Last Updated or created 2023-02-13
Some directories on my fileserver are encrypted using ecryptfs.
eCryptfs is a POSIX-compliant enterprise cryptographic stacked filesystem for Linux. eCryptfs stores cryptographic metadata in the header of each file, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel keyring. There is no need to keep track of any additional information aside from what is already in the encrypted file itself. You may think of eCryptfs as a sort of “gnupg as a filesystem”.
Example crypted directory using filename encryption
ECRYPTFS_FNEK_ENCRYPTED.FWYQ.y58tWRY7EQqyVPxxMk11BuiLpk8jXCQ8BRz0z5p9C2Pu2HZg-mmv---/ECRYPTFS_FNEK_ENCRYPTED.FWYQ.y58tWRY7EQqyVPxxMk11BuiLpk8jXCQ-Jx6RlQrLhDhdZ9IrcCOAE-- ECRYPTFS_FNEK_ENCRYPTED.FWYQ.y58tWRY7EQqyVPxxMk11BuiLpk8jXCQ8BRz0z5p9C2Pu2HZg-mmv---/ECRYPTFS_FNEK_ENCRYPTED.FWYQ.y58tWRY7EQqyVPxxMk11BuiLpk8jXCQ.cE4XNdvLLui2EamsqU2rE-- ECRYPTFS_FNEK_ENCRYPTED.FWYQ.y58tWRY7EQqyVPxxMk11BuiLpk8jXCQ8BRz0z5p9C2Pu2HZg-mmv---/ECRYPTFS_FNEK_ENCRYPTED.FWYQ.y58tWRY7EQqyVPxxMk11BuiLpk8jXCQ1J..MuVpsw6kaCgwYCwJXk--
Adhoc mounting
You can use the same dir for mounting!
Filenames are encrypted also.
Use umount go back to the crypted state
NOTE: You can write files to the crypted dir, if you are NOT using filename encryption, you can’t see which one is crypted and which is not.
Use the script below to get hints of the readable files!
mount -t ecryptfs securedir securedir Passphrase: Select cipher: 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 Selection [aes]: Select key bytes: 1) 16 2) 32 3) 24 Selection [16]: Enable plaintext passthrough (y/n) [n]: Enable filename encryption (y/n) [n]: y Filename Encryption Key (FNEK) Signature [xxxxxxxxxxxxxxxxxx]: Attempting to mount with the following options: ecryptfs_unlink_sigs ecryptfs_fnek_sig=xxxxxxxxxxxxxxxxxx ecryptfs_key_bytes=16 ecryptfs_cipher=aes ecryptfs_sig=xxxxxxxxxxxxxxxxxxx Mounted eCryptfs
Crypting disks for travel/backup
For this i’m using Luks
The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and was originally intended for Linux.
While most disk encryption software implements different, incompatible, and undocumented formats , LUKS implements a platform-independent standard on-disk format for use in various tools. This not only facilitates compatibility and interoperability among different programs, but also assures that they all implement password management in a secure and documented manner
Formatting a disk and mounting
cryptsetup luksFormat /dev/sdb1 WARNING! ======== This will overwrite data on /dev/sdb1 irrevocably. Are you sure? (Type uppercase yes): YES Enter passphrase for /dev/sdb1: Verify passphrase: root@workstation:~# cryptsetup luksOpen /dev/sdb1 crypto Enter passphrase for /dev/sdb1: root@workstation:~# mkfs.ext4 /dev/mapper/crypto mke2fs 1.44.1 (24-Mar-2018) Creating filesystem with 244188672 4k blocks and 61054976 inodes Filesystem UUID: 844eb9ee-d4da-4dfd-9d94-b62987e96b93 Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968, 102400000, 214990848 Allocating group tables: done Writing inode tables: done Creating journal (262144 blocks): done Writing superblocks and filesystem accounting information: done root@workstation:~# mount /dev/mapper/crypto /backup/
Umount and close
umount /backup cryptsetup luksClose crypto
File crypt checker (checks for data files which COULD be crypted)
#!/bin/bash find secure -type f -exec file {} \;| egrep -v "ASCII text|MS Windows shortcut|ISO-8859 text|image data|PDF document|PC bitmap|Composite Document File|WebM|ISO Media|Microsoft Word|HTML| Microsoft Excel|Matroska|vCard|Microsoft ASF|Web/ P|RIFF|MPEG|RealMedia|UTF\-8 Unicode|Zip archive data|Macromedia Flash|RAR archive|EPUB document|Adobe Photoshop Image|AppleDouble|OpenType|empty|gzip compressed data|MS Windows|OpenDocument|Paint Shop Pro|executable|PostScript document| Rich Text|audio data|SVG Scalable|UDF filesystem|very short file|Web Open Font Format|IFF |TrueType|BeautifulWatches|MTS:" > data-or-not OR
File crypt checker ( When the directory is in crypted state )
All files should be raw data
#!/bin/bash find secure -type f -exec file {} \;| egrep -v data$ > notcrypted-files