
I have an install with home encryption (ecryptfs). It works fine, but I am running out of space on that first disk. I have a second disk plugged in and formatted to ext4. Is it possible to use the same mechanism used by the encrypted home (pam+unlock-passphrase+mount) for some folders on that disk, for example Images? I want to avoid having to type a password twice. If possible I would like to avoid an encrypted file system since there will probably be multiple users.

I am looking into customizing ecryptfs-setup-private, but if there is a simpler way, thanks for pointing to it!

1 Answer

Creating a new encrypted folder and moving the files into it should work; it keeps them in an encrypted state on disk the whole time. But it's the automatic decrypt on login that may be a problem.

Creating a custom PAM module that can take the login passphrase and use it to decrypt/mount anything else (eCryptFS, EncFS, LUKS, etc.) would be a general-purpose solution...

Normally, ecryptfs-setup-private would work, but eCryptFS does not support nested encrypted folders (one eCryptFS with one key inside another eCryptFS with a different key), so having an encrypted home may cause problems. You can try a few other answers and see if one works:


Script inside your home that runs at login

Since your home's already encrypted, having a script there isn't as bad as usual; you could even keep the passphrase in plaintext in the script too (normally a terrible idea, but the home is encrypted).

First, get a script to run at login:

  1. A .desktop file in ~/.config/autostart gets run on login; having it run a bash script that mounts your encrypted folder should work. Since your home is already encrypted, you could store the other mount passphrase in the bash script, not perfect security but still encrypted on disk, if you didn't want to enter it each time. For example ~/.config/autostart/test.desktop. A very basic one like this should work:

        [Desktop Entry]
        Type=Application
        Exec=/home/user/.config/autostart/runme.sh
    

    Or to wait a few seconds before starting (ex. give the desktop time to initialize before prompting for a passphrase) and run as root, try this:

    [Desktop Entry]
    Type=Application
    Exec=sudo bash -c "sleep 5; /home/user/.config/autostart/runme.sh"
    
  2. Then, find a script to decrypt your other folder. If you're using EncFS, it would basically be one line, but eCryptFS is different. The easiest might be to (temporarily) create a new user, have that user run ecryptfs-migrate-home or ecryptfs-setup-private, and then copy the resulting encrypted folder to your new location.

The following script assumes it's a second encrypted home you want to mount:

    #!/bin/sh -e
    #
    # ecryptfs-mount-single
    # Modified by Xen2050 from:
    #
    #    ecryptfs-recover-private
    #    Copyright (C) 2010 Canonical Ltd.
    #
    #    Authors: Dustin Kirkland <kirkland@ubuntu.com>
    #
    #    This program is free software: you can redistribute it and/or modify
    #    it under the terms of the GNU General Public License as published by
    #    the Free Software Foundation, version 2 of the License.
    #
    #    This program is distributed in the hope that it will be useful,
    #    but WITHOUT ANY WARRANTY; without even the implied warranty of
    #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    #    GNU General Public License for more details.
    #
    #    You should have received a copy of the GNU General Public License
    #    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    error() {
        echo "ERROR: $@" 1>&2
        echo "Usage:  ecryptfs-mount-single [--rw] [encrypted private dir] [mountpoint]"
        echo "\tWill attempt to mount [encrypted private dir (.Private)] to [mountpoint]"
        echo "\twith standard options: ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
        echo "\n\t--rw\tmount with read-write access (optional)"
        echo "\t[mountpoint] will attempt to be created if it does not exist"
        exit 1
    }

    info() {
        echo "INFO: $@"
    }

    # We need root access to do the mount
    [ "$(id -u)" = "0" ] || error "This program must be run as root."

    # Handle parameters
    opts="ro"
    if [ "$1" = "--rw" ]; then
        opts="rw"
        shift
    fi

    # First argument: the underlying encrypted directory (e.g. .Private)
    if [ -d "$1" ]; then
        d="$1"
    else
        error "No private directory found; it must be supplied."
    fi

    # Second argument: the mountpoint, created if it does not exist yet
    [ -n "$2" ] || error "No mountpoint supplied."
    if [ ! -d "$2" ]; then
        mkdir -p "$2" || error "mountpoint $2 does not exist, can not create"
    fi
    tmpdir="$2"

    # Determine if filename encryption is on
    ls "$d/ECRYPTFS_FNEK_ENCRYPTED"* >/dev/null 2>&1 && fnek="--fnek" || fnek=

    # wrapped-passphrase and Private.sig are expected in ../.ecryptfs relative
    # to the private directory, as in a standard encrypted home
    if [ -f "$d/../.ecryptfs/wrapped-passphrase" ]; then
        info "Found your wrapped-passphrase"
        echo -n "Do you know your LOGIN passphrase? [Y/n] "
        lpw=$(head -n1)
        case "$lpw" in
            y|Y|"")
                # Use the wrapped-passphrase, if available
                info "Enter your LOGIN passphrase..."
                ecryptfs-insert-wrapped-passphrase-into-keyring "$d/../.ecryptfs/wrapped-passphrase"
                sigs=$(sed -e "s/[^0-9a-f]//g" "$d/../.ecryptfs/Private.sig")
                use_mount_passphrase=0
            ;;
            *)
                use_mount_passphrase=1
            ;;
        esac
    else
        # Fall back to mount passphrase
        info "Could not find your wrapped passphrase file."
        use_mount_passphrase=1
    fi
    if [ "$use_mount_passphrase" = "1" ]; then
        info "To recover this directory, you MUST have your original MOUNT passphrase."
        info "When you first setup your encrypted private directory, you were told to record"
        info "your MOUNT passphrase."
        info "It should be 32 characters long, consisting of [0-9] and [a-f]."
        echo
        echo -n "Enter your MOUNT passphrase: "
        stty_orig=$(stty -g)
        stty -echo
        passphrase=$(head -n1)
        stty $stty_orig
        echo
        # ecryptfs-add-passphrase prints the signature(s) of the inserted key(s)
        sigs=$(printf "%s\0" "$passphrase" | ecryptfs-add-passphrase $fnek | grep "^Inserted" | sed -e "s/^.*\[//" -e "s/\].*$//" -e "s/[^0-9a-f]//g")
    fi
    [ -n "$sigs" ] || error "No key signatures found."

    # One signature: mount key only; two: mount key and filename-encryption key
    case $(echo "$sigs" | wc -l) in
        1)
            mount_sig=$(echo "$sigs" | head -n1)
            fnek_sig=
            mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
        ;;
        2)
            mount_sig=$(echo "$sigs" | head -n1)
            fnek_sig=$(echo "$sigs" | tail -n1)
            mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_fnek_sig=$fnek_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
        ;;
        *)
            error "Expected one or two key signatures, got: [$sigs]"
        ;;
    esac

    # Both keys must be present in the user keyring before mounting
    (keyctl list @u | grep -qs "$mount_sig") || error "The key required to access this private data is not available."
    if [ -n "$fnek_sig" ]; then
        (keyctl list @u | grep -qs "$fnek_sig") || error "The key required to access this private data is not available."
    fi
    if mount -i -t ecryptfs -o "$mount_opts" "$d" "$tmpdir"; then
        info "Success!  Private data mounted at [$tmpdir]."
    else
        error "Failed to mount private data at [$tmpdir]."
    fi

Unmounting before/when logging out, and maybe removing the keys from the kernel keyring (with keyctl clear or purge; sudo keyctl clear @u clears all), are probably good ideas. I had a 2nd folder mounted inside an encrypted home and logged out; it apparently unmounted the 2nd folder (not in /proc/mounts), but it still showed up in mount.


Modified ecryptfs-setup-private

May have the most problems because of the already eCryptFS encrypted home...

Use a ~/.Private underlying directory containing encrypted data (OR a link from ~/.Private to a different folder elsewhere), but change the mountpoint folder to a different one:

  1. Run ecryptfs-setup-private then
  2. Move/create a new mountpoint folder

    mv ~/Private /path/to/new/folder
    
  3. Change the contents of ~/.ecryptfs/Private.mnt (the file containing the path of the private directory mountpoint) to the new mountpoint folder

    echo /path/to/new/folder > ~/.ecryptfs/Private.mnt
    

If the ~/.ecryptfs/auto-mount and ~/.ecryptfs/auto-umount files exist the folder will be automatically mounted/unmounted on login/logout.

For manual mounting/decrypting (password will be required), run ecryptfs-mount-private.

For manual unmounting, run ecryptfs-umount-private.

Xen2050
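An added companion script for the logout side the answer mentions (this is not Xen2050's code and not part of ecryptfs-utils): it unmounts the second directory and unlinks only the keys whose descriptions match the signatures in its Private.sig, instead of clearing the whole keyring with keyctl clear @u. It assumes the usual `keyctl list` line format (` <id>: <perms> <uid> <gid> user: <sig>`) and, like the mount script, is run as root.

```shell
#!/bin/sh
# ecryptfs-umount-single: added example, not the answer's script nor part of
# ecryptfs-utils. Drops only the keys belonging to one mounted directory.

# Print the key ids in a `keyctl list` listing whose description equals one
# of the given signatures. $1 = listing text, $2 = whitespace-separated sigs.
matching_key_ids() {
    listing="$1"
    sigs="$2"
    printf '%s\n' "$listing" | while IFS= read -r line; do
        # Assumed line format: " <id>: <perms> <uid> <gid> user: <sig>";
        # the header line and non-"user" keys are skipped
        case "$line" in
            *" user: "*) ;;
            *) continue ;;
        esac
        id=$(printf '%s' "${line%%:*}" | tr -d ' ')
        desc=${line##* }
        for s in $sigs; do
            if [ "$desc" = "$s" ]; then
                printf '%s\n' "$id"
            fi
        done
    done
}

# Unmount $1, then unlink the keys for the signatures listed in $2 (the
# .ecryptfs/Private.sig next to the .Private directory that was mounted).
umount_single() {
    mountpoint="$1"
    sigfile="$2"
    sigs=$(sed -e 's/[^0-9a-f]//g' "$sigfile")
    umount "$mountpoint" || { echo "ERROR: could not unmount $mountpoint" 1>&2; return 1; }
    for id in $(matching_key_ids "$(keyctl list @u)" "$sigs"); do
        keyctl unlink "$id" @u
    done
}

# Constructed sample of `keyctl list @u` output, for a stand-alone check.
SAMPLE_LISTING='3 keys in keyring:
 123456: --alswrv  1000  1000 user: 0123456789abcdef
 234567: --alswrv  1000  1000 user: fedcba9876543210
 345678: --alswrv  1000  1000 logon: unrelated'

# Real use: ecryptfs-umount-single --run /path/to/mountpoint /path/to/.ecryptfs/Private.sig
if [ "${1:-}" = "--run" ]; then
    umount_single "$2" "$3"
fi
```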