Experimenting with ecryptfs
Since I last blogged about encryption, I have made a few changes in how I do things. I’ll give an overall summary and recommendations at some time in the future.
The weakest point in my encryption strategy was with my desktop computer at work. I set that up only for encrypted swap. The reason is that I leave that running at all times, and expect to be able to access it remotely from home and elsewhere. If there’s a power interruption when I am not present, it needs to be able to boot unattended. And if I encrypt the “/home” file system, then that won’t work very well. The boot would hang at the point where it was asking for the encryption key. So my choice was to go without an encrypted “/home”, but be cautious about storing anything sensitive on that computer, unless in an encrypted file.
I am now experimenting with ecryptfs. It looks as if it might be an excellent solution. It will allow me to have an encrypted subdirectory, by default “$HOME/Private” which is only decrypted when I login. So there is no need for a key during bootup.
I went with the default location of “$HOME/Private”. Here’s how it works:
There is a directory “$HOME/.ecryptfs” which contains configuration for my use of ecryptfs. There is another directory, “$HOME/.Private” where the files are really stored but are kept encrypted. And then “$HOME/Private” is a directory used as a mount point.
If I want to access the files in “$HOME/Private”, I use the command:
That prompts me for my login password. Then the encrypted files are visible as plain files (unencrypted files) in “$HOME/Private”. In effect, the ecryptfs support creates a virtual decrypted image of the encrypted directory, and mounts that as “$HOME/Private”. Encryption/decryption is done on the fly. If I access a file in “$HOME/Private”, then the content of that file is decrypted from “$HOME/.Private” and made available. If I write to a file in “$HOME/Private”, then the data written is automatically encrypted and written to the corresponding file in “$HOME/.Private”.
This works very well. It is said to be slower than using LUKS encryption of a partition. I have not done any timings for that. I actually have very few files with that kind of sensitive information, so I don’t expect the cost to be noticeable.
Setup in openSUSE
The support for ecryptfs was not automatically installed. So I first had to install “ecryptfs-utils” from the standard openSUSE repos.
My experiments showed that it does not work properly unless the “ecryptfs” kernel module is loaded. So I added that to the list of modules to be auto-loaded, in “/etc/sysconfig/kernel”.
In order for an ordinary user to be able to run the command “ecryptfs-mount-private”, the permissions on “/sbin/mount.ecryptfs_private” must be changed to make that setuid.
# cd /sbin # chmod u+s mount.ecryptfs_private # ls -l mount.ecryptfs_private ## list as a check.
Then the user who plans to use ecryptfs must run the user setup program:
That command prompts for the user login password. It actually uses a random key to encrypt the files. In turn, that random key is encrypted with the user login password. This allows a user to change password without losing access to the files. He need only reencrypt the key with the new password. (I have not tested that function).
Using the ecryptfs file system
Once it has been setup, then you can access the unencrypted version of the files by running the command:
And, before you logout, you might want to make the unencrypted version unavailable with:
Automating with PAM
It turns out that a PAM setup can be used to make things easier. I hesitated for a while before trying this. And when I did try, I found that the documentation was not correct. It probably has not been fully updated.
Here’s what I did. As root, I edited two files in “/etc/pam.d”. Those two files are “common-auth-pc” and “common-session-pc”. I added a line to each. In each case, I added the line immediately after the existing line that mentioned “pam_unix2.so”.
For “common-auth-pc”, the line that I added was:
auth required pam_ecryptfs.so unwrap
For “common-session-pc” the added line was:
session optional pam_ecryptfs.so unwrap
Here’s how ecryptfs behaves after those PAM changes:
When I login using a password, the ecryptfs file system is automatically unlocked. I don’t have to do anything.
When I logout, the encrypted file system is automatically locked. Again, I don’t have to do anything for this.
If I login without using a password — say by connecting with ssh using public key authentication — then the ecryptfs files are not available until I manually run the command “ecryptfs-mount-private” and give the login password. When I logout from that ssh session, the ecryptfs files are automatically locked again.
A word of caution
If you are going to use ecryptfs, you should use encrypted swap. An unencrypted copy of some of the file will be temporarily in memory, and could be paged out. Encrypted swap is your protection for this, to ensure that unencrypted data from those files are never written directly to disk.