Using ecryptfs with opensuse 12.2
[Update: it appears that the ecryptfs kernel module may need to be loaded before you can setup a private directory. See the comments below, particularly my reply with time stamp of “2012/09/10 at 22:16”.]
It has been a while since I first posted on ecryptfs, and there have been some changes (improvements) with opensuse 12.2. My earlier post was about my experimenting. Some time in the near future, I will do a more complete post about ecryptfs. For now, this will be specific to using it with opensuse 12.2, and about what has changed since that earlier post.
What has mainly changed is that opensuse support for ecryptfs has improved. It still does not quite work “out of the box,” but it is closer.
The ecryptfs software is not automatically installed. Moreover, it is not included in the install DVD. However, it is available in the repos. So the first thing you will need to do is start Yast, and click on “Software Management”. From there, enter “ecryptfs” into the search box, and click “search”. Then select “ecryptfs-utils” for installation.
That’s it, as far as installing goes.
In prior versions of opensuse, the permissions were wrong on “/sbin/mount.ecryptfs_private” and you had to change that (make it suid) before you could properly use ecryptfs. That has been fixed in 12.2. Also, with 12.1, I found that ecryptfs would not work properly the first time that it was used after reboot. So I had to force loading of the ecryptfs module during boot. That, too, has been fixed with opensuse 12.2.
What remains broken is the PAM support for ecryptfs. The proper entries are now in the PAM configuration, but they are in the wrong order. To fix that, open an editor as root, and edit the file “/etc/pam.d/common-auth-pc”. It should contain the line
auth required pam_ecryptfs.so unwrap
but that line is in the wrong place. So move that line to just after the line
auth required pam_unix2.so
I use “vi” (really “vim”) for this. I move the cursor to the ecryptfs line, and type “dd” (without the quotes) which deletes that line. Then I move my cursor to the “unix2.so” line, where I type “p” (without the quotes) to “pull” a copy of that deleted line and insert it below the current line. Finally, I type “:wq” (without the quotes) to write back the file and quit.
Unfortunately, you may have to do this again. Whenever a system update affects one of the pam modules, the pam configuration is rebuilt, and that rebuild may put the line back in the wrong place.
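Because a package update can silently rebuild the PAM file, it is handy to have a check that can be re-run after every update. The following is an added example, not part of the original post: one shell function reports whether the “pam_ecryptfs.so unwrap” line sits directly after the “pam_unix2.so” line, and a second prints a corrected copy of the file with that line moved. Both take the file name as an argument, so they can be tried on a copy before touching /etc/pam.d/common-auth-pc.

```shell
#!/bin/sh
# Added example (not from the original post): check and repair the position of
# the pam_ecryptfs.so line in an openSUSE "common-auth-pc" style PAM file.
# Usage: check_pam_order /etc/pam.d/common-auth-pc
#        fix_pam_order   /etc/pam.d/common-auth-pc > /tmp/common-auth-pc.fixed

# Return 0 when the "auth ... pam_ecryptfs.so" line is the line directly after
# the "auth ... pam_unix2.so" line, 1 when it is anywhere else or missing.
check_pam_order() {
    awk '
        $1 == "auth" && /pam_unix2\.so/    { want = NR + 1 }
        $1 == "auth" && /pam_ecryptfs\.so/ { if (NR == want) ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Print the file with the pam_ecryptfs line moved to directly after pam_unix2.
# The file is read twice: pass 1 remembers the ecryptfs line, pass 2 drops it
# from its old place and re-inserts it after pam_unix2 (or appends it if the
# file has no pam_unix2 line at all).
fix_pam_order() {
    awk '
        NR == FNR { if ($1 == "auth" && /pam_ecryptfs\.so/) saved = $0; next }
        $1 == "auth" && /pam_ecryptfs\.so/ { next }
        { print }
        $1 == "auth" && /pam_unix2\.so/ && saved != "" { print saved; saved = "" }
        END { if (saved != "") print saved }
    ' "$1" "$1"
}
```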
Now that the software is installed on the system, and suitably configured, you should be able to do everything with user level commands (until the pam configuration breaks).
Here’s a useful hint. At a command prompt, use
to list all of the user level commands for ecryptfs. The names are a pretty good guide as to what they do.
To get started, use the command
That will set you up for using ecryptfs. It will create three directories under your home directory (or home folder). Those are “Private”, “.Private” and “.ecryptfs”. Of those, “.Private” and “.ecryptfs” are normally hidden (because their names begin with “.”). Most of what you do will use the visible “Private” directory.
Of those three directories, “.ecryptfs” contains your personal configuration, “.Private” contains the encrypted version of your files, and “Private” is where you will transparently see the unencrypted version of your files.
When setting up your private directory, you are asked for your login password. You are also asked for a mount passphrase, with a hint that you can leave that blank. The way this actually works is that your files are encrypted with the mount passphrase. In turn, the mount passphrase is encrypted with your login password.
If you previously setup ecryptfs with an earlier version of opensuse, one of the files in your Private directory might be wrong. I’ll comment on that near the end of this post.
Accessing your private data
Once you have setup your private directory, it should be accessible the next time you login. The way this works is that ecryptfs mounts a virtual directory on top of “Private”, and whenever you look at a file there, the corresponding file in “.Private” is transparently decrypted to give you access to the data.
Sometimes this does not work. There are three cases that I know of, where you will not see your files in your “Private” directory on login. Those are
- When the pam configuration is broken (discussed above);
- When you are logged in automatically at boot;
- When you login with a method that does not use a password (such as an ssh login with public key authentication).
In those cases, you will need to manually unlock your files. You will know that this is needed, if you look in “Private” and see only the two files “README.txt” and “Access-Your-Private-Data.desktop”.
To solve this problem at the command line, enter the command
In case you forget, that “README.txt” will remind you what the command is.
To solve the problem from the graphic desktop, click on “Access-Your-Private-Data.desktop” (the word “desktop” might not show in your file manager). If you happen to have setup your private directory with an earlier version of opensuse, clicking on that file may not work. See my comment below on fixing older installs.
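For the ssh and auto-login cases above, it helps to have a small check that a login script can run. The following is an added example, not part of the original post: it decides whether “Private” is unlocked by looking for an ecryptfs entry at that path in the mounts table (normally /proc/mounts), falls back to the two placeholder files the post describes, and only then calls ecryptfs-mount-private, which is assumed here to be the mount command behind the “Access-Your-Private-Data” launcher.

```shell
#!/bin/sh
# Added example (not from the original post): detect whether ~/Private is
# currently unlocked, and mount it if not. Meant for ~/.profile or a script
# run after an ssh or automatic login, where PAM did not do the mount.

# Return 0 when DIR is listed as an ecryptfs mount point in MOUNTS
# (normally /proc/mounts), 1 otherwise. Note: /proc/mounts escapes spaces
# in paths as \040, so this check assumes a home path without spaces.
private_mounted() {
    mounts=$1
    dir=$2
    awk -v dir="$dir" '
        $2 == dir && $3 == "ecryptfs" { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$mounts"
}

# Return 0 when DIR holds only the two placeholder files that ecryptfs leaves
# visible while the directory is locked, 1 otherwise.
looks_locked() {
    dir=$1
    [ -e "$dir/README.txt" ] || return 1
    [ -e "$dir/Access-Your-Private-Data.desktop" ] || return 1
    [ "$(ls -A "$dir" | wc -l | tr -d ' ')" -eq 2 ]
}

# Mount the private directory when it is not already mounted. Returns 0 when
# nothing needed doing or the mount succeeded, non-zero otherwise.
ensure_private() {
    private_dir="$HOME/Private"
    if private_mounted /proc/mounts "$private_dir"; then
        return 0
    fi
    if looks_locked "$private_dir"; then
        ecryptfs-mount-private
    else
        echo "ensure_private: $private_dir is neither mounted nor locked" >&2
        return 1
    fi
}
```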
Now that you have it unlocked, using ecryptfs is simple. Store all sensitive files in your “Private” directory, or a subdirectory of that. As an example, I use “MH” formatted mailboxes. The mailboxes are in directories under Mail. I use claws-mail on the desktop, and “nmh” at the command line to access this mail. I have created a mail folder called “crypto” for mail that I am composing and that will eventually be encrypted. So “crypto” is really “Private/Mail/crypto” so that it is under my “Private” directory. And “Mail/crypto” is a symbolic link to that.
When using ecryptfs, the software keeps a copy of the unencrypted data for files you are accessing. This unencrypted data is held in memory, and made to appear as if it is a file in your “Private” directory. However, there is a risk that data held in memory could be written to swap. It is usually good advice to setup encrypted swap as protection. I discussed how to do that in an earlier post on “Encrypted swap.”
Encrypting the home directory
It is possible to use ecryptfs for encrypting home directories. Here, I will just mention the possibility. I believe that Ubuntu does that. The full details are beyond the intended scope of this post. But I will give details in a future post on ecryptfs.
Fixing older installs
If you created your private ecryptfs directory with an earlier version of opensuse, then the file “Access-Your-Private-Data.desktop” (visible when the directory is locked) might be wrong. The file was created with a broken symbolic link when I set it up with opensuse 12.1. You will know this is a problem if you see that the “Private” directory is locked, but clicking on “Access-Your-Private-Data” does not work, or
ls -lL Private/Access-Your-Private-Data.desktop
gives errors when run from the command line. To fix it, run the following commands (the directory has to be locked, so that the desktop file is visible, and it has to be made writable for the moment):
ecryptfs-umount-private ## lock (unmount) the Private directory, if needed
cd ~/Private
chmod u+w .
rm Access-Your-Private-Data.desktop
ln -s /usr/share/applications/ecryptfs-mount-private.desktop Access-Your-Private-Data.desktop
chmod u-w .
And then you can check by clicking on “Access-Your-Private-Data” to see if that now works.