Linux crypt methods i’m using.

Last Updated or created 2023-02-13

Some directories on my fileserver are encrypted using ecryptfs.

eCryptfs is a POSIX-compliant enterprise cryptographic stacked filesystem for Linux. eCryptfs stores cryptographic metadata in the header of each file, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel keyring. There is no need to keep track of any additional information aside from what is already in the encrypted file itself. You may think of eCryptfs as a sort of “gnupg as a filesystem”.

Example crypted directory using filename encryption

ECRYPTFS_FNEK_ENCRYPTED.FWYQ.y58tWRY7EQqyVPxxMk11BuiLpk8jXCQ8BRz0z5p9C2Pu2HZg-mmv---/ECRYPTFS_FNEK_ENCRYPTED.FWYQ.y58tWRY7EQqyVPxxMk11BuiLpk8jXCQ-Jx6RlQrLhDhdZ9IrcCOAE--
ECRYPTFS_FNEK_ENCRYPTED.FWYQ.y58tWRY7EQqyVPxxMk11BuiLpk8jXCQ8BRz0z5p9C2Pu2HZg-mmv---/ECRYPTFS_FNEK_ENCRYPTED.FWYQ.y58tWRY7EQqyVPxxMk11BuiLpk8jXCQ.cE4XNdvLLui2EamsqU2rE--
ECRYPTFS_FNEK_ENCRYPTED.FWYQ.y58tWRY7EQqyVPxxMk11BuiLpk8jXCQ8BRz0z5p9C2Pu2HZg-mmv---/ECRYPTFS_FNEK_ENCRYPTED.FWYQ.y58tWRY7EQqyVPxxMk11BuiLpk8jXCQ1J..MuVpsw6kaCgwYCwJXk--

Adhoc mounting

You can use the same dir for mounting!
Filenames are encrypted also.
Use umount go back to the crypted state

NOTE: You can write files to the crypted dir, if you are NOT using filename encryption, you can’t see which one is crypted and which is not.
Use the script below to get hints of the readable files!

mount -t ecryptfs securedir securedir
Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [xxxxxxxxxxxxxxxxxx]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=xxxxxxxxxxxxxxxxxx
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=xxxxxxxxxxxxxxxxxxx
Mounted eCryptfs

Crypting disks for travel/backup

For this i’m using Luks

The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and was originally intended for Linux.

While most disk encryption software implements different, incompatible, and undocumented formats , LUKS implements a platform-independent standard on-disk format for use in various tools. This not only facilitates compatibility and interoperability among different programs, but also assures that they all implement password management in a secure and documented manner

Formatting a disk and mounting

cryptsetup luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb1:
Verify passphrase:
root@workstation:~# cryptsetup luksOpen /dev/sdb1 crypto
Enter passphrase for /dev/sdb1:
root@workstation:~# mkfs.ext4 /dev/mapper/crypto
mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 244188672 4k blocks and 61054976 inodes
Filesystem UUID: 844eb9ee-d4da-4dfd-9d94-b62987e96b93
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
        102400000, 214990848

Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done

root@workstation:~# mount /dev/mapper/crypto /backup/

Umount and close

umount /backup
cryptsetup luksClose crypto

File crypt checker (checks for data files which COULD be crypted)

#!/bin/bash
find secure -type f  -exec file {} \;| egrep -v "ASCII text|MS Windows shortcut|ISO-8859 text|image data|PDF document|PC bitmap|Composite Document File|WebM|ISO Media|Microsoft Word|HTML| Microsoft Excel|Matroska|vCard|Microsoft ASF|Web/
P|RIFF|MPEG|RealMedia|UTF\-8 Unicode|Zip archive data|Macromedia Flash|RAR archive|EPUB document|Adobe Photoshop Image|AppleDouble|OpenType|empty|gzip compressed data|MS Windows|OpenDocument|Paint Shop Pro|executable|PostScript document|
Rich Text|audio data|SVG Scalable|UDF filesystem|very short file|Web Open Font Format|IFF |TrueType|BeautifulWatches|MTS:" > data-or-not

OR 

File crypt checker ( When the directory is in crypted state )
All files should be raw data

#!/bin/bash
find secure -type f  -exec file {} \;| egrep -v data$  > notcrypted-files
Spread the love

Leave a Reply

Your email address will not be published. Required fields are marked *