Ecryptfs


Introduction

Encryption is becoming more popular and, IMO, is simply the best way to protect your data from unauthorized access or in the event your laptop is stolen. There are several options for encrypting an entire directory or partition :

I wanted to feature Ecryptfs as it is used on Ubuntu as an option (during installation) to encrypt your home directory. This page is intended to review the features of Ecryptfs, including how to set up a private, encrypted directory in Ubuntu (9.04 or higher). As of this writing, Ubuntu 9.04 is a Beta Release, so do not be surprised if you find bugs.

New features in Ubuntu 9.04 (Jaunty):

Overview

Ecryptfs uses two passwords to decrypt your private directory.

The first is your log in password. This allows your private directory to be automatically decrypted when you log in. When you change your log in password, however, the Ecryptfs password is not updated. You unfortunately need to manually change the Ecryptfs password (see below).

While this may at first seem inconvenient, in effect it prevents root from accessing your private data by simply changing your user's password.

The second passphrase is called a "mount passphrase". This passphrase is used if you wish to mount your private directory manually.

sudo mount -t ecryptfs /home/user_name/.Private /home/user_name/Private

The mount passphrase, and not your log in password, is used to decrypt your data and is discussed on the Ubuntu Wiki page (see References below).

Ecryptfs uses 3 directories: .Private, Private, and .ecryptfs

How it works

Your data is encrypted in ~/.Private and is decrypted by mounting ~/.Private to ~/Private using ecryptfs-mount-private. This is performed automatically when you log in (although you can manually encrypt (unmount) / decrypt (mount)). When you log off, all data in Private is then encrypted to .Private.

If you elect to encrypt your entire home directory the setup is a bit more complex in that ~/.ecryptfs is a symbolic link to /var/lib/ecryptfs/user_name/ . This is all set up during the installation.


Private (encrypted) directory

Ecryptfs can be used to create an encrypted directory in your home directory. By default, this directory is called "Private" and is automatically decrypted when you log in. This is a change from Ubuntu 8.10 where the directory was only decrypted automatically if you logged in via GDM (X).

This directory is then automatically encrypted when you log off.

To generate an encrypted directory we first need to install Ecryptfs

sudo apt-get install ecryptfs-utils

Then simply

ecryptfs-setup-private

This will first ask for your login password; enter your log in password. You will next be asked to "Enter your mount passphrase [leave blank to generate one]". Leave this blank (hit the enter key) and a random passphrase will be generated.

That is all there is to it. Any data you place in ~/Private will be encrypted in ~/.Private when you log off.


Make an encrypted directory with a unique name

You may wish to use an alternate name to "Private". Although this is easy to do, it is not as automated as ecryptfs-setup-private and requires root access (via sudo).

To do this, make a new directory such as "secret".

mkdir ~/secret
chmod 700 ~/secret

Now mount the directory secret (as root) with the mount command, using Ecryptfs as the filesystem type.

You may use either a single directory (as I do in this example) or two directories (as is default for your Private and .Private directories).

When using a single directory, the contents are encrypted into the same directory when the directory is unmounted.

sudo mount -t ecryptfs ~victoria/secret ~victoria/secret

You will be asked to enter a passphrase and a number of additional questions. Go with the defaults (hit enter) but answer y (yes) to "Enable filename encryption (y/n) [n]:" to encrypt file names.

See man ecryptfs for an explanation of the options.

FYI: ~username is short hand for /home/username

Place any data you wish encrypted in ~/secret .

sudo umount ./secret

To make it easier you can give the options you desire to the mount command with the -o flag (all one line)

sudo mount -t ecryptfs ./secret ./secret -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes

Either make an alias in ~/.bashrc or make a custom launcher.

There are two caveats to this method:

  1. The custom directory will NOT automatically be decrypted when you log in.
  2. You may use more than one password.

If you use more than one password, you will have more than one set of data. Only data encrypted with password_1 will be decrypted when you mount with password_1. Data encrypted with password_2 will remain encrypted.


Encrypt your entire home directory

This is now an option on both the alternate and desktop (live) CDs.

With the alternate CD you will be given the option to encrypt your home directory as part of the installation, just after you create your first user.

This can be done with the desktop CD with a "cheat code".

Boot the desktop CD. At the very first screen, just after you select your language, hit F6, then the Esc key. This will allow you to edit the options line. Use the arrow keys on the keyboard to position the cursor between the word "splash" and the "--" at the end of the line.

Add user-setup/encrypt-home=true , be sure there is a space between the cheat code and the --

Hit the enter key to continue booting.

As you install, at the screen where you enter your user name and password, you now have a new option, "Require a password to log in and decrypt your home folder".

Congratulations, your home directory is now encrypted.


Change your passphrase to mount your encrypted private directory or home

When you are using an encrypted home directory, you must change your Ecryptfs passphrase and log in password at the same time. This is accomplished either via the graphical interface (easiest) or from the command line (not difficult).

Graphical Interface

Change your password from the graphical interface under:

System -> Preferences -> About Me

Click the "Change password ..." box :

Enter your current password, click "Authenticate", enter and confirm your new password.

Finally, click "Change password".

Command line

If you change your (login) password from the command line, you will notice the passphrase to mount your encrypted home directory is NOT updated. This is good news in that it keeps root from accessing your data simply by changing your user's password and logging in as your user.

To change your log in password, use passwd :

passwd

Enter your old password, new password, and confirm your new password.

Next change your Ecryptfs passphrase (to your new login password). To change your Ecryptfs passphrase, use ecryptfs-rewrap-passphrase :

ecryptfs-rewrap-passphrase ~/.ecryptfs/wrapped-passphrase

You will need to enter your old passphrase, then your new passphrase.


Prevent your encrypted private directory or home from being mounted automatically

Simply delete

This is an empty file and you can recreate it with

touch ~/.ecryptfs/auto-mount
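
A way to check the state described on this page, as an added example that is not part of the original page or of ecryptfs-utils: it reports whether ~/Private is currently mounted (decrypted and readable), which cipher options the mount uses, and whether the auto-mount and wrapped-passphrase files exist. The function names and the sample mounts line are constructed, and it assumes the Private directory layout rather than a fully encrypted home.

```shell
#!/bin/sh
# Added example (not from the original page): report the eCryptfs state
# of a home directory. Usage: sh ecryptfs-state.sh HOME_DIR [MOUNTS_FILE]

# Succeed if HOME_DIR/Private is an active ecryptfs mount, i.e. the
# decrypted view of .Private is readable right now.
private_is_mounted() {
    awk -v mp="$1/Private" \
        '$2 == mp && $3 == "ecryptfs" { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# Print the value of one mount option of HOME_DIR/Private.
mount_option() {    # $1 = home, $2 = option name, $3 = mounts file
    awk -v mp="$1/Private" -v opt="$2" '
        $2 == mp && $3 == "ecryptfs" {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (index(o[i], opt "=") == 1)
                    print substr(o[i], length(opt) + 2)
        }' "${3:-/proc/mounts}"
}

# Run a command and print yes or no depending on its exit status.
yesno() { if "$@"; then echo yes; else echo no; fi; }

ecryptfs_state() {  # $1 = home, $2 = mounts file
    mounts=${2:-/proc/mounts}
    echo "mounted=$(yesno private_is_mounted "$1" "$mounts")"
    echo "cipher=$(mount_option "$1" ecryptfs_cipher "$mounts")"
    echo "key_bytes=$(mount_option "$1" ecryptfs_key_bytes "$mounts")"
    echo "auto_mount=$(yesno test -e "$1/.ecryptfs/auto-mount")"
    echo "wrapped_passphrase=$(yesno test -e "$1/.ecryptfs/wrapped-passphrase")"
}

# Constructed sample: one /proc/mounts line for a mounted Private directory.
write_sample_mounts() {  # $1 = home, $2 = output file
    echo "$1/.Private $1/Private ecryptfs rw,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0" > "$2"
}

# Only report when a home directory is given on the command line.
[ "$#" -eq 0 ] || ecryptfs_state "$@"
```

A result of mounted=yes means anything able to read your files in that session sees cleartext; the encryption only protects the data while the directory is unmounted.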


Create a new user with an encrypted home directory

Simply use adduser with the --encrypt-home option (no graphical option yet).

sudo adduser --encrypt-home new_user_name


Access your encrypted data from a live CD

See: Dustin Kirkland's Blog


Using Ecryptfs with a separate /home partition

One downside of encryption is that using a separate /home partition is more difficult and there are as of yet no automated tools on the installation CD (alternate or desktop) to automatically preserve and configure your Ecryptfs encrypted /home directories.

I advise you back up your data, install, then restore your data.


Using Ecryptfs to encrypt swap

Note: Encrypting swap may break hibernation and sleep.

In addition to ecryptfs-utils you need cryptsetup

sudo apt-get install ecryptfs-utils cryptsetup

Then use ecryptfs-setup-swap

sudo ecryptfs-setup-swap

This will unmount your swap partition, encrypt it, and remount it.

A new entry for your encrypted swap is automatically generated in /etc/fstab, but unfortunately, as of this writing, the old entry is not removed and you must remove it manually (or suffer error messages when you boot).

Using any editor, edit fstab as root (gksu gedit /etc/fstab)

The old swap starts with either UUID=xxx-yyy-zzz or /dev/sdxy, remove that line.

The new swap is identified by /dev/mapper/cryptswap , keep this line.

That's it, your swap is now encrypted and will mount automatically when you boot.
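
A check for the leftover entry described above, as an added example that is not part of the original page or of ecryptfs-utils: it lists the active swap lines in an fstab whose device is not under /dev/mapper/, which are the ones to remove. The function names and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): find plaintext swap lines
# left in fstab after ecryptfs-setup-swap. Usage: sh check-swap.sh /etc/fstab

# Print every active (uncommented) swap line not backed by /dev/mapper/.
stale_swap_entries() {
    awk '$1 !~ /^#/ && $3 == "swap" && $1 !~ /^\/dev\/mapper\// { print }' "$1"
}

# Succeed only if an encrypted swap entry is present.
has_cryptswap() {
    awk '$1 !~ /^#/ && $3 == "swap" && $1 ~ /^\/dev\/mapper\/cryptswap/ { found = 1 }
         END { exit !found }' "$1"
}

# Return 0 when only encrypted swap is configured, 1 when plaintext swap
# lines remain, 2 when no encrypted swap entry exists at all.
report() {
    if ! has_cryptswap "$1"; then
        echo "no /dev/mapper/cryptswap entry in $1"
        return 2
    fi
    stale=$(stale_swap_entries "$1")
    if [ -n "$stale" ]; then
        echo "remove these plaintext swap lines from $1:"
        echo "$stale"
        return 1
    fi
    echo "ok: only encrypted swap in $1"
}

# Constructed sample fstab: the old swap line is still present next to
# the new encrypted one.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# /etc/fstab (constructed sample)
proc  /proc  proc  defaults  0 0
UUID=xxx-yyy-zzz  /  ext3  relatime,errors=remount-ro  0 1
UUID=aaa-bbb-ccc  none  swap  sw  0 0
/dev/mapper/cryptswap  none  swap  sw  0 0
EOF
}

# Only report when an fstab path is given on the command line.
if [ "$#" -gt 0 ]; then report "$1"; fi
```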


I would like to thank Dustin Kirkland for his contributions to Ecryptfs and his blog. His blog in particular is the best source of up to date information on Ecryptfs.


References