As already stated ecryptfs is not a solution for my problem as my home folder is already encrypted by ecryptfs. Moving the "Ubuntu One" folder out of the home tree isn't a solution either as then the rest of the "Ubuntu One" content isn't encrypted anymore.
I've decided to use EncFS instead. Setting up an encrypted folder is pretty simple. But how to get it mounted automatically so applications can use it to store config files? There are some solutions:
- pam_mount
- gnome-encfs
- autofs
- afuse
I don't like idea 1 because I don't want to use the same password for EncFS as my login password.
Solution 2 I don't like on one hand because there's no apt package available for Ubuntu and on the other hand I don't want to have the EncFS folder only mounted just after logging in. If something fails or the folder gets unmounted, every subsequent access will fail.
Solution 3 just doesn't work. I've been using autofs for quite some time to mount CIFS shares and folders through sshfs, but EncFS is just not supported. I've played around with several scripts to mount EncFS by autofs, but that became too complex and error-prone.
So what I'm currently using is solution 4. Afuse is available as an apt package. Afuse automatically mounts the EncFS folder as soon as the folder is accessed and unmounts it again after some idle time.
Here are the quick steps on how to set everything up (maybe I'll add some details in future):
- install afuse
- create the "Ubuntu One" folder to store the encrypted content, for example ~/Ubuntu\ One/.encrypted
- create a folder as a top folder for afuse to mount folders within, for example ~/.fuse
- create some helper scripts
- create an autostart entry in Gnome to launch afuse
The unencrypted EncFS folder gets mounted underneath ~/.fuse. In my case the folder with the unencrypted content is named U1Enc, therefore all data stays in ~/.fuse/U1Enc. For my convenience I created a link from ~/U1Enc to ~/.fuse/U1Enc to get there more easily.
The ideas and helper scripts I found on several web sites. Here come the links:
Automounting FUSE filesystems
autofs: encfs over sshfs
I use the following scripts:
~/.afuse-fstab
U1Enc encfs --ondemand --idle=5 --extpass="/home/xxx/.creds/U1.encfs.sh" /home/xxx/Ubuntu\ One/.encrypted %m
~/.creds/U1.encfs.sh (marked as executable and only accessible by the user themself)
#!/bin/sh
echo PASSWORD_FOR_ENCFS_IN_CLEARTEXT
~/bin/afuse-handler.pl (marked as executable and with ~/bin in $PATH)
#!/usr/bin/perl -w
use strict;

# afuse calls this script as: afuse-handler.pl %r %m
#   %r = name of the directory accessed below ~/.fuse (e.g. U1Enc)
#   %m = mount point afuse created for it
my $fstab = "$ENV{HOME}/.afuse-fstab";
my $afusedir = $ARGV[0];
my $afuse_mountpoint = $ARGV[1];
die "usage: $0 <name> <mountpoint>\n" unless defined $afuse_mountpoint;
print "afusedir:$afusedir\n";
print "afuse_mountpoint:$afuse_mountpoint\n";
system("logger -t afuse 1:$afusedir 2:$afuse_mountpoint");

open(FSTAB, '<', $fstab) or die("Can not open afuse-fstab at $fstab\n");
while (<FSTAB>) {
    # line format: <name> <mount command with %r and %m placeholders>
    # \Q..\E keeps regex metacharacters in the name literal; the trailing \s
    # makes the whole first field match instead of just a prefix
    next unless /^\Q$afusedir\E\s/;
    s/[^\s\/]+[\s]*//;            # drop the name field
    s/%r/$afusedir/g;
    s/%m/$afuse_mountpoint/g;
    chomp;
    my $cmd = $_;
    print "$cmd\n";
    system($cmd) == 0
        or die "execution of FUSE filesystem failed!\n"
             . "command:$cmd\n"
             . "reason:$?\n";
}
close(FSTAB);
and finally ~/bin/afuse.start.sh (marked again as executable) which I registered with Gnome/System/Settings to start afuse after log in
#!/bin/sh
afuse -o mount_template="/home/xxx/bin/afuse-handler.pl %r %m" -o unmount_template="fusermount -u -z %m" ~/.fuse
The last script launches afuse, which starts the afuse-handler to mount the EncFS folder underneath ~/.fuse as soon as it gets accessed. The afuse-handler itself checks the .afuse-fstab for how to mount the folder. The EncFS password is echoed out by U1.encfs.sh so no user intervention is needed (as this file is stored in my home folder it gets encrypted by ecryptfs, so I don't see a big security issue there).
Take care with different EncFS versions. On Natty currently EncFS version 1.7.4 gets installed. That doesn't play well with an older 1.6 version on Maverick. I had to update EncFS on Maverick to 1.7.4 as well (I did this by pinning in apt/preferences).
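The setup above only stays safe as long as two assumptions hold: the --extpass helper that prints the EncFS passphrase is readable by nobody but the user, and the home directory it lives in is actually an ecryptfs mount. The following preflight script is an added example, not part of the answer above or of the afuse or EncFS projects; it parses an .afuse-fstab line in the format shown above (exact match on the name rather than the prefix match the Perl handler uses), pulls the --extpass path out of the mount command, and checks both conditions before afuse is launched. Names such as afuse_preflight and the constructed mounts file used in the checks are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for the
# afuse + EncFS setup. Assumes .afuse-fstab has one "<name> <command>" line
# per mount, as shown in the answer.

# Print the mount command for NAME from FSTAB with %r/%m substituted.
# The first field must match exactly, so "U1Enc" does not pick up "U1EncOld".
afuse_fstab_cmd() {
    name=$1; mountpoint=$2; fstab=$3
    awk -v n="$name" -v m="$mountpoint" '
        $1 == n { sub(/^[^ \t]+[ \t]*/, "");   # drop the name field
                  gsub(/%r/, n); gsub(/%m/, m); print; exit }' "$fstab"
}

# Extract the path inside --extpass="..." from a mount command, if present.
extpass_path() {
    printf '%s\n' "$1" | sed -n 's/.*--extpass="\([^"]*\)".*/\1/p'
}

# Return 0 if FILE is owned by the calling user and has no group/other bits
# (mode 0700 or 0600); the helper prints the passphrase in cleartext.
is_private_file() {
    f=$1
    [ -f "$f" ] || return 1
    set -- $(stat -c '%a %u' "$f")      # octal mode, owner uid (GNU stat)
    [ "$2" = "$(id -u)" ] || return 1
    case "$1" in
        *00) return 0 ;;                 # group and other digits both zero
        *)   return 1 ;;
    esac
}

# Return 0 if DIR is mounted as ecryptfs according to MOUNTS (default
# /proc/mounts, format: device mountpoint fstype options dump pass).
is_ecryptfs_mount() {
    dir=$1; mounts=${2:-/proc/mounts}
    awk -v d="$dir" '$2 == d && $3 == "ecryptfs" { f=1 } END { exit !f }' "$mounts"
}

# Run all checks for one .afuse-fstab entry. Prints each finding and
# returns 0 only if the entry is safe to use.
#   afuse_preflight NAME FSTAB [MOUNTS] [HOME]
afuse_preflight() {
    name=$1; fstab=$2; mounts=${3:-/proc/mounts}; home=${4:-$HOME}
    cmd=$(afuse_fstab_cmd "$name" "$home/.fuse/$name" "$fstab")
    if [ -z "$cmd" ]; then
        echo "no entry for $name in $fstab"
        return 1
    fi
    helper=$(extpass_path "$cmd")
    [ -n "$helper" ] || return 0         # no cleartext helper, nothing to check
    rc=0
    if ! is_private_file "$helper"; then
        echo "extpass helper $helper is not private (expect mode 0700, owned by you)"
        rc=1
    fi
    if ! is_ecryptfs_mount "$home" "$mounts"; then
        echo "$home is not an ecryptfs mount; $helper holds the EncFS passphrase in cleartext"
        rc=1
    fi
    return $rc
}
```

Run it from afuse.start.sh before the afuse line (for example `afuse_preflight U1Enc ~/.afuse-fstab || exit 1`) so a home that failed to unlock, or a helper whose permissions were widened by a careless chmod, stops the automount instead of silently exposing the passphrase.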
Running ecryptfs-setup-swap makes permanent changes to /etc/fstab and /etc/crypttab that ensure your swap space is encrypted at every boot. A random key is generated and used to encrypt swap at each boot.
The only exception to the above occurs if you add new swap files or swap partitions after you've run ecryptfs-setup-swap, as it only operates on the swap space present at that time.
Full disclosure: I'm the author and maintainer of eCryptfs and ecryptfs-setup-swap.
Best Answer
You're only looking at the super-easy scripts like ecryptfs-setup-private and ecryptfs-mount-private; they use the more "generic" tools you seem to be looking for: mount.ecryptfs and ecryptfs-add-passphrase. See their man pages for more info. And the link Rinzwind posted has all the info you need, further down the page under Manual Setup. They're quite long, but the very very short version would be:
The "Manual Setup" way (archlinux wiki)
First choose an ALIAS as you like. Through this section, ALIAS will be secret. Create the required directories/files:
The ~/.secret directory will hold the encrypted data. The ~/secret directory is the mount point where ~/.secret will be mounted as an ecryptfs filesystem. [Now create the actual mount passphrase (the easy scripts will pick a pseudo-random 32 characters from /dev/urandom), make it a good one] Write the output signature (ecryptfs_sig) from the previous command to ~/.ecryptfs/secret.sig:
A second passphrase for filename encryption may be used. If you choose so, add it to the keyring:
If you run the command above, append its output signature (ecryptfs_fnek_sig) to ~/.ecryptfs/secret.sig:
Finally, to mount ~/.secret on ~/secret:
To unmount ~/.secret:
Or you could really get your hands dirty yourself and follow the Without ecryptfs-utils directions.
Or if you already looked at the easy scripts ecryptfs-setup-private & ecryptfs-mount-private, you might be able to copy those and edit them to point to your preferred directories, with a little bit of skill & patience. Or just store the passphrase(s) yourself somehow (securely preferably) and do like the man ecryptfs page's example (must read the man pages):
Aside about encrypted home folders and an encrypted folder inside home - nested eCryptfs folders
And, an encrypted home folder normally stores files in /home/.ecryptfs/user/, while an encrypted Private folder has files inside your own home folder. You can not use both at the same time, eCryptfs will not do nested encrypted folders. But having an encrypted home, and encrypted folders outside of your home is ok.
I just tried creating a new user with an encrypted home
sudo adduser --encrypt-home jack
It created a /home/.ecryptfs/ folder, with:
/home/.ecryptfs/jack/.ecryptfs/ - wrapped passphrase & config files to automount jack's home on login
/home/.ecryptfs/jack/.Private/ - actual encrypted home files, mounted to /home/jack/ when logged in.
And also the /home/jack/ folder, but it contained a link that stays there whether logged in or not:
/home/jack/.ecryptfs/ -> /home/.ecryptfs/jack/.ecryptfs
Next I logged in as jack, but the link was still there, so trying to run ecryptfs-setup-private caused it to look in /home/jack/.ecryptfs/ but really see the existing files in /home/.ecryptfs/jack/.ecryptfs, so it failed to create another password file & failed with
ERROR: wrapped-passphrase file already exists, use --force to overwrite.
Trying the "ALIAS" steps above, using a .secret folder inside the encrypted home failed, with these errors:
Mount on filesystem of type eCryptfs explicitly disallowed due to known incompatibilities
Reading sb failed; rc = [-22]
"Nesting encrypted directories inside of encrypted directories is not supported with eCryptfs. Sorry." - eCryptfs author & maintainer
Changing the ALIAS folder outside of jack's home, trying /tmp/.secret/ & /tmp/secret/ works. BUT if jack logs out the new encrypted folder will stay mounted, so you have to unmount it (umount.ecryptfs_private secret).
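The manual ALIAS procedure and the two pitfalls in the answer above (nesting inside an encrypted home, and a mount that outlives the login session) can be wrapped in a few shell helpers. The following is an added example written here, not code from the answer, the Arch wiki or the eCryptfs project. It assumes the signature line printed by ecryptfs-add-passphrase has the form "Inserted auth tok with sig [16 hex digits] into the user session keyring", that ~/.ecryptfs/ALIAS.sig holds the mount signature on line 1 and the optional filename-encryption signature on line 2 (the layout ecryptfs-mount-private reads), and that the mount options mirror what ecryptfs-mount-private passes (ecryptfs_cipher=aes, ecryptfs_key_bytes=16, ecryptfs_unlink_sigs); the function names and the constructed /proc/mounts content are this example's own.

```shell
#!/bin/sh
# Added example, not from the answer above or from eCryptfs: helpers for the
# manual ALIAS setup. Signature-line format, sig-file layout and the option
# list are assumptions stated in the lead-in.

# Pull the 16-hex-digit signature out of ecryptfs-add-passphrase output.
# This is the value to write (or append) to ~/.ecryptfs/ALIAS.sig.
sig_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*sig \[\([0-9a-f]\{16\}\)\].*/\1/p' | head -n 1
}

# Build the mount option string from a sig file: line 1 is the mount sig,
# line 2 (optional) the filename-encryption sig. Without line 2 file
# contents are encrypted but file names are stored in clear.
ecryptfs_mount_opts() {
    sigfile=$1
    sig=$(sed -n '1p' "$sigfile")
    fnek=$(sed -n '2p' "$sigfile")
    [ -n "$sig" ] || return 1
    opts="ecryptfs_sig=$sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs"
    if [ -n "$fnek" ]; then
        opts="$opts,ecryptfs_fnek_sig=$fnek"
    fi
    printf '%s\n' "$opts"
}

# Return 0 if DIR is on or below an ecryptfs mount listed in MOUNTS
# (default /proc/mounts). eCryptfs refuses to stack on itself, which is the
# "Mount on filesystem of type eCryptfs explicitly disallowed" error above.
is_under_ecryptfs() {
    dir=$1; mounts=${2:-/proc/mounts}
    awk -v d="$dir" '$3 == "ecryptfs" && (d == $2 || index(d, $2 "/") == 1) { f=1 }
                     END { exit !f }' "$mounts"
}

# Print (do not run) the mount command for LOWER -> UPPER, refusing a nested
# layout up front instead of letting the kernel reject it. -i skips the
# mount.ecryptfs helper, as the keys are already in the session keyring.
ecryptfs_mount_cmd() {
    lower=$1; upper=$2; sigfile=$3; mounts=${4:-/proc/mounts}
    if is_under_ecryptfs "$lower" "$mounts"; then
        echo "refusing: $lower is inside an ecryptfs mount (nesting is unsupported)" >&2
        return 1
    fi
    opts=$(ecryptfs_mount_opts "$sigfile") || return 1
    printf 'mount -i -t ecryptfs -o %s %s %s\n' "$opts" "$lower" "$upper"
}

# List ecryptfs mount points below DIR, for a logout hook: a Private folder
# mounted outside the home stays mounted after the session ends.
ecryptfs_mounts_under() {
    dir=$1; mounts=${2:-/proc/mounts}
    awk -v d="$dir" '$3 == "ecryptfs" && index($2, d "/") == 1 { print $2 }' "$mounts"
}
```

A logout script can loop over `ecryptfs_mounts_under /tmp` (or wherever the ALIAS lives) and call umount.ecryptfs_private for each entry, which closes the window in which the decrypted view remains reachable after the user has left.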