From Gentoo Wiki
Jump to:navigation Jump to:search
This article is a stub. You can help by expanding it.

eCryptfs is an in-kernel file encryption suite. It supports diffferent symmetric encryption algorithms depending on the Kernel's crypto API. In contrast to LUKS encryption happens per file. Encryption meta data is added to the file header.



KERNEL Enable eCryptfs support
File systems  --->
    [*] Miscellaneous filesystems  --->
        <M>   eCrypt filesystem layer support
Security options  --->
    [*] Enable access key retention support

USE flags

USE flags for sys-fs/ecryptfs-utils eCryptfs userspace utilities

doc Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
gpg Enable app-crypt/gnupg key module
gtk Add support for x11-libs/gtk+ (The GIMP Toolkit)
nls Add Native Language Support (using gettextGNU locale utilities)
openssl Enable dev-libs/openssl key module
pam Add support for PAM (Pluggable Authentication Modules)DANGEROUS to arbitrarily flip
pkcs11 Enable PKCS#11 (Smartcards) key module
suid Enable setuid root program, with potential security risks
tpm Enable support for Trusted Platform Module (TPM) using app-crypt/trousers


Install sys-fs/ecryptfs-utils:

root #emerge --ask sys-fs/ecryptfs-utils
The USE flags above are not up to date. sys-fs/ecryptfs-utils must be compiled with the suid USE flag in order to use the auto-mount capabilities of PAM as described below. Getting rid of setuid and/ or fixing general mounts see bug #829576. Otherwise mounting arbitrary directories requires user mounts based on /etc/fstab. Section Mount Remote Directory shows how to do this.
user $USE="suid" emerge sys-fs/ecryptfs-utils




See the below diff for the system-auth file.

diff -u /etc/pam.d/system-auth.orig /etc/pam.d/system-auth
--- /etc/pam.d/system-auth	2021-12-13 02:23:28.094220446 -0500
+++ /etc/pam.d/system-auth	2021-12-13 02:28:04.886740693 -0500
@@ -3,6 +3,7 @@
 auth            [success=1 default=ignore] nullok  try_first_pass
 auth		[default=die] authfail
 auth		optional
+auth		optional unwrap
 account		required
 account         required
 password	required config=/etc/security/passwdqc.conf
@@ -10,3 +11,4 @@
 session		required
 session		required
 session		required
+session		optional unwrap

Encrypting your SWAP

Ecryptfs-utils has a utitlity ecryptfs-setup-swap which depends on sys-fs/cryptsetup. However, this utility is currently Ubuntu centric. You should setup an encrypted swap by installing sys-fs/cryptsetup and edit /etc/conf.d/dmcrypt which has an example of an ecrypted swap in it.

FILE /etc/conf.d/dmcryptcrypt-swap example
options='--cipher=aes-xts-plain64 --key-size=512 --key-file=/dev/urandom'

Also note, you need to add dm-crypt to the boot run level with:

root #rc-config add dmcrypt boot

You can find a version of ecryptfs-setup-swap which works with gentoo [1].

Mount Remote Directory

Current version of ecryptfs ships with an unusable mount.ecryptfs. It will always complain that passwd details cannot be found for uid. Due to a lack of adaption since 2012, this helper is broken. Only direct invocation of mount works.

To bind and encrypt a remote directory, two stages are necessary. First, net-fs/sshfs mounts the directory onto the local machine and provides transport encryption. Second, ecryptfs transparently encrypts and decrypts files. NFS is an alternative but must be secured in transport and at rest, too.

  1. on the remote host create an empty directory
  2. on the local machine create a directory .secret and a second directory secret
  3. on the local machine mount the remote host's directory to .secret
  4. and add a passphrase to the Kernel's (user) keyring with ecryptfs-add-passphrase
  5. as root use the signature prompted from the previous command to create an entry in /etc/fstab with option user, so that user mount is possible
  6. as normal user mount -i secret so that encrypted directory becomes decrypted under secret
  7. when done, first umount secret which also removes the key from the keyring...
  8. ... second umount .secret to disconnect from remote host
user $ecryptfs-add-passphrase
Inserted auth tok with sig [28320aba320b22df] into the user session keyring
FILE /etc/fstab
#mount with same passphrase for files and meta data
/home/user/.secret	/home/user/secret	ecryptfs	user,noauto,ecryptfs_sig=28320aba320b22df,ecryptfs_fnek_sig=28320aba320b22df,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs 0 0

Use keyctl to verify signatures of keys being loaded for current user. After ecryptfs-add-passphrase, there will be more entries. The sample shows the signature from above plus two others. Also check that after umount of ecryptfs layer the signature is gone.

user $keyctl list @u
3 keys in keyring:
314829634: --alswrv  1000  1000 user: a9d767fe56ef6923
225345633: --alswrv  1000  1000 user: 28320aba320b22df
729098673: --alswrv  1000  1000 user: 277ff13fd4e56c3d
It is absolutely valid to mount different ecryptfs overlays with the same signature. It is not a problem when unmounting one of them erases the signature from the keyring. The second overlay stays fully functional.

Hints and Criticism

  • available algorithms depend on Kernel API and configuration, check /proc/crypto
  • folder structure, number of files and file size clearly visible
  • changing the passphrase/ encryption key requires full re-encryption (in different location)

See also

External resources