Install eCryptfs in Ubuntu Intrepid
sudo aptitude install ecryptfs-utils
This installs all the required packages on Ubuntu Intrepid.
First, create the directory that will hold the encrypted data.
mkdir ~/Personal
Now restrict the directory so that only your own user can access it (mode 700 grants owner-only read, write and execute permission):
chmod 700 ~/Personal
Mount eCryptfs over the Personal folder. The same directory serves as both the lower (encrypted) directory and the mount point:
sudo mount -t ecryptfs ~/Personal ~/Personal
You will then be prompted to answer a few questions.
Selecting your key type for newly created files
Press "1" to select passphrase.
You will be asked to enter and verify your passphrase.
Selecting your encryption cipher and key size
At each of these prompts the default is shown in square brackets (for example [16] for the key size in bytes). If you are not sure what to select, simply press Enter to accept the default.
Enable plaintext passthrough
If you want to keep unencrypted files inside your secret folder as well, type 'y'. If not, type 'n'.
Now go to Places->Home Folder. You should see a Personal drive mounted in the file system.
Testing your secret folder encryption
Add some files to the secret folder while it is mounted.
Then unmount it using the following command:
sudo umount ~/Personal
Now open the Personal folder again: the files you added are still listed, but their contents are unreadable ciphertext until the folder is mounted again.
Creating a launcher for your Private Directory
Creating a launcher on your desktop lets you mount the Personal folder easily. On your desktop, right-click and select "Create Launcher".
Enter the following details:
Type: Application in Terminal
Name: PrivateFolder (or your choice)
Command: sudo mount -t ecryptfs /home/ruchi/Personal /home/ruchi/Personal -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n
(Replace ruchi with your own username. The option list must be introduced with -o, otherwise mount does not recognise it as options.)
The next time you want to mount your Personal folder, just click this launcher. It will open a terminal and ask for your passphrase. Once that is verified, the Personal folder will be mounted in your Home folder.
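As an added example that is not part of the original article, the following POSIX shell script wraps the steps above (the chmod, the mount with the -o option list, the unmount, and the "is the plaintext still readable?" test) into a small helper that a launcher can call instead of a one-line command. It assumes ecryptfs-utils is installed and that the user may run mount and umount via sudo; the directory path (PERSONAL) and the mounts table (MOUNTS_FILE) are taken from the environment so the checks can also be run against constructed data. The script name personal.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: mount/unmount helper for the
# ~/Personal eCryptfs directory the tutorial sets up. Assumes ecryptfs-utils is
# installed and that mount/umount may be run through sudo.
set -eu

PERSONAL="${PERSONAL:-${HOME:-.}/Personal}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# The article's mount options. They must be passed after -o; passthrough=n
# refuses to store unencrypted files in the lower directory.
ECRYPTFS_OPTS="key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n"

# ecryptfs_mounted DIR [TABLE]: succeed if DIR is listed as an ecryptfs mount
# point in TABLE (default /proc/mounts, whose fields are
# "device mountpoint fstype options dump pass").
ecryptfs_mounted() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit (found ? 0 : 1) }' "${2:-$MOUNTS_FILE}"
}

# Mount only when the directory is not already mounted: mounting over a busy
# mount point is one way to get the "rc = [-22]" error reported in the comments.
mount_personal() {
    if ecryptfs_mounted "$PERSONAL"; then
        echo "$PERSONAL is already mounted" >&2
        return 0
    fi
    chmod 700 "$PERSONAL"                      # owner-only access, as in the article
    sudo mount -t ecryptfs "$PERSONAL" "$PERSONAL" -o "$ECRYPTFS_OPTS"
}

unmount_personal() {
    if ! ecryptfs_mounted "$PERSONAL"; then
        echo "$PERSONAL is not mounted" >&2
        return 0
    fi
    sudo umount "$PERSONAL"
}

# plaintext_visible FILE NEEDLE: succeed if NEEDLE occurs literally in FILE.
# This is the article's testing step made mechanical: after unmounting, run it
# on a file you wrote while mounted. It must fail, because the lower directory
# now exposes only the encrypted contents.
plaintext_visible() {
    grep -qF -- "$2" "$1"
}

case "${1:-}" in
    mount)  mount_personal ;;
    umount) unmount_personal ;;
    check)  if plaintext_visible "$2" "$3"; then
                echo "PLAINTEXT VISIBLE in $2"
            else
                echo "ok: $2 does not contain the plaintext"
            fi ;;
    *)      echo "usage: $0 mount|umount|check FILE NEEDLE" >&2 ;;
esac
```

For the launcher, set the Command to something like `sh /home/ruchi/personal.sh mount` (path assumed) with "Application in Terminal" still selected so the passphrase prompt appears; `sh personal.sh umount` closes the folder again, and `sh personal.sh check ~/Personal/notes.txt "some phrase"` after unmounting confirms that the phrase is no longer readable from the lower directory.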
This will be really useful. Thanks.
If you add that launcher file to ~/.config/autostart/ it should prompt you whenever you login to your desktop environment.
Before using a private encrypted folder to store your secret plans for world domination you should consider the problem of data leakage.
Any application used to access the data might decide to leave ghost copies of the data on the un-encrypted part of your disk (things like nautilus preview thumbnails, print spool etc). Make sure you configure your disk indexing tools (google desktop, tracker, beagle etc.) to ignore the secret folder.
Even if the contents of the files aren’t leaked the filenames themselves may be stored in recently opened file lists.
If you’re going to encrypt (or shred, see previous article) do the whole disk.
I can’t see the mounted folder in places! I don’t know why. I’m going all the way to
Mounted eCryptfs
Then nothing special. Does someone know what I'm doing wrong?
My plans to take over the world are almost done but I think Illuminaties are trying to spy on me on facebook…
Thank you
Probably better to use gksudo for the launcher to keep everything homogeneous with the general Ubuntu/GNOME setup.
How is this better than TrueCrypt?
How is this better than TrueCrypt?
It may not be, but it is different.
Having a choice is always better than not having one.
Thanks for the info!
Nice article! I believe that the command ecryptfs-setup-private from the package ecryptfs-utils does something similar, but I may be wrong.
Hi,
I really don’t get why you tell people to do it in such a complicated way. The beauty of ecryptfs in intrepid is, that it is kind of a 1-click install. Just run ecryptfs-setup-private and it will set up an ecryptfs-encrypted directory which will automatically be mounted when you log in (it will be tied to PAM).
How do I encrypt with PGP?
@Dakira
“I really don’t get why you tell people to do it in such a complicated way.”
GUIs are nice if you want to do simple things quickly without having to understand what’s happening ‘under the hood’.
I find they break when you try to do things a bit different (the GUIs never seem to have all the options available at the command-line). They also tend to be less useful when debugging (in case you have a problem).
GUIs are difficult to automate, so having a script-able command-line solution is great if you’re dealing with many boxes/accounts.
With something like crypto I feel that GUIs tends to hide too much (the devil is in the details, so it’s important to know what they are).
@Turd
(please read http://www.gerv.net/hacking/how-to-ask-good-questions and/or http://www.catb.org/~esr/faqs/smart-questions.html)
I use OpenPGP. It support symmetric and asymmetric encryption.
asymmetric cryptography (public/private keys) is too intricate for a simple forum reply like this.
symmetric encryption (secret key) is fairly simple:
$ date > DATA
$ gpg --symmetric DATA
[Enter your key here when requested]
$ ls
DATA DATA.gpg
Choose a good pass-phrase! Most crypto attacks succeed thanks to poorly chosen passwords rather than algorithm/implementation problems.
To decrypt:
$ gpg < DATA.gpg
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
Fri Jan 16 08:48:15 NZDT 2009
gpg: WARNING: message was not integrity protected
One problem with encryptfs-setup-private is that one may not want an encrypted folder that is automatically and always opened when you log in. I certainly would not want such a thing. Being able to do so only when needed is to me very important. The most ideal, rather than using a launcher, would be to have it launch the mounter and ask for the passphrase when the folder is explicitly “accessed”, using something like autofs & the automount daemon perhaps.
Just curious. Is ecryptfs the ‘new standard’ for this.
In the past, I used loopbackfs to create a mountable encrypted folder. Then found it no longer supported when I went from Mandriva 2008 to 2009. They recommended using cryptofilesys/LUKS with a loopback device, which was a pain to set up, since there was no way to put it into fstab. I had to resort to sudo’ing a complicated multi-step script, which after some frustration, I resorted to running in wide-open sudo mode.
Now I see this article, and it looks really easy and nice. So, is it worth migrating my cryptofilesys to ecryptfs? If I do, will I have to migrate it again in the near future? Or is ecryptfs just a nice wrapper around the cryptofilesys/LUKS/loopback stuff?
If it’s not a loopback file, how does it allocate the encrypted space. If it is a loopback file, does it expand itself on demand?
Thanks.
Checked out the ecryptfs site and see that it is indeed very different from what I’ve been using (encrypted loopback block device). And I think I like the loopback device mechanism better, in that the very presence of the encrypted data is non-obvious.
But, my question remains. What is the best loopback encryption mechanism these days? Could it be that I’ve stumbled on it in cryptofilesys/LUKS? I sure hope not, since it’s such a pain to set up, and you need root to mount it.
I keep trying to post this link on what not to do when encrypting.
Keeps bouncing; I'm guessing it's a content-to-link ratio spam detection/rejection thing.
(with any luck I’ve waffled enough now to beat the limit)
http://www.schneier.com/blog/archives/2009/01/stupid_security_1.html
@13: In my opinion that is what luks/cryptsetup and truecrypt are for. ecryptfs is what you’d use to have a secure store for .ssh, .gnupg and such. And these should be available at login. I think the regular user wants an easy solution.. and the advanced user can always check the manpages. You can still mount/unmount the folder anytime you like if you set it up using ecryptfs-setup-private. You only have to remove the pam plugin.
Is it just me, or is an -o option missing in the launcher command description? I mean there:
Command: sudo mount -t ecryptfs /home/ruchi/Personal /home/ruchi/Personal -o
key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n
Anybody actually tested this code?
Anyway, thanks for the article.
And I keep getting this……
Error processing sig; rc = [-22]
Error mounting eCryptfs; rc = [-22]; strerr = [Invalid argument]. Check your system logs; visit .
@Bit Hacker
Did you “Check your system logs”?
What did they say?
http://www.catb.org/~esr/faqs/smart-questions.html
Yes, I receive the same error:
Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Error initializing key module [/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]
Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Key module [openssl] does not have a subgraph transition node; attempting to build a linear subgraph from its parameter list
Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Key module [openssl] has empty parameter list
Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Key module [pkcs11-helper] does not have a subgraph transition node; attempting to build a linear subgraph from its parameter list
Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Key module [pkcs11-helper] has empty parameter list
Mar 20 09:28:46 emil-ubuntu mount.ecryptfs: Error initializing key module [/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]
I have a new Ubuntu Linux, but I cannot create a folder inside the bin. Please help me.
yes, use parameter -o
It’s fairly obvious that this will not work since the mount command is issued by root and it will only pertain to root’s private encrypted directory. I hope I’m wrong on this since I’ve seen the same thing in the Ubuntu community documentation.
Try it for yourself.
Using ecryptfs-mount-private evades this problem however but that needs to be issued by the relevant user.
To mount a folder using your login password as passphrase, make a launcher with following Command:
gnome-terminal -x bash -c "read -s -p \"Enter password: \" PASS; echo; echo $PASS | sudo -S mount -t ecryptfs ~/Private ~/Private -o key=passphrase:passwd=$PASS,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no; PASS=foo; sleep 3"
I guess it’s not very secure, but if you are lazy and just want to hide something from not very tech savvy people, it’s enough. 🙂
Error 22: check that you have it unmounted before you try to remount it. It could be that the mount point is still occupied.