gnome-terminal -x bash -c “read -s -p \”Enter password: \” PASS; echo; echo $PASS | sudo -S mount -t ecryptfs ~/Private ~/Private -o key=passphrase:passwd=$PASS,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no; PASS=foo; sleep 3″

I guess it’s not very secure, but if you are lazy and just want to hide something from not very tech savvy people, it’s enough.

Try if for yourself.

Using ecryptfs-mount-private evades this problem however but that needs to be issued by the relevant user.

Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Error initializing key module [/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]

Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Key module [openssl] does not have a subgraph transition node; attempting to build a linear subgraph from its parameter list

Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Key module [openssl] has empty parameter list

Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Key module [pkcs11-helper] does not have a subgraph transition node; attempting to build a linear subgraph from its parameter list

Mar 20 09:28:39 emil-ubuntu mount.ecryptfs: Key module [pkcs11-helper] has empty parameter list

Mar 20 09:28:46 emil-ubuntu mount.ecryptfs: Error initializing key module [/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]

Did you “Check your system logs”?

What did they say?

http://www.catb.org/~esr/faqs/smart-questions.html

Error processing sig; rc = [-22]
Error mounting eCryptfs; rc = [-22]; strerr = [Invalid argument]. Check your system logs; visit .


Command: sudo mount -t ecryptfs /home/ruchi/Personal /home/ruchi/Personal -o
key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n


Anybody actually tested this code?
Anyway, thanks for the article.

http://www.schneier.com/blog/archives/2009/01/stupid_security_1.html

But, my question remains. What is the best loopback encryption mechanism these days? Could it be that I’ve stumbled on it in cryptofilesys/LUKS? I sure hope not, since it’s such a pain to set up, and you need root to mount it.

In the past, I used loopbackfs to create a mountable encrypted folder. Then found it no longer supported when I went from Mandriva 2008 to 2009. They recommended using cryptofilesys/LUKS with a loopback device, which was a pain to set up, since there was no way to put it into fstab. I had to resort to sudo’ing a complicated multi-step script, which after some frustration, I resorted to running in wide-open sudo mode.

Now I see this article, and it looks really easy and nice. So, is it worth migrating my cryptofilesys to ecryptfs? If I do, will I have to migrate it again in the near future? Or is ecryptfs just a nice wrapper around the cryptofilesys/LUKS/loopback stuff?

If it’s not a loopback file, how does it allocate the encrypted space. If it is a loopback file, does it expand itself on demand?

Thanks.

GUIs are nice if you want to do simple things quickly without having to understand what’s happening ‘under the hood’.
I find they break when you try to do things a bit different (the GUIs never seem to have all the options available at the command-line). They also tend to be less useful when debugging (in case you have a problem).
GUIs are difficult to automate, so having a script-able command-line solution is great if you’re dealing with many boxes/accounts.
With something like crypto I feel that GUIs tends to hide too much (the devil is in the details, so it’s important to know what they are).

@Turd
(please read http://www.gerv.net/hacking/how-to-ask-good-questions and/or http://www.catb.org/~esr/faqs/smart-questions.html)
I use OpenPGP. It support symmetric and asymmetric encryption.
asymmetric cryptography (public/private keys) is too intricate for a simple forum reply like this.
symmetric encryption (secret key) is fairly simple:

$ date > DATA
$ gpg --symmetric DATA
[Enter your key here when requested]
$ ls
DATA DATA.gpg

Choose a good pass-phrase! Most crypto attacks succeed thanks to poorly chosen passwords rather than algorithm/implementation problems.

To decrypt:

$ gpg < DATA.gpg
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
Fri Jan 16 08:48:15 NZDT 2009
gpg: WARNING: message was not integrity protected


I really don’t get why you tell people to do it in such a complicated way. The beauty of ecryptfs in intrepid is, that it is kind of a 1-click install. Just run ecryptfs-setup-private and it will set up an ecryptfs-encrypted directory which will automatically be mounted when you log in (it will be tied to PAM).

It may not be, but it is different.

Having a choice is always better than not having one.