How to Set Up eCryptFS on Linux – the Manual Way
Published: 2019-05-11

This post introduces how to set up eCryptFS on Linux the manual way. We can store encrypted files in one eCryptFS directory. The content can be seen only after the directory is mounted as an eCryptFS file system. Otherwise, users can only see garbled characters in the files.

Note that this post covers the “manual way”, which differs a little from other tutorials that use the ecryptfs-setup-private, ecryptfs-mount-private and ecryptfs-umount-private tools. The benefit of this method is that you only need to keep the passphrase. No ~/.ecryptfs directory is required. Also, once a directory is mounted, it is not automatically unmounted when the user session is closed.

Here, we use Fedora 22 as the example platform.

Install eCryptFS tools

First, install utils for ecryptfs:

# dnf install ecryptfs-utils

Add ecryptfs module to Linux Kernel

Load the ecryptfs kernel module:

# modprobe ecryptfs

Mount ecryptfs

Suppose we store the encrypted files in the /home/zma/.private directory and mount it at /home/zma/private/:

# mount -t ecryptfs /home/zma/.private /home/zma/private

The first time you mount the ecryptfs directory, it will ask you to set up the encryption as follows.

Select key type to use for newly created files:
 1) tspi
 2) passphrase
 3) pkcs11-helper
Selection: 2
Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 1
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]: 2
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [a-signature-here]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=a-signature-here
  ecryptfs_key_bytes=32
  ecryptfs_cipher=aes
  ecryptfs_sig=a-signature-here
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key before. This could mean that you have typed your passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [a-signature-here] to
[/root/.ecryptfs/sig-cache.txt] in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

For later mounts, it will ask you for this information again. You must make the same choices to mount the directory correctly. Otherwise, you will see “garbage” content.

To avoid answering so many prompts, you can store the command as an alias or a script as follows:

mount -t ecryptfs /home/zma/.private /home/zma/private \
  -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y

The mount process will be like:

# mount -t ecryptfs /home/zma/.private /home/zma/private -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y
Passphrase: ENTER YOUR PASSPHRASE HERE
Filename Encryption Key (FNEK) Signature [a-signature-here]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=a-signature-here
  ecryptfs_key_bytes=32
  ecryptfs_cipher=aes
  ecryptfs_sig=a-signature-here
Mounted eCryptfs

If you do not want to see the FNEK message anymore, you can add the option ecryptfs_fnek_sig=THE_SIGNATURE_ABOVE to the mount command, using the signature it printed.

After it is mounted, you can check it:

# df -hT
Filesystem                      Type      Size  Used Avail Use% Mounted on
...
/home/zma/.private              ecryptfs  473G  4.7G  449G   2% /home/zma/private

Then you can read from and write to files under /home/zma/private as in a normal directory.
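
An added example, not part of the original post: it wraps the mount command above in a script and confirms from the mount table that the plaintext view is an eCryptfs mount with the AES/32-byte options. The function names and the sample mount-table line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
LOWER=/home/zma/.private   # encrypted store (path from the post)
MNT=/home/zma/private      # plaintext view (path from the post)

# Constructed sample of a /proc/mounts line for a mounted eCryptfs directory.
SAMPLE_MOUNTS='/home/zma/.private /home/zma/private ecryptfs rw,relatime,ecryptfs_fnek_sig=a-signature-here,ecryptfs_sig=a-signature-here,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs 0 0'

# Print the option string from the post; append the FNEK signature if given.
# No passphrase is placed in the options, so mount prompts for it.
ecryptfs_opts() {
    opts="key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
    opts="$opts,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y"
    if [ -n "${1:-}" ]; then opts="$opts,ecryptfs_fnek_sig=$1"; fi
    printf '%s\n' "$opts"
}

# Read a mount table on stdin; succeed only if the mount point ($1) is an
# ecryptfs mount using aes with 32-byte keys.
check_mount() {
    awk -v mp="$1" '
        $2 == mp {
            ok = 0
            if ($3 != "ecryptfs") next
            split("", seen)                      # clear options from earlier lines
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) seen[o[i]] = 1
            ok = (("ecryptfs_cipher=aes" in seen) && ("ecryptfs_key_bytes=32" in seen))
        }
        END { exit ok ? 0 : 1 }
    '
}

# Mount with the fixed options, then verify against the live mount table.
mount_private() {
    mount -t ecryptfs "$LOWER" "$MNT" -o "$(ecryptfs_opts "${1:-}")" || return 1
    check_mount "$MNT" < /proc/mounts
}

# Run as: script.sh mount [FNEK_SIGNATURE]
if [ "${1:-}" = "mount" ]; then mount_private "${2:-}"; fi
```

A passing check confirms the mount type and options only. A mistyped passphrase still mounts, which is what the sig-cache warning shown earlier is for.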

Umount ecryptfs

# umount /home/zma/private

Try to view a file under /home/zma/.private with less. You will only see encrypted binary content.

When you want to read your files, mount this directory again and your files will be back :)

Translated from: ecryptfs

Reposted from: http://aqowd.baihongyu.com/
