As already stated, ecryptfs is not a solution for my problem as my home folder is already encrypted by ecryptfs. Moving the "Ubuntu One" folder out of the home tree isn't a solution either, as then the rest of the "Ubuntu One" content isn't encrypted anymore.
I've decided to use EncFS instead. Setting up an encrypted folder is pretty simple. But how to get it mounted automatically so applications can use it to store config files? There are some solutions:
- pam_mount
- gnome-encfs
- autofs
- afuse
I don't like idea 1 because I don't want to use the same password for EncFS as my login password.
Solution 2 I don't like on one hand because there's no apt package available for Ubuntu and on the other hand I don't want to have the EncFS folder only mounted just after logging in. If something fails or the folder gets unmounted, every subsequent access will fail.
Solution 3 just doesn't work. I've been using autofs for quite some time to mount CIFS shares and folders through sshfs but EncFS is just not supported. I've played around with several scripts to mount EncFS by autofs but that became too complex and error-prone.
So what I'm currently using is solution 4. Afuse is available as an apt package. Afuse automatically mounts the EncFS folder as soon as the folder is accessed and unmounts it again after some idle time.
Here are the quick steps to set everything up (maybe I'll add some details in future):
- install afuse
- create the "Ubuntu One" folder to store the encrypted content, for example ~/Ubuntu\ One/.encrypted
- create a folder as a top folder for afuse to mount folders within, for example ~/.fuse
- create some helper scripts
- create an autostart entry in Gnome to launch afuse
The unencrypted EncFS folder gets mounted underneath ~/.fuse. In my case the folder with the unencrypted content is named U1Enc, therefore all data stays in ~/.fuse/U1Enc. For my convenience I created a link from ~/U1Enc to ~/.fuse/U1Enc to get there more easily.
I found the ideas and helper scripts on several web sites. Here are the links:
Automounting FUSE filesystems
autofs: encfs over sshfs
I use the following scripts:
~/.afuse-fstab
U1Enc encfs --ondemand --idle=5 --extpass="/home/xxx/.creds/U1.encfs.sh" /home/xxx/Ubuntu\ One/.encrypted %m
~/.creds/U1.encfs.sh (marked as executable and only accessible by the user themselves)
#!/bin/sh
# encfs runs this via --extpass and reads the passphrase from stdout
echo PASSWORD_FOR_ENCFS_IN_CLEARTEXT
~/bin/afuse-handler.pl (marked as executable and with ~/bin in $PATH)
#!/usr/bin/perl -w
# Called by afuse as: afuse-handler.pl <relative dir> <mount point>
# Looks up the first field of ~/.afuse-fstab for the requested directory and
# runs the rest of that line with %r and %m replaced.
$fstab = "$ENV{HOME}/.afuse-fstab";
$afusedir = $ARGV[0];
$afuse_mountpoint = $ARGV[1];
print "afusedir:$afusedir\n";
print "afuse_mountpoint:$afuse_mountpoint\n";
# list form of system() so the paths are not re-parsed by a shell
system("logger", "-t", "afuse", "1:$ARGV[0]", "2:$ARGV[1]");
open(FSTAB, $fstab) or die("Can not open afuse-fstab at $fstab\n");
while (<FSTAB>) {
    # match the whole first field, not just a prefix of it (\Q..\E quotes regex metacharacters)
    if (/^\Q$afusedir\E\s/) {
        s/[^\s\/]+[\s]*//;        # drop the first field, keep the mount command
        s/%r/$afusedir/g;         # %r: relative directory name
        s/%m/$afuse_mountpoint/g; # %m: mount point afuse created
        chomp;
        $cmd = $_;
        print "$cmd\n";
        system($_) == 0
            or die "execution of FUSE filesystem failed!\n"
                 . "command:$cmd\n"
                 . "reason:$?\n";
    }
}
close(FSTAB);
and finally ~/bin/afuse.start.sh (marked again as executable), which I registered with Gnome/System/Settings to start afuse after login
#!/bin/sh
afuse -o mount_template="/home/xxx/bin/afuse-handler.pl %r %m" -o unmount_template="fusermount -u -z %m" ~/.fuse
The last script launches afuse, which starts the afuse-handler to mount the EncFS folder underneath ~/.fuse as soon as it gets accessed. The afuse-handler itself checks the .afuse-fstab for how to mount the folder. The EncFS password is echoed out by U1.encfs.sh, so no user intervention is needed (as this file is stored in my home folder it gets encrypted by ecryptfs, so I don't see a big security issue there).
Take care of different EncFS versions. On Natty currently EncFS version 1.7.4 gets installed. That doesn't play well with an older 1.6 version on Maverick. I had to update EncFS on Maverick to 1.7.4 as well (I did this by pinning in apt/preferences).
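The setup above only holds together while the password helper is private to the user and the home directory really is an ecryptfs mount. The following pre-flight script is an added example, not one of the scripts from the post; it assumes Linux with GNU coreutils (stat -c) and the post's layout with the helper at ~/.creds/U1.encfs.sh, and is meant to be run before afuse.start.sh launches afuse.

```shell
#!/bin/sh
# Pre-flight check for the afuse + EncFS setup. Added example, not one of the
# poster's scripts. Assumes GNU stat (Linux) and the post's layout: the
# cleartext EncFS password helper lives at ~/.creds/U1.encfs.sh (assumed path).

# check_private_path PATH: succeed only if PATH exists, is owned by the
# calling user and has no group/other permission bits at all.
check_private_path() {
    p=$1
    [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
    mode=$(stat -c '%a' "$p") || return 1
    owner=$(stat -c '%u' "$p") || return 1
    [ "$owner" = "$(id -u)" ] || { echo "not owned by uid $(id -u): $p" >&2; return 1; }
    # stat prints the mode in octal; the last two digits are group and other.
    case "$mode" in
        *00) return 0 ;;
        *) echo "group/other bits set (mode $mode): $p" >&2; return 1 ;;
    esac
}

# home_is_ecryptfs: succeed if $HOME is the mount point of an ecryptfs
# filesystem according to /proc/mounts, which is what keeps the helper's
# cleartext password off the disk.
home_is_ecryptfs() {
    [ -r /proc/mounts ] || return 1
    awk -v h="$HOME" '$2 == h && $3 == "ecryptfs" { found = 1 } END { exit !found }' /proc/mounts
}

# preflight HELPER: every condition that must hold before afuse is launched.
preflight() {
    helper=$1
    check_private_path "$(dirname "$helper")" || return 1
    check_private_path "$helper" || return 1
    [ -x "$helper" ] || { echo "not executable: $helper" >&2; return 1; }
    home_is_ecryptfs || {
        echo "$HOME is not an ecryptfs mount: $helper holds the EncFS password in cleartext on disk" >&2
        return 1
    }
}

# Usage from afuse.start.sh:  sh afuse-preflight.sh --check && afuse ... ~/.fuse
case "${1:-}" in
    --check) preflight "$HOME/.creds/U1.encfs.sh" ;;
esac
```

The mode test deliberately rejects any group or other bit, not just read bits: an executable helper that is group-readable leaks the passphrase just as badly as a world-readable one, and the parent directory is checked as well because a traversable ~/.creds is the first thing a local attacker would look at.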
The best way to recover is by using the ecryptfs-recover-private utility from a LiveISO.
I say that because this will ensure that your recovery happens in a safe, repeatable, read-only environment.
That said, you certainly can run ecryptfs-recover-private on a running system. But I'd strongly recommend that you log out all instances of the user you're trying to recover, and then log in as root or some other user.
Best Answer
NB: This answer is correct, but another - newer and faster - way exists requiring only a single step with ecryptfs-recover-private. Make sure to check all answers below.
To get access to the data on your stick and to copy files onto it you need to mount the eCryptfs. This involves several steps:
First you should insert your stick. If Ubuntu doesn't mount it automatically (it usually does), you should mount it.
Now you should find a directory called .Private. If you did a default installation, this directory should sit in /media/DISK/home/.ecryptfs/USERNAME/.Private. In this example DISK is the directory where your stick is mounted and USERNAME is the name of the user you entered at installation. If you can't find it yourself, open a terminal and enter
I assume in the following steps that the directory is in /media/DISK/home/.ecryptfs/USERNAME/.Private.
You need the mount password. This is different from your login password. Enter the following command into a terminal:
You have to enter the login password from the installation of your USB-Ubuntu (not your usual password). The command outputs a passphrase. Write this down or copy it into a file.
The password enables you to unlock the directory. You need to do it in two steps:
The first command adds your passphrase to the kernel keyring and the second tries to mount your .Private to the directory /media/myUSB. If the latter doesn't exist, you have to create it first:
The mount command will ask again for the login password. Next it will ask for a bunch of stuff:
- aes and 16
- n for plaintext passthrough
- y for filename encryption
- the value from the ecryptfs-add-passphrase --fnek command you just typed: there are two lines starting with Inserted auth tok …; insert the value in square brackets of the second output (123456789abcdef0)
Now you can access the files in /media/myUSB and can copy from and to the directory or subdirectories.
A large part of my description is from "Live CD method of opening a encrypted home directory".