
When my laptop gets stolen, it would be nice to have my documents safely inaccessible in my custom folder (not ~/Private, but e.g. ~/.docs), where I also plan to move keyring and some configs. I don't want a whole encrypted home.

How can it be done?


  1. I have ecryptfs-utils installed
  2. I ran sudo chmod 700 ~/.docs
  3. I mounted a folder: sudo mount -t ecryptfs ~/.docs ~/.docs
  4. Moved files in there
  5. Unmounted the folder: sudo umount ~/.docs
  6. Content is encrypted

Then I have to run step 3 again (with all settings) to decrypt the files again. How can I make it work on logout/login?

Xen2050
Sebastian
  • Combined with http://askubuntu.com/a/159009/158442 – muru Dec 11 '15 at 19:12
  • I'm not sure that would be secure. If you automate the process, someone could change your password using the passwd command in grub rescue mode, and then just login to your account, which would automatically decrypt your files. – SuperSluether Dec 11 '15 at 20:34
  • @SuperSluether that's not how eCryptFS normally works, it's locked with your login passphrase and just forcing a new passphrase doesn't change the eCryptFS locked files - still need the old passphrase. But a custom login script written by someone, that could even have the passphrase in plain text or ROT13'd, that's a different story – Xen2050 Dec 11 '15 at 20:38
  • @Xen2050 Oh... Thanks for the info. I figured eCryptFS had to be more secure than that, I just wasn't sure how. – SuperSluether Dec 11 '15 at 20:39
  • @SuperSluether I dug through the man pages, some web pages, and I think even a little source code to figure out just how an encrypted home works with eCryptFS a while ago, check out the answer at http://superuser.com/questions/850793/ecryptfs-encrypted-home-explanation/850814#850814 – Xen2050 Dec 11 '15 at 21:04

1 Answer


ecryptfs-setup-private can do all those things for you, in a private folder called ~/.Private that gets mounted as ~/Private. Just use it, and we can modify its folder names below.

Or encrypting your entire home folder with ecryptfs-migrate-home would be a good idea.

They'll both do exactly what you want, auto mounting on login & unmounting on logout. Why re-invent the wheel with your own potentially unsafe (password handling can be tricky) custom scripts? And unless you're using symbolic links, if you're copying files back & forth between plain folders and encrypted folders, you'll likely be leaving behind the unencrypted deleted files, just waiting to be read with an undelete or free space search command.


A solution is to use a ~/.Private underlying directory containing encrypted data (OR a link from ~/.Private to a different folder elsewhere), but change the mountpoint folder to a different one (thanks to Sebastian):

  1. Run ecryptfs-setup-private then
  2. Move/create a new mountpoint folder

    mv ~/Private /path/to/new/folder
    
  3. Change the contents of ~/.ecryptfs/Private.mnt (the file containing the path of the private directory mountpoint) to the new mountpoint folder

    echo /path/to/new/folder > ~/.ecryptfs/Private.mnt
    

If the ~/.ecryptfs/auto-mount and ~/.ecryptfs/auto-umount files exist the folder will be automatically mounted/unmounted on login/logout.

For manual mounting/decrypting (password will be required), run ecryptfs-mount-private.

For manual unmounting, run ecryptfs-umount-private.

Xen2050
  • Well, thank you, but is there a way to use a folder other than ~/Private? – Sebastian Dec 11 '15 at 21:04
  • I tried editing the script, changing the "PRIVATE_DIR=Private" to a different name, it does not appear to work, maybe because the PAM module pam_ecryptfs.so only wants to look at folders named ".Private" (like an encrypted home). You're welcome to give it a try though, it's just a plain bash script, you can have at it with a text editor. I ran cp -v `which ecryptfs-setup-private` setup-mod.sh && sed -i -e 's/PRIVATE_DIR="Private"/PRIVATE_DIR="docs"/g' setup-mod.sh to copy & change the variable, then run the script. – Xen2050 Dec 11 '15 at 21:37
  • Actually, forgot about this other post, http://askubuntu.com/questions/574110/how-to-use-ecryptfs-with-a-random-directory , yours sounds like it might be a duplicate of it – Xen2050 Dec 11 '15 at 21:40
  • It works! The mount point ("upper directory") for the encrypted folder will be at ~/Private by default, however you can manually change this right after the setup command has finished running, by doing:

    $ mv ~/Private /path/to/new/folder
    $ echo /path/to/new/folder > ~/.ecryptfs/Private.mnt

    – Sebastian Dec 11 '15 at 21:59
  • That's good, mine's probably a different version or desktop, etc. Also have a script to mount a random eCryptFS folder, it's a modified ecryptfs-recover-private script, the bottom "*This script does work*" one, doesn't look like you need it but it might be handy in the future – Xen2050 Dec 11 '15 at 22:07
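The mountpoint relocation from the answer and from Sebastian's comment, as an added script that is not part of the answer or of ecryptfs-utils. The function name relocate_private_mnt and its two parameters (the ~/.ecryptfs config directory and the new mountpoint) are this example's own; it refuses to move the directory while the eCryptFS overlay is still mounted and refuses to overwrite an existing destination, since either mistake leaves Private.mnt pointing at a path the mount/umount helpers will not find.

```shell
#!/bin/sh
# Added example (not the answer's or ecryptfs-utils' code): move the
# ~/Private mountpoint created by ecryptfs-setup-private to a new path and
# record it in Private.mnt, with the two safety checks a careful admin wants.
# Usage: relocate_private_mnt ~/.ecryptfs /path/to/new/folder
relocate_private_mnt() {
    cfg="$1"
    new="$2"
    mnt_file="$cfg/Private.mnt"

    # Private.mnt is only written by ecryptfs-setup-private; without it there
    # is nothing to relocate.
    [ -f "$mnt_file" ] || { echo "no $mnt_file: run ecryptfs-setup-private first" >&2; return 1; }
    old=$(cat "$mnt_file")

    # Never move a live mountpoint: the overlay would stay mounted at the old
    # path while pam_ecryptfs/ecryptfs-umount-private look at the new one.
    # /proc/mounts lists "<lower> <mountpoint> ecryptfs <opts> ..." per line.
    if grep -qsF " $old ecryptfs " /proc/mounts; then
        echo "$old is currently mounted: run ecryptfs-umount-private first" >&2
        return 1
    fi

    # Do not silently merge into or clobber an existing directory.
    [ -e "$new" ] && { echo "$new already exists" >&2; return 1; }

    mv "$old" "$new" || return 1
    chmod 700 "$new"            # same owner-only mode the question set by hand
    echo "$new" > "$mnt_file"   # this is what the answer's step 3 does

    # Login/logout automation depends on these two flag files existing.
    for f in auto-mount auto-umount; do
        [ -e "$cfg/$f" ] || echo "note: $cfg/$f is missing; touch it to enable automation" >&2
    done
    return 0
}
```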