eCryptfs is an in-kernel stacked file encryption layer. It supports different symmetric ciphers, depending on what the kernel's crypto API provides. In contrast to LUKS (block-level), encryption happens per file, and the encryption metadata is stored in each file's header.
File systems --->
  [*] Miscellaneous filesystems --->
    <M> eCrypt filesystem layer support
Security options --->
  [*] Enable access key retention support
USE flags for sys-fs/ecryptfs-utils (eCryptfs userspace utilities)
- doc: Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
- gpg: Enable app-crypt/gnupg key module
- gtk: Add support for x11-libs/gtk+ (The GIMP Toolkit)
- nls: Add Native Language Support (using gettext, the GNU locale utilities)
- openssl: Enable dev-libs/openssl key module
- pam: Add support for PAM (Pluggable Authentication Modules)
- pkcs11: Enable PKCS#11 (smartcard) key module
- suid: Enable setuid root program(s)
- tpm: Enable support for Trusted Platform Module (TPM) using app-crypt/trousers
emerge --ask sys-fs/ecryptfs-utils
The USE flags above may not be up to date. sys-fs/ecryptfs-utils must be built with the suid USE flag in order to use the PAM auto-mount capability described below. For the effort to get rid of the setuid helper and/or fix general mounts, see bug #829576. Without suid, mounting arbitrary directories requires user mounts defined in /etc/fstab; the section Mount Remote Directory shows how to do this.
USE="suid" emerge sys-fs/ecryptfs-utils
The diff below shows the changes needed in /etc/pam.d/system-auth so that the login password unwraps the eCryptfs passphrase at authentication and session start.
diff -u /etc/pam.d/system-auth.orig /etc/pam.d/system-auth
--- /etc/pam.d/system-auth 2021-12-13 02:23:28.094220446 -0500 +++ /etc/pam.d/system-auth 2021-12-13 02:28:04.886740693 -0500 @@ -3,6 +3,7 @@ auth [success=1 default=ignore] pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail auth optional pam_cap.so +auth optional pam_ecryptfs.so unwrap account required pam_unix.so account required pam_faillock.so password required pam_passwdqc.so config=/etc/security/passwdqc.conf @@ -10,3 +11,4 @@ session required pam_limits.so session required pam_env.so session required pam_unix.so +session optional pam_ecryptfs.so unwrap
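Review bot: the patch adds pam_ecryptfs.so only to the auth and session stacks and nothing to the password stack whose context is visible in the first hunk (password required pam_passwdqc.so ...), so a password change via passwd will not rewrap the stored mount passphrase and the auth-time "unwrap" will start failing at the next login; add a `password optional pam_ecryptfs.so` line to the password stack, placed after the module that actually changes the Unix password so the new token is available to it. The added `auth optional pam_ecryptfs.so unwrap` line is correctly placed below `pam_unix.so nullok try_first_pass`, which is what leaves the typed password in PAM_AUTHTOK for the unwrap; keep that ordering if the stack is rearranged, and note that `success=1` on the pam_unix line skips only pam_faillock, so the new line is still reached on a successful login.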
Encrypting your SWAP
ecryptfs-utils ships a utility, ecryptfs-setup-swap, which depends on sys-fs/cryptsetup; however, this utility is currently Ubuntu-centric. Set up an encrypted swap instead by installing sys-fs/cryptsetup and editing /etc/conf.d/dmcrypt, which already contains an example of an encrypted swap entry:
swap=crypt-swap
source=/dev/sda3
options='--cipher=aes-xts-plain64 --key-size=512 --key-file=/dev/urandom'
Also note that the dmcrypt service needs to be added to the boot runlevel so the swap device is set up on every boot (the key is read from /dev/urandom, so it is fresh each time and the swap contents do not survive a reboot):
rc-update add dmcrypt boot
A version of ecryptfs-setup-swap that works with Gentoo is also available.
Mount Remote Directory
The current version of ecryptfs-utils ships with an unusable mount.ecryptfs helper: it always complains that passwd details cannot be found for the uid. The helper has not been maintained since 2012 and is broken; only direct invocation of mount (with -i, which bypasses the helper) works.
To bind and encrypt a remote directory, two stages are necessary. First, net-fs/sshfs mounts the remote directory onto the local machine and provides transport encryption. Second, ecryptfs stacked on top transparently encrypts and decrypts the files, so only ciphertext is stored on the remote host. NFS is an alternative, but its transport must be secured separately, and the at-rest encryption is still provided by the ecryptfs layer.
- on the remote host, create an empty directory
- on the local machine, create a directory .secret (the lower directory, which will hold the ciphertext) and a second directory secret (the upper directory, the decrypted view)
- on the local machine, mount the remote host's directory onto .secret with sshfs
- add a passphrase to the kernel's user keyring with ecryptfs-add-passphrase
- as root, use the signature printed by the previous command to create an entry in /etc/fstab with the option user, so that a user mount is possible
- as the normal user, run mount -i secret so that the encrypted content of .secret appears decrypted under secret (-i skips the broken mount.ecryptfs helper)
- when done, first umount secret, which (because of ecryptfs_unlink_sigs) also removes the key from the keyring...
- ... then umount .secret to disconnect from the remote host
Passphrase:
Inserted auth tok with sig [28320aba320b22df] into the user session keyring
# mount with the same passphrase for file contents and file names (fnek)
/home/user/.secret /home/user/secret ecryptfs user,noauto,ecryptfs_sig=28320aba320b22df,ecryptfs_fnek_sig=28320aba320b22df,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs 0 0
Use keyctl to verify the signatures of the keys loaded for the current user. After ecryptfs-add-passphrase there will be one more entry; the sample below shows the signature from above plus two others. Also check that the signature is gone again after the ecryptfs layer has been unmounted.
keyctl list @u
3 keys in keyring:
314829634: --alswrv  1000  1000 user: a9d767fe56ef6923
225345633: --alswrv  1000  1000 user: 28320aba320b22df
729098673: --alswrv  1000  1000 user: 277ff13fd4e56c3d
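The procedure above (sshfs transport, passphrase into the user keyring, fstab entry with user, mount -i, unmount in reverse order) and the keyctl verification, collected into a small POSIX shell script. This is an added example, not code from the Gentoo wiki or from the ecryptfs-utils project. REMOTE, LOWER and UPPER are hypothetical defaults; the fstab line that setup prints still has to be installed by root before open works, and ecryptfs-add-passphrase reads the passphrase interactively from the terminal.

```shell
#!/bin/sh
# Added example; not part of the Gentoo wiki page or of ecryptfs-utils.
# Assumed, hypothetical defaults (override in the environment):
REMOTE="${REMOTE:-user@remote.example:/home/user/vault}"   # sshfs source
LOWER="${LOWER:-$HOME/.secret}"   # sshfs mount point, holds ciphertext
UPPER="${UPPER:-$HOME/secret}"    # ecryptfs mount point, decrypted view

# Pull the 16 hex digit signature out of ecryptfs-add-passphrase's output,
# e.g. "Inserted auth tok with sig [28320aba320b22df] into the user session keyring".
extract_sig() {
    sed -n 's/.*sig \[\([0-9a-f]\{16\}\)\].*/\1/p' | head -n 1
}

# fstab entry that uses one key for both file contents and file names (fnek),
# with ecryptfs_unlink_sigs so umount drops the key from the keyring again.
# Usage: fstab_line SIG LOWER UPPER
fstab_line() {
    printf '%s %s ecryptfs user,noauto,ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs 0 0\n' \
        "$2" "$3" "$1" "$1"
}

# True if the signature appears in a "keyctl list @u" listing read from stdin
# (reading stdin rather than calling keyctl keeps the check usable offline).
sig_loaded() {
    grep -q "user: $1\$"
}

# Stage 1: transport. Mount the remote directory with sshfs (as the normal user).
connect() {
    mkdir -p "$LOWER" "$UPPER"
    sshfs "$REMOTE" "$LOWER"
}

# Stage 2: load the passphrase into the user keyring, confirm it is there,
# and print the fstab line root has to install.
setup() {
    sig=$(ecryptfs-add-passphrase | extract_sig)
    [ -n "$sig" ] || { echo "no signature returned" >&2; return 1; }
    keyctl list @u | sig_loaded "$sig" || { echo "sig $sig not in @u" >&2; return 1; }
    echo "add this line to /etc/fstab as root:"
    fstab_line "$sig" "$LOWER" "$UPPER"
}

# Mount the decrypted view; -i bypasses the broken mount.ecryptfs helper.
open() {
    mount -i "$UPPER"
}

# Tear down in reverse order: ecryptfs layer first (ecryptfs_unlink_sigs removes
# the key from the keyring), then the sshfs transport.
close() {
    umount "$UPPER"
    fusermount -u "$LOWER"
}

case "${1:-}" in
    connect|setup|open|close) "$1" ;;
esac
```

Run it as `./ecryptfs-remote.sh connect`, then `setup`, install the printed fstab line as root, and from then on `open` and `close` as the normal user; after `close`, `keyctl list @u` should no longer show the signature.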
It is perfectly valid to mount several ecryptfs overlays with the same signature. It is also not a problem that unmounting one of them (with ecryptfs_unlink_sigs) removes the signature from the keyring: the kernel copies the key at mount time, so the other overlay stays fully functional.
Hints and Criticism
- the available ciphers depend on the kernel's crypto API and configuration; check /proc/crypto
- the directory structure, the number of files and the (approximate) file sizes remain clearly visible on the lower directory; file names are only encrypted when an ecryptfs_fnek_sig is given
- changing the mount passphrase (the key that actually encrypts the files) requires a full re-encryption into a different location