Login | Register   
RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX

By submitting your information, you agree that devx.com may send you DevX offers via email, phone and text message, as well as email offers about other products and services that DevX believes may be of interest to you. DevX will process your information in accordance with the Quinstreet Privacy Policy.


eCryptfs: Single-File Encryption in Linux : Page 3

Encrypt your files transparently in Linux with eCryptfs, an enterprise-class stacked cryptographic file system.




Building the Right Environment to Support AI, Machine Learning and Deep Learning

Now is a good time to introduce two commonly used cryptography terms that you should understand before continuing:
  • Cryptographic context: This term refers to all the choices you have made, including key type, algorithm, key size, and passphrases;
  • Authentication token: This term originally referred to hardware devices used by people in order to be identified and authorized. Now it includes software tokens such as passphrases and key files.

With the df command, you can now list the file systems mounted and see the /data/confidential directory mounted over itself. This means that the eCryptfs layer is working over the native /data file systems, and you can perform on-the-fly file encryption/decryption. All the typical operations on files and directories (create, modify, delete) are accomplished in a completely transparent way.

Note that the first mount of an eCryptfs file system, when the cryptographic context is going to be defined, has to be done as root. The next mount(s) could be issued by all the users who own the authorization token. After mounting all the file properties, the directories on an eCryptfs file system remain the same as those on the lower file system.

To make the protected directory inaccessible, you umount the eCryptfs file system:

umount /data/confidential

After unmounting, you continue to see all the files you previously created or edited. However, if you try to access them, you realize that their content is completely scrambled. Also, the sizes of the files are larger, because eCryptfs adds a header to each file to embed the metadata needed for encryption.

If you run the keyctl utility again to query the kernel keyring service, you get:

keyctl show Session Keyring -3 --alswrv 0 -1 keyring: _uid_ses.0 279774249 --alswrv 0 -1 \_ keyring: _uid.0 344543112 --alswrv 0 0 \_ user: b866e7a3accdf162

This output compared with the previous one shows that eCryptfs has added a session key. This key, as its name suggests, remains valid during the user session. This means that if you unmount the eCryptfs and then mount it again without exiting from the session, you don't need to type the passphrase again. To erase the session key from the kernel keyring, you must run:

keyctl clear @u

USB Pen Drives for Passphrases
The previous section suggested using a USB pen drive to store the private key. The weakness of the passphrase method is its reliance on simplicity and brevity. On the other hand, it is very difficult to use a long, complex yet meaningless string unless you have hardware support. For example, mount a USB pen drive under /usb and edit a file inserting the row:


Save it with any name (say, foo.txt) under /usb. Then mount the eCryptfs file system in non-interactive mode, assigning options accordingly:

mount -t ecryptfs –o \ key=passphrase:passfile=/usb/foo.txt, \ ecryptfs_cipher=aes, \ ecryptfs_key_bytes=32, \ ecryptfs_passthrough=no, \ no_sig_cache \ /data/confidential /data/confidential

With no further steps, the eCryptfs file system /data/confidential is mounted as before. You don't need to remember the passphrase anymore. Of course it is crucial to keep the USB pen secure, otherwise you will not be able to access your data and the security of your files will be jeopardized.

When you finish with the confidential directory, run the small script edown.sh, which erases the session key from the kernel keyring:

#!/bin/sh PEN_MOUNT_POINT=/usb CONFIDENTIAL_DIR=/data/confidential /bin/umount ${CONFIDENTIAL_DIR} /bin/umount ${PEN_MOUNT_POINT} keyctl clear @u

Comment and Contribute






(Maximum characters: 1200). You have 1200 characters left.



Thanks for your registration, follow us on our social networks to keep up-to-date