ecryptfs made straightforward

Using ecryptfs outside of Ubuntu's very controlled environment can be tedious.

I wanted to have a fully automated script that could simply mount an ecryptfs partition given a single key (roughly along these lines):

ecryptfs-mount PATH KEY

Here are the main objectives:

  • non-interactive
  • mount the encrypted partition on any host

An important point is that we don't try to protect against a compromise of root access on the main host. We just try to produce an encrypted filesystem that we can safely send elsewhere (with rsync, for example). The host will have the key accessible by root anyway.

As I didn't have much time, I might have missed a simpler alternative, so feel free to comment on this please. My knowledge of ecryptfs and security in general is very limited.

You'll find a breakdown of the process first, and then an ecryptfs-mount script that supports copy-paste and will make all this easier.

Requirements

You'll need to install ecryptfs-utils, which provides a few scripts that can be leveraged to achieve our goals.

Overview

As ecryptfs seems to require the use of kernel keyrings, we'll take a convoluted route and insert the key into the kernel keyring prior to mounting.

Breakdown

Say your key is stored in the $KEY environment variable:

$ tmp_wrapped_file=/tmp/wrapped-file
$ salt=ANYTHING
$ printf '%s\n%s' "$KEY" "$salt" | ecryptfs-wrap-passphrase "$tmp_wrapped_file"

This 'wrapped' passphrase file has to exist before the key can be inserted into the keyring:

$ echo -n "$salt" | ecryptfs-insert-wrapped-passphrase-into-keyring "$tmp_wrapped_file"

This last command outputs your key signature (here 9f3193d42b4df62):

Inserted auth tok with sig [9f3193d42b4df62] into the user session keyring

Let's say that you store this in $SIG and that $PATH_TO_CRYPT is the path to the folder you want to mount with ecryptfs:

mount -i -t ecryptfs "$PATH_TO_CRYPT" "$PATH_TO_CRYPT" \
      -o "ecryptfs_enable_filename_crypto=y,ecryptfs_passthrough=n,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig=$SIG,ecryptfs_fnek_sig=$SIG,ecryptfs_unlink_sigs=y"

In the given options, you have:

  • The first four are yours to choose. Look up the general ecryptfs documentation to pick the values you'd like. (These are ecryptfs_enable_filename_crypto, ecryptfs_passthrough, ecryptfs_key_bytes, ecryptfs_cipher.)
  • The remaining three are part of the workaround needed to make this work:
    • Both ecryptfs_sig and ecryptfs_fnek_sig are the IDs of the key in the kernel keyring.
    • Finally, ecryptfs_unlink_sigs=y will unregister the key in the kernel.

And notice the -i option to mount, which bypasses the "helpers" of ecryptfs-utils.
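
The steps above gathered into one shell function, as an added sketch (this is not the ecryptfs-mount script from GitHub). The helper names extract_sig, mount_opts and ecryptfs_mount are made up for this example, and the wrapped file is placed in a mktemp -d directory rather than at a fixed path under /tmp. The signature is parsed from the tool's output and accepted only if it is plain hex before it goes into the -o string.

```shell
#!/bin/sh
# Added example: the helper names below are hypothetical, not part of ecryptfs-utils.

# Print the key signature found in the output of
# ecryptfs-insert-wrapped-passphrase-into-keyring; fail if there is none.
# Only lowercase hex is accepted, so nothing else can reach the -o string.
extract_sig() {
    _sig=$(printf '%s\n' "$1" |
        sed -n 's/.*Inserted auth tok with sig \[\([0-9a-f]\{1,\}\)].*/\1/p' |
        head -n 1)
    [ -n "$_sig" ] || return 1
    printf '%s\n' "$_sig"
}

# Build the mount option string used above for signature $1.
mount_opts() {
    printf '%s,%s,%s\n' \
        "ecryptfs_enable_filename_crypto=y,ecryptfs_passthrough=n" \
        "ecryptfs_key_bytes=16,ecryptfs_cipher=aes" \
        "ecryptfs_sig=$1,ecryptfs_fnek_sig=$1,ecryptfs_unlink_sigs=y"
}

# ecryptfs_mount PATH KEY: wrap the key, insert it, mount PATH over itself.
ecryptfs_mount() {
    _path=$1
    _key=$2
    _salt=ANYTHING                      # same placeholder salt as above
    _dir=$(mktemp -d) || return 1       # private directory, mode 0700
    _wrapped="$_dir/wrapped-file"
    if printf '%s\n%s' "$_key" "$_salt" | ecryptfs-wrap-passphrase "$_wrapped"
    then
        _out=$(printf '%s' "$_salt" |
            ecryptfs-insert-wrapped-passphrase-into-keyring "$_wrapped")
    fi
    rm -rf "$_dir"                      # the wrapped file is no longer needed
    _s=$(extract_sig "$_out") || {
        echo "ecryptfs_mount: no key signature in tool output" >&2
        return 1
    }
    mount -i -t ecryptfs "$_path" "$_path" -o "$(mount_opts "$_s")"
}

# Run only when called with PATH and KEY.
if [ "$#" -eq 2 ]; then
    ecryptfs_mount "$1" "$2"
fi
```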

Actual script

I'm providing an ecryptfs-mount script on GitHub. It's straightforward to use:

ecryptfs-mount PATH KEY

Don't forget to umount when finished.