}�ؠ�Bլ�NFĔ�I�t��X��h�I�"[��fcz�a��j���
al�M�����ɩJ��p{�4�mڍHu�j����6.<�B
ƟJ4�4E���?�!O1�G����yMb��:��d��J��l9V��M�W,:��_���^;�[j�ښ�7�F�ޢ������i��fvI(�5S�(٢��)�
۾�JQrK$�W$�r6���BڞN/    O
Qh"PU�_�C6-o;>��Y��lR�Q�<��>��ɪ��:����U��B��K����)�p 0<H6/�����ʇ�Z�刡F��3W��⊧�%7��U�+�P�}��������b���Z#�Zo)w�d޸��?�k웭�㛥��?�]|�<U���033�<(a��Z�zm�1��!�uq����j�]ó����PY�s����b|���1���^�(�bq�,�9'">O���fD�ޮ‡�YETC\F��|r����1õ\�0��o~a.[�1�`ZeK�������־b��Ȕ�ʃ*W}ԃ��38:T��S$�`y�^</V]����Ɵ[����zY���}�(}K
G_��+;R�eAq�2G�>c����    }��a�l����E�+��t�2�����_bL��]ߑ02Z����X������hl`L�ċ�Դ0���a9���r�m|��a��y95�|����j�kPGe\��5�Z�e6��S�(

To see the files again, just mount the directory with ecryptfs filesystem.

# mount -t ecryptfs /home/sk/unixmen/ /home/sk/unixmen/
Select key type to use for newly created files:
1) tspi
2) passphrase
Selection: 2 <---- Type 2 and press enter
Passphrase:  <---- Enter the passphrase
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: <---- Press Enter
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]: <---- Press Enter
Enable plaintext passthrough (y/n) [n]: <---- Press Enter
Enable filename encryption (y/n) [n]: <---- Press Enter
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=5c116acdf1d0dd89
Mounted eCryptfs

Now the directory is mounted with ecryptfs file system. You’ll be able to view the files in the encrypted directory without any problem.

Auto mount the Encrypted partitions

You may not want to mount your encrypted partitions by hand after every reboot.

Here I will describe how to automount the encrypted partition at boot. I use a USB drive to store the passphrase.

Plug in your pendrive. Create a mount point and mount the pendrive with the following commands.

# mkdir /mnt/usb
# mount /dev/sdb1 /mnt/usb/

Note down your key signature. It is recorded in the following file.

# cat /root/.ecryptfs/sig-cache.txt

Sample output:

5c116acdf1d0dd89

Create a file on the USB key and put the passphrase in it.

# nano /mnt/usb/passwd.txt

Add your passphrase in this file. My passphrase is unixmen.

unixmen

Save and close the file.

Now create a file /root/.ecryptfsrc,

# vi /root/.ecryptfsrc

Add the following lines, specifying the location of passwd.txt and the signature taken from sig-cache.txt (here 5c116acdf1d0dd89).

key=passphrase:passphrase_passwd_file=/mnt/usb/passwd.txt
ecryptfs_sig=5c116acdf1d0dd89
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n

Save and close the file. Now add the following lines to /etc/fstab file.

/dev/sdb1       /mnt/usb        ext3    ro      0 0
/home/sk/unixmen /home/sk/unixmen ecryptfs defaults 0 0

The USB drive must be mounted before the encrypted partition, so place the USB line before the encrypted partition line in /etc/fstab.

Finally, reboot and the /home/sk/unixmen should be mounted using eCryptfs.
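As an added example (not part of the original tutorial), the following POSIX shell script checks the automount setup above before you rely on it at boot: it reads the .ecryptfsrc file, confirms that the passphrase file from the USB key is present and readable only by its owner, confirms that the signature is already in sig-cache.txt (otherwise mount.ecryptfs stops at its "never mounted with this key" prompt and waits for an answer), and only then issues the same non-interactive mount that the fstab entry performs. The function names, taking the rc file and sig cache as parameters, and the use of `stat -c %a` (GNU coreutils, as on Debian and Ubuntu) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: preflight checks for the
# USB-key automount described above, followed by the non-interactive mount.

# ecryptfsrc_to_opts RCFILE
# Joins the key=value lines of an .ecryptfsrc file into the comma-separated
# string that "mount -t ecryptfs -o" expects; blank and # lines are skipped.
ecryptfsrc_to_opts() {
    awk '
        NF == 0 || /^[[:space:]]*#/ { next }
        { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
          s = (s == "") ? $0 : s "," $0 }
        END { print s }
    ' "$1"
}

# ecryptfsrc_get RCFILE KEY   -> value of KEY (first match, empty if absent)
ecryptfsrc_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# ecryptfs_preflight RCFILE SIGCACHE
# Returns 0 when the automount can proceed; otherwise reports every problem
# found on stderr and returns 1.
ecryptfs_preflight() {
    rc=$1; sigcache=$2; status=0
    # e.g. passphrase:passphrase_passwd_file=/mnt/usb/passwd.txt
    keyspec=$(ecryptfsrc_get "$rc" key)
    passwd_file=${keyspec#*passphrase_passwd_file=}
    sig=$(ecryptfsrc_get "$rc" ecryptfs_sig)

    if [ -z "$keyspec" ] || [ "$passwd_file" = "$keyspec" ]; then
        echo "preflight: no passphrase_passwd_file in $rc" >&2; status=1
    elif [ ! -r "$passwd_file" ]; then
        echo "preflight: $passwd_file is missing (is the USB key mounted?)" >&2; status=1
    else
        # The passphrase sits in clear text on the key (an ext3 filesystem, so
        # Unix permissions apply); require owner-only access, i.e. mode x00.
        perms=$(stat -c %a "$passwd_file")
        case "$perms" in
            *00) ;;
            *) echo "preflight: $passwd_file has mode $perms, expected 600" >&2; status=1 ;;
        esac
    fi

    if [ -z "$sig" ]; then
        echo "preflight: no ecryptfs_sig in $rc" >&2; status=1
    elif ! grep -qx "$sig" "$sigcache" 2>/dev/null; then
        echo "preflight: sig $sig not in $sigcache; mount.ecryptfs would warn and prompt" >&2
        status=1
    fi
    return "$status"
}

# ecryptfs_automount RCFILE SIGCACHE DIR
# Runs the preflight and, if it passes, mounts DIR onto itself without prompts.
ecryptfs_automount() {
    ecryptfs_preflight "$1" "$2" || return 1
    mount -t ecryptfs -o "$(ecryptfsrc_to_opts "$1")" "$3" "$3"
}

# Usage on a real system (as root, after the USB key is mounted):
#   ecryptfs_automount /root/.ecryptfsrc /root/.ecryptfs/sig-cache.txt /home/sk/unixmen
```

Running `ecryptfs_preflight /root/.ecryptfsrc /root/.ecryptfs/sig-cache.txt` once before the first reboot catches the two things that make this setup fail silently at boot: the USB key not being mounted yet (the ordering point made about /etc/fstab above) and a signature that was never appended to sig-cache.txt.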

Good Luck.

Reference Links:

eCryptfs Website

Ubuntu Help Documentation