Experimenting with ecryptfs

Since I last blogged about encryption, I have made a few changes in how I do things.  I’ll give an overall summary and recommendations at some time in the future.

The weakest point in my encryption strategy was with my desktop computer at work.  I set that up only for encrypted swap.  The reason is that I leave that running at all times, and expect to be able to access it remotely from home and elsewhere.  If there’s a power interruption when I am not present, it needs to be able to boot unattended.  And if I encrypt the “/home” file system, then that won’t work very well.  The boot would hang at the point where it was asking for the encryption key.  So my choice was to go without an encrypted “/home”, but be cautious about storing anything sensitive on that computer, unless in an encrypted file.

I am now experimenting with ecryptfs.  It looks as if it might be an excellent solution.  It will allow me to have an encrypted subdirectory, by default “$HOME/Private” which is only decrypted when I login.  So there is no need for a key during bootup.

I went with the default location of “$HOME/Private”.  Here’s how it works:

There is a directory “$HOME/.ecryptfs” which contains configuration for my use of ecryptfs.  There is another directory, “$HOME/.Private” where the files are really stored but are kept encrypted.  And then “$HOME/Private” is a directory used as a mount point.

If I want to access the files in “$HOME/Private”, I use the command:

% ecryptfs-mount-private

That prompts me for my login password.  Then the encrypted files are visible as plain files (unencrypted files) in “$HOME/Private”.  In effect, the ecryptfs support creates a virtual decrypted image of the encrypted directory, and mounts that as “$HOME/Private”.  Encryption/decryption is done on the fly.  If I access a file in “$HOME/Private”, then the content of that file is decrypted from “$HOME/.Private” and made available.  If I write to a file in “$HOME/Private”, then the data written is automatically encrypted and written to the corresponding file in “$HOME/.Private”.

This works very well.  It is said to be slower than using LUKS encryption of a partition.  I have not done any timings for that.  I actually have very few files with that kind of sensitive information, so I don’t expect the cost to be noticeable.

Setup in openSUSE

The support for ecryptfs was not automatically installed.  So I first had to install “ecryptfs-utils” from the standard openSUSE repos.

My experiments showed that it does not work properly unless the “ecryptfs” kernel module is loaded.  So I added that to the list of modules to be auto-loaded, in “/etc/sysconfig/kernel”.

In order for an ordinary user to be able to run the command “ecryptfs-mount-private”, the permissions on “/sbin/mount.ecryptfs_private” must be changed to make that setuid.

# cd /sbin
# chmod u+s mount.ecryptfs_private
# ls -l mount.ecryptfs_private  ## list as a check.

Then the user who plans to use ecryptfs must run the user setup program:

% /usr/bin/ecryptfs-setup-private

That command prompts for the user login password.  It actually uses a random key to encrypt the files.  In turn, that random key is encrypted with the user login password.  This allows a user to change password without losing access to the files.  He need only reencrypt the key with the new password.  (I have not tested that function).

Using the ecryptfs file system

Once it has been setup, then you can access the unencrypted version of the files by running the command:

% ecryptfs-mount-private

And, before you logout, you might want to make the unencrypted version unavailable with:

% ecryptfs-umount-private

Automating with PAM

It turns out that a PAM setup can be used to make things easier.  I hesitated for a while before trying this.  And when I did try, I found that the documentation was not correct.  It probably has not been fully updated.

Here’s what I did.  As root, I edited two files in “/etc/pam.d”.  Those two files are “common-auth-pc” and “common-session-pc”.  I added a line to each.  In each case, I added the line immediately after the existing line that mentioned “pam_unix2.so”.

For “common-auth-pc”, the line that I added was:

auth     required        pam_ecryptfs.so unwrap

For “common-session-pc” the added line was:

session       optional        pam_ecryptfs.so unwrap

Here’s how ecryptfs behaves after those PAM changes:

When I login using a password, the ecryptfs file system is automatically unlocked.  I don’t have to do anything.

When I logout, the encrypted file system is automatically locked.  Again, I don’t have to do anything for this.

If I login without using a password — say by connecting with ssh using public key authentication — then the ecryptfs files are not available until I manually run the command “ecryptfs-mount-private” and give the login password.  When I logout from that ssh session, the ecryptfs files are automatically locked again.

A word of caution

If you are going to use ecryptfs, you should use encrypted swap.  An unencrypted copy of some of the file will be temporarily in memory, and could be paged out.  Encrypted swap is your protection for this, to ensure that unencrypted data from those files are never written directly to disk.

Advertisements

Tags: ,

About Neil Rickert

Mathematician and computer scientist who dabbles in cognitive science.

5 responses to “Experimenting with ecryptfs”

  1. dperusich says :

    Nice article. I thought you’d be interested to know that a number of fixes/enhancements to ecryptfs in OpenSUSE are making there way into the distro and will hopefully be available in the upcoming releases.

    1. mount.ecryptfs_private will be setuid by default. The packaging has been updated and the codes being audited by the security team.
    https://bugzilla.novell.com/show_bug.cgi?id=740110

    2. pam-config’s been patched to support the ecryptfs pam modules. My patches for this have been added and the codes in OBS.
    https://bugzilla.novell.com/show_bug.cgi?id=752851

    3. add/remove pam modules upon installation of ecryptfs-utils. I’ve filed a bug and included a patch for this. Additional comments or +1 may help to accelerate this;-)
    https://bugzilla.novell.com/show_bug.cgi?id=755475

    Later,
    Darin

    Like

    • Neil Rickert says :

      Thanks for the update.

      I had been watching one of those bugzilla reports (the “suid” one).

      I’ll be watching to see if those changes make it to opensuse 12.2. The milestone 3 release should be out soon (it seems to have been delayed a little).

      Like

  2. William Visser says :

    Dear Neil,

    Thank you for your very good posts. Yesterday I upgraded to OpenSuse 12.2 and I expected setup of ecryptfs to be possible and easy. But no way. I don’ t understand what I’m doing wrong. Is there a step by step instruction available that specifically concentrates op ecryptfs in OpenSuse 12.2, that you know about? I desperately need something like that…

    Like

    • Neil Rickert says :

      There have been improvements on ecryptfs support for opensuse 12.2, but they still have the pam settings a bit off.

      I’m not sure where you are stuck, so it is hard to know what to advise. So I’ll take your comment as a reminder that I should do a full post on ecryptfs in 12.2. I’ll see if I can get to that some time today.

      Like

Trackbacks / Pingbacks

  1. More on ecryptfs « Thoughts on computing - 2012/01/22

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: