The Server-Side Setup
To install eCryptfs, first you need to configure your Linux kernel suitably. The example for this article uses the most recent stable kernel available (2.6.26.3) and the Debian Linux distribution. The configuration begins with the following command:
General setup --->
[*] Prompt for development and/or incomplete code/drivers
File systems --->
Miscellaneous file systems --->
eCrypt file system layer support (EXPERIMENTAL)
Security options --->
[*] Enable access key retention support
-*- Cryptographic API --->
{M} AES cipher algorithms
AES cipher algorithms (i586)
Notice that with key retention support, this snippet activates the key management service offered by the kernel since version 2.6.10.X. With the cryptographic API, it also implements the best digest, cipher, and compression algorithms available. When the configuration is complete, you compile, link, and install the kernel.
Next, you insert the necessary modules:
modprobe ecryptfs
modprobe aes
modprobe md5
eCryptfs needs helper programs to run in the user space and manage the communication with the kernel. For this purpose, you install two packages, ecryptfs-utils and keyutils, with this command:
apt-get install ecryptfs-utils keyutils
Before proceeding to mount the eCryptfs file system, run the keyctl utility to query the kernel key-retention system about the keyring status:
keyctl show
Session Keyring
-3 --alswrv 0 -1 keyring: _uid_ses.0
279774249 --alswrv 0 -1 \_ keyring: _uid.0
Please keep this output in mind for future comparison.
For this example, the server directory /data contains all enterprise information that is shareable, with secret data relegated to the /data/confidential subdirectory. Using the encryption features of eCryptfs means mounting the /data/confidential directory over a mount point, specifying the value ecryptfs as the file system type. Usually, you choose the source directory itself as the target mount point, but that is not mandatory. In this case, use the following mount operation:
mount -t ecryptfs /data/confidential /data/confidential
This operation kicks off a set of interactive questions that help you learn the details of the eCryptfs implementation. The first question asks about the key type, which is important for understanding the encryption method used. This example follows two possible choices: passphrase and openssl.
Before mounting the eCryptfs file system, you have to create a pair of public/private keys. For this purpose, you run ecryptfs-manager, the user space utility that talks to the kernel key-management system:
ecryptfs-manager
eCryptfs key management menu
-------------------------------
1. Add passphrase key to keyring
2. Add public key to keyring
3. Generate new public/private keypair
4. Exit
Make selection: 3
Select key type to use for newly created files:
1) openssl
Selection: 1
As specified in several Requests for Comments (RFCs), a PEM file may contain certificates or private keys enclosed between the appropriate BEGIN/END lines. You can save this file containing the private key on a USB pen drive mounted under /usb:
SSL key file path [/usb/key.pem]:
Passphrase:
Now you can mount the eCryptfs file system as before:
- Choose openssl as the key type.
- Tell the system to read the private key from the USB pen drive.
- Input the passphrase to unlock it:
Select key type to use for newly created files:
1) pkcs11-helper
2) tspi
3) passphrase
4) openssl
Selection: 4
PEM key file [/usb/key.pem]: /usb/key.pem
Method of providing the passphrase:
1) openssl_passwd: Enter on Console
2) openssl_passwd_file: File Containing Passphrase
3) openssl_passwd_fd: File Descriptor for File Containing Passphrase
Selection [openssl_passwd]:
Passphrase:
Regardless of the key type you choose, you must now select the algorithm to be used for encryption. AES could be the best option:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
2) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (loaded)
3) des: blocksize = 8; min keysize = 8; max keysize = 8 (loaded)
4) arc4: blocksize = 1; min keysize = 1; max keysize = 256 (loaded)
Selection [aes]: aes
Thirty-two bytes (256 bits) is a good key size for AES:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]: 32
With plaintext passthrough enabled, eCryptfs allows users to read unencrypted files that are under /data/confidential. Although this feature could be useful in some situations, you can decline it for this example:
Enable plaintext passthrough (y/n) [n]: n
The system then tries to mount the file system and asks if it is the first time you have mounted the file system with such a key or if you mistyped the passphrase. Actually, the system keeps a hash of the passphrase in the file $HOME/.ecryptfs/sig-cache.txt, and if the file is missing or the hash on file does not match the hash of the typed passphrase, it warns the user. You can turn off this feature by answering no to the last question.
Attempting to mount with the following options:
ecryptfs_key_bytes=32
ecryptfs_cipher=aes
ecryptfs_sig=b866e7a3accdf162
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.
Would you like to proceed with the mount (yes/no)? yes
Would you like to append sig [b866e7a3accdf162] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? no
Mounted eCryptfs
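After the mount succeeds, the options listed under "Attempting to mount with the following options" can be checked against the mount table. The script below is an added example, not part of the original article or of ecryptfs-utils: it flags eCryptfs mounts that deviate from the choices made above (aes, 32-byte key, no plaintext passthrough) or whose key signature is absent from sig-cache.txt. It assumes the mount table lists the eCryptfs options and that sig-cache.txt holds one signature per line; the function name, the /srv/old path and its signature are made up for the sample.

```shell
#!/bin/sh
# Added example: audit eCryptfs entries in a mount table (mtab format) against
# the choices made above: aes cipher, 32-byte key, no plaintext passthrough.
# Prints one finding per line and returns 1 if anything was reported.
audit_ecryptfs() {
    mounts=${1:-/proc/mounts}
    sigcache=${2:-$HOME/.ecryptfs/sig-cache.txt}
    rc=0
    # Fields per line: source target fstype options dump pass
    while read -r _src target fstype opts _rest; do
        [ "$fstype" = ecryptfs ] || continue
        cipher=unset keybytes=unset sig=unset passthrough=no
        old_ifs=$IFS; IFS=,
        for opt in $opts; do
            case $opt in
                ecryptfs_cipher=*)    cipher=${opt#*=} ;;
                ecryptfs_key_bytes=*) keybytes=${opt#*=} ;;
                ecryptfs_sig=*)       sig=${opt#*=} ;;
                ecryptfs_passthrough) passthrough=yes ;;
            esac
        done
        IFS=$old_ifs
        if [ "$cipher" != aes ]; then
            echo "$target: cipher is $cipher, expected aes"; rc=1
        fi
        if [ "$keybytes" != 32 ]; then
            echo "$target: key size is $keybytes bytes, expected 32"; rc=1
        fi
        if [ "$passthrough" = yes ]; then
            echo "$target: plaintext passthrough is enabled"; rc=1
        fi
        # Assumption: sig-cache.txt holds one key signature per line.
        if ! grep -qxF -- "$sig" "$sigcache" 2>/dev/null; then
            echo "$target: key signature $sig is not in $sigcache"; rc=1
        fi
    done < "$mounts"
    return $rc
}

# Constructed sample (not from a real host); /srv/old and its signature are made up.
demo=$(mktemp -d)
cat > "$demo/mounts" <<'EOF'
/data/confidential /data/confidential ecryptfs rw,ecryptfs_sig=b866e7a3accdf162,ecryptfs_cipher=aes,ecryptfs_key_bytes=32 0 0
/srv/old /srv/old ecryptfs rw,ecryptfs_sig=0000000000000000,ecryptfs_cipher=des3_ede,ecryptfs_key_bytes=24,ecryptfs_passthrough 0 0
EOF
echo b866e7a3accdf162 > "$demo/sig-cache.txt"
audit_ecryptfs "$demo/mounts" "$demo/sig-cache.txt" || true
rm -rf "$demo"
```

Called with no arguments, audit_ecryptfs reads /proc/mounts and $HOME/.ecryptfs/sig-cache.txt; if the kernel's mount table does not show the eCryptfs options, pass /etc/mtab as the first argument instead.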