How to Encrypt Your File System part one

1. Working with Encryption and Linux
There are basically three options for encrypting your data on a Linux system: (1) encrypting a single file, (2) encrypting a directory (with or without a virtual disk), or (3) encrypting a physical block device. Encrypting files is fairly straightforward and there are various tools for doing this. For example, there is bcrypt, ncrypt, and Pad, which is a one-time pad encryption tool. The most popular tool is probably GnuPG. It comes with just about every Linux distribution. However, this article is about encrypted file systems for Linux, so it will focus on the other two options.

2. Encrypting Directories or File Systems
As previously mentioned, one approach to encryption is to encrypt a directory tree or a file system. This approach does not focus on the block device itself, but instead focuses on the file system or even a directory such as a user’s home directory. This allows you to encrypt just user data or project data, which is likely to be more important than the OS.

3. ecryptfs
One of the best-known Linux file system encryption solutions is called ecryptfs (Enterprise Cryptographic Filesystem). It has been in the kernel since version 2.6.19 and is fully configured in some distributions. It is still undergoing development so be careful with any data you use with ecryptfs. However, there are a large number of reports of people successfully using it, particularly with Ubuntu.
Ecryptfs is what is called a “stackable” file system that “stacks” on top of other file systems (called the lower file system) such as ext2/3, jfs, xfs, etc. (any file system that has extended attributes). It encrypts and decrypts the files as they are being written to or read from the lower file system. It operates on the files one at a time instead of at a block device or partition level. The metadata associated with the file is stored with the file itself on the lower file system. This can make the encrypted files a little larger than the decrypted version but there are some clear advantages to this approach:

  • It allows files from different users to use different encryption keys, controlling access to the data

  • You can move or copy the files to a different location and they can be decrypted with the correct key (encryption of whole partitions or devices requires a different process before the files can be accessed).

  • You can give the file to other users and they can decrypt it as long as the correct key is given to them as well.

  • You can use typical backup processes that use incremental processes because they can easily detect differences in files in the lower file system. This is almost impossible with encrypted partitions or block devices.
A few quick disadvantages:

  • It takes CPU cycles to perform the encryption and the requirements are not small

  • Since there is some time involved to encrypt the file system, the speed (performance) of the file system is definitely less than the lower file system. In fact, it can be quite a bit less in some cases. So don’t use an encrypted file system if performance is a key consideration or unless security (encryption) is an extremely important requirement.

As you might expect there is a kernel component and a userspace component to ecryptfs. The kernel component is fairly easy and has been in the kernel since 2.6.19. It is included with some distributions such as Ubuntu. If you build your own kernel or need to modify an existing kernel then be sure that you have the following options enabled:

  • The “MD5 digest” and “AES cipher algorithms” options should be enabled (look under the Cryptographic API section)

  • The “Enable access key retention support” option should be enabled in the Security options section.

  • The “eCrypt filesystem layer support (EXPERIMENTAL)” option should be enabled in the Filesystems/Miscellaneous filesystems section/subsection.
For these options, the “Prompt for development and/or incomplete code/drivers” option must be enabled in the main section. See this article for details on kernel options. Also note that by default ecryptfs uses the AES cipher but other options can be specified.
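The options above can be checked against a kernel configuration file before building. The script below is an added example, not part of the original article; the `CONFIG_*` symbols are the usual names behind the menu entries listed above (the article gives only the menu titles), and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: report which kernel options needed by ecryptfs are missing.
# Symbol names are this example's mapping of the menu titles in the article.
ECRYPTFS_OPTS="CONFIG_EXPERIMENTAL CONFIG_KEYS CONFIG_CRYPTO_MD5 CONFIG_CRYPTO_AES CONFIG_ECRYPT_FS"

# opt_state FILE SYMBOL -> prints y (built in), m (module) or n.
# "n" also covers '# SYMBOL is not set' and a symbol that is absent.
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# missing_opts FILE -> prints the required symbols that are neither y nor m.
missing_opts() {
    out=""
    for sym in $ECRYPTFS_OPTS; do
        if [ "$(opt_state "$1" "$sym")" = "n" ]; then
            out="$out $sym"
        fi
    done
    echo "${out# }"
}

# Constructed sample: AES built as a module, the ecryptfs layer disabled.
sample_config() {
    cat <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_KEYS=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_AES=m
# CONFIG_ECRYPT_FS is not set
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
echo "missing options: $(missing_opts "$tmp")"
rm -f "$tmp"
```

On a running system, point `missing_opts` at the configuration your distribution ships for the kernel, commonly `/boot/config-$(uname -r)`.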
The userspace tools for ecryptfs can be obtained from the ecryptfs site. Follow the directions from the website that explain how to build and install the tools.
Assuming that ecryptfs is active, either in the kernel or as a module, then you can proceed to configure your account to use ecryptfs. A simple way to get started is to just mount an ecryptfs file system in your account (i.e. a single directory).

mount -t ecryptfs /home/laytonjb/private /home/laytonjb/private
The first path is the lower directory (the lower file system where the data is actually stored). In this case the full path is used. The second path is the ecryptfs mount point. In this example, they are the same, but they don’t have to be. But for this particular example, the lower file system and the mount point are the same to help ensure that ecryptfs has access to the files in the lower file system. Any file that is written to /home/laytonjb/private is encrypted and written to /home/laytonjb/private on the lower file system. So effectively, it looks like the directory, /home/laytonjb/private, is encrypted.
Ecryptfs uses a configuration file, .ecryptfsrc, when mounting a file system. The file is located in the user’s home directory and contains various options. The mount first reads this file but if all of the information is not there, it will prompt you for more information. The most important option is typically a pass phrase or a cipher (encryption process) but the configuration file also allows you to specify encryption ciphers.
To decrypt a file in this example, just copy it from the mount point to a non-encrypted directory. For example,
$ cp /home/laytonjb/private/file1.txt /home/laytonjb/public/file1.txt
Ecryptfs will decrypt the file, file1.txt, and it will be put in the directory, /home/laytonjb/public which is not an encrypted file system.
This quick example shows how to create an encrypted directory in your /home account. It is also possible to encrypt a user’s entire /home. This can be done by root or by the user (as long as they have permission for the mount point - which they should).
Recently there was a security issue found in ecryptfs that allows the pass phrase associated with a mount to be written into the logs on an Ubuntu installation. Even though the log was only readable by root, it does mean that the ecryptfs passphrase is on the system in decrypted form.
Finally, there are some blogs and tutorials that describe the intricate details of how to use ecryptfs.
  • devx article

  • Ubuntu tutorial

  • Ecryptfs tutorial
4. EncFS
There is another option for encrypted file systems - EncFS. The interesting aspect of this file system is that it is based on FUSE. For those not familiar with FUSE, it is a kernel module that allows access to the VFS in the kernel. Consequently you can create a file system entirely in user-space using the FUSE API.
EncFS is somewhat similar to ecryptfs in that it does not require a new file system. Rather, EncFS encrypts the file and stores it in a specific directory (a lower file system, using the terminology of ecryptfs). The EncFS introduction states that encfs is defined as a “Pass-through filesystem vs encrypted block device”. While a bit complicated, this description is very accurate - EncFS is a stackable file system in the same vein as ecryptfs.
Building and installing EncFS is fairly easy. The first thing to check is if your kernel is FUSE capable. Many distributions have FUSE capable kernels so be sure to check your distribution. If not, you can download FUSE from the website and install it.
Next, you download the latest copy of EncFS from the website. The current version as of this article is 1.5-2, dated September 7, 2008. It has a few dependencies:

  • FUSE version 2.6 or newer
  • rlog - C++ logging library
  • OpenSSL versions 0.9.6 through 0.9.8 (other versions are untested)
  • boost - a C++ utility library - version 1.34 or later
Be sure these dependencies are installed prior to building EncFS.
Once everything is installed then mounting an EncFS file system is fairly easy.
$ encfs /home/laytonjb/private /home/laytonjb/private
The syntax is fairly similar to ecryptfs - the first path is the lower file system path (the directory that stores the encrypted data). The second path is the mount point for the file system. Notice that you can mount it just like you did ecryptfs so the lower file system is the same as the mount point.
Unmounting a file system is a little different since it uses FUSE. In this case, you have to use a FUSE command:
$ fusermount -u /home/laytonjb/private
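Because both examples mount the encrypted file system over its own lower directory, the directory still exists and accepts writes after an unmount, and anything written then is stored unencrypted. The guard below is an added example, not part of the original article: it reads a `/proc/mounts`-style table and succeeds only if the directory is currently an ecryptfs or EncFS (`fuse.encfs`) mount. The sample table and the `/home/laytonjb/vault` path are constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to treat a directory as encrypted unless an
# ecryptfs or EncFS mount is actually active on it.

# mount_fstype MOUNTS_FILE DIR -> prints the file system type of the most
# recent mount on DIR, or nothing if DIR is not a mount point.
# Limitation: /proc/mounts writes spaces in paths as \040; not handled here.
mount_fstype() {
    awk -v d="$2" '$2 == d { t = $3 } END { if (t != "") print t }' "$1"
}

# is_encrypted_mount MOUNTS_FILE DIR -> exit status 0 only for the two
# stacked encrypted file systems discussed in this article.
is_encrypted_mount() {
    case "$(mount_fstype "$1" "$2")" in
        ecryptfs|fuse.encfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample in /proc/mounts format (device, mount point, type, ...).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/home/laytonjb/private /home/laytonjb/private ecryptfs rw 0 0
encfs /home/laytonjb/vault fuse.encfs rw,nosuid,nodev 0 0
EOF
}

tmp=$(mktemp)
sample_mounts > "$tmp"
for d in /home/laytonjb/private /home/laytonjb/public; do
    if is_encrypted_mount "$tmp" "$d"; then
        echo "$d: encrypted mount active"
    else
        echo "$d: NOT an encrypted mount, files written here stay in plaintext"
    fi
done
rm -f "$tmp"
```

In a backup or copy script, call `is_encrypted_mount /proc/mounts "$dir"` before writing and abort when it fails.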
There are lots of tips on using EncFS floating around. Here is a quick sample:

  • This link is a good (and detailed) description of a user’s experience using EncFS.

  • This is a good blog that talks about EncFS and has a couple of good tips for practical use

  • There is also a good presentation of how to use EncFS with Debian

  • There is a nice blog that talks about using EncFS in three easy steps

  • There is another HOWTO on using EncFS (a simple but effective one)

There are also some nifty tools and scripts floating around the web for using EncFS. Perhaps the best one is pam-encfs. PAM stands for Pluggable Authentication Module and they can be used for a variety of things including activating processes or scripts upon login. Pam-encfs mounts any EncFS file system when you log in.


http://en.wikipedia.org/wiki/List_of_cryptographic_file_systems
