Encrypting a directory under Oracle Linux 6 with eCryptFS

I was recently asked about the best way to encrypt a directory under Linux in a way that does not give root the key to decrypt the data. Built into Oracle Linux is a package called eCryptFS. It allows you to encrypt individual files or directories, as well as entire file systems.

In this example I will cover how to install the package on OL6 and how to set up an encrypted directory for a user, which the user can mount and unmount as needed while controlling the passphrase.

First, this uses Oracle Linux 6.7 as the base installation.

Our first step is to install the required utilities, as the standard installation does not include them. We will use yum to install the ecryptfs-utils package and its dependencies.

[root@localhost ~]# yum -y install ecryptfs-utils
Loaded plugins: security
Setting up Install Process
public_ol6_UEKR3_latest                                  | 1.2 kB     00:00
public_ol6_addons                                        | 1.2 kB     00:00
public_ol6_latest                                        | 1.4 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package ecryptfs-utils.x86_64 0:82-6.el6_1.3 will be installed
--> Processing Dependency: libtspi.so.1()(64bit) for package: ecryptfs-utils-82-6.el6_1.3.x86_64
--> Running transaction check
---> Package trousers.x86_64 0:0.3.13-2.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

Package             Arch        Version           Repository              Size
ecryptfs-utils      x86_64      82-6.el6_1.3      public_ol6_latest      147 k
Installing for dependencies:
trousers            x86_64      0.3.13-2.el6      public_ol6_latest      276 k

Transaction Summary
Install       2 Package(s)

Total download size: 423 k
Installed size: 1.3 M
Downloading Packages:
(1/2): ecryptfs-utils-82-6.el6_1.3.x86_64.rpm            | 147 kB     00:00
(2/2): trousers-0.3.13-2.el6.x86_64.rpm                  | 276 kB     00:00
Total                                           1.2 MB/s | 423 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : trousers-0.3.13-2.el6.x86_64                                 1/2
  Installing : ecryptfs-utils-82-6.el6_1.3.x86_64                           2/2
  Verifying  : trousers-0.3.13-2.el6.x86_64                                 1/2
  Verifying  : ecryptfs-utils-82-6.el6_1.3.x86_64                           2/2

  ecryptfs-utils.x86_64 0:82-6.el6_1.3

Dependency Installed:
  trousers.x86_64 0:0.3.13-2.el6

By default the kernel module is not loaded, so we will load it and then verify that it is available. First we will use modprobe to load it:

[root@localhost ~]# modprobe ecryptfs

Next we will use modinfo to take a look at the details of the module.

[root@localhost ~]# modinfo ecryptfs
filename:       /lib/modules/3.8.13-44.1.1.el6uek.x86_64/kernel/fs/ecryptfs/ecryptfs.ko
license:        GPL
description:    eCryptfs
author:         Michael A. Halcrow <mhalcrow@us.ibm.com>
srcversion:     403D1AFAF6377E012332462
intree:         Y
vermagic:       3.8.13-44.1.1.el6uek.x86_64 SMP mod_unload modversions
parm:           ecryptfs_verbosity:Initial verbosity level (0 or 1; defaults to 0, which is Quiet) (int)
parm:           ecryptfs_message_buf_len:Number of message buffer elements (uint)
parm:           ecryptfs_message_wait_timeout:Maximum number of seconds that an operation will sleep while waiting for a message response from userspace (long)
parm:           ecryptfs_number_of_users:An estimate of the number of concurrent users of eCryptfs (uint)

Next, we need to create a directory for user bubba that will contain the encrypted data. In this case we will use /home/bubba/.encrypted, and we will create it while logged in as bubba.

[bubba@localhost ~]$ mkdir /home/bubba/.encrypted

Next, we will make the directory on which the decrypted view will be mounted, /home/bubba/encrypted.

[bubba@localhost ~]$ mkdir /home/bubba/encrypted

Now we need to mount the decrypted view, with the source being the encrypted directory. Since we installed the ecryptfs utilities, we can use the mount command, which will prompt us for each of the options. In this example we will use a passphrase; this way the user bubba will be able to mount the directory without root having the key to decrypt the data. The downside is that the mount will need to be done manually each time it is needed.

[root@localhost ~]#  mount -t ecryptfs /home/bubba/.encrypted /home/bubba/encrypted
Select key type to use for newly created files:
1) tspi
2) openssl
3) passphrase
Selection: 3
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
2) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
Mounted eCryptfs
[root@localhost ~]#


With a df, we see that it is now mounted!

[root@localhost ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
                       20G  2.1G   17G  12% /
tmpfs                 3.8G     0  3.8G   0% /dev/shm
/dev/xvda1            477M   57M  391M  13% /boot
                      9.8G   23M  9.2G   1% /home
                      197G   19G  168G  11% /u01
                      9.8G  650M  8.6G   7% /var
                      9.8G   23M  9.2G   1% /home/bubba/encrypted

Now let's create some data in /home/bubba/encrypted...

[bubba@localhost encrypted]$ pwd
[bubba@localhost encrypted]$ echo "secure information" > info.txt
[bubba@localhost encrypted]$ more info.txt
secure information
[bubba@localhost encrypted]$


If we look in /home/bubba/.encrypted we will see that the file is encrypted.

[bubba@localhost encrypted]$ cat /home/bubba/.encrypted/info.txt
csï_òXu”3DUfw`4Cyç#ìwCªsüÿÑí_CONSOLEb°Óë¶èÕOàº#|½ÑHpý>k_<¬F \íÑpÜí¼ø¡°¹ËÌY¿×uEüü½


Next, we can drop all of this into a simple script with all the mount options stored for easy reuse, other than the passphrase. In my case I will put it into /usr/local/bin/mount_bubba_test

[root@localhost ~]# cat /usr/local/bin/mount_bubba_test
#!/bin/sh
# Mount bubba's encrypted directory. mount.ecryptfs prompts for the passphrase,
# which is deliberately not stored in this script.
mount -t ecryptfs /home/bubba/.encrypted /home/bubba/encrypted \
    -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32


If you are new to this, make sure the \ character is at the end of the first line, as it lets a single command continue across multiple lines. We can now call the script to mount the file system.

[root@localhost ~]#  /usr/local/bin/mount_bubba_test
Attempting to mount with the following options:
Mounted eCryptfs


The final step is to add a rule to the sudoers file that will let bubba call the script. We will append the following line to /etc/sudoers

## Allow bubba to mount the encrypted directory
bubba ALL=(ALL) /usr/local/bin/mount_bubba_test

Now, bubba can call sudo to mount his encrypted directory.

[bubba@localhost ~]$ sudo   /usr/local/bin/mount_bubba_test
[sudo] password for bubba:
Attempting to mount with the following options:
Mounted eCryptfs
[bubba@localhost ~]$
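As an added example (not the script from this post), here is a stricter version of the wrapper that the sudoers rule hands to bubba. It keeps the same mount options and the same prompt-for-passphrase behaviour, but it also refuses to run for anyone other than the directory's owner (sudo exports the invoking account as SUDO_USER), refuses to mount twice, and can unmount. The paths and the user name are the ones from the post; the two extra options ecryptfs_passthrough=n and ecryptfs_enable_filename_crypto=n simply answer the two remaining interactive prompts with their defaults. The sample /proc/mounts content at the bottom is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: a stricter wrapper for /usr/local/bin/mount_bubba_test.
# This is not the original post's script; the paths and user name below are
# taken from the post, everything else is an assumption for illustration.

LOWER=/home/bubba/.encrypted    # ciphertext directory (from the post)
UPPER=/home/bubba/encrypted     # decrypted view is mounted here (from the post)
OWNER=bubba                     # only this user may mount or unmount it

# Same choices as the interactive session, answered up front so nothing is
# prompted except the passphrase. The passphrase is deliberately *not* in the
# option string: mount.ecryptfs reads it from the terminal, so it never lands in
# this file, the sudo log, or the process list.
MOUNT_OPTS="key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
MOUNT_OPTS="$MOUNT_OPTS,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n"

# is_mounted TARGET [MOUNTS_FILE]
# True when TARGET appears as an ecryptfs mount point. Reads /proc/mounts by
# default; a different file can be passed so the check is testable offline.
is_mounted() {
    awk -v t="$1" '$2 == t && $3 == "ecryptfs" { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# caller_allowed NAME
# sudo exports the invoking account as SUDO_USER; refuse everyone but the owner,
# so a wider sudoers rule (or a mistake in it) cannot be used to mount the
# directory on someone else's behalf.
caller_allowed() {
    [ "$1" = "$OWNER" ]
}

do_mount() {
    if is_mounted "$UPPER"; then
        echo "$UPPER is already mounted" >&2
        return 1
    fi
    for d in "$LOWER" "$UPPER"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d" >&2
            return 1
        fi
    done
    mount -t ecryptfs "$LOWER" "$UPPER" -o "$MOUNT_OPTS"
}

do_umount() {
    if ! is_mounted "$UPPER"; then
        echo "$UPPER is not mounted" >&2
        return 1
    fi
    umount "$UPPER"
}

main() {
    if ! caller_allowed "${SUDO_USER:-}"; then
        echo "refusing: only $OWNER may manage $UPPER (invoked by '${SUDO_USER:-unknown}')" >&2
        exit 1
    fi
    case "${1:-mount}" in
        mount)  do_mount ;;
        umount) do_umount ;;
        *)      echo "usage: $0 [mount|umount]" >&2; exit 2 ;;
    esac
}

# sample_mounts_file: writes a constructed /proc/mounts snapshot (not captured
# from a real system) to a temp file and prints its path, so is_mounted can be
# exercised without root or a real ecryptfs mount.
sample_mounts_file() {
    f=$(mktemp)
    printf '%s\n' \
        '/dev/xvda1 /boot ext4 rw,relatime 0 0' \
        '/home/bubba/.encrypted /home/bubba/encrypted ecryptfs rw,ecryptfs_cipher=aes 0 0' \
        > "$f"
    echo "$f"
}

# Dispatch only when executed as the installed script; sourcing the file (as a
# test does) merely defines the functions above.
case "${0##*/}" in
    mount_bubba_test) main "$@" ;;
esac
```

Install it owned by root with mode 0755 and edit /etc/sudoers with visudo rather than appending by hand: because sudo runs the file as root, a copy that bubba can write to would let him run anything as root, and visudo refuses to save a rule with a syntax error that would otherwise lock everyone out of sudo. The sudoers line from the post works unchanged; bubba runs sudo /usr/local/bin/mount_bubba_test to mount and sudo /usr/local/bin/mount_bubba_test umount when finished. Note what the passphrase protects: the data on disk in /home/bubba/.encrypted while the directory is unmounted. While it is mounted, the plaintext view under /home/bubba/encrypted is readable by root like any other file, so unmounting when the data is not in use is part of the design.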


All mounted and ready to go, without root knowing the key! Any questions, click on the link above to ask.
