There is a new version of this tutorial available for Debian 8 (Jessie).

How To Encrypt Directories/Partitions With eCryptfs On Debian Squeeze

eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux. You can use it to encrypt partitions and also directories that don't use a partition of their own, no matter the underlying filesystem, partition type, etc. This tutorial shows how to use eCryptfs to encrypt a directory on Debian Squeeze.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

In this tutorial I will encrypt my home directory, /home/falko/, which is located on the / partition (i.e., /home/falko/ is an ordinary directory and does not use a partition of its own).

 

2 Installing eCryptfs

eCryptfs can easily be installed as follows:

apt-get install ecryptfs-utils

 

3 Encrypting A Directory

I will now encrypt my home directory /home/falko/. As there are already (unencrypted) files in that directory, I must take a backup of them so that I can restore them to the then encrypted /home/falko/ directory later on (otherwise these files cannot be read while the directory is mounted: eCryptfs expects every file in the lower directory to carry its header and refuses to open a plain file unless plaintext passthrough is enabled). Keep in mind that /tmp is world-readable (the -p at least preserves the original ownership and modes) and that a default Debian install clears /tmp at boot, so do not reboot between backup and restore:

cp -pfr /home/falko/ /tmp/

I can now encrypt the directory /home/falko/ by mounting it with the file system type ecryptfs:

mount -t ecryptfs /home/falko /home/falko

When you do this for the first time, you will have to answer a few questions:

[email protected]:~# mount -t ecryptfs /home/falko /home/falko
Passphrase:
 <-- some_passphrase
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:
 <-- ENTER
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:
 <-- ENTER
Enable plaintext passthrough (y/n) [n]: <-- ENTER
Enable filename encryption (y/n) [n]: <-- ENTER
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=bd28c38da9fc938b
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? :
 <-- yes
Would you like to append sig [bd28c38da9fc938b] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? :
 <-- yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
[email protected]:~#

Accepting the defaults gives AES with a 16-byte (128-bit) key, no plaintext passthrough and no filename encryption. Choose 32 key bytes if you want AES-256, and answer y to filename encryption if the file names themselves are sensitive: with the defaults only file contents are encrypted, and names (as well as file sizes) remain visible in the lower directory.

Take a look at the output of

mount

and you should see that /home/falko/ is now encrypted:

[email protected]:~# mount
/dev/sda1 on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/home/falko on /home/falko type ecryptfs (rw,ecryptfs_sig=bd28c38da9fc938b,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
[email protected]:~#

Let's restore our backup to the now encrypted directory /home/falko/ and delete the backup afterwards (rm only unlinks the files: the plaintext blocks of the backup, and of the original files that existed before the mount, stay on disk until they are overwritten):

cp -pfr /tmp/falko/ /home/
rm -fr /tmp/falko/

For testing purposes, let's copy some other file, e.g. /etc/hosts, to /home/falko/ to check if it really gets encrypted:

cp /etc/hosts /home/falko

While /home/falko/ is mounted with the ecryptfs file system type, it should be possible to read the contents of /home/falko/hosts:

cat /home/falko/hosts

Now unmount /home/falko/...

umount /home/falko

... and try again to read /home/falko/hosts; this time you should only get ciphertext (the eCryptfs header followed by the encrypted contents):

cat /home/falko/hosts
?æËÊÀû5)í}Ó`§wʽ.ÂçµÔyiIezz°Ñd¦R,`Ëi,0ñ*úÐ%^-']YÑj÷#6÷¨Y-]«é²ùô<f$øRø'<Ö·"íó®9ÛQ¨yÂsçOÂ@%Ⱦ®ý?VÔCx'Ųز(t±õÓ´XÏxïhÌ3pé±t
S[Tåj´0KhóÖÄ  IÚYçàÉü~ZA#æ;mâ²Îí]úÞþ
d#ß÷ݹ¥ùªeÐðº¦%ÎmK+÷ý)ôÞGįÁ©
                             <na_Yý1ZÂ+ðú¶RE}´ !¥ð_(-)ÇzÃØ³ÒÜ¿¦´«ºÀH=Üï´        Hú.`{ðßâËw
qü
  Ç(½©V¿òÀѳE¾T%Ë9»¯v¡óÐ5S
©9¶è-
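A sturdier check than eyeballing cat output is to parse the eCryptfs header that the kernel writes at the start of every encrypted lower file. The following is an added example, not code from this page or from the ecryptfs project. It encodes the on-disk layout as I read it in the kernel's fs/ecryptfs/crypto.c, so treat the offsets, the marker constant and the flag bit names as assumptions to verify against your kernel source; the sample header it builds is constructed for testing, and the classify_lower_dir helper is mine. Run it against the unmounted lower directory.

```python
"""Tell encrypted from plaintext lower files by parsing the eCryptfs header.

Added example for this page; not code from the page or the ecryptfs project.
Layout as I read fs/ecryptfs/crypto.c (assumption, verify against your kernel):
  bytes  0-7   plaintext file size, big-endian
  bytes  8-15  marker pair m1, m2 with m1 XOR m2 == 0x3c81b7f5
  bytes 16-19  top byte = file version, low 24 bits = file flags
  bytes 20-23  header extent size
  bytes 24-25  number of header extents, followed by the key packets
Only this metadata is readable without the key.
"""
import os
import struct
import sys

MAGIC_ECRYPTFS_MARKER = 0x3C81B7F5
# file flag bits as I recall ecryptfs_flag_map; only ENCRYPTED is used below
FLAG_ENCRYPTED = 0x00000002
FLAG_METADATA_IN_XATTR = 0x00000004
FLAG_ENCRYPT_FILENAMES = 0x00000008
HEADER_PREFIX_LEN = 26


def parse_ecryptfs_header(data: bytes):
    """Return header metadata as a dict, or None if data is not an eCryptfs header."""
    if len(data) < HEADER_PREFIX_LEN:
        return None
    plaintext_size, m1, m2 = struct.unpack(">QII", data[:16])
    if (m1 ^ m2) != MAGIC_ECRYPTFS_MARKER:
        # plaintext, or a file whose metadata was stored in an xattr instead
        return None
    flags_word, extent_size, n_extents = struct.unpack(">IIH", data[16:26])
    return {
        "plaintext_size": plaintext_size,
        "version": flags_word >> 24,
        "flags": flags_word & 0x00FFFFFF,
        "encrypted": bool(flags_word & FLAG_ENCRYPTED),
        "header_extent_size": extent_size,
        "header_extents": n_extents,
        "header_bytes": extent_size * n_extents,
    }


def build_sample_header(plaintext_size, m1=0x12345678, version=3,
                        flags=FLAG_ENCRYPTED, extent_size=4096, n_extents=2):
    """Constructed sample: the first 26 header bytes, no key packets or ciphertext."""
    return struct.pack(">QIIIIH", plaintext_size, m1, m1 ^ MAGIC_ECRYPTFS_MARKER,
                       (version << 24) | flags, extent_size, n_extents)


def classify_lower_dir(path):
    """Walk an unmounted lower directory; map relative path -> 'ecryptfs' or 'plaintext'."""
    result = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            if not os.path.isfile(full):
                continue
            with open(full, "rb") as f:
                head = f.read(HEADER_PREFIX_LEN)
            kind = "ecryptfs" if parse_ecryptfs_header(head) else "plaintext"
            result[os.path.relpath(full, path)] = kind
    return result


if __name__ == "__main__":
    # usage: python3 ecryptfs_check.py /home/falko   (with /home/falko NOT mounted)
    for rel, kind in sorted(classify_lower_dir(sys.argv[1]).items()):
        print(f"{kind:9} {rel}")
```

Files reported as plaintext after the restore are ones eCryptfs never rewrote. The header also makes the information leak concrete: the plaintext size sits in the clear, and with filename encryption left off so does the name, which is what someone with the bare disk still learns.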

 

4 How To Automatically Mount An Encrypted Partition At Boot Time

Of course, we don't want to mount /home/falko/ manually each time - it would be nicer if it could be mounted automatically at boot time. To do this we need a passphrase file, and for security reasons I want this passphrase file to be located on a USB key. Keep the threat model in mind: whoever holds the USB key (or has copied the passphrase file off it) together with the disk can decrypt the directory, so this protects the data against loss or theft of the machine without the key, and not at all once the system is up and the directory is mounted.

Plug in a USB key and run

fdisk -l

to find out its device name and file system type:

[email protected]:~# fdisk -l

Disk /dev/sda: 32.2 GB, 32212254720 bytes
255 heads, 63 sectors/track, 3916 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00035e35

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        3793    30461952   83  Linux
/dev/sda2            3793        3917      992257    5  Extended
/dev/sda5            3793        3917      992256   82  Linux swap / Solaris

Disk /dev/sdb: 8086 MB, 8086617600 bytes
255 heads, 63 sectors/track, 983 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000e439f

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1         983     7895916    b  W95 FAT32
[email protected]:~#

In my case the device name is /dev/sdb1, and it uses a FAT32 file system.

Let's mount the USB key to /mnt/usb:

mkdir /mnt/usb
mount /dev/sdb1 /mnt/usb

Take a look at the output of

mount

... and you should see that it got mounted with the file system type vfat (FAT32) - we will need this information later on for our /etc/fstab file:

[email protected]:~# mount
/dev/sda1 on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/dev/sdb1 on /mnt/usb type vfat (rw)
[email protected]:~#

Now take a look at the contents of /root/.ecryptfs/sig-cache.txt:

cat /root/.ecryptfs/sig-cache.txt
bd28c38da9fc938b

We need this signature for the file /root/.ecryptfsrc which we create as follows:

vi /root/.ecryptfsrc

Please make sure that you use the signature from the /root/.ecryptfs/sig-cache.txt file in the ecryptfs_sig line:

key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=bd28c38da9fc938b
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n

Now we create the passphrase file on our USB key:

vi /mnt/usb/passwd_file.txt
passphrase_passwd=some_passphrase

Make sure that you use the correct passphrase, i.e., the passphrase that you would use if you mounted the directory manually. This file is the actual secret: FAT32 has no permission bits, so every file on the key gets the mode that the mount's umask gives it (world-readable with the default), which is why the key should be mounted with umask=077, in /etc/fstab as well, so that only root can read it.

Next open /etc/fstab...

vi /etc/fstab

... and add the following two lines (make sure you use the correct file system type for your USB key - vfat in my case; umask=077 keeps the passphrase file readable by root only, and you can write UUID=... as printed by blkid /dev/sdb1 instead of /dev/sdb1 so the entry keeps working when the device name changes):

[...]
/dev/sdb1       /mnt/usb        vfat    ro,umask=077    0 0
/home/falko     /home/falko     ecryptfs defaults       0 0

(It is important that the line for the USB key comes before the line for the encrypted partition, because the USB key needs to be mounted before the encrypted partition can be mounted!)
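A mismatch between the passphrase file, the ecryptfs_sig line and sig-cache.txt, or a wrong order in /etc/fstab, only shows up after the reboot as an unmounted (and therefore ciphertext-only) /home/falko. The following is an added example, my code and not part of this page or of ecryptfs-utils, to run before rebooting: it re-derives the key signature from the passphrase in the USB file and cross-checks all three files plus the fstab order. The derivation (SHA-512 over the default salt 0011223344556677 followed by the passphrase, 65536 rounds in total, then one more SHA-512 whose first 8 bytes in hex are the sig) is how I read generate_passphrase_sig() in ecryptfs-utils and is an assumption: confirm that passphrase_sig() reproduces the sig printed when you mounted manually before relying on it. The file paths and mount points default to the ones used on this page.

```python
"""Pre-reboot consistency check for the USB-key auto-mount setup on this page.

Added example, not from the page or from ecryptfs-utils. Assumption: the key
signature is derived the way I read generate_passphrase_sig() in ecryptfs-utils:
SHA-512 over the 8-byte salt followed by the passphrase, re-hashed for 65536
rounds in total, then one more SHA-512 whose first 8 bytes, in hex, are the sig.
Default salt: 0011223344556677.
"""
import hashlib
import os

DEFAULT_SALT = bytes.fromhex("0011223344556677")
HASH_ITERATIONS = 65536


def passphrase_sig(passphrase: str, salt: bytes = DEFAULT_SALT) -> str:
    """Return the 16-hex-char signature of the key derived from passphrase."""
    digest = hashlib.sha512(salt + passphrase.encode()).digest()
    for _ in range(HASH_ITERATIONS - 1):
        digest = hashlib.sha512(digest).digest()
    # digest is now the key that wraps the per-file keys; the sig is a hash of it
    return hashlib.sha512(digest).digest()[:8].hex()


def parse_kv(text: str) -> dict:
    """Parse key=value lines (.ecryptfsrc and passwd_file.txt have this shape)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip()
    return out


def fstab_mount_index(fstab_text: str, mountpoint: str, fstype: str = None):
    """Index of the first fstab line mounting mountpoint (and fstype, if given)."""
    for i, line in enumerate(fstab_text.splitlines()):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if fields[1] == mountpoint and (fstype is None or fields[2] == fstype):
            return i
    return None


def check_automount(rc_text, sigcache_text, passwd_text, fstab_text,
                    usb_mount="/mnt/usb", target="/home/falko"):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    rc = parse_kv(rc_text)
    passwd = parse_kv(passwd_text)
    if not rc.get("key", "").startswith("passphrase:passphrase_passwd_file="):
        problems.append("key= in .ecryptfsrc does not name a passphrase_passwd_file")
    if "passphrase_passwd" not in passwd:
        problems.append("passphrase file has no passphrase_passwd= line")
    else:
        sig = passphrase_sig(passwd["passphrase_passwd"])
        if rc.get("ecryptfs_sig") != sig:
            problems.append(f"ecryptfs_sig={rc.get('ecryptfs_sig')} but the passphrase derives {sig}")
        if sig not in sigcache_text.split():
            problems.append(f"derived sig {sig} is not in sig-cache.txt (never mounted with it)")
    usb_idx = fstab_mount_index(fstab_text, usb_mount)
    tgt_idx = fstab_mount_index(fstab_text, target, "ecryptfs")
    if usb_idx is None:
        problems.append(f"no fstab entry mounts {usb_mount}")
    if tgt_idx is None:
        problems.append(f"no ecryptfs fstab entry for {target}")
    elif usb_idx is not None and usb_idx > tgt_idx:
        problems.append("the USB key line must come before the ecryptfs line in fstab")
    return problems


def read(path):
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    rc_text = read("/root/.ecryptfsrc")
    pw_path = parse_kv(rc_text)["key"].split("passphrase_passwd_file=", 1)[-1]
    issues = check_automount(rc_text, read("/root/.ecryptfs/sig-cache.txt"),
                             read(pw_path), read("/etc/fstab"))
    # FAT has no permission bits; the mount's umask decides who can read the secret
    if os.stat(pw_path).st_mode & 0o077:
        issues.append(f"{pw_path} is readable by other users; mount the key with umask=077")
    print("\n".join(issues) if issues else "ok: safe to reboot")
```

Run it as root with the USB key mounted. An empty report means the three files agree with each other and with fstab; it does not prove the passphrase is the one you meant, only that it is the one the directory was last mounted with.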

Then reboot the system:

reboot

If everything goes fine, your encrypted partition should automatically be mounted after the reboot (check the output of mount for a line of type ecryptfs). However, it is possible that your system cannot mount your USB key during boot, which means your encrypted partition cannot be mounted either. If this happens, edit /etc/rc.local (this script is executed at the end of the boot process)...

vi /etc/rc.local

... and add the line /bin/mount -a before the exit 0 line:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

/bin/mount -a
exit 0

This will (re-)mount all partitions (including your USB key and the encrypted partition) at the end of the boot process.

 


Comments

By: Anonymous

Brilliant article.  Thanks a lot for this.

By: Rich

Does anyone use this for database partitions and how does it affect I/O performance?

Thanks

Rich

By: Anonymous

Hi,

Nicely explained... You can also encrypt your partitions using LUKS. It uses the dm-crypt module to do this. The cryptsetup utility can be used to encrypt your filesystems using AES encryption.

But there are limitations, like file-level encryption is not available, and a limit on the number of keys for accessing a block device, etc.

http://www.slashroot.in/encrypting-linux-partition-using-luks

Thanks..

By: Anonymous

Be careful if you back up files to the /tmp directory. The system will clean this /tmp directory automatically every time on reboot.
 
But thank you for your excellent encrypting guide :)

By: Anonymous

Very good article, I now understand what an encrypted home directory really is.
Before, I thought it was a file mounted as an encrypted file system with the loop flag.

By: Anonymous

Very helpful. Thank you.

By: Anonymous

Well, this is my next move. But I have to get rid of encfs first...

Thanks for sharing.

Giuseppe 

By: drjaymez

Great guide. I tweaked it by using my USB drive's UUID in /etc/fstab so that even if the drive's /dev/sd* name changes it will still work.

By: Mike Halcrow

Linux 4.1 will have native encryption in EXT4. Anyone currently stacking eCryptfs on EXT4 will want to look into using that instead.

By: ed

How did you get UUID to update "/root/.ecryptfsrc" on boot?

By: aay

Commands for manual mounting via SSH console? Thanks.

By: dont work

[email protected]:/usr/local/etc $ sudo mount -t ecryptfs /usr/local/etc/ /usr/local/etc/
Select key type to use for newly created files:
 1) passphrase
 2) tspi
Selection: 1
Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 1
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]: 1
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: n
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=634755cadcbd34e5
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [634755cadcbd34e5] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted [email protected]:/usr/local/etc $ sudo [email protected]:/usr/local/etc $ cat test2.txt
fdishfidsjfijdisfjisdjfijdi[email protected]:/usr/local/etc $ sudo umount /usr/local/etc/
Could not unlink the key(s) from your keying. Please use `keyctl unlink` if you wish to remove the key(s). Proceeding with [email protected]:/usr/local/etc $ cat [email protected]rypi:/usr/local/etc $

 

Doesn't work. The file is not encrypted. On Raspberry. Mhhhh

By: till

Works fine on x86 computers, so maybe it's a Raspberry Pi specific issue.

By: Mauricio

Excellent article. Works on Raspberry Pi also. A reboot is needed before the first time you mount or you will get this message..

---
Selection [16]:
Error attempting to evaluate mount options: [-22] Invalid argument
Check your system logs for details on why this happened.
Try updating your ecryptfs-utils package, and/or
submit a bug report on https://bugs.launchpad.net/ecryptfs
---

TEST: -- /media/ext-orig is an external hd drive --

[email protected]:~ $ cp /etc/hosts /media/ext-orig/backup/
[email protected]:~ $ cat /media/ext-orig/backup/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

127.0.1.1 raspberrypi
[email protected]:~ $ sudo umount /media/ext-orig/backup
[email protected]:~ $ cat /media/ext-orig/ibm_backup/hosts
f
bi<5O]lJ4&[email protected]*_^lEBgXG>\5w98aj

and so on..

Thanks a lot!

 

By: Justin

Hi, this has been a great help. Thank you for posting it! I do have one issue that I cannot seem to get past. On boot, it boots to emergency mode. If I simply press enter, it works just fine and goes into the UI. Is there any way to get around the emergency mode part and seamlessly go to the login?

By: ali

Thanks a lot.

I will test it on the weekend.