<!DOCTYPE html>
<!--
(The MIT License)
Copyright (c) 2016 Kura
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the 'Software'), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
-->
<html lang="en">
<head id="head">
<meta charset="utf-8">
<meta name="viewport"
content="width=device-width, initial-scale=1.0, minimum-scale=1.0">
<link rel="alternate" href="https://nekopy.github.io" hreflang="en" />
<link rel="dns-prefetch" href="https://nekopy.github.io">
<link rel="dns-prefetch" href="//code.getmdl.io">
<link rel="shortcut icon" href="https://nekopy.github.io/favicon.ico">
<title>Directory Encryption with eCryptfs</title>
</head>
<body>
<div class="eevee-layout mdl-layout mdl-js-layout mdl-color--grey-50">
<header class="eevee-header mdl-color--grey-50 mdl-color-text--grey-800"
itemscope itemtype="http://schema.org/WPHeader">
<div class="mdl-layout__header-row" id="top">
<div aria-expanded="false" role="button" tabindex="0"
class="mdl-layout__drawer-button mdl-color-text--accent eevee-mobile-button mdl-layout--small-screen-only">
<i class="material-icons"></i>
</div>
<span class="eevee-logo mdl-color-text--accent mdl-layout-title">
<h2>
<a href="https://nekopy.github.io" rel="bookmark"
title="stderr">
stderr
</a>
</h2>
</span>
<div class="mdl-layout-spacer" role="presentation"></div>
<nav class="eevee-nav mdl-navigation mdl-layout--large-screen-only"
itemscope itemtype="http://schema.org/SiteNavigationElement"
aria-label="Header navigation">
<a class="mdl-color-text--accent mdl-navigation__link"
href="https://github.com/nekopy" itemprop="url" rel="bookmark">
Profile
</a>
</nav>
</div>
</header>
<div class="eevee-mobile-header mdl-layout__drawer mdl-color--white"
aria-hidden="true">
<span class="mdl-layout-title">
<h2 class="eevee-mobile-logo mdl-color-text--accent">
stderr
</h2>
</span>
<div class="mdl-navigation mdl-color--white">
<nav class="eevee-nav mdl-navigation" itemscope
itemtype="http://schema.org/SiteNavigationElement"
aria-label="Header navigation">
<a class="mdl-color-text--accent mdl-navigation__link"
href="https://nekopy.github.io" itemprop="url" rel="bookmark">
Home
</a>
<a class="mdl-color-text--accent mdl-navigation__link"
href="https://github.com/nekopy" itemprop="url" rel="bookmark">
Profile
</a>
</nav>
</div>
</div>
<div class="eevee-ribbon mdl-color--primary-dark" role="presentation">
</div>
<main class="eevee-main mdl-layout__content">
<div class="eevee-container mdl-grid">
<div role="presentation"
class="mdl-cell mdl-cell--2-col mdl-cell--hide-tablet mdl-cell--hide-phone">
</div>
<div class="eevee-content mdl-color--white mdl-shadow--4dp mdl-color-text--grey-800 mdl-cell mdl-cell--8-col"
aria-label="Main content">
<article itemscope itemtype="http://schema.org/BlogPosting">
<meta itemprop="accessibilityControl" content="fullKeyboardControl">
<meta itemprop="accessibilityControl" content="fullMouseControl">
<meta itemprop="accessibilityControl" content="bookmarks">
<meta itemprop="accessibilityControl" content="captions">
<meta itemprop="accessibilityControl" content="alternativeText">
<meta itemprop="accessibilityControl" content="index">
<meta itemprop="accessibilityControl" content="readingOrder">
<meta itemprop="accessibilityControl" content="structuralNavigation">
<meta itemprop="accessibilityControl" content="tableOfContents">
<meta itemprop="accessibilityHazard" content="noFlashingHazard">
<meta itemprop="accessibilityHazard" content="noMotionSimulationHazard">
<meta itemprop="accessibilityHazard" content="noSoundHazard">
<meta itemprop="accessibilityAPI" content="ARIA">
<div itemprop="author" itemscope
itemtype="https://schema.org/Person" role="presentation">
<a href="https://nekopy.github.io/author/nekopy.html" class="hidden"
itemprop="url" role="presentation">
<span class="hidden" itemprop="name" role="presentation">
neko.py
</span>
</a>
</div>
<meta itemprop="keywords"
content="ecryptfs,shred,linux,encryption,security,privacy">
<meta itemprop="keywords" content="linux">
<div class="eevee-meta eevee-share">
<div class="mdl-layout-spacer"></div>
<div>
<!-- NOTE(review): every share link below has no text content and its only icon is aria-hidden,
     so the anchors have no accessible name (title is not reliably announced); add visible or
     visually-hidden text such as "Share on Twitter" inside each anchor. -->
<!-- NOTE(review): the inline onclick handlers make a strict CSP impossible; move them to a
     script that uses addEventListener. window.open() here is called without 'noopener' in its
     feature string, so the popup keeps a window.opener reference back to this page. -->
<ul class="social-share mdl-navigation">
<li class="social-share__link social-share__link--twitter">
<a href="https://twitter.com/intent/tweet?text=Directory%20Encryption%20with%20eCryptfs&url=https%3A//nekopy.github.io/ecryptfs.html"
title="Share 'Directory Encryption with eCryptfs' on Twitter"
onclick="window.open(this.href, 'twitter-share', 'width=550,height=235'); return false;">
<i class="fa fa-twitter" aria-hidden="true"></i>
</a>
</li>
<li class="social-share__link social-share__link--facebook">
<a href="https://www.facebook.com/sharer/sharer.php?u=https%3A//nekopy.github.io/ecryptfs.html"
title="Share 'Directory Encryption with eCryptfs' on Facebook"
onclick="window.open(this.href, 'facebook-share', 'width=580,height=296'); return false;">
<i class="fa fa-facebook" aria-hidden="true"></i>
</a>
</li>
<li class="social-share__link social-share__link--google-plus">
<a href="https://plus.google.com/share?url=https%3A//nekopy.github.io/ecryptfs.html"
title="Share 'Directory Encryption with eCryptfs' on Google+"
onclick="window.open(this.href, 'google-plus-share', 'width=490,height=530');return false;">
<i class="fa fa-google" aria-hidden="true"></i>
</a>
</li>
<li class="social-share__link social-share__link--email">
<!-- NOTE(review): the mailto: href ends with the literal text "' via email" after the body
     parameter; this looks like template text that leaked into the URL and should be checked
     against the theme template. This anchor also has no title, unlike the three above. -->
<a href="mailto:?subject=Directory%20Encryption%20with%20eCryptfs&body=Directory%20Encryption%20with%20eCryptfs%20-%20https%3A//nekopy.github.io/ecryptfs.html%0A%0AEncrypting%20folders%20on%20Fedora%20easily%20using%20eCryptfs' via email">
<i class="material-icons" aria-hidden="true"></i>
</a>
</li>
</ul>
</div>
</div>
<div class="eevee-article">
<div class="eevee-meta mdl-color-text--grey-500">
<time datetime="2017-03-10T21:24:05-08:00"
itemprop="datePublished">
Fri 10 March 2017
</time>
</div>
<h1 itemprop="name">
<a href="https://nekopy.github.io/ecryptfs.html" rel="bookmark"
title="Permalink to 'Directory Encryption with eCryptfs'"
itemprop="url">
Directory Encryption with eCryptfs
</a>
</h1>
<section itemprop="articleBody" class="article-content">
<p>A couple nights ago I decided to finally get some encryption up and running with eCryptfs.</p>
<!-- NOTE(review): the mascot image is loaded over plain http:// while the page's own permalink is https://,
     so this is mixed content that browsers may block or silently upgrade; confirm an https URL for it.
     width/height are also missing, so the layout shifts when it loads. -->
<p><img alt="eCryptfs Honey Badger Mascot" src="http://ecryptfs.org/img/big-honey-badger.png"></p>
<p>I have a buddy who's using GPG to do their encryption, however this wasn't really the right choice for me. The primary issue was that the GPG tools I was looking at tend to just deal with a single file. The recommended way of using GPG on folders is to tar them up and encrypt them. To me this approach is really annoying. I don't want to untar some files whenever I want to use them. So after some further digging I wound up coming across the recommendation of using eCryptfs. </p>
<p>eCryptfs is, as the name suggests, actually an encrypted filesystem and abstraction layer. The way it works is by introducing a kernel module which handles mounting the encrypted files on disk, and decrypts/encrypts file I/O on the fly. This way, you never actually have files decrypted on disk. Judging from the files, you can even set it up to work on your swap space. </p>
<p>The issue I have with it right now is that it's <em>slow</em>. I'm trying to move some very large files, and it's grinding my laptop to a halt. As you might have seen in my other post, my laptop is relatively chunky. However, since this is overhead, I'm gonna give it the benefit of the doubt and finish moving the files to where I want them before I throw in the towel and try something else. But really, it hurt. I would have written this blog post on the 7th but the kernel module brought even vim to a halt. And since it's in the kernel, I can't just hop in and set a good nice value...</p>
<p>Anyway, to set it up, it's mega simple. You wanna grab ecryptfs-utils from your package repos. </p>
<p>For me, in order to use them I needed to add myself to a new group called ecryptfs.</p>
<p>Fun little trick I learned is that once you're in the group, you can get your system to honor the new group without needing to reboot by using the newgrp command.</p>
<div class="highlight"><pre><span></span>newgrp ecryptfs
</pre></div>
<p>Good stuff. Now that we're all set there, we wanna use the default eCryptfs setup. You do this like so:</p>
<div class="highlight"><pre><span></span>ecryptfs-setup-private
</pre></div>
<p>This is gonna get you all configured with some new juicy ecryptfs space in a folder called .Private in your home directory and it's going to automatically set up a mount which allows you to access the files in a folder called Private when you login. There are two passwords to set up. One is the normal login password. This should match your account password and will be used for decrypting the folder when you mount it at login time. The other is actually to be used for recovery in case your OS dies or whatever. You can recover ecryptfs stuff using ecryptfs-recover-private in case your OS gets fucked or something. </p>
<p>So my next step was obviously to move all my private goodies like accounting records into my new Private folder. And after that, I obviously wanted to protect myself a little by shredding the files that I'd copied in. But there's a problem. I use ext4, which to my understanding is a journaling filesystem. This means that writes aren't all done immediately. However, you can flush the journal buffer with the shell command sync. The shred man page says the following goodies:</p>
<blockquote>
<p>CAUTION: Note that shred relies on a very important assumption: that the file system over‐
writes data in place. This is the traditional way to do things, but many modern file sys‐
tem designs do not satisfy this assumption. The following are examples of file systems on
which shred is not effective, or is not guaranteed to be effective in all file system
modes:</p>
<ul>
<li>
<p>log-structured or journaled file systems, such as those supplied with AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.)</p>
</li>
<li>
<p>file systems that write redundant data and carry on even if some writes fail, such as RAID-based file systems</p>
</li>
<li>
<p>file systems that make snapshots, such as Network Appliance's NFS server</p>
</li>
<li>
<p>file systems that cache in temporary locations, such as NFS version 3 clients</p>
</li>
<li>
<p>compressed file systems</p>
</li>
</ul>
<p>In the case of ext3 file systems, the above disclaimer applies (and shred is thus of lim‐
ited effectiveness) only in data=journal mode, which journals file data in addition to
just metadata. In both the data=ordered (default) and data=writeback modes, shred works
as usual. Ext3 journaling modes can be changed by adding the data=something option to the
mount options for a particular file system in the /etc/fstab file, as documented in the
mount man page (man mount).</p>
</blockquote>
<p>And there's a lot of internet paranoia on the same subject. However someone out there made a good point... A journaling filesystem only holds data in its journal for a little while. We can forcibly flush that using a sync. They proposed the following commands, which flush the shred pass to disk before deleting the file. I wrapped it all up nice in a shell function.</p>
<div class="highlight"><pre><span></span>jshred<span class="o">()</span> <span class="o">{</span>
shred -v -n <span class="m">1</span> <span class="nv">$1</span>
sync
shred -v -n <span class="m">0</span> -z -u <span class="nv">$1</span>
<span class="o">}</span>
</pre></div>
<p>This is going to nuke the file with random garbage before deleting it. </p>
<p>I've got a lot of crap to move into my encrypted folder and I wanna get to playing games tonight, so I think that's enough for one night.</p>
</section>
</div>
</article>
</div>
</div>
</main>
<div class="eevee-pagination__container eevee-container mdl-grid">
<div role="presentation"
class="mdl-cell mdl-cell--2-col mdl-cell--hide-tablet mdl-cell--hide-phone">
</div>
<div class="mdl-color-text--grey-800 mdl-cell mdl-cell--8-col">
<nav class="eevee-pagination mdl-cell mdl-cell--12-col" itemscope
itemtype="http://schema.org/SiteNavigationElement"
aria-label="Pagination">
<div class="eevee-spacer"></div>
</nav> </div>
</div>
<footer class="mdl-mega-footer" itemscope
itemtype="http://schema.org/SiteNavigationElement">
<div class="mdl-mega-footer--top-section">
<div class="mdl-mega-footer--drop-down-section">
<ul class="mdl-mega-footer--link-list">
<li>
<a href="#top" itemprop="url"
title="Back to the top of the page">
Back to the top of the page
</a>
</li>
</ul>
</div>
</div>
<div class="mdl-mega-footer--middle-section" itemscope
itemtype="http://schema.org/SiteNavigationElement"
aria-label="Footer navigation">
<div class="mdl-mega-footer--drop-down-section">
<h1 class="mdl-mega-footer--heading">Menu</h1>
<ul class="mdl-mega-footer--link-list">
<li>
<a href="https://github.com/nekopy" itemprop="url" rel="bookmark">
Profile
</a>
</li>
</ul>
</div>
<div class="mdl-mega-footer--drop-down-section">
<h1 class="mdl-mega-footer--heading">Categories</h1>
<ul class="mdl-mega-footer--link-list">
<li>
<a href="https://nekopy.github.io/category/linux.html" itemprop="url"
rel="bookmark">
linux
</a>
</li>
<li>
<a href="https://nekopy.github.io/category/misc.html" itemprop="url"
rel="bookmark">
misc
</a>
</li>
<li>
<a href="https://nekopy.github.io/category/web-analysis.html" itemprop="url"
rel="bookmark">
Web Analysis
</a>
</li>
</ul>
</div>
<div class="mdl-mega-footer--drop-down-section">
<h1 class="mdl-mega-footer--heading">Social</h1>
<ul class="mdl-mega-footer--link-list">
<li>
<a href="https://discord.gg/Baka" itemprop="url" rel="bookmark">
Bakabot Discord
</a>
</li>
</ul>
</div>
<div class="mdl-mega-footer--drop-down-section">
<h1 class="mdl-mega-footer--heading">Links</h1>
<ul class="mdl-mega-footer--link-list">
<li>
<a href="http://getpelican.com/" itemprop="url" rel="bookmark">
Pelican
</a>
</li>
<li>
<a href="https://www.eff.org/" itemprop="url" rel="bookmark">
EFF
</a>
</li>
<li>
<a href="https://fsf.org/" itemprop="url" rel="bookmark">
The Free Software Foundation
</a>
</li>
<li>
<a href="https://creativecommons.org/" itemprop="url" rel="bookmark">
Creative Commons
</a>
</li>
</ul>
</div>
</div> <div class="mdl-mega-footer--bottom-section">
<div class="mdl-logo">
<a href="https://nekopy.github.io" rel="bookmark" itemprop="url"
title="stderr">
stderr
</a>
</div>
<ul class="eevee-footer mdl-mega-footer--link-list">
<li>Powered by love & rainbow sparkles.</li>
<li><a href="https://kura.io/eevee/" title="Eevee">Eevee</a> theme by <a href="https://kura.io/" title="kura.io">kura.io</a></li>
<li>
<!-- NOTE(review): third-party iframe with no title attribute (required for an accessible name) and no
     sandbox or referrerpolicy; the embed runs with this page's full iframe privileges. Check which
     permissions the embed actually needs before adding sandbox tokens. frameborder and scrolling are
     obsolete presentational attributes; style the frame from CSS instead. -->
<iframe src="https://keroserene.net/snowflake/embed.html" width="88" height="16" frameborder="0" scrolling="no"></iframe>
</li>
</ul>
</div>
</footer>
</div>
<!-- NOTE(review): stylesheets are linked at the end of <body> rather than in <head>, so the page renders
     unstyled until they arrive. The first one is a third-party CDN asset loaded over a protocol-relative
     URL with no integrity/crossorigin attributes, so whatever the CDN serves is applied unchecked;
     use an explicit https:// URL and pin it with an SRI hash. type="text/css" on the others is
     redundant (it is the default for rel="stylesheet"). -->
<link rel="stylesheet"
href="//code.getmdl.io/1.1.3/material.blue_grey-indigo.min.css">
<link rel="stylesheet" type="text/css"
href="https://nekopy.github.io/theme/css/font-awesome.css">
<link rel="stylesheet" type="text/css"
href="https://nekopy.github.io/theme/css/material-icons.css">
<link rel="stylesheet" type="text/css"
href="https://nekopy.github.io/theme/css/pygments.css">
<link rel="stylesheet" type="text/css"
href="https://nekopy.github.io/theme/css/eevee.css">
<link rel="stylesheet" type="text/css"
href="https://nekopy.github.io/theme/css/custom.css">
<!-- Same-origin theme script, loaded async; no SRI needed for first-party assets. -->
<script async src="https://nekopy.github.io/theme/js/material.js">
</script>
</body>
</html>