Thursday, December 26, 2024
Google search engine
HomeSecurity & TestingEncrypt Files and Directories on Linux using eCryptFS

Encrypt Files and Directories on Linux using eCryptFS

.tdi_3.td-a-rec{text-align:center}.tdi_3 .td-element-style{z-index:-1}.tdi_3.td-a-rec-img{text-align:left}.tdi_3.td-a-rec-img img{margin:0 auto 0 0}@media(max-width:767px){.tdi_3.td-a-rec-img{text-align:center}}

This guide demonstrates how to encrypt files and directories on Linux using eCryptFS. But before we commence on it, we need to understand a few concepts.

What is eCryptFS?

With the increased importance of privacy and security nowadays, encryption plays an important role in ensuring the protection of confidential data. The following mechanisms are used in encryption:

  • Full disk encryption- here, the entire disk or partition in which the filesystem is stored becomes encrypted. Tools used include Loop-AES, DMCrypt, CipherShed e.t.c
  • File system-level encryption- such as EncFS and eCryptFS mounted on any directory at the top of the main file system

eCryptFS derived from Erez Zadok’s Cryptfs, and the FiST framework for stacked filesystems is a POSIX-compliant enterprise cryptographic file system for Linux. With ecryptFS, we can easily create an encrypted directory and store confidential data.

.tdi_2.td-a-rec{text-align:center}.tdi_2 .td-element-style{z-index:-1}.tdi_2.td-a-rec-img{text-align:left}.tdi_2.td-a-rec-img img{margin:0 auto 0 0}@media(max-width:767px){.tdi_2.td-a-rec-img{text-align:center}}

It was originally authored by Michael Halcrow and the IBM Linux Technology Center and is currently maintained by Dustin Kirkland and Tyler Hicks from Canonical.

With this information, we are set to dive into the installation and use of eCryptFS.

Step 1: Install eCryptFS on Linux

eCryptFS is available in many Linux distros’ default repositories and can be installed with the below commands:

##Install eCryptFS on CentOS 8/REL 8/Rocky Linux 8/AlmaLinux
sudo yum install epel-release
sudo yum install ecryptfs-utils

## Install eCryptFS on Arch Linux
sudo pacman -S ecryptfs-utils

##Install eCryptFS on Debian/Ubuntu
sudo apt-get install ecryptfs-utils

##Install eCryptFS on openSUSE
sudo zypper --install ecryptfs-utils 

Step 2: Encrypt Directories With eCryptfs On Linux

With eCryptfs installed on your Linux system, we are set to encrypt directories. the general syntax to encrypt a directory with eCryptfs is:

mount -t ecryptfs [source directory] [Destintaion directory] -o [options]

You are required to replace the Destination directory with your own directory. Let’s take a practical example using the directory /demo on my system. The command here will be:

sudo mount -t ecryptfs demo/ demo/

You will enter the below information to encrypt your directory

Passphrase: enter your passphrase
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 1
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 1
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: n
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=213dac44e46bb873
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [213dac44e46bb873] to
[/root/.ecryptfs/sig-cache.txt] 
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

Step 3: Verify the Encryption

With these steps correctly done, your directory will be encrypted and mounted. You can verify this by issuing the command.

 mount | grep ecryptfs

Sample Output for the above command.

How To Encrypt Files and Directories on Linux using eCryptFS 15

Dive further into verification by creating a file. Let’s say a file.txt file in the encrypted folder.

sudo vi demo/file.txt

In the file add a simple text such as.

This is a demo file

Save and exit. Now we will try and read the contents of the file using the cat command.

$ cat demo/file.txt 
This is a demo file

This file is encrypted but still, you can view the content because it is mounted. On is able to view the contents as long as the file is mounted. When you unmount it, the file contents cannot be viewed.

Let’s verify it by unmounting the mounted directory. the syntax used is:

sudo umount [mounted_directory]

In our case, the command will be:

sudo umount demo

With the directory now unmounted, we will try and view the contents of the file using the similar command we used above.

cat demo/file.txt 

Sample Output.

How To Encrypt Files and Directories on Linux using eCryptFS 16

To view the file, you will now need to remount the directory and enter the same passphrase you used before while mounting it.

sudo mount -t ecryptfs demo/ demo/

Here enter the same passphrase you used:

Passphrase: enter your passphrase
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 1
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 1
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: n
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=213dac44e46bb873
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [213dac44e46bb873] to
[/root/.ecryptfs/sig-cache.txt] 
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

You can view the contents of the file again.

Step 4: Mount the Directory automatically on Boot.

Each time your system boots, you will be required to remount your directory in order to view the contents. This can be tiresome at times. to curb this situation, you can configure eCryptFS to automatically mount the directory on boot.

Now in this guide, we will use a USB stick. Plug the USB stick into your system and identify the device using:

fdisk -l

Sample Output.

How To Encrypt Files and Directories on Linux using eCryptFS 17

From this output, my USB stick is /dev/sdb3

Create a mount point at /mnt/flashdisk as below.

sudo mkdir /mnt/flashdisk

Mount the USB stick to this created mount point:

sudo mount /dev/sdb3 /mnt/flashdisk

Now copy the signature from the output of this command:

$ sudo cat /root/.ecryptfs/sig-cache.txt
213dac44e46bb873

Create a signature using the command:

sudo vi /root/.ecryptfsrc

In the file, paste the copied signature as shown

key=passphrase:passphrase_passwd_file=/mnt/flashdisk/key_file.txt
ecryptfs_sig=213dac44e46bb873
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n

Create a passphrase on the USB stick

sudo vi /mnt/flashdisk/key_file.txt

In the file, add the below content replacing mypassphrase with your own passphrase

passphrase_passwd=mypassphrase

The next step is to edit the fstab file.

sudo vi /etc/fstab

In the file add the following lines

/dev/sdb3       /mnt/flashdisk        ext3    ro      0 0
/home/thor/demo /home/thor/demo ecryptfs defaults 0 0

In the above fstab file, replace the device and document roots appropriately.

Now save this file and reboot your system. When the device powers on, the home/thor/demo should be mounted using eCryptfs.

That is it! In this guide, we have learned how to encrypt Files and Directories on Linux using eCryptFS. I have also demonstrated how to view the contents of the encrypted file. I hope this article was of value.

See more on our page:

.tdi_4.td-a-rec{text-align:center}.tdi_4 .td-element-style{z-index:-1}.tdi_4.td-a-rec-img{text-align:left}.tdi_4.td-a-rec-img img{margin:0 auto 0 0}@media(max-width:767px){.tdi_4.td-a-rec-img{text-align:center}}

RELATED ARTICLES

Most Popular

Recent Comments