As already stated ecryptfs is not a solution for my problem as my home folder is already encrypted by ecryptfs. Moving the "Ubuntu One" folder out of the home tree isn't a solution either as then the rest of the "Ubuntu One" content isn't encrypted anymore.
I've decided to use EncFS instead. Setting up en encrypted folder is pretty simple. But how to get it mounted automatically so applications can use it to store config files? There are some solutions:
- pam_mount
- gnome-encfs
- autofs
- afuse
I don't like idea 1 because I don't want to use the same password for EncFS as my login password.
Solution 2 I don't like on one hand because there's no apt package available for Ubuntu and on the other hand I don't want to have the EncFS folder only mounted just after logging in. If something fails or it the folder gets unmounted every subsequent access will fail.
Solution 3 just doesn't work. I've been using autofs for quite some time to mount CIFS shares and folders through sshfs but EncFS is just not supported. I've played around with several scripts to mount EncFS by autofs but that became too complex and error-prone.
So what I'm currently using is solution 4. Afuse is available as an apt package. Afuse automatically mounts the EncFS folder as soon the folder is accessed and unmounts it again after some idle time.
Here are the quick steps how to set everything up (maybe I add some details in future):
- install afuse
- create the "Ubuntu One" folder to store the encrypted content
Example:
~/Ubuntu\ One/.encrypted
- create a folder as a top folder for afuse to mount folders within
Example:
~/.fuse
- create some helper scripts
- create an autostart entry in Gnome to launch afuse
The unencrypted EncFS folder gets mounted underneath ~/.fuse. In my case the folder with the unencrypted content is named U1Enc, therefore all data stays in ~/.fuse/U1Enc. For my convenience I created a link from ~/U1Enc to ~/.fuse/U1Enc to get there easier.
The ideas and helper scripts I found on several web sites. Here come the links:
Automounting FUSE filesystems
autofs: encfs over sshfs
I use the following scripts:
~/.afuse-fstab
U1Enc encfs --ondemand --idle=5 --extpass="/home/xxx/.creds/U1.encfs.sh" /home/xxx/Ubuntu\ One/.encrypted %m
~/.creds/U1.encfs.sh (marked as executable and only accessable by the user themself)
#!/bin/sh
echo PASSWORD_FOR_ENCFS_IN_CLEARTEXT
~/bin/afuse-handler.pl (marked as executable and with ~/bin in $PATH)
#!/usr/bin/perl -w
$fstab="$ENV{HOME}/.afuse-fstab";
$afusedir=$ARGV[0];
$afuse_mountpoint=$ARGV[1];
print "afusedir:$afusedir\n";
print "afuse_mountpoint:$afuse_mountpoint\n";
system("logger -t afuse 1:$ARGV[0] 2:$ARGV[1]");
open(FSTAB, $fstab ) or die("Can not open afuse-fstab at $fstab\n");
while( <FSTAB> ) {
if( /^$afusedir/ ) {
s/[^\s\/]+[\s]*//;
s/%r/$afusedir/g;
s/%m/$afuse_mountpoint/g;
chomp;
$cmd = $_;
print "$cmd\n";
system($_) == 0
or die "execution of FUSE filesystem failed!\n"
. "command:$cmd\n"
. "reason:$?\n";
}
}
and finally ~/bin/afuse.start.sh (marked again as executable) which I registered with Gnome/System/Settings to start afuse after log in
#!/bin/sh
afuse -o mount_template="/home/xxx/bin/afuse-handler.pl %r %m" -o unmount_template="fusermount -u -z %m" ~/.fuse
The last script launches afuse which starts the afuse-handler to mount the EncFS folder underneath ~/.fuse as soon it gets accessed. The afuse.handler itself checks the .afuse-fstab how to mount the folder. The EncFS password is echoed out by U1.encfs.sh so no user intervention is needed (as this file is stored in my home folder it get's encrypted by ecryptfs so I don't see there a big security issue).
Take care of different EncFS versions. On Natty currently EncFS version 1.7.4 gets installed. That doesn't play well with an older 1.6 version on Maverick. I had to update EncFS on Maverick to 1.7.4 as well (done this by pinning apt/preferences).
There is a few things you can try. The error message you get is itself helpful: the directory is not mounted.
If you get this type of files CRYPTFS_FNEK_ENCRYPTED.[some code here] in fact the decryption was not succesful. That means something went wrong in the decryption process (usually the problem is related to the settings you provide in the prompt). Make sure to type the full passphrase in gedit and copy it from there. I once already spend two days figuring out what went wrong decrypting and for some reason I had a tiny mistake (O as 0) in the passphrase.
You can also give this command a try:
mount -t ecryptfs [SRC DIR] [DST DIR] -o [OPTIONS]
This will do the mounting and decrypting for you. Read more here and don't stick too close to that tutorial you mention.
BTW: Is your username the same as on the old system?
Best Answer
Known bug
If I understand correctly, this is a known bug.
See this link: wiki.archlinux.org/index.php/ECryptfs
Scroll down to the pink paragraph
Work-around
As it is now, you had better shut down or reboot in order to remove the traces (It is not enough to log out).