I was recently asked about the best way to encrypt a directory under Linux, in a way that does not give root the key to decrypt the data. Built into Oracle Linux is a package called eCryptfs. It allows you to encrypt individual files or directories, as well as entire file systems.
In this example, I will cover how to install the package on OL6, and also how to set up an encrypted directory for a user, which the user can mount and unmount as needed while controlling the passphrase.
This walkthrough uses Oracle Linux 6.7 as the base installation.
Our first step is to install the required utilities, as the standard installation does not include them. We will use yum to install the ecryptfs-utils package and its dependencies.
[root@localhost ~]# yum -y install ecryptfs-utils
Loaded plugins: security
Setting up Install Process
public_ol6_UEKR3_latest | 1.2 kB 00:00
public_ol6_addons | 1.2 kB 00:00
public_ol6_latest | 1.4 kB 00:00
Resolving Dependencies
--> Running transaction check
---> Package ecryptfs-utils.x86_64 0:82-6.el6_1.3 will be installed
--> Processing Dependency: libtspi.so.1()(64bit) for package: ecryptfs-utils-82-6.el6_1.3.x86_64
--> Running transaction check
---> Package trousers.x86_64 0:0.3.13-2.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
ecryptfs-utils x86_64 82-6.el6_1.3 public_ol6_latest 147 k
Installing for dependencies:
trousers x86_64 0.3.13-2.el6 public_ol6_latest 276 k

Transaction Summary
================================================================================
Install 2 Package(s)

Total download size: 423 k
Installed size: 1.3 M
Downloading Packages:
(1/2): ecryptfs-utils-82-6.el6_1.3.x86_64.rpm | 147 kB 00:00
(2/2): trousers-0.3.13-2.el6.x86_64.rpm | 276 kB 00:00
--------------------------------------------------------------------------------
Total 1.2 MB/s | 423 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : trousers-0.3.13-2.el6.x86_64 1/2
Installing : ecryptfs-utils-82-6.el6_1.3.x86_64 2/2
Verifying : trousers-0.3.13-2.el6.x86_64 1/2
Verifying : ecryptfs-utils-82-6.el6_1.3.x86_64 2/2

Installed:
ecryptfs-utils.x86_64 0:82-6.el6_1.3

Dependency Installed:
trousers.x86_64 0:0.3.13-2.el6

Complete!
By default the kernel module is not loaded, so we will load it and then verify that it is available. First, we use modprobe to load it:
[root@localhost ~]# modprobe ecryptfs
Next we will use modinfo to take a look at the details of the module.
[root@localhost ~]# modinfo ecryptfs
filename: /lib/modules/3.8.13-44.1.1.el6uek.x86_64/kernel/fs/ecryptfs/ecryptfs.ko
license: GPL
description: eCryptfs
author: Michael A. Halcrow <mhalcrow@us.ibm.com>
srcversion: 403D1AFAF6377E012332462
depends:
intree: Y
vermagic: 3.8.13-44.1.1.el6uek.x86_64 SMP mod_unload modversions
parm: ecryptfs_verbosity:Initial verbosity level (0 or 1; defaults to 0, which is Quiet) (int)
parm: ecryptfs_message_buf_len:Number of message buffer elements (uint)
parm: ecryptfs_message_wait_timeout:Maximum number of seconds that an operation will sleep while waiting for a message response from userspace (long)
parm: ecryptfs_number_of_users:An estimate of the number of concurrent users of eCryptfs (uint)
Next, we need to create a directory for user bubba that will contain the encrypted data. In this case we will use /home/bubba/.encrypted, and we will create it while logged in as bubba.
[bubba@localhost ~]$ mkdir /home/bubba/.encrypted
Next, we make the directory on which the decrypted view will be mounted, /home/bubba/encrypted:
[bubba@localhost ~]$ mkdir /home/bubba/encrypted
Now, we need to mount the decrypted mount point, with the encrypted directory as the source. Since we installed the ecryptfs utilities, we can use the mount command, and it will prompt us for each of the options. In this example we will use a passphrase; this way the user bubba will be able to mount the directory without root having the key to decrypt the data. The downside is that the mount has to be done manually each time it is needed.
[root@localhost ~]# mount -t ecryptfs /home/bubba/.encrypted /home/bubba/encrypted
Select key type to use for newly created files:
1) tspi
2) openssl
3) passphrase
Selection: 3
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
2) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=62b0d3ebb69ae8d5
Mounted eCryptfs
[root@localhost ~]#
With df, we see that it is now mounted:
[root@localhost ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_ol6-lv_root
20G 2.1G 17G 12% /
tmpfs 3.8G 0 3.8G 0% /dev/shm
/dev/xvda1 477M 57M 391M 13% /boot
/dev/mapper/vg_ol6-lv_home
9.8G 23M 9.2G 1% /home
/dev/mapper/vg_ol6-lv_u01
197G 19G 168G 11% /u01
/dev/mapper/vg_ol6-lv_var
9.8G 650M 8.6G 7% /var
/home/bubba/.encrypted
9.8G 23M 9.2G 1% /home/bubba/encrypted
Now let's create some data in /home/bubba/encrypted:
[bubba@localhost encrypted]$ pwd
/home/bubba/encrypted
[bubba@localhost encrypted]$ echo "secure information" > info.txt
[bubba@localhost encrypted]$ more info.txt
secure information
[bubba@localhost encrypted]$
If we look in /home/bubba/.encrypted, we will see that the file is encrypted.
[bubba@localhost encrypted]$ cat /home/bubba/.encrypted/info.txt
csï_òXu”3DUfw`4Cyç#ìwCªsüÿÑí_CONSOLEb°Óë¶èÕOàº#|½ÑHpý>k_<¬F \íÑpÜí¼ø¡°¹ËÌY¿×uEüü½
ñÓ0ê,$÷$ï”Ð^¤H4fåN
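Once a file has been written through the mount, it is worth checking mechanically that the lower directory holds only ciphertext and that the mount point really is an eCryptfs mount with the expected cipher and key size. The following POSIX sh script is an added example and not part of the original post: it reads /proc/mounts (or any file in the same format), parses the ecryptfs_* mount options, and greps the lower copy of a file for the plaintext string. The make_fixture function builds a constructed mounts table and stand-in files so the checks can be exercised without a real mount; the mounts line mirrors the options the post's mount printed, and the "ciphertext" bytes are arbitrary, not real eCryptfs output.

```shell
#!/bin/sh
# Post-mount verification for an eCryptfs directory: confirm the mount is
# really ecryptfs, report the cipher/key size in effect, and confirm the lower
# (ciphertext) copy of a file does not leak its plaintext. Added example, not
# part of the original post.
set -u

# Print the mounts-table entry whose mount point is $1 (table file: $2, default /proc/mounts).
mount_entry() {
  awk -v mp="$1" '$2 == mp { print; exit }' "${2:-/proc/mounts}"
}

# Succeed if $1 is mounted with filesystem type ecryptfs.
is_ecryptfs_mount() {
  [ "$(mount_entry "$1" "${2:-/proc/mounts}" | awk '{ print $3 }')" = ecryptfs ]
}

# Print "<cipher> <key bytes>" parsed from the ecryptfs_* mount options, e.g. "aes 16".
mount_crypto_params() {
  mount_entry "$1" "${2:-/proc/mounts}" | awk '{
    n = split($4, opt, ",")
    for (i = 1; i <= n; i++) {
      split(opt[i], kv, "=")
      if (kv[1] == "ecryptfs_cipher")    cipher = kv[2]
      if (kv[1] == "ecryptfs_key_bytes") bytes  = kv[2]
    }
    print cipher, bytes
  }'
}

# Succeed if the copy of file $2 under lower dir $1 does not contain the plaintext $3.
# Returns 2 if the lower copy is missing (nothing was written through the mount).
lower_copy_hides() {
  [ -f "$1/$2" ] || return 2
  ! grep -q -F -- "$3" "$1/$2"
}

# Run all checks for UPPER LOWER FILE SECRET [MOUNTS]; exit status is the number of failures.
check_dir() {
  upper=$1; lower=$2; name=$3; secret=$4; mounts=${5:-/proc/mounts}
  fails=0
  if is_ecryptfs_mount "$upper" "$mounts"; then
    echo "ok: $upper is an ecryptfs mount ($(mount_crypto_params "$upper" "$mounts"))"
  else
    echo "FAIL: $upper is not an ecryptfs mount"; fails=$((fails + 1))
  fi
  if lower_copy_hides "$lower" "$name" "$secret"; then
    echo "ok: $lower/$name does not contain the plaintext"
  else
    echo "FAIL: plaintext visible in (or missing from) $lower/$name"; fails=$((fails + 1))
  fi
  return $fails
}

# Constructed fixture so the checks can be exercised without a real mount:
# prints a temp dir holding a fake mounts table plus upper/lower copies of info.txt.
make_fixture() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/upper" "$d/lower"
  # mounts line constructed from the options the post's mount printed
  cat > "$d/mounts" <<'EOF'
/dev/mapper/vg_ol6-lv_home /home ext4 rw,relatime 0 0
/home/bubba/.encrypted /home/bubba/encrypted ecryptfs rw,relatime,ecryptfs_sig=62b0d3ebb69ae8d5,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
EOF
  printf 'secure information\n' > "$d/upper/info.txt"
  # stand-in for ciphertext: arbitrary bytes, NOT real eCryptfs output
  printf '\001\003csi_\302\245Xu3DUfw\177\377\033CONSOLE\251\247\n' > "$d/lower/info.txt"
  echo "$d"
}

# Usage on the real system: check_dir /home/bubba/encrypted /home/bubba/.encrypted info.txt 'secure information'
if [ $# -ge 4 ]; then check_dir "$@"; fi
```

Against the live system, run it as `sh check.sh /home/bubba/encrypted /home/bubba/.encrypted info.txt 'secure information'`. A grep for one string is a smoke test, not proof of confidentiality; what it catches is the common mistake of writing a file into the lower directory directly, or of the mount having silently failed so that "encrypted" files were stored in the clear.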
Next, we can drop all of this into a simple script, with all the mount options other than the passphrase stored for easy reuse. In my case I will put it into /usr/local/bin/mount_bubba_test.
[root@localhost ~]# cat /usr/local/bin/mount_bubba_test
#!/bin/sh
# Mount bubba's eCryptfs directory. mount.ecryptfs prompts for the passphrase,
# so it is never stored in this file.
mount -t ecryptfs /home/bubba/.encrypted /home/bubba/encrypted \
-o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32\
,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n
If you are new to this, make sure the trailing \ characters are present, as they let a single command span multiple lines. We can now call the script to mount the file system.
[root@localhost ~]# /usr/local/bin/mount_bubba_test
Passphrase:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=32
ecryptfs_cipher=aes
ecryptfs_sig=62b0d3ebb69ae8d5
Mounted eCryptfs
The final step is to add a rule to the sudoers file that lets bubba call the script. We will append the following line to /etc/sudoers:
## Allow bubba to mount the encrypted directory
bubba ALL=(ALL) /usr/local/bin/mount_bubba_test
Now, bubba can call sudo to mount his encrypted directory.
[bubba@localhost ~]$ sudo /usr/local/bin/mount_bubba_test
[sudo] password for bubba:
Passphrase:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=32
ecryptfs_cipher=aes
ecryptfs_sig=62b0d3ebb69ae8d5
Mounted eCryptfs
[bubba@localhost ~]$
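The sudoers rule delegates a root-run script to bubba, so the script itself becomes part of the trust boundary: if bubba could write to /usr/local/bin/mount_bubba_test, the rule would let him run arbitrary commands as root. The wrapper below is an added example covering both the mount script and the sudoers step; it is not the post's script. It refuses to run unless it is root-owned and not group/world writable, only acts for the expected sudo caller, skips a second mount if the view is already mounted, and adds an umount mode, since while the directory is mounted root (and any process that can reach /home/bubba/encrypted) reads the plaintext through the mount point no matter who holds the passphrase. Paths and options are taken from the post; KEY_BYTES defaults to the 32 used in the post's script, although the interactive mount earlier chose 16.

```shell
#!/bin/sh
# Hardened replacement for /usr/local/bin/mount_bubba_test (added example, not
# the post's own script). Paths match the post; the "umount" mode is new.
set -u

LOWER=/home/bubba/.encrypted     # ciphertext lives here
UPPER=/home/bubba/encrypted      # decrypted view is mounted here
OWNER=bubba                      # only this sudo caller may use the script
KEY_BYTES=${KEY_BYTES:-32}       # post's script uses 32; the interactive mount chose 16

# Build the option string passed to mount.ecryptfs. Kept separate so it can be
# inspected (and tested) without touching a real mount.
mount_opts() {
  printf 'key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=%s,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n' "$1"
}

# A script that sudoers lets a user run as root must be root-owned and not
# writable by group or others; otherwise that user can edit it and run
# arbitrary commands as root. Pure check on "mode uid" as printed by
# `stat -c '%a %u'`, so it can be tested without real files.
script_safe() {
  mode=$1; uid=$2
  [ "$uid" -eq 0 ] || return 1
  other=${mode#"${mode%?}"}         # last octal digit: others
  rest=${mode%?}
  group=${rest#"${rest%?}"}         # second-to-last digit: group
  case $group$other in
    *[2367]*) return 1 ;;           # 2, 3, 6 or 7 means the write bit is set
  esac
  return 0
}

main() {
  [ "$(id -u)" -eq 0 ] || { echo "run this via sudo" >&2; return 1; }
  # When invoked through sudo, SUDO_USER names the caller; allow direct root use too.
  [ -z "${SUDO_USER:-}" ] || [ "$SUDO_USER" = "$OWNER" ] ||
    { echo "only $OWNER may use this script" >&2; return 1; }
  # stat -c is GNU coreutils (present on OL6); refuse to run if the script is tamperable.
  script_safe $(stat -c '%a %u' "$0") ||
    { echo "$0 must be root-owned and not group/world writable" >&2; return 1; }
  case $1 in
    mount)
      if mountpoint -q "$UPPER"; then echo "$UPPER is already mounted" >&2; return 0; fi
      [ -d "$LOWER" ] && [ -d "$UPPER" ] || { echo "missing $LOWER or $UPPER" >&2; return 1; }
      # mount.ecryptfs prompts for the passphrase; it never appears on the command line.
      mount -t ecryptfs "$LOWER" "$UPPER" -o "$(mount_opts "$KEY_BYTES")"
      ;;
    umount)
      # Unmount when done: while mounted, the plaintext is readable through
      # $UPPER by root and anyone else with access, regardless of who holds the key.
      umount "$UPPER"
      ;;
    *) echo "usage: $0 mount|umount" >&2; return 2 ;;
  esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Install it with the same sudoers line as the post (a rule that names the command without arguments allows any arguments, so `sudo /usr/local/bin/mount_bubba_test mount` and `sudo /usr/local/bin/mount_bubba_test umount` both work), set it to `root:root 0755`, and edit /etc/sudoers with visudo so the rule is syntax-checked before it takes effect.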
All mounted and ready to go, without root knowing the key! Any questions? Click on the link above to ask.
Thanks for the tip, I just used it to solve an issue with my PCI audit and it worked great!