Securing your private data with the Enterprise Cryptographic Filesystem

These days, it isn't hard to see why privacy is a huge concern. With BlackHat hackers, state surveillance, and big corporation data-mining (to name just a few), your personal information is often at great risk. There are quite a few different ways to secure your information. Some work better than others, especially under certain circumstances. Although the many "best techniques" could be argued at length, the point of this article is just to familiarize the reader with a simple approach using Enterprise Cryptographic Filesystem (eCryptfs).

eCryptfs is a POSIX-compliant filesystem-level encrypted file system that's been part of the mainline Linux kernel since 2.6.19. However, many distributions will still require you to install the userland tools before you can start using it. Using Debian or Fedora, this should be pretty simple. Unlike full-disk encryption, a filesystem-level encryption will sit on top of your existing filesystem, working seamlessly with various standards like the EXT family, XFS, Btrfs, and even network shares like NFS and SMB.

The advantage to using a filesystem-level encryption as opposed to full-disk is overhead and performance. Since it can be selectively applied to specific folders, you don't have to waste time and resources encrypting data that you know is unimportant or public.

Preparing the userland tools

Usually, it's as simple as installing the ecryptfs-utils package of your distribution to prepare your system. On a Debian-based system, you can type: # apt-get install ecryptfs-utils

On a RedHat-based system, use yum instead: # yum install ecryptfs-utils

Creating an encrypted folder

Though there are many ways to implement this, I will show you how to manually setup a simple encrypted folder. It's a lot easier than you might think. First, let's create the folder to encrypt: $ mkdir ~/Private

Once the folder is created, we can easily mount it with the eCryptfs filesystem type. Using no options, eCryptfs will prompt you for various settings to be used. You should be able to create config files in your ~/.ecryptfs/ directory to store these settings if you don't want to be prompted for them each time you mount. Or you can just pass the options on to eCryptfs when mounting. Here, we will mount with the later: $ sudo mount -t ecryptfs ~/Private ~/Private -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y

Summarizing the options here:

• We are going to choose a passphrase rather than RSA keys to protect our data
• We will use AES data encryption to protect the data (this is highly recommended. Don't use DES, for example)
• We will set the key size to 32 bytes
• We will disable passthrough (this will stop unencrypted files from being used inside the mount. It's generally considered safer to keep this disabled)
• Finally, we will encrypt filenames on the private volume

At this point, eCryptfs will create a filename encryption key (fnek), which is the master key used for encryption and decryption of your data. If you are prompted to "Add signature to cache", simply acknowledge "yes"; this will allow a signature hash of the key to be stored so that the key can be verified when generated from your passphrase. From then on, any mismatch in the fnek signature will be reported upon mounting, which can suggest either:

• you typed your encryption password incorrectly
• or there has been corruption in the encrypted store

Once the volume is mounted, your fnek_sig should be displayed, and you can use the following the mount it in the future: $ sudo mount -t ecryptfs ~/Private ~/Private -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=xxxxxxxxxxxxxxxx

(Just remember to replace xxxxxxxxxxxxxxxx with your actual fnek_sig hash.)

You can now place files and folder inside ~/Private/ that you want to keep protected. Once you are ready, unmount the volume to keep it safe from prying eyes: $ sudo umount ~/Private

And we're done! to make your mount commands shorter, you can store the relevant entry in /etc/fstab, and then you can use the shorthand: $sudo mount ~/Private

The automated method

If you are less inclined to setup encrypted folders by hand, you can use the ecryptfs-setup-private utility to automate the whole process for you. $ ecryptfs-setup-private

You will be prompted for your login passphrase (your login password), and a mount passphrase (which will be used to create the fnek.) Using this method, two new folders will be created for you:

• ~/.Private stores your encrypted data
• ~/Private displays the unencrypted data that you can access and manipulate

Once you log out, the ~/Private directory is automatically unmounted and its contents are encrypted back into the ~/.Private directory. eCryptfs will take care of setting up the proper automation so that your folder is available to you when you log in (using PAM to access the fnek.)

Considering how easy these utilities are to use and manage, there should no longer be a reason people are not protecting their sensitive data with encryption.