Version 1 (Mehdi Abaakouk, 02/06/2013 21:12) → Version 2/7 (Mehdi Abaakouk, 02/06/2013 21:13)

{{>toc}}
h1. Ecryptfs

h2. The root method

* Lets you choose which directory is encrypted
* Uses a passphrase
* Does not depend on any external software

h3. Configuration

Creating the directories:

<pre>
# mkdir -m 500 -p mysecretdir
# mkdir -m 700 -p .mysecretdir
</pre>

Initialising the encrypted directory:

<pre>
# sudo mount -t ecryptfs -o no_sig_cache .mysecretdir mysecretdir

Passphrase: *your_passphrase*
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: *<enter>*
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]: *<enter>*
Enable plaintext passthrough (y/n) [n]: *<enter>*
Enable filename encryption (y/n) [n] : *y*
Filename Encryption Key (FNEK) Signature [XXXXXXXXXXXXXXXXXXX]: *<enter>*
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=XXXXXXXXXXXXXX
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=XXXXXXXXXXXXXX
Mounted eCryptfs
</pre>

The chosen options can be recorded in /etc/fstab as follows, so that they are not asked for again at every mount:

<pre>
/home/sileht/.mysecretdir /home/sileht/mysecretdir ecryptfs noauto,ecryptfs_enable_filename_crypto=y,ecryptfs_unlink_sigs,ecryptfs_fnek_sig=XXXXXXXXXXXXXX,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig=XXXXXXXXXXXXXX,ecryptfs_passthrough=no,no_sig_cache 0 0
</pre>
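As an added example (not part of the original page), a small POSIX shell check for such an fstab entry: it verifies the filesystem type, that the key signatures are 16 hex digits, that the key size fits the cipher table printed by the mount dialog above, and that plaintext passthrough is off. The sample line is constructed from the fstab entry above with its XXXX placeholders replaced by the signature shown in the mount output.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check an eCryptfs fstab entry.
# Key-size limits come from the cipher table printed by the interactive mount dialog.

fail() { echo "problem: $1" >&2; problems=$((problems + 1)); }
is_sig() {                        # eCryptfs key signatures are 16 hex digits
    [ "${#1}" -eq 16 ] || return 1
    case $1 in *[!0-9a-f]*) return 1 ;; esac
}
key_range() {                     # "min max" key bytes per cipher, from the dialog table
    case $1 in
        aes|twofish|cast6) echo 16 32 ;;  blowfish) echo 16 56 ;;
        des3_ede)          echo 24 24 ;;  cast5)    echo 5 16 ;;
        *) return 1 ;;
    esac
}

# check_ecryptfs_fstab_line "<fstab line>": messages on stderr, problem count on stdout
check_ecryptfs_fstab_line() {
    set -- $1                     # split into device, mountpoint, fstype, options
    fstype=$3 opts=$4 problems=0 cipher= key_bytes= sig= fnek_sig= fn_crypto=n passthrough=no
    [ "$fstype" = ecryptfs ] || fail "fstype is '$fstype', expected ecryptfs"
    old_ifs=$IFS; IFS=,
    for opt in $opts; do
        case $opt in
            ecryptfs_cipher=*)                 cipher=${opt#*=} ;;
            ecryptfs_key_bytes=*)              key_bytes=${opt#*=} ;;
            ecryptfs_sig=*)                    sig=${opt#*=} ;;
            ecryptfs_fnek_sig=*)               fnek_sig=${opt#*=} ;;
            ecryptfs_enable_filename_crypto=*) fn_crypto=${opt#*=} ;;
            ecryptfs_passthrough=*)            passthrough=${opt#*=} ;;
        esac
    done
    IFS=$old_ifs
    is_sig "$sig" || fail "ecryptfs_sig '$sig' is not a 16-hex-digit signature"
    [ "$fn_crypto" != y ] || is_sig "$fnek_sig" ||
        fail "filename encryption enabled but ecryptfs_fnek_sig '$fnek_sig' is invalid"
    if range=$(key_range "$cipher"); then
        set -- $range
        { [ "$key_bytes" -ge "$1" ] && [ "$key_bytes" -le "$2" ]; } 2>/dev/null ||
            fail "ecryptfs_key_bytes=$key_bytes outside $1..$2 allowed for $cipher"
    else fail "unknown or missing ecryptfs_cipher '$cipher'"
    fi
    case $passthrough in n|no) ;; *) fail "plaintext passthrough is enabled" ;; esac
    echo "$problems"; [ "$problems" -eq 0 ]
}

# Constructed sample: the page's fstab line with the placeholder sigs filled in.
SAMPLE="/home/sileht/.mysecretdir /home/sileht/mysecretdir ecryptfs noauto,ecryptfs_enable_filename_crypto=y,ecryptfs_unlink_sigs,ecryptfs_fnek_sig=5ef7964dfddb60a0,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig=5ef7964dfddb60a0,ecryptfs_passthrough=no,no_sig_cache 0 0"
check_ecryptfs_fstab_line "$SAMPLE"
```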

h3. Usage

If it is not mounted yet:

<pre>
# sudo mount mysecretdir
</pre>

Then:

<pre>
# echo "TEST" > mysecretdir/test
# sudo umount mysecretdir

# find .mysecretdir
.mysecretdir
.mysecretdir/ECRYPTFS_FNEK_ENCRYPTED.FWZSxtNBzRhUc-T0igL-f2xajxDl2TU2MN3yqm0Itm4EZOA0-Ks4Ul599k--

# sudo mount mysecretdir
Passphrase:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=5ef7964dfddb60a0
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=5ef7964dfddb60a0
Mounted eCryptfs

# cat mysecretdir/test
TEST
</pre>

h2. The userland method

* The encrypted directory is necessarily Private and .Private
* The directory is mounted/unmounted automatically at login/logout (optional)
* Uses the login password and the user session keyring

h3. Configuration

<pre>
# ecryptfs-setup-private [--noautomount]
Enter your login passphrase [sileht]: *<login password>*
Enter your mount passphrase [leave blank to generate one]: *<enter>*

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Done configuring.

Testing mount/write/umount/read...
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring
Inserted auth tok with sig [adb24429adf745ac] into the user session keyring
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring
Inserted auth tok with sig [adb24429adf745ac] into the user session keyring
Testing succeeded.

Logout, and log back in to begin using your encrypted directory.
</pre>

And that's all!

h3. Usage

<pre>
# ecryptfs-mount-private
Enter your login passphrase: *<login password>*
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring

# echo TEST > Private/test

# ecryptfs-umount-private
# find .Private
.Private
.Private/ECRYPTFS_FNEK_ENCRYPTED.FWahgYEdfTR3f-RdHuZMGUBU4uG4WV898FA9hmsdE.MuvMqujcoOMMUII---

# ecryptfs-mount-private
Enter your login passphrase: *<login password>*
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring

# cat Private/test
TEST
</pre>