Hands-on lab – encrypting other directories with eCryptfs

Encrypting other directories is a simple matter of mounting them with the ecryptfs filesystem:

  1. Create a secrets directory in the top level of the filesystem, and encrypt it. Note how you list the directory name twice, because you also need to specify a mount point. Essentially, you're using the directory that you're mounting as its own mount point:
sudo mkdir /secrets
sudo mount -t ecryptfs /secrets /secrets
  2. Enter your desired passphrase, and choose the encryption algorithm and the key length:
donnie@ubuntu2:~$ sudo mount -t ecryptfs /secrets /secrets
[sudo] password for donnie:
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
. . .
. . .

Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:

Go with the default of aes, and 16 bytes for the key.

  3. Go with the default of no for plaintext passthrough, and answer yes for filename encryption:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
  4. Go with the default Filename Encryption Key and verify the mounting options:
Filename Encryption Key (FNEK) Signature [e339e1ebf3d58c36]:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=e339e1ebf3d58c36
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=e339e1ebf3d58c36
  5. This warning only comes up when you mount the directory for the first time. For the final two questions, type yes in order to prevent that warning from coming up again:
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [e339e1ebf3d58c36] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
donnie@ubuntu2:~$
  6. Just for fun, create a file within your new encrypted secrets directory, and then unmount the directory. Then, try to do a directory listing:
cd /secrets
sudo vim secret_stuff.txt
cd
sudo umount /secrets
ls -l /secrets

donnie@ubuntu2:/secrets$ ls -l
total 12
-rw-r--r-- 1 root root 12288 Oct 31 18:24 ECRYPTFS_FNEK_ENCRYPTED.FXbXCS5fwxKABUQtEPlumGPaN-RGvqd13yybkpTr1eCVWVHdr-lrmi1X9Vu-mLM-A-VeqIdN6KNZGcs-
donnie@ubuntu2:/secrets$

Because you chose to encrypt filenames, nobody can even tell what files you have while the directory is unmounted. When you're ready to access your encrypted files again, just remount the directory the same way you did before.
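As an added example (not from the book), here is a small POSIX shell guard for the mount, write, unmount workflow above: it reads the mount table in /proc/mounts format and refuses to copy a file into /secrets unless an eCryptfs mount with the lab's settings (aes, 16-byte key, filename encryption) is active there, because a file written while the directory is unmounted is stored in plaintext. The mount table it parses here is constructed for a self-contained run, and its signature values are made up.

```shell
#!/bin/sh
# Added example, not from the book: refuse to copy a secret into the
# directory unless the eCryptfs layer is actually mounted on it. While
# /secrets is unmounted, anything written there lands in the lower
# directory in plaintext. Mount table format is that of /proc/mounts;
# the sample table below is constructed for a self-contained run.

# ecryptfs_options DIR [MOUNTS_FILE]
# Prints the option string of the ecryptfs mount at DIR; fails if none.
ecryptfs_options() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { print $4; found = 1 }
                   END { exit !found }' "${2:-/proc/mounts}"
}

# ecryptfs_check DIR [MOUNTS_FILE]
# Succeeds only if DIR is an active ecryptfs mount with the lab's
# settings: AES, 16-byte key, filename encryption (FNEK signature) on.
ecryptfs_check() {
    opts=$(ecryptfs_options "$1" "$2") ||
        { echo "$1: no ecryptfs mount active, writes would be plaintext" >&2; return 1; }
    case ",$opts," in *,ecryptfs_cipher=aes,*) ;;
        *) echo "$1: cipher is not aes" >&2; return 1 ;; esac
    case ",$opts," in *,ecryptfs_key_bytes=16,*) ;;
        *) echo "$1: key size is not 16 bytes" >&2; return 1 ;; esac
    case ",$opts," in *,ecryptfs_fnek_sig=*) ;;
        *) echo "$1: filename encryption is off" >&2; return 1 ;; esac
    return 0
}

# safe_copy SRC DIR [MOUNTS_FILE]: copy SRC into DIR only after the check passes.
safe_copy() {
    ecryptfs_check "$2" "$3" && cp "$1" "$2/"
}

# sample_mounts_file: writes a constructed /proc/mounts-style table to a
# temp file and prints its path (the signature values are made up).
sample_mounts_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/secrets /secrets ecryptfs rw,relatime,ecryptfs_fnek_sig=e339e1ebf3d58c36,ecryptfs_sig=e339e1ebf3d58c36,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
/nofnek /nofnek ecryptfs rw,relatime,ecryptfs_sig=0000000000000000,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
    echo "$f"
}

# Real use on the lab machine: ecryptfs_check /secrets && sudo cp key.pem /secrets/
```

On the lab machine, leave the second argument off so the functions read the live /proc/mounts.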
