Ecryptfs » Historique » Version 2
Version 1 (Mehdi Abaakouk, 02/06/2013 21:12) → Version 2/7 (Mehdi Abaakouk, 02/06/2013 21:13)
{{>toc}}
h1. Ecryptfs
h2. La méthod root
* Permet de choisir le répertoire crypté
* Utilise une passephrase
* Ne dépends pas de logiciel exterieur
h3. Configuration
Création des répertoires
<pre>
# mkdir -m 500 -p mysecretdir
# mkdir -m 700 -p .mysecretdir
</pre>
Initialisation du répertoire crypté:
<pre>
# sudo mount -t ecryptfs -o no_sig_cache .mysecretdir mysecretdir
Passphrase: *your_passphrase*
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: *<enter>*
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]: *<enter>*
Enable plaintext passthrough (y/n) [n]: *<enter>*
Enable filename encryption (y/n) [n] : *y*
Filename Encryption Key (FNEK) Signature [XXXXXXXXXXXXXXXXXXX]: *<enter>*
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=XXXXXXXXXXXXXX
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=XXXXXXXXXXXXXX
Mounted eCryptfs
</pre>
On peux memoriser les options choisi dans son /etc/fstab comme ceci pour quelle ne soit pas redemandé à chaque montage:
<pre>
/home/sileht/.mysecretdir /home/sileht/mysecretdir ecryptfs noauto,ecryptfs_enable_filename_crypto=y,ecryptfs_unlink_sigs,ecryptfs_fnek_sig=XXXXXXXXXXXXXX,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig=XXXXXXXXXXXXXX,ecryptfs_passthrough=no,no_sig_cache 0 0
</pre>
h3. Utilisation:
si il n'est pas monté:
<pre>
# sudo mount mysecretdir
</pre>
Puis,
<pre>
# echo "TEST" > mysecretdir/test
# sudo umount mysecretdir
# find .mysecretdir
.mysecretdir
.mysecretdir/ECRYPTFS_FNEK_ENCRYPTED.FWZSxtNBzRhUc-T0igL-f2xajxDl2TU2MN3yqm0Itm4EZOA0-Ks4Ul599k--
# sudo mount mysecretdir
Passphrase:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=5ef7964dfddb60a0
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=5ef7964dfddb60a0
Mounted eCryptfs
# cat mysecretdir/test
TEST
</pre>
h2. La méthode userland
* Le répertoire crypté est forcément Private et .Private
* Ce mountage est automatiquement monté/démonté à l'ouverture/fermeture de session (optionnel)
* Utilise le mot de passe de login et le trousseau de clé de la session utilisateur
h3. Configuration
<pre>
# ecryptfs-setup-private [--noautomount]
Enter your login passphrase [sileht]: *<login password>*
Enter your mount passphrase [leave blank to generate one]: *<enter>*
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
Done configuring.
Testing mount/write/umount/read...
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring
Inserted auth tok with sig [adb24429adf745ac] into the user session keyring
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring
Inserted auth tok with sig [adb24429adf745ac] into the user session keyring
Testing succeeded.
Logout, and log back in to begin using your encrypted directory.
</pre>
Et c'est tout!
h3. Utilisation
<pre>
# ecryptfs-mount-private
Enter your login passphrase: *<login password>*
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring
# echo TEST > Private/test
# ecryptfs-umount-private
# find .Private
.Private
.Private/ECRYPTFS_FNEK_ENCRYPTED.FWahgYEdfTR3f-RdHuZMGUBU4uG4WV898FA9hmsdE.MuvMqujcoOMMUII---
# ecryptfs-mount-private
Enter your login passphrase: *<login password>*
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring
# cat Private/test
TEST
</pre>
h1. Ecryptfs
h2. La méthod root
* Permet de choisir le répertoire crypté
* Utilise une passephrase
* Ne dépends pas de logiciel exterieur
h3. Configuration
Création des répertoires
<pre>
# mkdir -m 500 -p mysecretdir
# mkdir -m 700 -p .mysecretdir
</pre>
Initialisation du répertoire crypté:
<pre>
# sudo mount -t ecryptfs -o no_sig_cache .mysecretdir mysecretdir
Passphrase: *your_passphrase*
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: *<enter>*
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]: *<enter>*
Enable plaintext passthrough (y/n) [n]: *<enter>*
Enable filename encryption (y/n) [n] : *y*
Filename Encryption Key (FNEK) Signature [XXXXXXXXXXXXXXXXXXX]: *<enter>*
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=XXXXXXXXXXXXXX
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=XXXXXXXXXXXXXX
Mounted eCryptfs
</pre>
On peux memoriser les options choisi dans son /etc/fstab comme ceci pour quelle ne soit pas redemandé à chaque montage:
<pre>
/home/sileht/.mysecretdir /home/sileht/mysecretdir ecryptfs noauto,ecryptfs_enable_filename_crypto=y,ecryptfs_unlink_sigs,ecryptfs_fnek_sig=XXXXXXXXXXXXXX,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig=XXXXXXXXXXXXXX,ecryptfs_passthrough=no,no_sig_cache 0 0
</pre>
h3. Utilisation:
si il n'est pas monté:
<pre>
# sudo mount mysecretdir
</pre>
Puis,
<pre>
# echo "TEST" > mysecretdir/test
# sudo umount mysecretdir
# find .mysecretdir
.mysecretdir
.mysecretdir/ECRYPTFS_FNEK_ENCRYPTED.FWZSxtNBzRhUc-T0igL-f2xajxDl2TU2MN3yqm0Itm4EZOA0-Ks4Ul599k--
# sudo mount mysecretdir
Passphrase:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=5ef7964dfddb60a0
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=5ef7964dfddb60a0
Mounted eCryptfs
# cat mysecretdir/test
TEST
</pre>
h2. La méthode userland
* Le répertoire crypté est forcément Private et .Private
* Ce mountage est automatiquement monté/démonté à l'ouverture/fermeture de session (optionnel)
* Utilise le mot de passe de login et le trousseau de clé de la session utilisateur
h3. Configuration
<pre>
# ecryptfs-setup-private [--noautomount]
Enter your login passphrase [sileht]: *<login password>*
Enter your mount passphrase [leave blank to generate one]: *<enter>*
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
Done configuring.
Testing mount/write/umount/read...
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring
Inserted auth tok with sig [adb24429adf745ac] into the user session keyring
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring
Inserted auth tok with sig [adb24429adf745ac] into the user session keyring
Testing succeeded.
Logout, and log back in to begin using your encrypted directory.
</pre>
Et c'est tout!
h3. Utilisation
<pre>
# ecryptfs-mount-private
Enter your login passphrase: *<login password>*
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring
# echo TEST > Private/test
# ecryptfs-umount-private
# find .Private
.Private
.Private/ECRYPTFS_FNEK_ENCRYPTED.FWahgYEdfTR3f-RdHuZMGUBU4uG4WV898FA9hmsdE.MuvMqujcoOMMUII---
# ecryptfs-mount-private
Enter your login passphrase: *<login password>*
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring
# cat Private/test
TEST
</pre>