How to encrypt files, directories and partitions in Linux (using eCryptFS and Cryptsetup)

  • eCryptfs (ECryptfs@wiki, ecryptfs@man) is a kernel-native stacked cryptographic filesystem for Linux (not FUSE-based). It encrypts at the filesystem level, so only selected files or directories are encrypted. EncFS, by contrast, is a user-space (FUSE) filesystem.
# install (pick the line for your distribution: Debian/Ubuntu, RHEL/CentOS, Arch)
$ sudo apt-get install ecryptfs-utils
$ sudo yum install ecryptfs-utils
$ sudo pacman -S ecryptfs-utils
$ sudo modprobe ecryptfs

# creates encrypted ~/.Private and decrypted ~/Private; at login the PAM module automatically mounts ~/.Private decrypted at ~/Private, and at logout it unmounts ~/Private, leaving only the encrypted ~/.Private
$ ecryptfs-setup-private

# mount/encrypt /srv as an overlay mount, where the lower directory is the same as the mount point
$ mount -t ecryptfs /srv /srv

# unmount to hide data
$ umount /srv

# automatic mounting
$ cat /mnt/usb/passwd_file.txt
passphrase_passwd=[secrets]
# ecryptfs_sig must match the signature in /root/.ecryptfs/sig-cache.txt
$ cat /root/.ecryptfsrc
key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
$ cat /etc/fstab
/dev/sdb1       /mnt/usb        ext3     ro       0 0
/srv            /srv            ecryptfs defaults 0 0

From "How to encrypt files and directories with eCryptFS on Linux" and "How To Encrypt Directories/Partitions With eCryptfs On Debian Squeeze"
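
The automatic-mount setup above depends on three things lining up: the signature in .ecryptfsrc, the signature cache, and a readable passphrase file. The script below is an added example, not taken from the original post or the articles it cites; it audits such a setup on constructed sample files. It assumes sig-cache.txt holds one signature per line, and rc_get and check_ecryptfsrc are names made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an eCryptfs auto-mount setup.
# Assumption: sig-cache.txt holds one key signature per line.

rc_get() {  # rc_get FILE KEY -> prints the value of the first "KEY=value" line
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_ecryptfsrc RCFILE SIGCACHE -> prints findings; exit status = number of failures
check_ecryptfsrc() {
    rc=$1 cache=$2 fails=0
    sig=$(rc_get "$rc" ecryptfs_sig)
    # The mount only finds its key if this signature is one ecryptfs recorded.
    if [ -z "$sig" ] || ! grep -qxF "$sig" "$cache" 2>/dev/null; then
        echo "FAIL: ecryptfs_sig '$sig' is not listed in $cache"; fails=$((fails + 1))
    fi
    # key=passphrase:passphrase_passwd_file=PATH names the file holding the secret.
    pwfile=$(rc_get "$rc" key | sed -n 's/^passphrase:passphrase_passwd_file=//p')
    if [ -z "$pwfile" ] || [ ! -r "$pwfile" ]; then
        echo "FAIL: passphrase file '$pwfile' is missing or unreadable"; fails=$((fails + 1))
    else
        grep -q '^passphrase_passwd=.' "$pwfile" || {
            echo "FAIL: $pwfile has no passphrase_passwd= line"; fails=$((fails + 1)); }
        # Characters 5-10 of "ls -ld" are the group and other permission bits.
        [ "$(ls -ld "$pwfile" | cut -c5-10)" = "------" ] || {
            echo "FAIL: $pwfile is accessible to group or others"; fails=$((fails + 1)); }
    fi
    # With filename crypto off, file names in the lower directory stay readable.
    [ "$(rc_get "$rc" ecryptfs_enable_filename_crypto)" = y ] ||
        echo "WARN: file names are stored in cleartext"
    return "$fails"
}

# Constructed sample files mirroring the configuration shown above.
demo=$(mktemp -d)
printf 'passphrase_passwd=constructed-secret\n' > "$demo/passwd_file.txt"
chmod 644 "$demo/passwd_file.txt"   # deliberately too open, to trigger a finding
printf '5826dd62cf81c615\n' > "$demo/sig-cache.txt"
printf '%s\n' "key=passphrase:passphrase_passwd_file=$demo/passwd_file.txt" \
    'ecryptfs_sig=5826dd62cf81c615' \
    'ecryptfs_enable_filename_crypto=n' > "$demo/ecryptfsrc"
check_ecryptfsrc "$demo/ecryptfsrc" "$demo/sig-cache.txt" || echo "failures: $?"
rm -rf "$demo"
```

On a real system, point it at /root/.ecryptfsrc and /root/.ecryptfs/sig-cache.txt after /mnt/usb is mounted.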

  • DMCrypt+LUKS is a full-disk encryption solution, which means that the entire disk is encrypted. CipherShed, an open-source TrueCrypt fork, is an alternative.
# install (Debian/Ubuntu, then RHEL/CentOS)
$ sudo apt-get install cryptsetup
$ sudo yum install cryptsetup-luks

# encrypt /dev/xvdc; prompts for a passphrase (-y asks for it twice to verify)
$ cryptsetup -y -v luksFormat /dev/xvdc
# open the volume and map it to /dev/mapper/backup2
$ cryptsetup luksOpen /dev/xvdc backup2
$ ls -l /dev/mapper/backup2
$ cryptsetup -v status backup2

# zero-out (dd stops with "No space left on device" once the mapping is full), create filesystem and mount LUKS partition
$ pv -tpreb /dev/zero | dd of=/dev/mapper/backup2 bs=128M
$ mkfs.ext4 /dev/mapper/backup2
$ mkdir /backup2 ; mount /dev/mapper/backup2 /backup2

# unmount and secure data
$ umount /backup2
$ cryptsetup luksClose backup2

# remount encrypted partition
$ cryptsetup luksOpen /dev/xvdc backup2
$ mount /dev/mapper/backup2 /backup2

# change LUKS passphrase: inspect the key slots, add the new passphrase, then remove the old one
$ cryptsetup luksDump /dev/xvdc
$ cryptsetup luksAddKey /dev/xvdc
$ cryptsetup luksRemoveKey /dev/xvdc

From "Linux Hard Disk Encryption With DMCrypt+LUKS"