Ubuntu – How to confirm that I’m using ecryptfs

ecryptfs

Is there a simple way to tell if I'm using ecryptfs on my home directory? I tried running the ecryptfs-migrate-home script a while ago, and it failed part way through. I assumed that it went back to using my old plain, unencrypted home, but I just noticed that /home/.ecryptfs/naught10t/.Private exists, and has lots of files in it…

Best Answer

If ecryptfs is being used, your home folder will be mounted. You can check if it is with this command:

df -T

When I run it, I get this result:

kalle@Kalle-PC:~$ df -T
Filesystem           Type      1K-blocks       Used Available Use% Mounted on
/dev/sdc1            ext4      115376648    9002220 100513568   9% /
udev                 devtmpfs    2050188          4   2050184   1% /dev
tmpfs                tmpfs        824108       1128    822980   1% /run
none                 tmpfs          5120          0      5120   0% /run/lock
none                 tmpfs       2060264        900   2059364   1% /run/shm
/dev/sdb1            fuseblk  1953512444 1183183452 770328992  61% /media/x
/dev/sda2            ext4      861466440  138769200 678937216  17% /home
/home/kalle/.Private ecryptfs  861466440  138769200 678937216  17% /home/kalle

I have several drives on my system, but the last line is the relevant one. It shows that /home/kalle/.Private of type ecryptfs is mounted to /home/kalle, which is my home directory.

Run df -T on your system and check the results.

Related Solutions

Ubuntu – Private directory mounted without passphrase

From the EncryptedPrivateDirectory wiki:

We can stop ecryptfs from unlocking the Private folder on startup, by removing the empty file auto-mount which is located in ~/.ecryptfs/, where you also can remove the auto-umount file, if you would like ecryptsfs to stop unmounting the private folder upon shutdown and logout.

UPDATE: To fix the issue of ~/Private being mountable without using a password, follow the instructions in this Ubuntu Forums post:

OK Folks, here is the true fix.

I was reading an article on ecryptfs (http://ecryptfs.sourceforge.net/ecryptfs-pam-doc.txt) and found that PAM is involved and thus started looking in /etc/pam.d/ and found 2 files that need to be modified:

/etc/pam.d/common-auth
/etc/pam.d/common-session

Do the following as root, but make a backup copy first in a directory OUT OF this directory like ~/ or it will possibly run the backup which is unmodified.

In /etc/pam.d/common-session look for a line that says:

auth optional pam_ecryptfs.so unwrap
and comment it out like:
#auth optional pam_ecryptfs.so unwrap

In /etc/pam.d/common-auth look for a line that says:

session optional pam_ecryptfs.so unwrap
and comment it out like
#session optional pam_ecryptfs.so unwrap

Both files must be modified. The common-session file is what cause the actually mounting and the common-auth unwraps the passphrase.

If just common-session is commented out (as I tried first), all one has to do is type ecrypt-mount-private and it will mount without the login passphrase. This is NOT GOOD. So the common-auth must be modified to prevent the loading of the unwrapped passphrase into the kernel.

The caveat to this is that THIS AFFECTS ALL USERS. I have just discovered the above by rooting around myself and it satisfies my needs. However, it will make it more difficult on a multiuser system for novices as the Private will not be automatically mounted. There may be a way to prevent this on a user-level (not system level) but I don't know how to do that.

Hope this helps someone in the future.

Yours, Narnie

You will need to restart your computer after you modify those files.

Ubuntu – Ecryptfs on too-small harddrive – how to add links into the encryption

You can accomplish this using mount.ecryptfs_private's alias feature. From the manpage:

   mount.ecryptfs_private  is a mount helper utility for non-root users to
   cryptographically mount a private directory, ~/Private by default.

   This program  optionally  takes  one  argument,  ALIAS.   If  ALIAS  is
   omitted, the program will default to using "Private" using:
    - $HOME/.Private as the SOURCE
    - $HOME/Private as the DESTINATION
    - $HOME/.ecryptfs/Private.sig for the key signatures.

   If ALIAS is specified, then the program will look for an fstab(5) style
   configuration in:
    - $HOME/.ecryptfs/ALIAS.conf and for key signature(s) in:
    - $HOME/.ecryptfs/ALIAS.sig

Best Answer

Related Solutions

Ubuntu – Private directory mounted without passphrase

Ubuntu – Ecryptfs on too-small harddrive – how to add links into the encryption

Related Question