Using ecryptfs with opensuse 12.2

[Update: it appears that the ecryptfs kernel module may need to be loaded before you can setup a private directory.  See the comments below, particularly my reply with time stamp of “2012/09/10 at 22:16”.]

It has been a while since I first posted on ecryptfs, and there have been some changes (improvements) with opensuse 12.2.  My earlier post was about my experimenting.  Some time in the near future, I will do a more complete post about ecryptfs.  For now, this will be specific to using it with opensuse 12.2, and about what has changed since that earlier post.

What has mainly changed is that opensuse support for ecryptfs has improved.  It still does not quite work “out of the box,” but it is closer.

Installing ecryptfs

The ecryptfs software is not automatically installed.  Moreover, it is not included in the install DVD.  However, it is available in the repos.  So the first thing you will need to do is start Yast, and click on “Software Management”.  From there, enter “ecryptfs” into the search box, and click “search”.  Then select “ecryptfs-utils” for installation.

That’s it, as far as installing goes.

System setup

In prior versions of opensuse, the permissions were wrong on “/sbin/mount.ecryptfs_private” and you had to change that (make it suid) before you could properly use ecryptfs.  That has been fixed in 12.2.  Also, with 12.1, I found that ecryptfs would not work properly the first time that it was used after reboot.  So I had to force loading of the ecryptfs module during boot.  That, too, has been fixed with opensuse 12.2.

What remains broken is the PAM support for ecryptfs.  The proper entries are now in the PAM configuration, but they are in the wrong order.  To fix that, open an editor as root, and edit the file “/etc/pam.d/common-auth-pc”.  It should contain the line

auth    required        pam_ecryptfs.so unwrap

but that line is in the wrong place.  So move that line to just after the line

auth    required        pam_unix2.so

I use “vi” (really “vim”) for this.  I move the cursor to the ecryptfs line, and type “dd” (without the quotes) which deletes that line.  Then I move my cursor to the “unix2.so” line, where I type “p” (without the quotes) to “pull” a copy of that deleted line and insert it below the current line.  Finally, I type “:wq” (without the quotes) to write back the file and quit.

Unfortunately, you may have to do this again.  Whenever a system update affects one of the pam modules, the pam configuration is rebuilt, and that rebuild may put the line back in the wrong place.
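Because a PAM update can undo the edit, it is worth having a script that checks the order and repairs it.  The following is an added example, not from the original post: it assumes the line format shown above (“auth required pam_unix2.so” and “auth required pam_ecryptfs.so unwrap”), works on the file the post names by default, and takes another path so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the original post: check that the pam_ecryptfs line
# in a PAM auth file directly follows the pam_unix2 line, and move it there if
# not.  Default path is the file the post names; pass another path to work on
# a copy.  Run the fix as root; it keeps a .bak copy of the original file.

PAM_FILE_DEFAULT=/etc/pam.d/common-auth-pc
UNIX2_RE='^auth[[:space:]]+required[[:space:]]+pam_unix2[.]so'
ECRYPTFS_RE='^auth[[:space:]]+required[[:space:]]+pam_ecryptfs[.]so'

# Print "ok" when pam_ecryptfs.so is on the line right after pam_unix2.so,
# "missing" when either line is absent, "broken" otherwise.
ecryptfs_pam_status() {
    f=${1:-$PAM_FILE_DEFAULT}
    awk -v u="$UNIX2_RE" -v e="$ECRYPTFS_RE" '
        $0 ~ u { unix2 = NR }
        $0 ~ e { ecr = NR }
        END {
            if (!unix2 || !ecr)        print "missing"
            else if (ecr == unix2 + 1) print "ok"
            else                       print "broken"
        }' "$f"
}

# Rewrite the file with the pam_ecryptfs line moved to just after pam_unix2:
# the same edit the post does by hand in vi (dd, then p on the unix2 line).
ecryptfs_pam_fix() {
    f=${1:-$PAM_FILE_DEFAULT}
    case $(ecryptfs_pam_status "$f") in
        ok)      return 0 ;;
        missing) echo "$f: pam_unix2/pam_ecryptfs line not found" >&2; return 1 ;;
    esac
    line=$(grep -E "$ECRYPTFS_RE" "$f" | head -n 1)
    tmp=$(mktemp) || return 1
    awk -v u="$UNIX2_RE" -v moved="$line" '
        $0 == moved { next }          # drop it from its current place
        { print }
        $0 ~ u      { print moved }   # re-insert right after the pam_unix2 line
    ' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$f" "$f.bak" && cat "$tmp" > "$f"   # cat keeps owner and mode of $f
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Running “ecryptfs_pam_status” after each update tells you whether the order has been reset before you discover it at login.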

Using ecryptfs

Now that the software is installed on the system, and suitably configured, you should be able to do everything with user level commands (until the pam configuration breaks).

Here’s a useful hint.  At a command prompt, use

ls /usr/bin/ecryptfs*

to list all of the user level commands for ecryptfs.  The names are a pretty good guide as to what they do.

To get started, use the command

ecryptfs-setup-private

That will set you up for using ecryptfs.  It will create three directories under your home directory (or home folder).  Those are “Private”, “.Private” and “.ecryptfs”.  Of those, “.Private” and “.ecryptfs” are normally hidden (because their names begin with “.”).  Most of what you do will use the visible “Private” directory.

Of those three directories, “.ecryptfs” contains your personal configuration, “.Private” contains the encrypted version of your files, and “Private” is where you will transparently see the unencrypted version of your files.

When setting up your private directory, you are asked for your login password.  You are also asked for a mount passphrase, with a hint that you can leave that blank.  The way this actually works, is that your files are encrypted with the mount passphrase.  In turn, the mount passphrase is encrypted with your login password.

If you previously setup ecryptfs with an earlier version of opensuse, one of the files in your Private directory might be wrong.  I’ll comment on that near the end of this post.

Accessing your private data

Once you have setup your private directory, it should be accessible the next time you login.  The way this works, is that ecryptfs mounts a virtual directory on top of “Private”, and whenever you look at a file there, the corresponding file in “.Private” is transparently decrypted to give you access to the data.

Sometimes this does not work.  There are three cases that I know of, where you will not see your files in your “Private” directory on login.  Those are

  • When the pam configuration is broken (discussed above);
  • When you are logged in automatically at boot;
  • When you login with a method that does not use a password (such as an ssh login with public key authentication).

In those cases, you will need to manually unlock your files.  You will know that this is needed, if you look in “Private” and see only the two files “README.txt” and “Access-Your-Private-Data.desktop”.

To solve this problem at the command line, enter the command

ecryptfs-mount-private

In case you forget, that “README.txt” will remind you what the command is.
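The two signs described above (no ecryptfs mount on “Private”, and only the two placeholder files in it) can be checked from a login script so that the auto-login and ssh cases are caught.  This is an added example, not from the original post; it assumes the post’s layout under $HOME, and takes the mounts table path as a parameter so the check can be exercised on a constructed copy.

```shell
#!/bin/sh
# Added example, not from the original post: detect at login whether the
# ecryptfs "Private" directory is still locked, using the two signs the post
# describes, and unlock it interactively when the PAM path did not.

# 0 if an ecryptfs mount is present on $1, read from the mounts table in $2
# (default /proc/mounts; column 2 is the mount point, column 3 the fs type).
ecryptfs_private_mounted() {
    awk -v mp="$1" '$2 == mp && $3 == "ecryptfs" { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# 0 if $1 holds only the placeholder files left behind when Private is locked
# (README.txt and Access-Your-Private-Data.desktop), and nothing else.
ecryptfs_private_locked() {
    dir=$1
    [ -d "$dir" ] || return 1
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob pattern
        case ${entry##*/} in
            README.txt|Access-Your-Private-Data.desktop) ;;
            *) return 1 ;;                                 # a real file: not locked
        esac
    done
    [ -e "$dir/README.txt" ]   # the README must be there for this to be "locked"
}

# Call from ~/.profile: covers auto login, ssh key login and a broken PAM order.
# Does nothing when Private is already mounted or there is no terminal to ask on.
ecryptfs_login_check() {
    priv=${1:-$HOME/Private}
    ecryptfs_private_mounted "$priv" && return 0
    if ecryptfs_private_locked "$priv" && [ -t 0 ]; then
        echo "Private is locked; running ecryptfs-mount-private (see README.txt)."
        ecryptfs-mount-private
    fi
}
```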

To solve the problem from the graphic desktop, click on “Access-Your-Private-Data.desktop” (the word “desktop” might not show in your file manager).  If you happen to have setup your private directory with an earlier version of opensuse, clicking on that file may not work.  See my comment below on fixing older installs.

Now that you have it unlocked, using ecryptfs is simple.  Store all sensitive files in your “Private” directory, or a subdirectory of that.  As an example, I use “MH” formatted mailboxes.  The mailboxes are in directories under Mail.  I use claws-mail on the desktop, and “nmh” at the command line to access this mail.  I have created a mail folder called “crypto” for mail that I am composing and that will eventually be encrypted.  So “crypto” is really “Private/Mail/crypt” so that it is under my “Private” directory.  And “Mail/crypto” is a symbolic link to that.

Encrypted swap

When using ecryptfs, the software keeps a copy of the unencrypted data for files you are accessing.  This unencrypted data is held in memory, and made to appear as if it is a file in your “Private”.  However, there is a risk that data held in memory could be written to swap.  It is usually good advice to setup encrypted swap as protection.  I discussed how to do that in an earlier post on “Encrypted swap.”

Encrypting the home directory

It is possible to use ecryptfs for encrypting home directories.  Here, I will just mention the possibility.  I believe that Ubuntu does that.  The full details are beyond the intended scope of this post.  But I will give details in a future post on ecryptfs.

Fixing older installs

If you created your private ecryptfs directory with an earlier version of opensuse, then the file “Access-Your-Private-Data.desktop” (visible when the directory is locked) might be wrong.  The file was created with a broken symbolic link when I set it up with opensuse 12.1.  You will know this is a problem if you see that the “Private” directory is locked, but clicking on “Access-Your-Private-Data” does not work, or

ls -lL Private/Access-Your-Private-Data.desktop

gives errors when run from the command line.

To fix:

ecryptfs-umount-private   ## unmount (lock) the Private directory, if it is mounted
cd ~/Private
chmod u+w .               ## the locked directory is read-only; allow the change
rm Access-Your-Private-Data.desktop
ln -s /usr/share/applications/ecryptfs-mount-private.desktop Access-Your-Private-Data.desktop
chmod u-w .               ## make it read-only again

And then you can check by clicking on “Access-Your-Private-Data” to see if that now works.



About Neil Rickert

Mathematician and computer scientist who dabbles in cognitive science.

14 responses to “Using ecryptfs with opensuse 12.2”

  1. William Visser says :

    Dear Neil,

    Thank you very much!!!

    William Visser


  2. William Visser says :

    Dear Neil,

    I can’t get it to work. This is what happens:

    ecryptfs-setup-private
    ERROR: Cannot get ecryptfs version, ecryptfs kernel module not loaded?

    And then I try to load the module:

    modprobe ecryptfs
    Absolute path to ‘modprobe’ is ‘/sbin/modprobe’, so running it may require superuser privileges (eg. root).

    Must I use su / act as root in the terminal?

    Thank you in advance for your reply.

    William


  3. William Visser says :

    Dear Neil,

    I tried via su (as root). This is what happened:

    ecryptfs-setup-private
    Enter your login passphrase [joan]:
    Enter your mount passphrase [leave blank to generate one]:

    ************************************************************************
    YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
    ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
    THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
    ************************************************************************

    Done configuring.

    Testing mount/write/umount/read…
    Inserted auth tok with sig [cba2c2c24ccdffd7] into the user session keyring
    Inserted auth tok with sig [928a186c5cfa7b5c] into the user session keyring
    fopen: No such file or directory
    keyctl_search: Success
    Perhaps try the interactive ‘ecryptfs-mount-private’
    ERROR: Could not mount private ecryptfs directory

    I’m completely lost and becoming desperate


    • Neil Rickert says :

      Thanks for the report. Apparently, I did not test this well enough.

      To test, I setup a private directory on an account that did not have one. But my mistake was to do that on an already running machine, where the ecryptfs module was probably already loaded.

      To retest, I rebooted my computer. Then I logged in as a user that did not have an ecryptfs private directory. And I ran “ecryptfs-setup-private”. And I got the same message about the ecryptfs module not being loaded.

      Here’s what works.

      # su
      # modprobe ecryptfs
      # exit
      

      Now, back as an ordinary user, run “ecryptfs-setup-private”

      Your mistake, in your second attempt, was to not exit superuser mode before the setting up. So you appear to have setup an ecryptfs private directory for the superuser, but not for yourself. Or perhaps you set one up for yourself, but with all of the wrong permissions (i.e. owned by root).

      Try, in your home directory:

      ls -ld .ecryptfs .Private Private

      If those three directories exist, but are owned by root, then the simplest thing would be to remove them (as superuser):

      # rm -rf .ecryptfs .Private Private
      

      and then try setting up again. If you have since rebooted, you will have to do that modprobe again (as superuser), and then setup your private directory as yourself.


      • William Visser says :

        Dear Neil,

        Thank you very much. It works now.

        But another question:

        Do you know a procedure to use ecryptfs with a directory named other than ‘Private’, I mean a self chosen directory name?


        • Neil Rickert says :

          Yes, you can use just about any directory name that you like, with the exception of “.Private” and “.ecryptfs”. You can even use your home directory, but that takes more work.

          Before making such changes, you should unmount your private directory (if it is mounted) with

          ecryptfs-umount-private
          

          Then use the unix “mv” command to move (rename) Private to whatever you want. And, finally, edit the file “$HOME/.ecryptfs/Private.mnt”. That file has one line, and the line contains the path to where you want your private directory mounted.

          Finally, use

          ecryptfs-mount-private
          

          to test that it is all working.

          I plan a future post on using ecryptfs for the home directory.


  4. William Visser says :

    Dear Neil,

    Thank you!

    I don’t know why (maybe because of some update?) but in Opensuse 12.2 the permissions are wrong (again?) on “/sbin/mount.ecryptfs_private” and you have to change that (make it suid) before you could properly use ecryptfs.


    • Neil Rickert says :

      … the permissions are wrong (again?) on “/sbin/mount.ecryptfs_private

      That’s interesting. However, the permissions are correct here, and I am up-to-date with all updates. I am wondering what could have gone wrong for you, but not for me.

      On another note: I installed 12.3 Milestone 0. It is early days yet for 12.3. However, ecryptfs worked without tweaking. They seem to finally have the PAM setup correct. Let’s hope that is still true by the time 12.3 is released.


    • Neil Rickert says :

      A further thought.

      This might depend on how you have configured security settings via Yast.

      I am using the default of “easy”. However, if that is changed to “secure” or “paranoid”, I think it turns off the suid permission for mount.ecryptfs_private.

      Try:
      grep ecryptfs /etc/permissions.??*
      to see the relevant lines.


      • William Visser says :

        Dear Neil,

        Thank you. You’re right and gave the correct explanation. Everything worked OK, but today there was an update in Opensuse and after that I cannot mount ecryptfs anymore. After typing the password nothing happens. Can you advise me about how to solve this?

        William


        • William Visser says :

          Dear Neil,

          I found out that somehow through an OpenSuse update the file ‘mount.ecryptfs_private’ was not setuid anymore. I don’t understand what happened, but after changing it back to setuid it works again.

          William


          • Neil Rickert says :

            It is still setuid here.

            Check the output from
            grep PERMISSION_SECURITY /etc/sysconfig/security
            Here, I get:
            PERMISSION_SECURITY="easy local"
            (and another line). If you see “secure” or “paranoid”, then that’s a change that you have made to your system. I’m not sure, but I think updates apply these security settings. If you want to go with “secure” or “paranoid”, then you can add a line for “ecryptfs” to the local file “/etc/permissions.local”. Check the file “/etc/permissions.easy” to see what you need.


  5. William Visser says :

    Dear Neil,

    I still use Opensuse 12.2 but would like to upgrade to 12.3 and later on to 13.1. What holds me back is my fear that the configuration that I have now, including ecryptfs working, will be destroyed in the process of an upgrade. And I’m not a computer wizard who can easily make everything work OK again. My specific question to you is: What happens with ecryptfs in upgrading to 12.3? Will it be untouched because it is on the separate /home partition? Or will I get in trouble?
    Thank you in advance for your reply.
    Best regards,

    William


    • Neil Rickert says :

      As long as “/home” is preserved, you will be fine.

      Well, almost fine. You won’t be able to access any of the ecryptfs files until you have installed “ecryptfs-utils”.

      What I do: I have my usual account “rickert” where I have some ecryptfs stuff. I have a separate account “support” for just admin stuff, and nothing ecryptfs there. (Not much there at all).

      On first boot, I login as support, to icewm. I then install ecryptfs, and do any other initial tweaking. Then I logout, and login as “rickert”. And everything is fine.

      The big difference with 12.3 is that the pam module for unlocking your private directory keeps working, whereas in 12.2 it breaks whenever there is a pam update.

