Keep your files safe from prying eyes, even other users of your computer, by creating a stacked filesystem with ecryptfs.
Last year, when everyone was interested in privacy in the aftermath of Edward Snowden's revelations, Linux Format magazine looked at using cryptsetup to encrypt whole disk partitions with the Linux kernel's dm-crypt facilities, but there are other encryption systems available. There are several ways of encrypting data on your computer.
The method we looked at before encrypted a whole block device, usually a disk partition. This is good for whole system encryption, but makes everything available once the system is booted. There was also TrueCrypt, which works with either whole devices or virtual disks (a large file that acts like a disk). Sadly the project was abandoned in 2014, and although there have been a couple of forks many people are still using the 7.1a version (the final, neutered 7.2 version only allows viewing of TrueCrypt volumes). Another alternative is for the filesystem to handle the encryption, as ZFS does on Sun systems, but none of the main Linux filesystems provide encryption themselves.
Introducing ecryptfs
The next option, and the one we are concerned with today, is what is called a stacked filesystem, where you mount one filesystem on top of another, and this is what ecryptfs uses (cryptsetup, which we've covered before, uses stacked block devices, below the filesystem).
Because ecryptfs works on top of the normal filesystem, it isn't restricted to entire disk partitions: it can be used to encrypt individual directories. This is the method Ubuntu uses to provide encrypted home directories if you choose that option during installation. It is easiest to explain with an example. The ecryptfs filesystem itself is contained in the Linux kernel, but you will need to install the ecryptfs-utils package for the tools to work with it. Create two directories called crypt and plain, then you can create an encrypted directory with this command:
sudo mount -t ecryptfs crypt plain
You will be asked a number of questions; obviously you should choose a password that is both secure and memorable (or store it somewhere safe). Most of the rest can be left at their defaults, with the possible exception of Enable Filename Encryption, which you may want to set to yes.
Now copy some files to plain, then look in crypt. You will see the same filenames if you didn't enable filename encryption, otherwise you will see encrypted names. Either way, the contents will be encrypted; try viewing one of the files. Now unmount it with:
sudo umount plain
The readable versions of the files have disappeared, leaving only the encrypted versions. Run the above mount command again and the contents of plain will reappear. This method of mounting is cumbersome, but it illustrates how ecryptfs functions. The filesystem you mounted on plain is virtual: it exists only in memory, and the only data written to disk are the encrypted files in crypt. Once you unmount the plain version your data is protected, and cannot be read again until you mount it, which requires your password.
Convenient encryption
There is, of course, a more convenient way of setting up an encrypted directory for a user that doesn't require sudo or answering questions. Run this as your normal user:
ecryptfs-setup-private
The command will ask for your login password and then a passphrase for the encrypted directory. The former is used to lock the latter, which you can leave blank to have ecryptfs generate a secure passphrase automatically. This creates three directories: .Private contains your encrypted data, Private is the mountpoint for the decrypted contents and .ecryptfs contains files that are used to mount your directory. As the passphrase itself is stored encrypted, you should make a copy and store it somewhere secure, such as a USB key kept nowhere near your computer:
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase >/somewhere/safe/ecryptfs_passphrase
Now you can mount and unmount your private data with these commands, or use the desktop icon it provides:
ecryptfs-mount-private
ecryptfs-umount-private
This creates a single, encrypted directory in your home, but what if you want more? Let's say you want your Documents and Accounts directories encrypted but see no point in encrypting Photos or Music (why waste time decrypting large files that hold nothing private). The easy answer is to move the directories into Private and create symbolic links back to their original locations, like this:
mv Documents Private
ln -s Private/Documents Documents
Make sure Private is mounted when you do this. Your files will then only be available when the ecryptfs filesystem is mounted; otherwise they will just show up as broken links.
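As an added example (this is my own script, not code from the article or from ecryptfs-utils), here is a small POSIX shell version of that move-and-symlink step which refuses to run unless Private is actually listed as an ecryptfs mount in the mount table. The function names are my own, and the mount table path is a parameter so the check can be exercised against a constructed table instead of the live /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the article: move a directory into the Private
# mountpoint and leave a symlink behind, but only after confirming that
# Private really is an ecryptfs mount. If it were not mounted, mv would
# drop the plaintext into the bare mountpoint directory, unencrypted.

# is_ecryptfs_mount MOUNTPOINT [MOUNTS_FILE]
# Returns 0 if MOUNTPOINT appears in the mount table with fstype ecryptfs.
# MOUNTS_FILE defaults to /proc/mounts; a constructed table can be passed.
is_ecryptfs_mount() {
    mp=$1
    table=${2:-/proc/mounts}
    # /proc/mounts fields: source mountpoint fstype options dump pass
    awk -v mp="$mp" '$2 == mp && $3 == "ecryptfs" { found = 1 }
                     END { exit found ? 0 : 1 }' "$table"
}

# relocate_into_private HOME_DIR NAME [MOUNTS_FILE]
# Moves HOME_DIR/NAME into HOME_DIR/Private/NAME and replaces it with a
# relative symlink, like the article's mv / ln -s pair, after checking
# that HOME_DIR/Private is mounted.
relocate_into_private() {
    home=$1
    name=$2
    table=${3:-/proc/mounts}
    private="$home/Private"
    if ! is_ecryptfs_mount "$private" "$table"; then
        echo "refusing: $private is not an ecryptfs mount" >&2
        return 1
    fi
    if [ -L "$home/$name" ]; then
        echo "$home/$name is already a symlink" >&2
        return 1
    fi
    if [ -e "$private/$name" ]; then
        echo "$private/$name already exists" >&2
        return 1
    fi
    mv "$home/$name" "$private/$name" || return 1
    ln -s "Private/$name" "$home/$name" || return 1
    # Sanity check: the link must resolve while Private is mounted.
    [ -e "$home/$name" ]
}

# Usage, once Private is mounted:  relocate_into_private "$HOME" Documents
```

The symlink is deliberately relative (Private/Documents rather than an absolute path), so it keeps working if the home directory is ever moved or mounted elsewhere.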
Automatic mounting
You give your login password to unlock the ecryptfs passphrase that mounts the filesystem (you can use the -w option to ecryptfs-setup-private if you want to use an independent password), so you may be asking why, when you've just given a password to log in, you need to give it again to mount your private files. This is a valid question: if you know it once, I'm sure you can remember it again a few seconds later. If you prefer, you can have your Private directory automatically mounted when you log in (and unmounted when you log out), thanks to the magic of PAM.
As root, insert this line into /etc/pam.d/common-auth:
auth required pam_ecryptfs.so unwrap
and this one into /etc/pam.d/common-session:
session optional pam_ecryptfs.so unwrap
Now PAM will mount your ecryptfs home directory when you login. This will not happen if you have auto-login enabled, otherwise you would have no security at all.
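To make that edit repeatable, here is an added POSIX shell helper of my own (not from the article or ecryptfs-utils) that adds the pam_ecryptfs.so line to a PAM stack file only if it is not already there, keeps a backup, and places it at the end of the stack for that type. The function name is my own; the file path is a parameter so the script can be exercised on a copy rather than on /etc/pam.d directly.

```shell
#!/bin/sh
# Added example, not from the article: idempotently add the pam_ecryptfs.so
# line to a PAM stack file (e.g. common-auth), keeping FILE.bak as a backup.

# ensure_pam_ecryptfs FILE TYPE CONTROL
# Appends "TYPE CONTROL pam_ecryptfs.so unwrap" after the last TYPE line in
# FILE, unless FILE already references pam_ecryptfs.so for that TYPE.
# The line goes at the end of the stack rather than straight after
# pam_unix.so: a control field such as [success=1 default=ignore] skips the
# following module when the password is accepted, so a line placed
# immediately after such a pam_unix.so line would be bypassed on every
# successful login, which is why Ubuntu's stock files put it last.
ensure_pam_ecryptfs() {
    file=$1; type=$2; control=$3
    if grep -Eq "^[[:space:]]*${type}[[:space:]].*pam_ecryptfs\.so" "$file"; then
        return 0        # already configured; leave the file alone
    fi
    cp -p "$file" "$file.bak" || return 1
    awk -v t="$type" -v c="$control" '
        { lines[NR] = $0; if ($1 == t) last = NR }
        END {
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (i == last) print t "\t" c "\tpam_ecryptfs.so unwrap"
            }
            # no existing TYPE line at all: append at the end of the file
            if (!last) print t "\t" c "\tpam_ecryptfs.so unwrap"
        }' "$file.bak" > "$file"
}

# The article's two settings, applied to the real files (run as root):
# ensure_pam_ecryptfs /etc/pam.d/common-auth auth required
# ensure_pam_ecryptfs /etc/pam.d/common-session session optional
```

Because the function checks for an existing pam_ecryptfs.so entry first, running it from a provisioning script on every boot or deploy will never produce duplicate lines.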
Encrypted $HOME
If all of this looks a little familiar, that is probably because you have used the encrypted home directory feature in Ubuntu, which also uses ecryptfs. But this is a standard kernel feature not restricted to one distro (ChromeOS also uses ecryptfs behind the scenes). Ubuntu doesn't just set up a Private directory when you install it, it encrypts your entire home directory. So the simplest way to get a fully encrypted home directory may seem to be to install Ubuntu and choose that option. There are a couple of reasons you may not want to do this: you may use a different distro, or you may already use Ubuntu but don't want to start again with a new installation.
There's a single command that will convert your entire home directory to ecryptfs, but there are a couple of caveats. You must have no files in use in the home directory, which means that the user mustn't be logged in, and you need free space of up to 2.5 times the current size of your home directory for the conversion process (mainly because encrypted and unencrypted copies of your files are stored until the job is done). So log out, log in as another user with admin rights and then run the following, replacing user with the login name of the account to convert:
sudo ecryptfs-migrate-home --user user
After the process completes, you must log in as that user before rebooting, to complete the setup and make sure everything is working. Once that is done and you have verified that your files are there and readable, you can delete the original unencrypted files, which are still in /home/user.some_random_string. Be aware that deleting that directory does not remove all of your unencrypted data from your hard drive, only the directory table. To be fully secure, you should overwrite all unused space with random data:
dd if=/dev/urandom of=somefile bs=4k
rm somefile
This creates a file of random data that fills the drive and then deletes it to return the space to you; run it in a directory on the same filesystem as /home, since it is that filesystem's free space that needs overwriting.
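The two caveats above (nobody logged in as that user, and at least 2.5 times the home directory's size free) can be checked before the migration is started. This added POSIX shell script is mine, not part of the article or of ecryptfs-utils; the function names are my own, sizes are in kilobytes, and the logged-in check reads the output of who, which can be supplied as a parameter so the logic can be tested on a constructed capture.

```shell
#!/bin/sh
# Added example, not from the article: preflight checks to run before
# sudo ecryptfs-migrate-home --user USER. All sizes are in kilobytes.

# enough_space_for_migration HOME_KB AVAIL_KB
# The conversion keeps encrypted and plaintext copies side by side until it
# finishes, so require free space of 2.5 times the home directory's size.
enough_space_for_migration() {
    home_kb=$1; avail_kb=$2
    needed_kb=$(( home_kb * 5 / 2 ))
    [ "$avail_kb" -ge "$needed_kb" ]
}

# user_logged_in USER [WHO_OUTPUT]
# Returns 0 if USER has a session in the output of who (first column).
# WHO_OUTPUT defaults to running who; pass a captured string (possibly
# empty) to test the logic without a real login session.
user_logged_in() {
    user=$1
    who_out=${2-$(who)}
    printf '%s\n' "$who_out" |
        awk -v u="$user" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# migrate_preflight USER
# Measures the real home directory and reports whether it is safe to run
# the migration. Needs read access to the home directory (run via sudo).
migrate_preflight() {
    user=$1
    home=$(getent passwd "$user" | cut -d: -f6)
    if [ -z "$home" ] || [ ! -d "$home" ]; then
        echo "no home directory for $user" >&2
        return 1
    fi
    if user_logged_in "$user"; then
        echo "$user is logged in; log them out first" >&2
        return 1
    fi
    home_kb=$(du -sk "$home" | cut -f1)
    # df -P gives the POSIX layout; column 4 is available space in KB
    avail_kb=$(df -Pk "$home" | awk 'NR == 2 { print $4 }')
    if ! enough_space_for_migration "$home_kb" "$avail_kb"; then
        echo "need $(( home_kb * 5 / 2 )) KB free, only $avail_kb KB available" >&2
        return 1
    fi
    echo "ok: $user home is $home_kb KB, $avail_kb KB free"
}

# Usage:  sudo sh -c '. ./preflight.sh; migrate_preflight user'
```

The who check only sees interactive sessions; a user with stray background processes (a screen session, a cron job) still has files in use, so it is worth glancing at ps for that user as well before starting.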
Whether you use ecryptfs-setup-private or ecryptfs-migrate-home, you should use ecryptfs-unwrap-passphrase to save the passphrase to a safe place. If you don't keep a copy of your passphrase, you won't be able to access your data if the .ecryptfs directory is lost or damaged.