eCryptfs PAM-based Mount

Mike Halcrow <mhalcrow@us.ibm.com>

eCryptfs Mounting Overview

eCryptfs is set up in the Open Client to automatically mount on user
login. The default mount is an overlay mount on top of
~/Confidential/, and it uses a passphrase-based key.

eCryptfs requires that the user's mount passphrase be inserted into
the user session keyring in order to access the files under the
~/Confidential/ mount point. The mount passphrase is wrapped
(encrypted) with the user's login passphrase and is stored in the
~/.ecryptfs/wrapped-passphrase file. When the user logs in, the
eCryptfs PAM module intercepts the user's login passphrase, uses it to
decrypt the wrapped mount passphrase, and inserts the unwrapped mount
passphrase into the user session keyring. The mount passphrase itself
therefore never has to be typed at login, but it is only as well
protected as the login passphrase that wraps it: anyone who can read
~/.ecryptfs/wrapped-passphrase can try login passphrases against it
offline, so that file should be readable by its owner only.

Once the user has logged in, the ~/.bash_profile script is executed by
the Bash shell. A segment of code in ~/.bash_profile checks for the
existence of a ~/.ecryptfs/auto-mount file. If this file exists, then
code is executed to mount ~/Confidential/ via eCryptfs. Note that the
hook relies on the session actually sourcing ~/.bash_profile; a
session started some other way does not trigger the mount.

When the user changes the login credentials, the eCryptfs PAM module
unwraps the mount passphrase in ~/.ecryptfs/wrapped-passphrase with
the user's old passphrase and rewraps the mount passphrase into
~/.ecryptfs/wrapped-passphrase with the user's new passphrase. The
module therefore needs both the old and the new login passphrase
during the password change, which is why its password entry has to
sit above pam_unix.so in the stack.

For more information on eCryptfs, see the Linux Journal article on
eCryptfs at <http://www.linuxjournal.com/article/9400> or visit
the eCryptfs web site at <http://ecryptfs.sf.net>

In order for these operations to complete successfully, the eCryptfs
PAM module needs to be inserted into the PAM stack in
/etc/pam.d/system-auth, an entry needs to be in /etc/fstab for the
user's ~/Confidential/ directory, the ~/.ecryptfs/auto-mount and
~/.ecryptfs/wrapped-passphrase files need to exist, and the mount code
needs to be in the user's ~/.bash_profile script.

The following shell script attempts to set all of this up
automatically:

http://downloads.sourceforge.net/ecryptfs/ecryptfs-setup-pam-wrapped.sh

Root executes this script in the following manner:

./ecryptfs-setup-pam-wrapped.sh user "mount_passphrase" "login_passphrase"

Where 'user' is the username, 'mount_passphrase' is the passphrase
used for encrypting files under the eCryptfs mount point, and
'login_passphrase' is the user's current login passphrase. Both
passphrases are passed on the command line, so they are visible in the
process list while the script runs and end up in root's shell history;
clear that history entry afterwards.

These instructions detail how to carry out the manual steps that the
ecryptfs-setup-pam-wrapped.sh tries to do for you automatically.

The following line needs to be added to /etc/pam.d/system-auth,
immediately below the line referencing the pam_unix.so module in the
auth context:

auth required pam_ecryptfs.so unwrap

The following line needs to be added to /etc/pam.d/system-auth,
immediately above the line referencing the pam_unix.so module in the
password context:

password required pam_ecryptfs.so

The position matters in both cases. In the auth context the module
reuses the login passphrase that pam_unix.so has already collected
and checked, so it must come after it; in the password context it
needs both the old and the new passphrase to rewrap the mount
passphrase, so it must come before pam_unix.so changes the stored
credential.

The following line needs to be added to /etc/fstab:

/home/user/Confidential /home/user/Confidential ecryptfs rw,ecryptfs_sig=deadbeefbaadf00d,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,user,noauto 0 0

Where 'user' is the username and 'deadbeefbaadf00d' is the mount
passphrase signature/identifier value (16 hexadecimal characters).
This signature is in /etc/mtab after you perform a manual eCryptfs
mount. It must be the signature of the key that the PAM module
inserts into the session keyring, otherwise the mount -i in
~/.bash_profile fails because the kernel cannot find the key.
ecryptfs_cipher=aes with ecryptfs_key_bytes=16 selects AES-128, the
'user' option is what lets the unprivileged login shell perform the
mount, and 'noauto' keeps the entry out of the boot-time mounts.

The following shell code needs to be appended to the user's
~/.bash_profile script (it mounts only when the directory is not
already mounted, so a second login shell does not stack a second
mount):

if test -e $HOME/.ecryptfs/auto-mount; then
  mount | grep -q "$HOME/Confidential type ecryptfs"
  if test $? != 0; then
    mount -i $HOME/Confidential
  fi
fi

The following file must exist:

~/.ecryptfs/auto-mount

The following file must contain the mount passphrase, encrypted with
the user's login passphrase:

~/.ecryptfs/wrapped-passphrase

The `ecryptfs-wrap-passphrase' command line utility can be used to
create it:

ecryptfs-wrap-passphrase ~/.ecryptfs/wrapped-passphrase "passphrase to wrap" "wrapping passphrase"

Here "passphrase to wrap" is the mount passphrase and "wrapping
passphrase" is the user's login passphrase. Run it as the user so the
file is owned by the user, and bear in mind that passphrases given on
the command line show up in the process list and shell history; the
utility prompts for them if they are omitted.

With these elements in place, the user should be able to log in and
have the eCryptfs mount point be created automatically.

Problem: The ~/Confidential/ directory is not being mounted on login.

Problem: The ~/Confidential/ directory is mounted on login, but
the files under the ~/Confidential/ directory cannot be read.

Solution: Work through the prerequisites in this order. Your
~/.ecryptfs/wrapped-passphrase file may be incorrect, for example
wrapped with a mount or login passphrase other than the one now in
use; run ecryptfs-wrap-passphrase to recreate it if that is the
case. Otherwise, the PAM stack is not set up correctly, so the mount
passphrase never reaches the session keyring. Otherwise, the code to
mount your ~/Confidential directory is not in your ~/.bash_profile
script.

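A check that walks the same prerequisites in the order the answer above gives, written as an added example (not code from the original page or from the eCryptfs project). It also verifies that the pam_ecryptfs.so lines sit on the right side of their pam_unix.so counterparts and that the wrapped-passphrase file is private; the PAM_D and FSTAB overrides and the function names are assumptions made here so the check can be run against copies of the system files:

```sh
#!/bin/sh
# Added example (not eCryptfs project code): report which prerequisite
# of the PAM-based mount is missing. Exit status = number of problems.
# PAM_D and FSTAB default to the live locations; point them at copies
# to dry-run the check.
check_ecryptfs_setup() {
    home=$1
    pamfile=${PAM_D:-/etc/pam.d}/system-auth
    fstab=${FSTAB:-/etc/fstab}
    wp=$home/.ecryptfs/wrapped-passphrase
    n=0
    fail() { echo "$1"; n=$((n + 1)); }

    # 1. wrapped passphrase: present, non-empty and readable only by its
    #    owner, since it is only as strong as the login passphrase on it
    if [ ! -s "$wp" ]; then
        fail "$wp missing or empty: run ecryptfs-wrap-passphrase"
    elif [ -n "$(find "$wp" \( -perm -040 -o -perm -004 \) -print)" ]; then
        fail "$wp is readable by group or others: chmod 600 it"
    fi
    [ -e "$home/.ecryptfs/auto-mount" ] ||
        fail "$home/.ecryptfs/auto-mount missing: touch it to enable the mount"

    # 2. PAM stack: auth entry (with "unwrap") below auth pam_unix.so,
    #    password entry above password pam_unix.so
    pam_order() {   # $1 = context, $2 = "after" or "before"
        awk -v ctx="$1" -v want="$2" '
            $1 == ctx && /pam_unix\.so/ && !u { u = NR }
            $1 == ctx && /pam_ecryptfs\.so/ && (ctx != "auth" || /unwrap/) && !e { e = NR }
            END { ok = u && e && ((want == "after") ? e > u : e < u); exit !ok }
        ' "$pamfile" 2>/dev/null
    }
    pam_order auth after ||
        fail "$pamfile: need 'auth required pam_ecryptfs.so unwrap' below the auth pam_unix.so line"
    pam_order password before ||
        fail "$pamfile: need 'password required pam_ecryptfs.so' above the password pam_unix.so line"

    # 3. fstab entry for the mount point carrying a 16-hex-digit signature
    grep -q "^$home/Confidential[[:space:]].*ecryptfs_sig=[0-9a-f]\{16\}[, ]" "$fstab" 2>/dev/null ||
        fail "$fstab: no ecryptfs entry with an ecryptfs_sig for $home/Confidential"

    # 4. the login-shell hook that performs the mount
    grep -q 'mount -i.*Confidential' "$home/.bash_profile" 2>/dev/null ||
        fail "$home/.bash_profile: auto-mount code missing"

    return $n
}

# Usage: check_ecryptfs_setup /home/alice
```

When the first two checks pass but the directory still does not mount, compare the ecryptfs_sig in the fstab entry with the key the PAM module inserted (keyctl show @us after a fresh login); a mismatch means the wrapped-passphrase file holds a different mount passphrase than the one the files were created with.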
Problem: The ~/Confidential/ directory mounts on console login
but not on GDM login.

Solution: Make sure you have the most recent
ecryptfs-utils package.

Problem: Attempts to authenticate to the gnome-screensaver
application result in a long pause and a failed attempt.

Solution: Your PAM stack is not set up correctly. Make
certain that /etc/pam.d/gnome-screensaver does not point
to a file in the auth context that includes
pam_ecryptfs.so.

Problem: How do I back up my encrypted files?

Solution: Unmount your ~/Confidential directory so that
the lower filesystem files (in encrypted state) show up at
that path location, and then copy the files in that
directory to another storage device. Because the mount is an
overlay on the same path, copying while it is still mounted would
give you the decrypted contents instead. The backup is useless
without the mount passphrase, so keep a copy of
~/.ecryptfs/wrapped-passphrase (or of the mount passphrase itself)
somewhere safe as well.

Problem: How do I recover encrypted files from a backup?

Solution: Place the encrypted files into a directory
(e.g., /secret) and perform an eCryptfs mount (e.g., mount
-t ecryptfs /secret /secret), using your mount passphrase
when prompted. If you are unsure of which cipher to
select, choose AES-128; that matches the /etc/fstab entry
above (ecryptfs_cipher=aes, ecryptfs_key_bytes=16).

Problem: Can I access the lower encrypted files of an active
eCryptfs mount?

Solution: This is not a good idea. See
<http://ecryptfs.sourceforge.net/ecryptfs-faq.html#access_lower>