eCryptfs is a kernel-native cryptographic filesystem. It is also a stacked filesystem: eCryptfs sits on top of another filesystem such as ext3 rather than replacing it. This means you don't need to allocate space for eCryptfs up front; the encrypted directory grows and shrinks as you add and remove files.
eCryptfs will be used in Ubuntu 8.10 to provide an encrypted private directory for every user. I set up my own private directory in Ubuntu 8.04. It’s not a user friendly solution like it will be in the next version of Ubuntu, but it’s not too difficult to simplify mounting and unmounting with some launchers.
Install eCryptfs from the ecryptfs-utils package, for example by running the command below in a terminal:
sudo apt-get install ecryptfs-utils
Create a new directory to encrypt. I used a directory called Private in my home folder:
You don't want other users on your system snooping on your Private directory, so before putting anything in it, change its permissions so that only your own user can access it:
chmod 700 ~/Private
Mount a new eCryptfs filesystem in your new folder:
sudo mount -t ecryptfs ~/Private ~/Private
You’ll be asked some questions by eCryptfs. I selected to use a passphrase, the default AES encryption, and 16-byte key length. Notice the defaults, indicated in square brackets, if you’re not sure about an option. (If you’re wondering about the “plaintext passthrough” option like I was, it allows non-encrypted files to be used inside the mount. I selected to turn this off.) eCryptfs will notice that this is the first time you have used your passphrase, and will ask if it can save a hash so it doesn’t have to warn you every time.
Once the mount finishes, try adding some files to your encrypted folder. Unmount the folder when you are done with it; while it is mounted, anyone who can act as your user sees the plaintext, and only unmounting secures it:
sudo umount ~/Private
If you open the Private directory now, you'll still see all the filenames: eCryptfs as set up here encrypts file contents but not file names, so the names and approximate sizes of your files stay visible in the unmounted directory (one more reason for the chmod 700 above). Opening a file, however, reveals that its contents are encrypted. I examined my test plain text file in a hex editor, and it certainly looks encrypted:
Remounting the Private directory can be done with the same mount command as before, but you will be asked for the key type, your passphrase, the cipher and the key length again every time. Who wants to remember all of that and type it in each time?
You can avoid this by passing the answers as options to mount. The command below specifies enough options that you should only be prompted for your passphrase. Stop there, though: mount.ecryptfs also accepts the passphrase itself as an option (passphrase_passwd=...), but anything on the command line is visible to every local user via ps and ends up in your shell history, so leave the passphrase as a prompt.
sudo mount -t ecryptfs ~/Private ~/Private -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n
Want to streamline mounting and unmounting your private directory? In Ubuntu 8.10 this will happen automatically when you log in and out. Until then, I just created two simple launchers in GNOME, one for mounting and one for unmounting my private directory.
Create a new launcher by right-clicking on your desktop and selecting Create Launcher. Change the type to Application in Terminal and paste in the command you're using to either mount or unmount. If you're using a tilde (~) character in your commands to refer to your home directory, you need to specify the whole path instead when the command runs under sudo. (It seems that using a GNOME launcher with sudo will cause a tilde to point to root's home. In a normal terminal it would point to your own home.)
These launchers open a terminal, take any input needed (your passphrase), perform the eCryptfs mount or unmount, and close the terminal again.
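The steps above collected into one script, as an added example that is not part of the original post: a POSIX shell helper that a launcher (or a terminal) can call with mount or umount. It assumes ecryptfs-utils is installed, that your account can sudo, GNU coreutils (stat -c) and that the private directory is $HOME/Private; the function names, the PRIVATE_DIR variable and the status sub-command are this example's own choices. It resolves the absolute path before sudo is involved (so no tilde is ever handed to sudo), refuses to mount unless the directory is mode 0700, checks /proc/mounts so a double mount or a stray unmount is avoided, and passes the same options as the command above so that only the passphrase is prompted for.

```shell
#!/bin/sh
# Added example (not from the original post): mount/unmount helper for an
# eCryptfs "Private" directory. Assumes ecryptfs-utils, sudo rights and
# GNU coreutils (stat -c). Names below are this example's own choices.

# Resolve the absolute path once, in the user's own environment. A "~"
# handed to a command running under sudo is not expanded the way it is in
# your own shell, so never pass a tilde through sudo.
PRIVATE_DIR="${PRIVATE_DIR:-$HOME/Private}"

# Same answers the post gives interactively: passphrase key, AES, 16-byte
# (128-bit) key, no plaintext passthrough. Only the passphrase is prompted.
# Deliberately no passphrase here: the command line is visible via ps.
ECRYPTFS_OPTS="key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n"

# is_mounted DIR [MOUNTS_TABLE]
# Succeeds if DIR is listed as an ecryptfs mount point in the mounts table
# (default /proc/mounts; a file may be given so the check can be tested).
is_mounted() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 }
                   END { exit !found }' "${2:-/proc/mounts}"
}

# private_mode_ok DIR
# Succeeds only if DIR exists and is mode 0700: file names in the lower
# directory are not encrypted, so nobody else should be able to list it.
private_mode_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "700" ]
}

private_mount() {
    if ! private_mode_ok "$PRIVATE_DIR"; then
        echo "refusing to mount: $PRIVATE_DIR is missing or not mode 0700" >&2
        echo "fix with: mkdir -p $PRIVATE_DIR && chmod 700 $PRIVATE_DIR" >&2
        return 1
    fi
    if is_mounted "$PRIVATE_DIR"; then
        echo "$PRIVATE_DIR is already mounted" >&2
        return 0
    fi
    # Upper and lower directory are the same path, as in the post.
    sudo mount -t ecryptfs "$PRIVATE_DIR" "$PRIVATE_DIR" -o "$ECRYPTFS_OPTS"
}

private_umount() {
    if ! is_mounted "$PRIVATE_DIR"; then
        echo "$PRIVATE_DIR is not mounted" >&2
        return 0
    fi
    sudo umount "$PRIVATE_DIR"
}

# Sub-command dispatch; with no argument the functions are only defined.
case "${1:-}" in
    mount)  private_mount ;;
    umount) private_umount ;;
    status) if is_mounted "$PRIVATE_DIR"; then echo mounted; else echo "not mounted"; fi ;;
    "")     ;;
    *)      echo "usage: $0 mount|umount|status" >&2; exit 2 ;;
esac
```

Point one launcher at the script with the argument mount and the other with umount, using the script's full path. Because is_mounted accepts an optional mounts-table path, the mount-state check can be exercised against a constructed table without root, which is how the helper was checked here.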
I’ve also written previously about simple file encryption with OpenSSL.