eCryptfs: A stacked cryptographic filesystem for Linux eCryptfs is free software. Please see the file COPYING for details. For documentation, please see the files in the doc/ subdirectory. For building and installation instructions please see the INSTALL file. Maintainer: Phillip Hellewell Lead developer: Michael A. Halcrow Developers: Michael C. Thompson Kent Yoder Trevor Highland Tyler Hicks Theresa Nelson Current Release Version: 13 Web Site: http://ecryptfs.sf.net As you should do with any filesystem, make sure to maintain a backup copy of any data you write into eCryptfs. In addition, you should reliably store your secret keys in a secure location. eCryptfs uses industry-standard cryptographic ciphers, key generation, and passphrase protection mechanisms; without your salt/passphrase or private key, nobody will be able to retrieve your data. eCryptfs requires the userspace tools downloadable from the SourceForge site: Requirements include: - Kernel version 2.6.19 or above - Build crypto API support with at least one symmetric key cipher - Build key retention support - If you have an older kernel, try the latest eCryptfs full package release to build a stand-alone kernel module - Userspace tools obtainable from the site listed above; requirements for the userspace tools are: - David Howells' userspace keyring headers and libraries (version 1.0 or higher) - Finding its way into some distro's - Obtainable from - libgcrypt - Part of most distro's; install the development package - If you need to build from source, you probably will want these: - - KERNEL BUILD OPTIONS Code maturity level options ---> [*] Prompt for development and/or incomplete code/drivers Security options ---> Enable access key retention support Cryptographic options ---> MD5 digest algorithm AES cipher algorithms File systems ---> Miscellaneous filesystems ---> eCrypt filesystem layer support (EXPERIMENTAL) NOTES eCryptfs is still in a developmental stage. When you upgrade the eCryptfs kernel module, it is possible that the eCryptfs file format has been updated. For this reason you should copy your files to an unencrypted location and then copy the files back into the new eCryptfs mount point to migrate the files. BUILD AND INSTALL INSTRUCTIONS 1) Consult the INSTALL file. In the majority of cases, this step should involve the standard procedure for Linux packages: % ./configure --prefix=/usr && make && make install If you are running a version of eCryptfs that ships as part of kernel version 2.6.18-rc6-mm2 or earlier, you need to pass the --enable-old-auth-tok option to the ./configure script. 2) Make sure that you have sysfs mounted and that a valid entry for the sysfs mount point is in your /etc/mtab file. INTERACTIVE MOUNTING Create a new directory into which eCryptfs will write its encrypted files (i.e., /root/crypt). Then, create the mount point directory (i.e., /mnt/crypt). Here is an example of how you might mount eCryptfs: mount -t ecryptfs /root/crypt /mnt/crypt Note that you can also perform a layover mount (essentially, converting an existing path into an eCryptfs mount point) to reduce the likelihood of contention between eCryptfs and other applications for access to the lower files; this is generally the recommended way to mount eCryptfs: mount -t ecryptfs /secret /secret Navigate the menus to select your preferred mount options. NON-INTERACTIVE MOUNTING eCryptfs supports mounting through command-line options. You can do so by passing groups of name=value attribute pairs as a -o option to the mount helper. Each key type has a set of name=value pairs associated with it. For instance, the ``passphrase'' key type can accept a ``passwd=XXX'' name=value pair and a ``salt=XXX'' name=value pair. Attributes that apply to a particular key type immediately follow the key type specifier ``key=XXX'' and are separated by colon's. Attributes that do not apply to any specific key type (general attributes) are separated by comma's. The option string will take the form: name1=value1,key=alias:name2=value2:name3=value3,name4=value4,name5=value5 name1=value1, name4=value4, and name5=value5 are all generic global attributes that can apply to any key type. name2=value2 and name3=value3 are specific to the key type. A BNF grammar for the option set follows: ::= ::= (a | b | c | ... | z) ::= ( | ) ::= ::= ( | ) ::= ( | ) ::= ::= ::= "=" ::= ("," | ) ::= (":" | ) ::= "key=" ( | ) ::= ( | ) ::= ( | ) Values read from a file should be specified with name value pairs. For example, a passphrase may be specified in a file by adding the following line to the file: passwd= Currently supported aliases and attributes include: key alias passphrase: passwd= passfile=/path/to/file passfd= passstdin (default) salt= key alias openssl: keyfile=/path/to/key passwd= passfile=/path/to/file passfd= passstdin (default) Currently supported general attributes include: cipher= Currently supported ciphers include: aes blowfish des3_ede cast5 cast6 twofish ecryptfs_key_bytes= With the exception of AES-192, eCryptfs requires that the keysize be a multiple of the block size. passthrough Allows for non-eCryptfs files to be read and written from within an eCryptfs mount. This option is disabled by default. verbosity= 0 eCryptfs will not prompt the user for unspecified options 1 (default) eCryptfs will request unspecified options to be completed If you wish to have the same passphrase used in previous passphrase mounts and store it in a file (*not* recommended unless you can provide sufficient protection of the file itself), you can take the following steps: (Previous mount; specify passphrase on command line) mount -t ecryptfs /mnt/dev /mnt/dir -o key=passphrase:passwd=my_password (Next mount; have passphrase read from a passfile) echo "passwd=my_password" > ~/my_ecryptfs_password mount -t ecryptfs /mnt/dev /mnt/dir -o key=passphrase:passfile=~/my_ecryptfs_password Saving your unencrypted passphrase to a file on the same disk that contains your encrypted files defeats the purpose of using a cryptographic filesystem in the first place. You should instead store the file that contains your passphrase on a physically secure medium, such as a USB flash drive that you keep locked in a drawer, if you choose to store it to a file at all. In general, it is probably best to just type in your passphrase via stdin every time you need to perform a mount. Future versions of eCryptfs will allow hardware token devices, such as a TPM chip, to protect your secret keys. TESTING A NEW MOUNT POINT Try writing a new file: echo "Hello, World" > /secret/hello.txt The operation will complete. When you unmount eCryptfs, you will Notice that there is a new file in /secret that is at least 12288 bytes in size (depending on your host page size). This is the encrypted underlying file for what you just wrote. To test reading, from start to finish, you need to clear the user session keyring: keyctl clear @u Then umount /secret and mount again per the instructions given above. cat /secret/hello.txt PAM MODULE You can use the PAM module to automatically use a key based on your login passphrase, which can then be used to perform an eCryptfs mount non-interactively. Perform an eCryptfs mount as root, using your user login: root# mount -t ecryptfs /secret /secret Then, grab your raw mount parameters from root# grep "ecryptfs" /etc/mtab You should get something like this: --- /secret /secret ecryptfs rw,ecryptfs_sig=deadbeefdeadbeef,ecryptfs_key_bytes=16,ecryptfs_cipher=aes 0 0 --- Add ``user'' to the mount options: --- /secret /secret ecryptfs user,rw,ecryptfs_sig=deadbeefdeadbeef,ecryptfs_key_bytes=16,ecryptfs_cipher=aes 0 0 --- Append your edited line to your /etc/fstab file. Now it's time to test the mount. root# umount /secret Verify that eCryptfs is not mounted. Then, log in as the regular user. Manually add your passphrase to the user session keyring via the ecryptfs-manager utility. Then, perform the mount, while telling the mount application to not call the mount helper: user# mount -i /secret Verify that eCryptfs mounted correctly. Then, unmount: user# umount /secret Clear your user session keyring: user# keyctl clear @u Add the mount command into your login script (e.g., ~/.bash_profile): --- mount -i /secret --- Finally, add this to the appropriate /etc/pam* file (e.g., /etc/pam.d/login): --- auth required pam_ecryptfs.so --- From another window, try logging in as the user. If all went well, the eCryptfs PAM module will insert a key derived from your login passphrase into the user session keyring. Then, the login script will perform the mount, using the parameters in your /etc/fstab. NOTES eCryptfs shipping in kernel version 2.6.19 does not support public key. To determine what your current kernel supports, load the ecryptfs module and view the contents of fs/ecryptfs/version_str under your sysfs mount point. eCryptfs should only be mounted on (1) empty directories or (2) directories containing files only created by eCryptfs. If you mount a directory that has pre-existing files not created by eCryptfs, then behavior is undefined. Do not run eCryptfs in higher verbosity levels unless you are doing so for the sole purpose of development, since secret values will be written out to the system log in that case. TROUBLESHOOTING See . For the most up-to-date FAQ, see . BUGS Please send bug reports to the lead developer, an eCryptfs mailing list hosted from SourceForge, or to the SourceForge bug tracker for the eCryptfs project. For kernel bugs, please follow the procedure detailed in the kernel documentation (Documentation/oops-tracing.txt) to help us figure out what is happening. Mike Halcrow mhalcrow@us.ibm.com