The goal of this post is to enable you to:
- Create and use encrypted folders
- Mount existing ecryptfs folders (such as your Ubuntu encrypted home when plugging your hard drive into another computer, or if it’s on a USB stick)
This should be much, much easier than it is. But unfortunately, the ecryptfs tools are not user friendly at all, so I wrote a Python script to wrap them. It’s here on GitHub. Download the script, make it executable (chmod +x) and put it in your $PATH to start using it.
Prior to mounting an encrypted directory, the script must import its signatures in ~/.ecryptfs. This is done by invoking the --import argument and isn’t necessary if you’ve just created the directory using --create.
The convention for ecryptfs directories is to encrypt the file encryption keys with a password and put the result in /your/encrypted/folder/.ecryptfs/wrapped-passphrase. The script handles all that for you, but you should be aware that deleting this file is equivalent to deleting the entire directory unless you have a backup (or you can crack crypto-problems faster than the NSA).
Other than that, the use of the script is rather self-explanatory (see --help) and the rest of the post is a reproduction of the “tutorial” that I had already put in the header.
Good luck and feel free to comment with questions.
```
$ secure-mount.py --create /tmp/secure-test
Passphrase wrapper:
Again to confirm..:
$ ls -aR /tmp/secure-test
/tmp/secure-test:
. .. .ecryptfs ENCRYPTED_FOLDER .Private

/tmp/secure-test/.ecryptfs:
. .. Private.sig wrapped-passphrase

/tmp/secure-test/.Private:
. ..
$ cat /tmp/secure-test/.ecryptfs/Private.sig
286b596792caead7
e4e68d680025f8f5
$ ecryptfs-unwrap-passphrase /tmp/secure-test/.ecryptfs/wrapped-passphrase
Passphrase:
V2gmgepqwDpCh9DROQi3vpK99lkiEkpA0XuVqbTuihCpYlnDfCrRfjB5bpkHdd6y
$ secure-mount.py --change-password /tmp/secure-test
[Old passphrase wrapper]
Passphrase wrapper:
[New passphrase wrapper]
Passphrase wrapper:
Again to confirm..:
After you've verified that your directory mounts properly, you should delete /tmp/secure-test/.ecryptfs/wrapped-passphrase.old
$ secure-mount.py --mount /tmp/secure-test
Passphrase wrapper:
$ ls -aR /tmp/secure-test
/tmp/secure-test:
. ..
$ mkdir /tmp/secure-test/blah
$ echo hi > /tmp/secure-test/blah/hello
$ ls -aR /tmp/secure-test
/tmp/secure-test:
. .. blah

/tmp/secure-test/blah:
. .. hello
$ secure-mount.py --umount /tmp/secure-test
$ ls -aR /tmp/secure-test
/tmp/secure-test:
. .. .ecryptfs ENCRYPTED_FOLDER .Private

/tmp/secure-test/.ecryptfs:
. .. Private.sig wrapped-passphrase wrapped-passphrase.old

/tmp/secure-test/.Private:
. .. ECRYPTFS_FNEK_ENCRYPTED.FWbYtcpc-0LsxER.CSk2bPs7uVw8A0id4Uzhz64-b-mkELyDpkXjlLqu0---

/tmp/secure-test/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWbYtcpc-0LsxER.CSk2bPs7uVw8A0id4Uzhz64-b-mkELyDpkXjlLqu0---:
. .. ECRYPTFS_FNEK_ENCRYPTED.FWbYtcpc-0LsxER.CSk2bPs7uVw8A0id4UzhQ0y9AXpzgfnflC3NstE2sE--
$ rm -v /tmp/secure-test/.ecryptfs/wrapped-passphrase.old
removed `/tmp/secure-test/.ecryptfs/wrapped-passphrase.old'
$ grep secure-test ~/.ecryptfs/*.conf
/home/u/.ecryptfs/da931dca73e4b14c199c378c414fd2ee.conf:/tmp/secure-test/.Private /tmp/secure-test ecryptfs
$ rm -v /home/u/.ecryptfs/da931dca73e4b14c199c378c414fd2ee.conf /home/u/.ecryptfs/da931dca73e4b14c199c378c414fd2ee.sig
removed `/home/u/.ecryptfs/da931dca73e4b14c199c378c414fd2ee.conf'
removed `/home/u/.ecryptfs/da931dca73e4b14c199c378c414fd2ee.sig'
$ secure-mount.py --mount /tmp/secure-test
Passphrase wrapper:
Traceback (most recent call last):
  File "/home/u/bin/secure-mount.py", line 258, in <module>
    main()
  File "/home/u/bin/secure-mount.py", line 240, in main
    mount(os.path.abspath(options.mount))
  File "/home/u/bin/secure-mount.py", line 172, in mount
    run_command(["mount.ecryptfs_private", alias])
  File "/home/u/bin/secure-mount.py", line 26, in run_command
    assert p.returncode == 0, (stdout, stderr)
AssertionError: ('', 'Bad file\nError reading configuration file\n')
$ secure-mount.py --import /tmp/secure-test
$ secure-mount.py --mount /tmp/secure-test
Passphrase wrapper:
$ ls -aR /tmp/secure-test
/tmp/secure-test:
. .. blah

/tmp/secure-test/blah:
. .. hello
$ secure-mount.py --umount /tmp/secure-test
$ chmod 700 /tmp/secure-test
$ rm -rv /tmp/secure-test
removed `/tmp/secure-test/ENCRYPTED_FOLDER'
removed `/tmp/secure-test/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWbYtcpc-0LsxER.CSk2bPs7uVw8A0id4Uzhz64-b-mkELyDpkXjlLqu0---/ECRYPTFS_FNEK_ENCRYPTED.FWbYtcpc-0LsxER.CSk2bPs7uVw8A0id4UzhQ0y9AXpzgfnflC3NstE2sE--'
removed directory: `/tmp/secure-test/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWbYtcpc-0LsxER.CSk2bPs7uVw8A0id4Uzhz64-b-mkELyDpkXjlLqu0---'
removed directory: `/tmp/secure-test/.Private'
removed `/tmp/secure-test/.ecryptfs/Private.sig'
removed `/tmp/secure-test/.ecryptfs/wrapped-passphrase'
removed directory: `/tmp/secure-test/.ecryptfs'
removed directory: `/tmp/secure-test'
$ secure-mount.py --cleanup
Deleting /home/u/.ecryptfs/da931dca73e4b14c199c378c414fd2ee.conf and /home/u/.ecryptfs/da931dca73e4b14c199c378c414fd2ee.sig. /tmp/secure-test can be easily reimported with /home/u/bin/secure-mount.py -i /tmp/secure-test
```
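A pre-flight check for the two failure modes described in this post, a missing wrapped-passphrase and a directory that was never imported into ~/.ecryptfs, as an added example that is not part of secure-mount.py or the original post. The function names, the alias `examplealias` and the sample file contents are constructed; the .conf line format is the one shown in the grep output of the session.

```python
import re
import tempfile
from pathlib import Path

SIG = re.compile(r"^[0-9a-f]{16}$")  # format of the lines in Private.sig in the session

def check_layout(enc_dir):
    """Return problems found in the encrypted directory's own files."""
    enc_dir, problems = Path(enc_dir), []
    if not (enc_dir / ".Private").is_dir():
        problems.append("no .Private directory")
    wrapped = enc_dir / ".ecryptfs" / "wrapped-passphrase"
    if not wrapped.is_file() or wrapped.stat().st_size == 0:
        problems.append("wrapped-passphrase missing or empty")
    sig_file = enc_dir / ".ecryptfs" / "Private.sig"
    sigs = sig_file.read_text().split() if sig_file.is_file() else []
    if not sigs or not all(SIG.match(s) for s in sigs):
        problems.append("Private.sig missing or malformed")
    return problems

def find_import(enc_dir, user_dir):
    """Return the alias in user_dir (normally ~/.ecryptfs) whose .conf maps
    enc_dir and has a matching .sig, or None if it was never imported."""
    want = [str(Path(enc_dir) / ".Private"), str(enc_dir), "ecryptfs"]
    for conf in sorted(Path(user_dir).glob("*.conf")):
        lines = conf.read_text().splitlines()
        # Assumes paths without whitespace, as in the session.
        if lines and lines[0].split()[:3] == want and conf.with_suffix(".sig").is_file():
            return conf.stem
    return None

def demo():
    """Rebuild the session's layout in a temp dir (constructed sample data)."""
    root = Path(tempfile.mkdtemp())
    enc, user = root / "secure-test", root / "dot-ecryptfs"
    for d in (enc / ".Private", enc / ".ecryptfs", user):
        d.mkdir(parents=True)
    (enc / ".ecryptfs" / "Private.sig").write_text("286b596792caead7\ne4e68d680025f8f5\n")
    before = check_layout(enc)              # wrapped-passphrase not there yet
    (enc / ".ecryptfs" / "wrapped-passphrase").write_text("placeholder, not a real key")
    not_imported = find_import(enc, user)   # the state behind the traceback
    (user / "examplealias.conf").write_text(f"{enc}/.Private {enc} ecryptfs\n")
    (user / "examplealias.sig").write_text("286b596792caead7\n")  # constructed content
    return before, check_layout(enc), not_imported, find_import(enc, user)

if __name__ == "__main__":
    print(demo())
```

Running `check_layout` before every mount, and keeping an off-disk copy of wrapped-passphrase, catches the unrecoverable case while a backup can still be restored.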
Hi, how do I use this script on the command line? Especially in Ubuntu? I tried the example from the comment documentation at the top, but it doesn't work for me. My terminal says something like command not known.
Do you have any solution, or can you give good advice? How do I run this script correctly?
Thank you in advance for your reply!
You simply need to download the script into a file, make it executable (chmod +x secure-mount), and then invoke it (./secure-mount --help).
On Ubuntu you will have to make sure that ecryptfs is installed: sudo apt-get install ecryptfs-utils