File System Encryption

big-honey-badgerIn TarHeel Linux 6, we have a way to encrypt file system.  The eCryptfs provides the ability to encrypt data and files on a per-file basis instead of the entire disk as in block encryption.  The eCryptfs system sits on top of the current file system to provide the encryption later, that is why it is also known as the pseudo-file system.  The file operations which are sent to the underlying file system are intercepted by eCryptfs and encrypted.

First, install the package.

yum install ecryptfs-utils

The package, trousers, will also be installed as a dependency.

In order to limit confusion, we mount the directory with eCryptfs using the underlying partition name.  For example, we are encrypting /home directory and we use eCryptfs to mount that as home.

When you mount the directory, you need to provide several options like passphrase, cipher, and key bytes.

mount -t ecryptfs /home /home

Here is an example.

[root@tarheellinux ~]# mount -t ecryptfs /home /home
Select key type to use for newly created files: 
 1) passphrase
 2) openssl
 3) tspi
Selection: 1
Passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: 
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=a07162da41d0bcb8
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [a07162da41d0bcb8] to
[/root/.ecryptfs/sig-cache.txt] 
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
[root@tarheellinux ~]#

Then, if you invoke the df command, you will be able to see the eCryptfs encryption layer (highlighted).

[root@tarheellinux ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda2              40G  3.5G   34G  10% /
tmpfs                 1.9G  284K  1.9G   1% /dev/shm
/dev/sda1             504M   39M  440M   9% /boot
/dev/sda7             405G  237M  385G   1% /home
/dev/sda3             7.9G  147M  7.4G   2% /tmp
/dev/sda5             4.0G  379M  3.4G  10% /var
/home                 405G  237M  385G   1% /home
[root@tarheellinux ~]#

Now, all files saved in /home will be encrypted.  To remove the eCryptfs encryption layer, run this command as root.

umount /home

Once the eCryptfs encryption layer is removed, all encrypted files are all protected.

Mount the directory with eCryptfs and enter the same options and passphrase to gain access to the encrypted files again.