Now is a good time to introduce two commonly used cryptography terms that you should understand before continuing:
- Cryptographic context: This term refers to all the choices you have made, including key type, algorithm, key size, and passphrases;
- Authentication token: This term originally referred to hardware devices used by people in order to be identified and authorized. Now it includes software tokens such as passphrases and key files.
With the df command, you can now list the file systems mounted and see the /data/confidential directory mounted over itself. This means that the eCryptfs layer is working over the native /data file systems, and you can perform on-the-fly file encryption/decryption. All the typical operations on files and directories (create, modify, delete) are accomplished in a completely transparent way.
Note that the first mount of an eCryptfs file system, when the cryptographic context is defined, has to be done as root. Subsequent mounts can be issued by any user who owns the authentication token. After mounting, all the properties of files and directories on an eCryptfs file system remain the same as those on the lower file system.
To make the protected directory inaccessible, you unmount the eCryptfs file system:
After unmounting, you continue to see all the files you previously created or edited. However, if you try to access them, you realize that their content is completely scrambled. Also, the sizes of the files are larger, because eCryptfs adds a header to each file to embed the metadata needed for encryption.
If you run the keyctl utility again to query the kernel keyring service, you get:
-3 --alswrv 0 -1 keyring: _uid_ses.0
279774249 --alswrv 0 -1 \_ keyring: _uid.0
344543112 --alswrv 0 0 \_ user: b866e7a3accdf162
Compared with the previous output, this shows that eCryptfs has added a session key. This key, as its name suggests, remains valid for the duration of the user session. This means that if you unmount the eCryptfs file system and then mount it again without leaving the session, you don't need to type the passphrase again. To erase the session key from the kernel keyring, you must run:
keyctl clear @u
USB Pen Drives for Passphrases
The previous section suggested using a USB pen drive to store the private key. The weakness of the passphrase method is its reliance on passphrases simple and short enough to be remembered. On the other hand, it is very difficult to use a long, complex yet meaningless string unless you have hardware support. For example, mount a USB pen drive under /usb and create a file containing the row:
Save it with any name (say, foo.txt) under /usb. Then mount the eCryptfs file system in non-interactive mode, assigning options accordingly:
mount -t ecryptfs -o \
With no further steps, the eCryptfs file system /data/confidential is mounted as before. You don't need to remember the passphrase anymore. Of course, it is crucial to keep the USB pen drive secure: if you lose it, you will not be able to access your data, and if someone else obtains it, the security of your files is jeopardized.
When you finish with the confidential directory, run the small script edown.sh, which erases the session key from the kernel keyring:
keyctl clear @u
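The script below is an added example, not code from the original article, that ties together the non-interactive pen-drive mount and the session-key handling described above (the mount over itself, the edown.sh step, and the "user:" entry seen in the keyctl output). The names USB_PASS_FILE and ECRYPTFS_DIR, and the functions check_pass_file, build_mount_opts, count_ecryptfs_keys, eup and edown are assumptions of this example; the key=passphrase:passphrase_passwd_file=<file> option and the passphrase_passwd=<value> line inside that file follow the mount.ecryptfs(8) syntax of ecryptfs-utils, and the cipher and key size are a constructed cryptographic context to be replaced with your own.

```shell
#!/bin/sh
# Added example, not code from the original article. Wraps the USB-pen-drive
# workflow: a mount helper that refuses a badly protected passphrase file, the
# article's edown.sh step, and a check of "keyctl show" output for the
# eCryptfs session key. Assumptions (not from the article):
#   USB_PASS_FILE  passphrase file on the pen drive (the article's /usb/foo.txt)
#   ECRYPTFS_DIR   protected directory (the article's /data/confidential)
#   key=passphrase:passphrase_passwd_file=<file> and the passphrase_passwd=<value>
#   line inside that file follow mount.ecryptfs(8); the cipher and key size below
#   are a constructed cryptographic context, replace them with your own.

USB_PASS_FILE="${USB_PASS_FILE:-/usb/foo.txt}"
ECRYPTFS_DIR="${ECRYPTFS_DIR:-/data/confidential}"

# The pen-drive file holds the passphrase in clear text, so before using it make
# sure it is a regular file, carries a passphrase_passwd= line, and grants no
# group/other permission bits. Returns 0 only when all three hold.
check_pass_file() {
    f="$1"
    [ -f "$f" ] || { echo "passphrase file $f not found" >&2; return 1; }
    grep -q '^passphrase_passwd=' "$f" || { echo "$f has no passphrase_passwd= line" >&2; return 1; }
    # characters 5-10 of "ls -l" output are the group and other permission bits
    perms=$(ls -ld "$f" | cut -c5-10)
    case "$perms" in
        ------) return 0 ;;
        *) echo "$f is readable by group/other (bits: $perms)" >&2; return 1 ;;
    esac
}

# Option string for the non-interactive mount; every question mount.ecryptfs
# would otherwise ask is answered here so the command needs no terminal input.
build_mount_opts() {
    printf 'key=passphrase:passphrase_passwd_file=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,no_sig_cache' "$1"
}

# Count eCryptfs passphrase keys in "keyctl show" output read on stdin: they
# appear as "user:" keys whose description is the 16-hex-digit key signature.
count_ecryptfs_keys() {
    grep -c 'user: [0-9a-f]\{16\}$' || true
}

# Mount the directory over itself with the pen-drive passphrase (needs root and
# the ecryptfs kernel module; never run by the self-test).
eup() {
    check_pass_file "$USB_PASS_FILE" || return 1
    mount -t ecryptfs -o "$(build_mount_opts "$USB_PASS_FILE")" "$ECRYPTFS_DIR" "$ECRYPTFS_DIR"
}

# The article's edown.sh: unmount, then drop the session key from the user
# keyring so the next mount must read the passphrase from the pen drive again.
edown() {
    umount "$ECRYPTFS_DIR" && keyctl clear @u
    echo "eCryptfs keys left in user keyring: $(keyctl show @u | count_ecryptfs_keys)"
}

# Usage: ./ecryptfs-usb.sh up | down
case "${1:-}" in
    up)   eup ;;
    down) edown ;;
esac
```

The permission check is the part worth keeping even if you type the mount command by hand: the pen-drive file is the whole secret, so it should be owned by the mounting user with mode 0600, and the helper refuses to pass a file to mount.ecryptfs when any group or other bit is set. The keyctl count is a quick way to confirm that edown really removed the session key, since a leftover "user:" entry means the next mount would succeed without the pen drive.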