Ecryptfs¶

• Contenu
• Ecryptfs
  • La méthod root
    • Configuration
    • Utilisation:
  • La méthode userland
    • Configuration
    • Utilisation

La méthod root¶

• Permet de choisir le répertoire crypté
• Utilise une passephrase
• Ne dépends pas de logiciel exterieur

Configuration¶

Création des répertoires

# mkdir -m 500 -p mysecretdir
# mkdir -m 700 -p .mysecretdir

Initialisation du répertoire crypté:

# sudo mount -t ecryptfs -o no_sig_cache .mysecretdir mysecretdir

Passphrase: *your_passphrase*
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: *<enter>*
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: *<enter>*
Enable plaintext passthrough (y/n) [n]: *<enter>*
Enable filename encryption (y/n) [n] : *y*
Filename Encryption Key (FNEK) Signature [XXXXXXXXXXXXXXXXXXX]: *<enter>*
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=XXXXXXXXXXXXXX
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=XXXXXXXXXXXXXX
Mounted eCryptfs

On peux memoriser les options choisi dans son /etc/fstab comme ceci pour quelle ne soit pas redemandé à chaque montage:

/home/sileht/.mysecretdir /home/sileht/mysecretdir ecryptfs noauto,ecryptfs_enable_filename_crypto=y,ecryptfs_unlink_sigs,ecryptfs_fnek_sig=XXXXXXXXXXXXXX,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig=XXXXXXXXXXXXXX,ecryptfs_passthrough=no,no_sig_cache 0 0

Utilisation:¶

si il n'est pas monté:

# sudo mount mysecretdir

Puis,

# echo "TEST" > mysecretdir/test
# sudo umount mysecretdir

# find .mysecretdir 
.mysecretdir
.mysecretdir/ECRYPTFS_FNEK_ENCRYPTED.FWZSxtNBzRhUc-T0igL-f2xajxDl2TU2MN3yqm0Itm4EZOA0-Ks4Ul599k--

# sudo mount mysecretdir 
Passphrase: 
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=5ef7964dfddb60a0
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=5ef7964dfddb60a0
Mounted eCryptfs

# cat mysecretdir/test 
TEST

La méthode userland¶

• Le répertoire crypté est forcément Private et .Private
• Ce mountage est automatiquement monté/démonté à l'ouverture/fermeture de session (optionnel)
• Utilise le mot de passe de login et le trousseau de clé de la session utilisateur

Configuration¶

# ecryptfs-setup-private [--noautomount]
Enter your login passphrase [sileht]: *<login password>*
Enter your mount passphrase [leave blank to generate one]: *<enter>*

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Done configuring.

Testing mount/write/umount/read...
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring
Inserted auth tok with sig [adb24429adf745ac] into the user session keyring
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring
Inserted auth tok with sig [adb24429adf745ac] into the user session keyring
Testing succeeded.

Logout, and log back in to begin using your encrypted directory.

Et c'est tout!

Utilisation¶

# ecryptfs-mount-private 
Enter your login passphrase: *<login password>*
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring

# echo TEST > Private/test

# ecryptfs-umount-private
# find .Private
.Private
.Private/ECRYPTFS_FNEK_ENCRYPTED.FWahgYEdfTR3f-RdHuZMGUBU4uG4WV898FA9hmsdE.MuvMqujcoOMMUII---

# ecryptfs-mount-private 
Enter your login passphrase: *<login password>*
Inserted auth tok with sig [00c5d51878ceb7a2] into the user session keyring

# cat Private/test
TEST