Encrypting directories using ecryptfs

The goal of this post is to enable you to:

  1. Create and use encrypted folders
  2. Mount existing ecryptfs folders (such as your Ubuntu encrypted home when you plug its hard drive into another computer, or when it lives on a USB stick)

This should be much, much easier than it is. Unfortunately, the ecryptfs tools are not user-friendly at all, so I wrote a Python script to wrap them. It's here on Github. Download the script, make it executable (chmod +x) and put it in your $PATH to start using it.

Before an encrypted directory can be mounted, the script must import its key signatures into ~/.ecryptfs. This is done with the --import argument and isn't necessary if you've just created the directory with --create.

The convention for ecryptfs directories is to encrypt the files' encryption keys with a passphrase and store the result in /your/encrypted/folder/.ecryptfs/wrapped-passphrase. The script handles all that for you, but you should be aware that deleting this file is equivalent to deleting the entire directory unless you have a backup (or you can crack crypto problems faster than the NSA).
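The two paragraphs above describe the on-disk state that --mount depends on: the wrapped-passphrase and Private.sig inside the directory, and the <alias>.conf plus <alias>.sig that --import writes into ~/.ecryptfs. The following shell function is an added example, not code from the post or from secure-mount.py; it checks that layout before you mount, and before you delete a wrapped-passphrase.old. It assumes the file layout and the .conf line format shown in the session below; PLACEHOLDER_ALIAS and the wrapped-passphrase contents in the demo are constructed placeholders, not values produced by the tools.

```shell
#!/bin/sh
# Added example, not the post's secure-mount.py: sanity-check an ecryptfs
# directory laid out the way the post shows (<dir>/.ecryptfs/Private.sig,
# <dir>/.ecryptfs/wrapped-passphrase, <dir>/.Private) before mounting it or
# before deleting wrapped-passphrase.old.
#
# check_ecryptfs_dir DIR [ECRYPTFS_HOME]   (ECRYPTFS_HOME defaults to ~/.ecryptfs)
# Return codes:
#   0  layout complete and imported: ECRYPTFS_HOME has <alias>.conf naming DIR plus <alias>.sig
#   1  layout complete but not (fully) imported: run secure-mount.py --import DIR
#   2  layout incomplete: a file that cannot be regenerated is missing or malformed
check_ecryptfs_dir() {
  dir=$1
  ecryptfs_home=${2:-"$HOME/.ecryptfs"}
  status=0

  # wrapped-passphrase holds the passphrase-wrapped file encryption key:
  # without it, and without a backup, the ciphertext in .Private is unrecoverable.
  for f in .ecryptfs/wrapped-passphrase .ecryptfs/Private.sig; do
    if [ ! -f "$dir/$f" ]; then
      echo "MISSING: $dir/$f"
      status=2
    fi
  done
  if [ ! -d "$dir/.Private" ]; then
    echo "MISSING: $dir/.Private (ciphertext directory)"
    status=2
  fi

  # Private.sig lists two 16-hex-digit key signatures (contents key, filename key).
  if [ -f "$dir/.ecryptfs/Private.sig" ]; then
    n=$(grep -c -E '^[0-9a-f]{16}$' "$dir/.ecryptfs/Private.sig" || true)
    if [ "$n" -ne 2 ]; then
      echo "BAD: $dir/.ecryptfs/Private.sig should hold two 16-hex-digit signatures, found $n"
      status=2
    fi
  fi

  if [ -f "$dir/.ecryptfs/wrapped-passphrase.old" ]; then
    echo "NOTE: wrapped-passphrase.old present; remove it only after a successful mount with the new passphrase"
  fi

  if [ "$status" -eq 2 ]; then
    return 2
  fi

  # --import writes ~/.ecryptfs/<alias>.conf containing "<dir>/.Private <dir> ecryptfs"
  # and a matching <alias>.sig; mount.ecryptfs_private fails if either is gone.
  conf=$(grep -l -s -F -- "$dir/.Private $dir ecryptfs" "$ecryptfs_home"/*.conf 2>/dev/null | head -n 1)
  if [ -z "$conf" ]; then
    echo "NOT IMPORTED: run secure-mount.py --import $dir before --mount"
    return 1
  fi
  if [ ! -f "${conf%.conf}.sig" ]; then
    echo "INCOMPLETE IMPORT: $conf has no matching ${conf%.conf}.sig; re-run --import"
    return 1
  fi
  echo "OK: $dir is imported as $conf"
  return 0
}

# Constructed demo input (not real ecryptfs output): the empty layout that
# `--create` leaves behind, with the signatures printed in the post and a
# placeholder in place of a real wrapped-passphrase.
demo=$(mktemp -d)
mkdir -p "$demo/secure-test/.ecryptfs" "$demo/secure-test/.Private" "$demo/dot-ecryptfs"
printf '286b596792caead7\ne4e68d680025f8f5\n' > "$demo/secure-test/.ecryptfs/Private.sig"
echo 'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-WRAPPED-PASSPHRASE' > "$demo/secure-test/.ecryptfs/wrapped-passphrase"

check_ecryptfs_dir "$demo/secure-test" "$demo/dot-ecryptfs" || true   # NOT IMPORTED, rc 1

# Simulate what --import writes. PLACEHOLDER_ALIAS stands in for the alias the script chooses;
# the .sig is a copy of the directory's own signatures, as --import imports them.
printf '%s/.Private %s ecryptfs\n' "$demo/secure-test" "$demo/secure-test" > "$demo/dot-ecryptfs/PLACEHOLDER_ALIAS.conf"
cp "$demo/secure-test/.ecryptfs/Private.sig" "$demo/dot-ecryptfs/PLACEHOLDER_ALIAS.sig"
check_ecryptfs_dir "$demo/secure-test" "$demo/dot-ecryptfs"           # OK, rc 0
rm -rf "$demo"
```

The three return codes map onto the three situations in the session below: a freshly created or freshly imported directory (0), a directory whose ~/.ecryptfs entries were removed and which needs --import again (1), and a directory that has lost its wrapped-passphrase, where no amount of re-importing helps (2).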

Other than that, the use of the script is rather self-explanatory (see --help), and the rest of the post is a reproduction of the "tutorial" that I had already put in the script's header.

Good luck and feel free to comment with questions.

$ secure-mount.py --create /tmp/secure-test
Passphrase wrapper:
Again to confirm..:

$ ls -aR /tmp/secure-test
/tmp/secure-test:
.  ..  .ecryptfs  ENCRYPTED_FOLDER  .Private

/tmp/secure-test/.ecryptfs:
.  ..  Private.sig  wrapped-passphrase

/tmp/secure-test/.Private:
.  ..

$ cat /tmp/secure-test/.ecryptfs/Private.sig
286b596792caead7
e4e68d680025f8f5

$ ecryptfs-unwrap-passphrase /tmp/secure-test/.ecryptfs/wrapped-passphrase
Passphrase:
V2gmgepqwDpCh9DROQi3vpK99lkiEkpA0XuVqbTuihCpYlnDfCrRfjB5bpkHdd6y

$ secure-mount.py --change-password /tmp/secure-test
[Old passphrase wrapper]
Passphrase wrapper:
[New passphrase wrapper]
Passphrase wrapper:
Again to confirm..:
After you've verified that your directory mounts properly, you should delete /tmp/secure-test/.ecryptfs/wrapped-passphrase.old

$ secure-mount.py --mount /tmp/secure-test
Passphrase wrapper:

$ ls -aR /tmp/secure-test
/tmp/secure-test:
.  ..

$ mkdir /tmp/secure-test/blah

$ echo hi > /tmp/secure-test/blah/hello

$ ls -aR /tmp/secure-test
/tmp/secure-test:
.  ..  blah

/tmp/secure-test/blah:
.  ..  hello

$ secure-mount.py --umount /tmp/secure-test

$ ls -aR /tmp/secure-test
/tmp/secure-test:
.  ..  .ecryptfs  ENCRYPTED_FOLDER  .Private

/tmp/secure-test/.ecryptfs:
.  ..  Private.sig  wrapped-passphrase  wrapped-passphrase.old

/tmp/secure-test/.Private:
.  ..  ECRYPTFS_FNEK_ENCRYPTED.FWbYtcpc-0LsxER.CSk2bPs7uVw8A0id4Uzhz64-b-mkELyDpkXjlLqu0---

/tmp/secure-test/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWbYtcpc-0LsxER.CSk2bPs7uVw8A0id4Uzhz64-b-mkELyDpkXjlLqu0---:
.  ..  ECRYPTFS_FNEK_ENCRYPTED.FWbYtcpc-0LsxER.CSk2bPs7uVw8A0id4UzhQ0y9AXpzgfnflC3NstE2sE--

$ rm -v /tmp/secure-test/.ecryptfs/wrapped-passphrase.old
removed `/tmp/secure-test/.ecryptfs/wrapped-passphrase.old'

$ grep secure-test ~/.ecryptfs/*.conf
/home/u/.ecryptfs/da931dca73e4b14c199c378c414fd2ee.conf:/tmp/secure-test/.Private /tmp/secure-test ecryptfs

$ rm -v /home/u/.ecryptfs/da931dca73e4b14c199c378c414fd2ee.conf /home/u/.ecryptfs/da931dca73e4b14c199c378c414fd2ee.sig
removed `/home/u/.ecryptfs/da931dca73e4b14c199c378c414fd2ee.conf'
removed `/home/u/.ecryptfs/da931dca73e4b14c199c378c414fd2ee.sig'

$ secure-mount.py --mount /tmp/secure-test
Passphrase wrapper:
Traceback (most recent call last):
  File "/home/u/bin/secure-mount.py", line 258, in <module>
    main()
  File "/home/u/bin/secure-mount.py", line 240, in main
    mount(os.path.abspath(options.mount))
  File "/home/u/bin/secure-mount.py", line 172, in mount
    run_command(["mount.ecryptfs_private", alias])
  File "/home/u/bin/secure-mount.py", line 26, in run_command
    assert p.returncode == 0, (stdout, stderr)
AssertionError: ('', 'Bad file\nError reading configuration file\n')

$ secure-mount.py --import /tmp/secure-test

$ secure-mount.py --mount /tmp/secure-test
Passphrase wrapper:

$ ls -aR /tmp/secure-test
/tmp/secure-test:
.  ..  blah

/tmp/secure-test/blah:
.  ..  hello

$ secure-mount.py --umount /tmp/secure-test

$ chmod 700 /tmp/secure-test

$ rm -rv /tmp/secure-test
removed `/tmp/secure-test/ENCRYPTED_FOLDER'
removed `/tmp/secure-test/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWbYtcpc-0LsxER.CSk2bPs7uVw8A0id4Uzhz64-b-mkELyDpkXjlLqu0---/ECRYPTFS_FNEK_ENCRYPTED.FWbYtcpc-0LsxER.CSk2bPs7uVw8A0id4UzhQ0y9AXpzgfnflC3NstE2sE--'
removed directory: `/tmp/secure-test/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWbYtcpc-0LsxER.CSk2bPs7uVw8A0id4Uzhz64-b-mkELyDpkXjlLqu0---'
removed directory: `/tmp/secure-test/.Private'
removed `/tmp/secure-test/.ecryptfs/Private.sig'
removed `/tmp/secure-test/.ecryptfs/wrapped-passphrase'
removed directory: `/tmp/secure-test/.ecryptfs'
removed directory: `/tmp/secure-test'

$ secure-mount.py --cleanup
Deleting /home/u/.ecryptfs/da931dca73e4b14c199c378c414fd2ee.conf and /home/u/.ecryptfs/da931dca73e4b14c199c378c414fd2ee.sig. /tmp/secure-test can be easily reimported with /home/u/bin/secure-mount.py -i /tmp/secure-test

2 thoughts on "Encrypting directories using ecryptfs"

  1. alex says:

    Hi, how do I use this script on the command line? Especially in Ubuntu? I tried the example from the comment documentation at the top, but it doesn't work for me. My terminal says something like "command not known".

    Do you have a solution, or can you give me some good advice? How do I run this script correctly?

    Thank you in advance for your reply!

    • obadz says:

      You simply need to download the script into a file, make it executable (chmod +x secure-mount), and then invoke it (./secure-mount --help).

      On Ubuntu you will have to make sure that ecryptfs is installed: sudo apt-get install ecryptfs-utils
