ECryptfs

From Gentoo Wiki
Jump to: navigation, search
This article is a stub. You can help by expanding it.
Resources

eCryptfs is an in-kernel file encryption suite.

Installation

Kernel

KERNEL Enable eCryptfs support
File systems  --->
    [*] Miscellaneous filesystems  --->
        <M>   eCrypt filesystem layer support
Security options  --->
    [*] Enable access key retention support

USE flags

USE flags for sys-fs/ecryptfs-utils eCryptfs userspace utilities

gpg Enable app-crypt/gnupg key module
openssl Enable dev-libs/openssl key module
pkcs11 Enable PKCS#11 (Smartcards) key module
python Add optional support/bindings for the Python language
tpm Enable support for Trusted Platform Module (TPM) using app-crypt/trousers

Emerge

Install sys-fs/ecryptfs-utils:

root #emerge --ask sys-fs/ecryptfs-utils

Note: The USE flags above are not up to date. sys-fs/ecryptfs-utils must be compiled with the suid USE flag in order to use the auto-mount capabilities of PAM as described below.

user $USE="suid" emerge sys-fs/ecryptsfs-utils

Configuration

Files

/etc/pam.d

See the below diff for the system-auth file.

diff -u /etc/pam.d/system-auth.orig /etc/pam.d/system-auth
--- /etc/pam.d/system-auth	2017-12-28 23:59:48.048839950 +0100
+++ pam.d/system-auth	2018-08-30 20:47:20.100012146 +0200
@@ -1,12 +1,15 @@
 auth		required	pam_env.so 
 auth		required	pam_unix.so try_first_pass likeauth nullok 
+auth            optional        pam_ecryptfs.so unwrap
 auth		optional	pam_permit.so
 account		required	pam_unix.so 
 account		optional	pam_permit.so
 password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 
+password        optional        pam_ecryptfs.so unwrap
 password	required	pam_unix.so try_first_pass use_authtok nullok sha512 shadow 
 password	optional	pam_permit.so
 session		required	pam_limits.so 
 session		required	pam_env.so 
 session		required	pam_unix.so 
+session         optional        pam_ecryptfs.so unwrap
 session		optional	pam_permit.so

Encrypting your SWAP

Ecryptfs-utils has a utitlity ecryptfs-setup-swap which depends on sys-fs/cryptsetup. However, this utility is currently Ubuntu centric. You should setup an encrypted swap by installing sys-fs/cryptsetup and edit /etc/conf.d/dmcrypt which has an example of an ecrypted swap in it.

FILE /etc/conf.d/dmcryptcrypt-swap example
swap=crypt-swap
source=/dev/sda3
options='--cipher=aes-xts-plain64 --key-size=512 --key-file=/dev/urandom'

Also note, you need to add dm-crypt to the boot run level with:

rc-config add dmcrypt boot

You can find a version of ecryptfs-setup-swap which works with gentoo [1].

See also

Mount_Encrypted_Ubuntu_Home/Guide

External resources