January 9, 2009 · Security

eCryptfs is a POSIX-compliant, enterprise-class stacked cryptographic filesystem for Linux. It provides advanced key management and policy features. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file will be decryptable with the proper key, and there is no need to keep track of any additional information aside from what is already in the encrypted file itself. Think of eCryptfs as a sort of "gnupgfs". eCryptfs is a native Linux filesystem; its kernel module component has been part of the Linux kernel since 2.6.19.

Install eCryptfs in Ubuntu Intrepid

sudo aptitude install ecryptfs-utils

This will install all the required packages on Ubuntu Intrepid.

First, create a new directory that will hold the encrypted files.

mkdir ~/Personal

Now make sure no other user on the system can access this folder:

chmod 700 ~/Personal

Mount eCryptfs on top of the Personal folder, using the same directory as both the lower (encrypted) directory and the mount point:

sudo mount -t ecryptfs ~/Personal ~/Personal

It will then prompt you to answer a few questions.

Selecting your key type for newly created files

Press "1" to select passphrase.

You will be asked to enter and verify your passphrase.

Selecting your encryption cipher and key size

The default for each question is shown in square brackets, for example [aes] for the cipher and [16] for the key size in bytes. If you are not sure what to select, simply press Enter to accept the default.

Enable plaintext passthrough

Select 'Y' if you want to keep unencrypted files inside your secret folder and still read them through the mount. Select 'N' (the usual choice) if the folder should only ever hold encrypted files; with passthrough off, any file that lacks an eCryptfs header cannot be read through the mount, which makes accidentally stored plaintext easy to notice.

Now go to  Places->Home Folder. You should see a Personal drive mounted in the file system.

Testing your secret folder encryption

Add some files to the secret folder.

Unmount it using the following command:

sudo umount ~/Personal

Now open the Personal folder and check your files. The file names are still visible (this setup does not encrypt names), but the contents are ciphertext carrying an eCryptfs header, and they cannot be opened until the folder is mounted again.

Creating a launcher for your Private Directory

Creating a launcher on your desktop lets you mount the Personal folder easily. On your desktop, right-click and select “Create Launcher“.

Enter the following Details

Type: Application in Terminal
Name: PrivateFolder (or your choice)
Command: sudo mount -t ecryptfs /home/ruchi/Personal /home/ruchi/Personal -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n

Replace ruchi with your own username. The -o is required: without it the option string is not passed to mount and the mount fails.

Next time you want to mount your Personal folder, just click this launcher. It will pop up a terminal and ask for your passphrase; once that is entered, the Personal folder is mounted in your home folder. Unmount it again with sudo umount ~/Personal when you are finished, otherwise the decrypted view stays open to anyone who sits down at the machine.
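
The whole procedure above (mount with explicit options passed via -o, unmount, and the check that what is left on disk is really ciphertext) as one script. This is an added example, not code from the original post or from the eCryptfs project; the PERSONAL path, the option values and the helper names are assumptions. The header check relies on the marker the eCryptfs kernel module writes at byte offset 8 of every lower file: two big-endian 32-bit words m1 and m2 with m1 XOR 0x3c81b7f5 == m2.

```sh
#!/bin/sh
# Added example, not part of the original post: wraps the manual steps
# above in one script. "mount" mounts ~/Personal with the same options the
# launcher uses (passed with -o), refusing if it is already mounted;
# "umount" unmounts and then checks that every file left in the lower
# directory carries an eCryptfs header, i.e. no plaintext was left behind.
# PERSONAL and the option values are assumptions; change them to taste.

PERSONAL="${PERSONAL:-$HOME/Personal}"

# Build the mount option string. eCryptfs with AES accepts 16, 24 or 32
# key bytes and y/n for passthrough; anything else is rejected here
# rather than by a confusing "Invalid argument" from mount.
ecryptfs_opts() {
    cipher="${1:-aes}"
    key_bytes="${2:-16}"
    passthrough="${3:-n}"
    case "$key_bytes" in
        16|24|32) ;;
        *) echo "unsupported key size: $key_bytes" >&2; return 1 ;;
    esac
    case "$passthrough" in
        y|n) ;;
        *) echo "passthrough must be y or n, got: $passthrough" >&2; return 1 ;;
    esac
    printf 'key=passphrase,ecryptfs_cipher=%s,ecryptfs_key_bytes=%s,ecryptfs_passthrough=%s\n' \
        "$cipher" "$key_bytes" "$passthrough"
}

# Return 0 if directory $1 is listed as an ecryptfs mount in the mount
# table $2 (a file in /proc/mounts format; defaults to /proc/mounts).
is_ecryptfs_mounted() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# Return 0 if file $1 starts with an eCryptfs header. The lower file
# stores, at byte offset 8, two big-endian 32-bit words m1 and m2 with
# m1 XOR 0x3c81b7f5 == m2 (MAGIC_ECRYPTFS_MARKER in the kernel). The
# XOR is done byte by byte so it works in 32-bit shell arithmetic.
has_ecryptfs_marker() {
    set -- $(od -An -tx1 -j8 -N8 "$1" 2>/dev/null)
    [ $# -eq 8 ] || return 1
    [ $(( 0x$1 ^ 0x3c )) -eq $(( 0x$5 )) ] &&
    [ $(( 0x$2 ^ 0x81 )) -eq $(( 0x$6 )) ] &&
    [ $(( 0x$3 ^ 0xb7 )) -eq $(( 0x$7 )) ] &&
    [ $(( 0x$4 ^ 0xf5 )) -eq $(( 0x$8 )) ]
}

mount_personal() {
    if is_ecryptfs_mounted "$PERSONAL"; then
        echo "$PERSONAL is already mounted; unmount it first" >&2
        return 1
    fi
    opts=$(ecryptfs_opts aes 16 n) || return 1
    # Same as the launcher command, but with the options actually passed via -o.
    sudo mount -t ecryptfs -o "$opts" "$PERSONAL" "$PERSONAL"
}

umount_personal() {
    sudo umount "$PERSONAL" || return 1
    # With the mount gone we see the lower directory; every regular file
    # there should be ciphertext with an eCryptfs header.
    for f in "$PERSONAL"/*; do
        [ -f "$f" ] || continue
        has_ecryptfs_marker "$f" ||
            echo "WARNING: $f has no eCryptfs header (plaintext left in the folder?)" >&2
    done
}

case "${1:-}" in
    mount)  mount_personal ;;
    umount) umount_personal ;;
    "")     ;;   # no argument: only define the functions, so the file can be sourced
    *)      echo "usage: $0 mount|umount" >&2; exit 2 ;;
esac
```

Run it as `sh personal.sh mount` from the launcher instead of the raw mount command, and `sh personal.sh umount` when done; the umount step is where the header check pays off, since a file that was copied into the lower directory while it was unmounted will show up as a warning rather than silently sitting there in plaintext.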



26 Comments to “How to Create a Private Encrypted Folder On Ubuntu 8.10 (Intrepid)”

  1. Neowster says:

    This will be really useful. Thanks.

    [Reply]

  2. Alan Trick says:

    If you add that launcher file to ~/.config/autostart/ it should prompt you whenever you login to your desktop environment.

    [Reply]

  3. Thomas says:

    Before using a private encrypted folder to store your secret plans for world domination you should consider the problem of data leakage.

    Any application used to access the data might decide to leave ghost copies of the data on the un-encrypted part of your disk (things like nautilus preview thumbnails, print spool etc). Make sure you configure your disk indexing tools (google desktop, tracker, beagle etc.) to ignore the secret folder.

    Even if the contents of the files aren’t leaked the filenames themselves may be stored in recently opened file lists.

    If you’re going to encrypt (or shred, see previous article) do the whole disk.

    [Reply]

  4. tellos says:

    I can’t see the mounted folder in places! I don’t know why. I’m going all the way to

    Mounted eCryptfs

    Then nothing special. some one knows what i’m doing wrong?

    My plans to take over the world are almost done but I think Illuminaties are trying to spy on me on facebook…

    Thank you

    [Reply]

  5. mg says:

    Probably better to use gksudo for the launcher to keep everything homogeneous with the general ubuntu/gnome setup.

    [Reply]

  6. How is this better than TrueCrypt?

    [Reply]

  7. Thomas says:

    How is this better than TrueCrypt?

    It may not be, but it is different.

    Having a choice is always better than not having one.

    [Reply]

  8. dreik says:

    Thanks for the info!

    [Reply]

  9. Martin says:

    Nice article! I believe that the command ecryptfs-setup-private from the package ecryptfs-utils does something similar, but I may be wrong.

    [Reply]

  10. dakira says:

    Hi,

    I really don’t get why you tell people to do it in such a complicated way. The beauty of ecryptfs in intrepid is, that it is kind of a 1-click install. Just run ecryptfs-setup-private and it will set up an ecryptfs-encrypted directory which will automatically be mounted when you log in (it will be tied to PAM).

    [Reply]

  11. turd says:

    How do I encrypt with PGP?

    [Reply]

  12. Thomas says:

    @Dakira
    “I really don’t get why you tell people to do it in such a complicated way.”

    GUIs are nice if you want to do simple things quickly without having to understand what’s happening ‘under the hood’.
    I find they break when you try to do things a bit different (the GUIs never seem to have all the options available at the command-line). They also tend to be less useful when debugging (in case you have a problem).
    GUIs are difficult to automate, so having a script-able command-line solution is great if you’re dealing with many boxes/accounts.
    With something like crypto I feel that GUIs tends to hide too much (the devil is in the details, so it’s important to know what they are).

    @Turd
    (please read http://www.gerv.net/hacking/how-to-ask-good-questions and/or http://www.catb.org/~esr/faqs/smart-questions.html)
    I use OpenPGP. It supports symmetric and asymmetric encryption.
    Asymmetric cryptography (public/private keys) is too intricate for a simple forum reply like this.
    Symmetric encryption (secret key) is fairly simple:

    $ date > DATA
    $ gpg --symmetric DATA
    [Enter your key here when requested]
    $ ls
    DATA DATA.gpg

    Choose a good pass-phrase! Most crypto attacks succeed thanks to poorly chosen passwords rather than algorithm/implementation problems.

    To decrypt:

    $ gpg < DATA.gpg
    gpg: CAST5 encrypted data
    gpg: encrypted with 1 passphrase
    Fri Jan 16 08:48:15 NZDT 2009
    gpg: WARNING: message was not integrity protected

    [Reply]

  13. David Sugar says:

    One problem with encryptfs-setup-private is that one may not want an encrypted folder that is automatically and always opened when you log in. I certainly would not want such a thing. Being able to do so only when needed is to me very important. The most ideal, rather than using a launcher, would be to have it launch the mounter and ask for the passphrase when the folder is explicitly “accessed”, using something like autofs & the automount daemon perhaps.

    [Reply]

  14. littlenoodles says:

    Just curious. Is ecryptfs the ‘new standard’ for this.

    In the past, I used loopbackfs to create a mountable encrypted folder. Then found it no longer supported when I went from Mandriva 2008 to 2009. They recommended using cryptofilesys/LUKS with a loopback device, which was a pain to set up, since there was no way to put it into fstab. I had to resort to sudo’ing a complicated multi-step script, which after some frustration, I resorted to running in wide-open sudo mode.

    Now I see this article, and it looks really easy and nice. So, is it worth migrating my cryptofilesys to ecryptfs? If I do, will I have to migrate it again in the near future? Or is ecryptfs just a nice wrapper around the cryptofilesys/LUKS/loopback stuff?

    If it’s not a loopback file, how does it allocate the encrypted space. If it is a loopback file, does it expand itself on demand?

    Thanks.

    [Reply]

  15. littlenoodles says:

    Checked out the ecryptfs site and see that it is indeed very different from what I’ve been using (encrypted loopback block device). And I think I like the loopback device mechanism better, in that the very presence of the encrypted data is non-obvious.

    But, my question remains. What is the best loopback encryption mechanism these days? Could it be that I’ve stumbled on it in cryptofilesys/LUKS? I sure hope not, since it’s such a pain to set up, and you need root to mount it.

    [Reply]

  16. Thomas says:

    I keep trying to post this link on what not to do when encrypting.
    Keeps bouncing, I’m guessing it’s a content-to-link ratio spam detection/rejection thing.
    (with any luck I’ve waffled enough now to beat the limit)

    http://www.schneier.com/blog/archives/2009/01/stupid_security_1.html

    [Reply]

  17. dakira says:

    @13: In my opinion that is what luks/cryptsetup and truecrypt are for. ecryptfs is what you’d use to have a secure store for .ssh, .gnupg and such. And these should be available at login. I think the regular user wants an easy solution.. and the advanced user can always check the manpages. You can still mount/unmount the folder anytime you like if you set it up using ecryptfs-setup-private. You only have to remove the pam plugin.

    [Reply]

  18. Seth Kriticos says:

    Is it just me, or is an -o option missing in the launcher command description? I mean there:


    Command: sudo mount -t ecryptfs /home/ruchi/Personal /home/ruchi/Personal -o
    key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n

    Anybody actually tested this code?
    Anyway, thanks for the article.

    [Reply]

  19. Bit Hacker says:

    And I keep getting this……

    Error processing sig; rc = [-22]
    Error mounting eCryptfs; rc = [-22]; strerr = [Invalid argument]. Check your system logs; visit .

    [Reply]

  20. Thomas says:

    @Bit Hacker

    Did you “Check your system logs”?

    What did they say?

    http://www.catb.org/~esr/faqs/smart-questions.html

    [Reply]

  21. Ed says:

    yes.. i receive the same error

    Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Error initializing key module [/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]

    Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Key module [openssl] does not have a subgraph transition node; attempting to build a linear subgraph from its parameter list

    Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Key module [openssl] has empty parameter list

    Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Key module [pkcs11-helper] does not have a subgraph transition node; attempting to build a linear subgraph from its parameter list

    Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Key module [pkcs11-helper] has empty parameter list

    Mar 20 09:28:46 emil-ubuntu mount.ecryptfs: Error initializing key module [/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]

    [Reply]

  22. sathish says:

    I make it new Ubuntu Linux. But I cannot create a folder inside the bin. Please help me.

    [Reply]

  23. yes says:

    yes, use parameter -o

    [Reply]

  24. Hello says:

    It’s fairly obvious that this will not work since the mount command is issued by root and it will only pertain to root’s private encrypted directory. I hope I’m wrong on this since I’ve seen the same thing in the Ubuntu community documentation.

    Try it for yourself.

    Using ecryptfs-mount-private evades this problem however but that needs to be issued by the relevant user.

    [Reply]

  25. Vladimir M says:

    To mount a folder using your login password as passphrase, make a launcher with following Command:

    gnome-terminal -x bash -c "read -s -p \"Enter password: \" PASS; echo; echo $PASS | sudo -S mount -t ecryptfs ~/Private ~/Private -o key=passphrase:passwd=$PASS,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no; PASS=foo; sleep 3"

    I guess it’s not very secure, but if you are lazy and just want to hide something from not very tech savvy people, it’s enough. :)

    [Reply]

  26. m says:

    error 22 : check you’ve got it unmounted before you try to remount it. It could be you have the mount point occupied

    [Reply]
