<sect2 id="generating-a-csr" status="review">
<title>Generating a Certificate Signing Request (CSR)</title>
<para>
Whether you are getting a certificate from a CA or generating your own
self-signed certificate, the first step is to generate a key.
</para>
<para>
If the certificate will be used by service daemons, such as Apache, Postfix, Dovecot, etc.,
a key without a passphrase is often appropriate. Not having a passphrase allows the services
to start without manual intervention, which is usually the preferred way to start a daemon.
</para>
<para>
This section will cover generating a key with a passphrase, and one without. The key without a
passphrase will then be used to generate a certificate that can be used with various service daemons.
</para>
<para>
Running your secure service without a passphrase is convenient because you will not
need to enter the passphrase every time you start your secure service. But it is
insecure, and a compromise of the key means a compromise of the server as well.
</para>
<para>
To generate the <emphasis>keys</emphasis> for the Certificate Signing Request (CSR), run the
following command from a terminal prompt:
</para>
<screen>
<command>openssl genrsa -des3 -out server.key 1024</command>
</screen>
<para>
correctly, the server key is generated and stored in the
<filename>server.key</filename> file.
</para>
<para>
In any case, you can choose to run your secure service without a passphrase by leaving out
the -des3 switch in the generation phase, or by issuing the following commands at a terminal
prompt to create the insecure key, the one without a passphrase:
</para>
<screen>
<command>openssl rsa -in server.key -out server.key.insecure</command>
<command>mv server.key server.key.secure</command>
<command>mv server.key.insecure server.key</command>
</screen>
<para>
The insecure key is now named <filename>server.key</filename>, and you can use this
file to generate the CSR without a passphrase.
</para>
<para>
To create the CSR, run the following command at a terminal prompt:
</para>
<screen>
<command>openssl req -new -key server.key -out server.csr</command>
</screen>
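<para>
The key and CSR steps above as an added, scripted example (not the guide's own commands): it creates a
key without a passphrase and a CSR with no interactive prompts, then checks that the CSR really was
derived from <filename>server.key</filename> before the request is sent to a CA. It assumes OpenSSL is
installed; the 2048-bit key size, the function names and the placeholder subject are my own, not the guide's.
</para>

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: generate a key and CSR
# without any interactive prompts, then prove the CSR belongs to the key.
# Assumes OpenSSL is installed; SUBJECT is a placeholder distinguished name.
set -eu

# make_csr DIR SUBJECT: writes DIR/server.key (no passphrase) and DIR/server.csr
make_csr() {
    dir="$1"; subject="$2"
    # 2048 bits instead of the guide's 1024: public CAs have rejected
    # 1024-bit RSA keys since 2014. Omitting -des3 leaves the key unencrypted.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # A passphrase-less key is protected only by its file permissions.
    chmod 600 "$dir/server.key"
    # -subj answers the questions "openssl req -new" would otherwise ask;
    # -batch makes sure nothing else is prompted for.
    openssl req -new -batch -key "$dir/server.key" -subj "$subject" -out "$dir/server.csr"
}

# csr_matches_key DIR: succeeds only if the CSR's self-signature verifies and
# its public key is the one derived from server.key (catches a CSR that was
# generated from, or swapped for, a different key).
csr_matches_key() {
    dir="$1"
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>/dev/null || return 1
    key_pub=$(openssl rsa -in "$dir/server.key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$dir/server.csr" -noout -pubkey)
    [ "$key_pub" = "$csr_pub" ]
}

# csr_subject DIR: prints the subject the CA will see in the request
csr_subject() {
    openssl req -in "$1/server.csr" -noout -subject
}

# Stand-alone run (sh thisfile --demo): work in a scratch directory.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_csr "$work" "/C=XX/O=Example Org/CN=www.example.com"
    csr_subject "$work"
    if csr_matches_key "$work"; then echo "CSR matches server.key"; fi
    rm -rf "$work"
fi
```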
</itemizedlist>
<sect1 id="ecryptfs" status="review">
<title>eCryptfs</title>
<para>
<emphasis>eCryptfs</emphasis> is a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux. Layering on
top of the filesystem layer, <emphasis>eCryptfs</emphasis> protects files no matter the underlying filesystem, partition
</para>
<para>
During installation there is an option to encrypt the <filename role="directory">/home</filename> partition. This will automatically
configure everything needed to encrypt and mount the partition.
</para>
<para>
As an example, this section will cover configuring <filename role="directory">/srv</filename> to be encrypted using eCryptfs.
</para>
<sect2 id="ecryptfs-usage" status="review">
<title>Using eCryptfs</title>
<para>
First, install the necessary packages. From a terminal prompt enter:
</para>
<screen>
<command>sudo apt-get install ecryptfs-utils</command>
</screen>
<para>
Now mount the partition to be encrypted:
</para>
<screen>
<command>sudo mount -t ecryptfs /srv /srv</command>
</screen>
<para>
You will then be prompted for some details on how <application>ecryptfs</application> should encrypt the data.
</para>
<para>
To test that files placed in <filename>/srv</filename> are indeed encrypted, copy the <filename>/etc/default</filename>
folder to <filename>/srv</filename>:
</para>
<screen>
<command>sudo cp -r /etc/default /srv</command>
</screen>
<para>
Now unmount <filename>/srv</filename>, and try to view a file:
</para>
<screen>
<command>sudo umount /srv</command>
<command>cat /srv/default/cron</command>
</screen>
<para>
Remounting <filename>/srv</filename> using <application>ecryptfs</application> will make the data viewable once again.
</para>
</sect2>
<sect2 id="ecryptfs-automount" status="review">
<title>Automatically Mounting Encrypted Partitions</title>
<para>
There are a couple of ways to automatically mount an <application>ecryptfs</application> encrypted filesystem
at boot. This example will use a <filename>/root/.ecryptfsrc</filename> file containing mount options, along with
a passphrase file residing on a USB key.
</para>
<para>
First, create <filename>/root/.ecryptfsrc</filename> containing:
</para>
<screen>
key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
</screen>
<para>
Adjust the <emphasis>ecryptfs_sig</emphasis> to the signature in <filename>/root/.ecryptfs/sig-cache.txt</filename>.
</para>
<para>
Next, create the <filename>/mnt/usb/passwd_file.txt</filename> passphrase file:
</para>
<screen>
passphrase_passwd=[secrets]
</screen>
<para>
Now add the necessary lines to <filename>/etc/fstab</filename>:
</para>
<screen>
/dev/sdb1 /mnt/usb ext3 ro 0 0
/srv /srv ecryptfs defaults 0 0
</screen>
<para>
Make sure the USB drive is mounted before the encrypted partition.
</para>
<para>
Finally, reboot and <filename>/srv</filename> should be mounted using ecryptfs.
</para>
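<para>
As an added example (not part of the guide), the following script checks the three things a practitioner
would want to confirm before rebooting with this setup: that the <emphasis>ecryptfs_sig</emphasis> in
<filename>.ecryptfsrc</filename> is one recorded in <filename>sig-cache.txt</filename>, that the passphrase
file is readable by its owner only, and that the <filename>/mnt/usb</filename> line precedes the ecryptfs line in
<filename>/etc/fstab</filename>. It runs against constructed copies of the files shown in this section; the
function names are my own, and the real paths can be passed in to check a live system the same way.
</para>

```shell
#!/bin/sh
# Added example, not part of the Ubuntu Server Guide: checks for the three
# things the automount setup above depends on. Runs against constructed
# sample files; pass /root/.ecryptfsrc, /root/.ecryptfs/sig-cache.txt,
# /mnt/usb/passwd_file.txt and /etc/fstab to check a live system instead.
set -eu

# sig_matches RCFILE SIGCACHE: the ecryptfs_sig in .ecryptfsrc must be one of
# the signatures in sig-cache.txt, otherwise the mount uses a key that does
# not unlock the data already written to /srv.
sig_matches() {
    sig=$(sed -n 's/^ecryptfs_sig=//p' "$1")
    [ -n "$sig" ] || return 1
    grep -qx "$sig" "$2"
}

# passwd_file_is_private FILE: whoever can read the passphrase file can mount
# /srv, so it must be a regular file readable by its owner only (GNU stat).
passwd_file_is_private() {
    [ -f "$1" ] || return 1
    grep -q '^passphrase_passwd=' "$1" || return 1
    mode=$(stat -c %a "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# usb_before_srv FSTAB: the /mnt/usb entry must precede the ecryptfs entry,
# or the passphrase file is not yet available when /srv is mounted at boot.
usb_before_srv() {
    usb=$(grep -n '[[:space:]]/mnt/usb[[:space:]]' "$1" | cut -d: -f1 | head -n1)
    srv=$(grep -n '[[:space:]]ecryptfs[[:space:]]' "$1" | cut -d: -f1 | head -n1)
    [ -n "$usb" ] || return 1
    [ -n "$srv" ] || return 1
    [ "$usb" -lt "$srv" ]
}

# make_sample DIR: constructed copies of the files shown in this section.
make_sample() {
    printf '%s\n' 'key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt' \
        'ecryptfs_sig=5826dd62cf81c615' 'ecryptfs_key_bytes=16' \
        'ecryptfs_passthrough=n' 'ecryptfs_enable_filename_crypto=n' > "$1/.ecryptfsrc"
    printf '5826dd62cf81c615\n' > "$1/sig-cache.txt"
    printf 'passphrase_passwd=[secrets]\n' > "$1/passwd_file.txt"
    chmod 600 "$1/passwd_file.txt"
    printf '%s\n' '/dev/sdb1 /mnt/usb ext3 ro 0 0' '/srv /srv ecryptfs defaults 0 0' > "$1/fstab"
}
```

Each check returns success or failure as its exit status, so it can be called from a boot-time script or a one-off shell session before the reboot.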
</sect2>
<sect2 id="ecryptfs-other-utils" status="review">
<title>Other Utilities</title>
<para>
The <application>ecryptfs-utils</application> package includes several other useful utilities:
</para>
<itemizedlist>
<listitem>
<para>
<emphasis>ecryptfs-setup-private:</emphasis> creates a <filename>~/Private</filename> directory
to contain encrypted information. This utility can be run by unprivileged users to keep
data private from other users on the system.
</para>
</listitem>
<listitem>
<para>
<emphasis>ecryptfs-mount-private and ecryptfs-umount-private:</emphasis> will mount and unmount,
respectively, a user's <filename>~/Private</filename> directory.
</para>
</listitem>
<listitem>
<para>
<emphasis>ecryptfs-add-passphrase:</emphasis> adds a new passphrase to the kernel keyring.
</para>
</listitem>
<listitem>
<para>
<emphasis>ecryptfs-manager:</emphasis> manages <application>eCryptfs</application> objects such as keys.
</para>
</listitem>
<listitem>
<para>
<emphasis>ecryptfs-stat:</emphasis> allows you to view the <application>ecryptfs</application> meta information
</para>
</listitem>
</itemizedlist>
</sect2>
<sect2 id="ecryptfs-references" status="review">
<title>References</title>
<itemizedlist>
<listitem>
<para>
For more information on eCryptfs see the <ulink url="https://launchpad.net/ecryptfs">Launchpad project page</ulink>.
</para>
</listitem>
<listitem>
<para>
There is also a <ulink url="http://www.linuxjournal.com/article/9400">Linux Journal</ulink> article covering eCryptfs.
</para>
</listitem>
<listitem>
<para>
Also, for more <application>ecryptfs</application> options see the
<ulink url="http://manpages.ubuntu.com/manpages/jaunty/en/man7/ecryptfs.7.html">ecryptfs man page</ulink>.
</para>
</listitem>
</itemizedlist>
</sect2>
</sect1>