From Gentoo Wiki

eCryptfs is an in-kernel file encryption suite.



KERNEL Enable eCryptfs support
File systems  --->
    [*] Miscellaneous filesystems  --->
        <M>   eCrypt filesystem layer support
Security options  --->
    [*] Enable access key retention support

USE flags

USE flags for sys-fs/ecryptfs-utils eCryptfs userspace utilities

doc Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
gpg Enable app-crypt/gnupg key module
gtk Add support for x11-libs/gtk+ (The GIMP Toolkit)
nls Add Native Language Support (using gettext - GNU locale utilities)
openssl Enable dev-libs/openssl key module
pam Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
pkcs11 Enable PKCS#11 (Smartcards) key module
suid Enable setuid root program, with potential security risks
tpm Enable support for Trusted Platform Module (TPM) using app-crypt/trousers


Install sys-fs/ecryptfs-utils:

root # emerge --ask sys-fs/ecryptfs-utils
The USE flags above are not up to date. sys-fs/ecryptfs-utils must be compiled with the suid USE flag in order to use the auto-mount capabilities of PAM as described below (emerge must run as root):
root # USE="suid" emerge sys-fs/ecryptfs-utils




See the diff below for the changes to the /etc/pam.d/system-auth file.

diff -u /etc/pam.d/system-auth.orig /etc/pam.d/system-auth
--- /etc/pam.d/system-auth	2017-12-28 23:59:48.048839950 +0100
+++ pam.d/system-auth	2018-08-30 20:47:20.100012146 +0200
@@ -1,12 +1,15 @@
 auth		required 
 auth		required try_first_pass likeauth nullok 
+auth            optional unwrap
 auth		optional
 account		required 
 account		optional
 password	required difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 
+password        optional unwrap
 password	required try_first_pass use_authtok nullok sha512 shadow 
 password	optional
 session		required 
 session		required 
 session		required 
+session         optional unwrap
 session		optional
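Review bot: the module file names are missing from every line of this hunk, including the three added ones, so the diff cannot be applied as shown; each added line should name the eCryptfs PAM module, i.e. `auth optional pam_ecryptfs.so unwrap`, `password optional pam_ecryptfs.so unwrap` and `session optional pam_ecryptfs.so unwrap`, and the unchanged context lines need their modules restored as well (the line carrying `try_first_pass likeauth nullok` is evidently the pam_unix.so entry, and the new auth line is correctly placed after it, since pam_ecryptfs.so unwraps the passphrase with the password that entry has already collected). The `+++` header also reads `pam.d/system-auth` while `---` reads `/etc/pam.d/system-auth`; editing the file in place so both paths match avoids a reader patching a stray copy.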

Encrypting your swap

ecryptfs-utils ships a utility, ecryptfs-setup-swap, which depends on sys-fs/cryptsetup. However, this utility is currently Ubuntu-centric. Instead, set up an encrypted swap by installing sys-fs/cryptsetup and editing /etc/conf.d/dmcrypt, which already contains an example of an encrypted swap.

FILE /etc/conf.d/dmcrypt crypt-swap example
options='--cipher=aes-xts-plain64 --key-size=512 --key-file=/dev/urandom'

Also note that dmcrypt needs to be added to the boot runlevel:

root # rc-config add dmcrypt boot

A version of ecryptfs-setup-swap that works with Gentoo can be found at [1].
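As a check after setting up crypt-swap, here is an added example in POSIX sh (not from the wiki page or the ecryptfs-utils project) that confirms the active swap is a dm-crypt mapping with the cipher and key size from the options line above. The /proc/swaps and cryptsetup status samples are constructed, and the mapping name crypt-swap and backing device /dev/sda2 are assumptions.

```shell
# Added example, not from the Gentoo wiki page: check that the active swap is a
# dm-crypt mapping set up with the cipher and key size from the crypt-swap
# options= line. The helpers parse text, so they accept live command output or
# the constructed samples below.

EXPECTED_CIPHER='aes-xts-plain64'   # from /etc/conf.d/dmcrypt options=
EXPECTED_KEYSIZE=512                # --key-size=512, in bits

# swap_backing_device PROC_SWAPS_TEXT: print the first device in /proc/swaps.
swap_backing_device() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 != "" { print $1; exit }'
}

# is_dm_mapping DEVICE: succeed only for device-mapper nodes.
is_dm_mapping() {
    case "$1" in
        /dev/mapper/*|/dev/dm-*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_crypt_status STATUS_TEXT: STATUS_TEXT is `cryptsetup status <name>`
# output; succeed only if the mapping is active with the expected parameters.
check_crypt_status() {
    printf '%s\n' "$1" | grep -q ' is active' || return 1
    cipher=$(printf '%s\n' "$1" | awk '$1 == "cipher:" { print $2 }')
    keysize=$(printf '%s\n' "$1" | awk '$1 == "keysize:" { print $2 }')
    [ "$cipher" = "$EXPECTED_CIPHER" ] && [ "$keysize" = "$EXPECTED_KEYSIZE" ]
}

# check_swap PROC_SWAPS_TEXT STATUS_TEXT: succeed only if swap is encrypted
# as configured; a raw partition or a weaker mapping fails the check.
check_swap() {
    dev=$(swap_backing_device "$1")
    [ -n "$dev" ] && is_dm_mapping "$dev" && check_crypt_status "$2"
}

# Constructed samples of what the two commands print on a host configured
# as the page describes (device names are made up).
SAMPLE_SWAPS='Filename				Type		Size	Used	Priority
/dev/mapper/crypt-swap                  partition	4194300	0	-2'
SAMPLE_STATUS='/dev/mapper/crypt-swap is active and is in use.
  type:    PLAIN
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/sda2'
# Constructed counter-example: swap on a raw, unencrypted partition.
SAMPLE_PLAIN_SWAPS='Filename				Type		Size	Used	Priority
/dev/sda2                               partition	4194300	0	-2'
```

On the host itself, feed it live output with `check_swap "$(cat /proc/swaps)" "$(cryptsetup status crypt-swap)"` (cryptsetup status needs root).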
