Creating a Secure File System in Linux Using ecryptfs

Posted Thursday, 18 April 2013 01:00

As a web designer and a computer support service provider I keep a lot of my customers' information and need it to be secure in case of theft. To do this I use the ecryptfs file system.

This is a basic guide to creating an encrypted file system. In my case I encrypt all sensitive information and the backups of the whole system. My setup is a file server running Ubuntu 10.10 and a desktop machine / storage server running Kubuntu 11.10. On the file server I have an encrypted Samba share that contains all my customer-critical data. The encryption key is held on a USB device secured to the server room's bricks and mortar. For the storage server the encryption key is held on the file server, inside the encrypted area. Therefore if the file server is stolen its encryption key will not be available, and if the storage server is stolen its encryption key will not be available either. If both systems are stolen, neither encryption key will be available. This is a considerably more secure solution than a vanilla installation.

Requirements

The ecryptfs utilities need to be installed:

sudo apt-get install ecryptfs-utils

A USB pen drive, if you wish to store your key on a USB drive.

A backup of your passphrases, or all will be lost!

Server Setup


For this example I'm going to encrypt a directory called /ToBeEncrypted and mount it as /Encrypted:

sudo mount -t ecryptfs /ToBeEncrypted /Encrypted

  • You will be prompted for a passphrase. This should be a secure password. I use this generator: Password Generator. There appears to be an issue with using ( or ) in the password; you will get spurious errors if you do so.
  • I accept the defaults: aes, 32, Plain Text Passthrough (N). Filename Encryption I set to (Y), and I accept the FNEK.
  • As this is the first time you have mounted this mount you will be asked if you want to proceed (yes).
  • Would you like to append sig (yes).
  • Keep a record of all the options you have selected.
To mount this share from fstab you need to create the file /root/.ecryptfsrc with the information used to mount the share. An example is shown below:

key=passphrase:passphrase_passwd_file=/media/usb/passwd_file.txt
ecryptfs_unlink_sigs
ecryptfs_key_bytes=32
ecryptfs_cipher=aes
ecryptfs_sig=cbea2d2b4cda6971
ecryptfs_fnek_sig=cbea2d2b4cda6971
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=y

Then run chmod 600 /root/.ecryptfsrc

You now need to create passwd_file.txt, which looks like this:

passphrase_passwd=PASSPHRASEGENERATEDABOVE

If you are using a USB drive to store passwd_file.txt then remember to mount it in fstab as well, as it needs to be available during boot.

Modify fstab to have the following line:

/ToBeEncrypted /Encrypted ecryptfs user,_netdev 0 0

Now the share should auto-mount at reboot.
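Putting the steps above together, here is an added example (written for this page, not a script from the original post) that creates passwd_file.txt and /root/.ecryptfsrc with the 600 permissions the guide calls for, rejects a passphrase containing ( or ) before it ever reaches ecryptfs, and prints the matching fstab line. The destination paths, the 20-character minimum length and the SIGPLACEHOLDER value are assumptions; the real ecryptfs_sig and ecryptfs_fnek_sig values are the ones printed by your first interactive mount.

```sh
#!/bin/sh
# Added example, not part of the original post. Builds the files the guide
# describes so that the passphrase and rc file are never left world-readable.
# Assumptions: all paths are parameters; SIGPLACEHOLDER stands in for the
# signature printed by the first interactive mount.

set -eu

# Reject passphrases that contain ( or ) (the guide reports spurious errors
# with them) and anything shorter than 20 characters (assumed minimum).
check_passphrase() {
    pw=$1
    case $pw in
        *'('*|*')'*) echo "passphrase contains ( or ): rejected" >&2; return 1 ;;
    esac
    if [ "${#pw}" -lt 20 ]; then
        echo "passphrase shorter than 20 characters: rejected" >&2
        return 1
    fi
    return 0
}

# Write passwd_file.txt at $1 holding passphrase $2, created with mode 600
# from the start so the secret is never briefly readable by other users.
write_passwd_file() {
    file=$1; pw=$2
    ( umask 077; printf 'passphrase_passwd=%s\n' "$pw" > "$file" )
    chmod 600 "$file"
}

# Write the .ecryptfsrc at $1 that points at passwd file $2 and carries the
# options chosen during the interactive mount (sig $3, fnek sig $4).
write_ecryptfsrc() {
    rc=$1; passwd_file=$2; sig=$3; fnek_sig=$4
    (
        umask 077
        cat > "$rc" <<EOF
key=passphrase:passphrase_passwd_file=$passwd_file
ecryptfs_unlink_sigs
ecryptfs_key_bytes=32
ecryptfs_cipher=aes
ecryptfs_sig=$sig
ecryptfs_fnek_sig=$fnek_sig
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=y
EOF
    )
    chmod 600 "$rc"
}

# Print the fstab line for lower directory $1 mounted at $2.
fstab_line() {
    printf '%s %s ecryptfs user,_netdev 0 0\n' "$1" "$2"
}

# Return 0 only if $1 is readable by its owner alone (mode 600 or 400).
is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case $mode in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (run as root on the real system):
#   check_passphrase "$PW" && write_passwd_file /media/usb/passwd_file.txt "$PW"
#   write_ecryptfsrc /root/.ecryptfsrc /media/usb/passwd_file.txt SIGPLACEHOLDER SIGPLACEHOLDER
#   fstab_line /ToBeEncrypted /Encrypted >> /etc/fstab
```

The rc file is written through a subshell with umask 077 rather than chmod'ed afterwards, so there is no window in which the passphrase path is readable by everyone; is_private is the check to run after copying these files to the USB stick, where a FAT file system may silently ignore the mode.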

Mount as a Samba Share


In Samba you can now share the /Encrypted directory.

Setting up the Storage Server

Repeat the process above using a different passphrase and using the directory for your backups. The only change is:

  • In the .ecryptfsrc file the key=passphrase line needs to point to the mounted secure share on the server:

key=passphrase:passphrase_passwd_file=/media/server/secureshare/passwd_file.txt

My backup is done by rsyncing the server to the storage server's encrypted area, providing me with a reasonable level of encryption.
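The weak point of this backup chain is the auto-mount: if the storage server boots while the file server share holding passwd_file.txt is unreachable, /Encrypted is a plain directory and rsync would write the backup to disk in clear. This added example (not part of the original post) guards the rsync with a check that the destination is really an ecryptfs mount, and lists any names in the lower directory that ecryptfs did not encrypt. The mount table path, the /srv/data source directory and the rsync flags are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post. Refuses to run the backup
# unless the destination is an ecryptfs mount, so a failed auto-mount at boot
# cannot turn the bare lower directory into a plaintext backup.
# Assumption: the mount table is read from a file (default /proc/mounts) so the
# check can also be exercised against a constructed sample.

set -eu

# Return 0 when $1 is listed as an ecryptfs mount point in mount table $2.
is_ecryptfs_mount() {
    target=$1; table=${2:-/proc/mounts}
    while read -r _dev mnt fstype _rest; do
        if [ "$mnt" = "$target" ] && [ "$fstype" = ecryptfs ]; then
            return 0
        fi
    done < "$table"
    return 1
}

# Run the rsync from $1 into $2 once the guard passes; with DRY_RUN=1 only
# print the command. Returns 2 when the destination is not mounted.
run_backup() {
    src=$1; dest=$2; table=${3:-/proc/mounts}
    if ! is_ecryptfs_mount "$dest" "$table"; then
        echo "refusing: $dest is not an ecryptfs mount" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: rsync -aH --delete $src/ $dest/"
        return 0
    fi
    rsync -aH --delete "$src/" "$dest/"
}

# Print entries of lower (ciphertext) directory $1 whose names are not
# ecryptfs-encrypted. With filename encryption on, every entry ecryptfs writes
# starts with ECRYPTFS_FNEK_ENCRYPTED.; anything else landed there while the
# directory was not mounted and is stored in clear.
plaintext_names_in_lower() {
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        case $name in
            ECRYPTFS_FNEK_ENCRYPTED.*) ;;
            *) echo "$name" ;;
        esac
    done
}

# Usage on the storage server (assumed paths):
#   run_backup /srv/data /Encrypted
#   plaintext_names_in_lower /ToBeEncrypted
```

Running plaintext_names_in_lower against the lower directory after each backup is the cheap audit: a non-empty result means something bypassed the encryption and should be moved into the mounted view and wiped from the lower directory.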
Please feel free to leave comments/corrections.
Last modified on Wednesday, 29 October 2014 08:38
