Building encrypted storage with eCryptfs on Debian 11.5

1. ecryptfs installation

apt update
apt install ecryptfs-utils

2. First use: create the encrypted folder and mount it. During this first mount the passphrase and the encryption options are chosen, and the key signature is generated.

2.1. Procedure:

As root, run: mount -t ecryptfs <encrypted data folder> <plaintext view folder>. The first argument (the lower directory) is where the ciphertext is actually stored; the second (the mount point) is where the decrypted files appear while the mount is active. Both directories must exist beforehand, and they may even be the same directory.

Note: think of it as: ecryptfs real data storage folder (its contents are encrypted from now on) -> decrypted, operable plaintext folder (a virtual view that only exists while mounted).

2.2. The prompts of the first mount:

1. Select the key type (passphrase, or tspi for a TPM-backed key) and enter the passphrase; nothing is echoed while typing.
2. Select the cipher, the key size in bytes, whether plaintext passthrough is allowed, and whether file names are encrypted (if yes, a filename encryption key signature, FNEK, is proposed).
3. ecryptfs prints the resulting mount options and warns that this key signature has never been used before; a mistyped passphrase produces exactly the same warning.
4. Confirm the mount (enter yes) to complete the first encryption.
5. Choose whether to append the signature to /root/.ecryptfs/sig-cache.txt (enter yes); later mounts with the same passphrase then no longer trigger the warning.

From then on, whatever we write into the plaintext view folder is encrypted by ecryptfs on the fly and stored as ciphertext in the real data folder.

mount -t ecryptfs therefore opens a channel between the encrypted data and the operable data: we read and write the operable data, and ecryptfs encrypts and decrypts transparently. umount closes the channel: only the encrypted data remains on the disk, while the operable data existed only as a virtual view provided by the kernel VFS (ecryptfs is a stacked file system layered over the real data folder), never as plaintext on disk.

root@NAS2:/home# mount -t ecryptfs .secret/ using/
Select key type to use for newly created files:
 1) passphrase
 2) tspi
Selection: 1
Passphrase:  # note: nothing is echoed while the passphrase is typed
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 4
Select key bytes:
 1) 16
 2) 32
Selection [16]: 2
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [0654e4c44517b921]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=0654e4c44517b921
  ecryptfs_key_bytes=32
  ecryptfs_cipher=twofish
  ecryptfs_sig=0654e4c44517b921
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [0654e4c44517b921] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

 Note: tspi = the TCG Software Stack (TSS) Service Provider Interface, i.e. a TPM-backed key handled through the TrouSerS stack; it needs a TPM and the tspi key module of ecryptfs-utils.

2.3. Close the channel to protect the real data

umount <plaintext view folder>. Afterwards the plaintext view is gone and only the ciphertext in the real data folder remains.

2.4. To open the channel again, repeat the mount. The passphrase and every option must match the first mount exactly. If they differ, the mount may still go through (ecryptfs only warns that the signature is unknown), but the existing files are then unreadable and any new files are encrypted under the other key, leaving a mix of keys in the same data folder.

3. Mounting quickly with a file that contains the passphrase

3.0 Show the key signature

cat /root/.ecryptfs/sig-cache.txt
5c116acdf1d0dd89

# Copy the displayed string

3.1 Create the configuration file in root's home directory

vim /root/.ecryptfsrc

## Contents as follows; keep them consistent with the choices made during the manual mount (cipher, key size, filename encryption)
ecryptfs_sig=5c116acdf1d0dd89
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=y

3.2 Pass the passphrase file when mounting

mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=/mnt/usb/file.txt /secret /secret

The file must contain the passphrase in the form passphrase_passwd=<passphrase> (see 4.3), not the bare passphrase, and it should be readable only by root: whoever can read it can decrypt the data.

4. Mount automatically after a reboot to open the channel

ecryptfs-setup-private is the configuration tool for a per-user encrypted ~/Private directory. The example here does it by hand instead: the encrypted data is mounted from /etc/fstab, with the passphrase stored on a USB flash drive (a "U disk" in the original), so the data is only decrypted while the drive is plugged in. Whoever holds the drive holds the key, so treat it accordingly.

4.1 Mount the USB flash drive first

# mkdir /mnt/usb
# mount /dev/sdb1 /mnt/usb/

4.2 View the key signature generated by the system

cat /root/.ecryptfs/sig-cache.txt
## The output looks like:

5c116acdf1d0dd89

4.3 Create a file on the USB drive that holds the passphrase

## mount.ecryptfs expects the line passphrase_passwd=<passphrase>, not the bare passphrase; keep the file readable by root only
echo "passphrase_passwd=Kmima13578" > /mnt/usb/passwd.txt
chmod 600 /mnt/usb/passwd.txt

4.4 Edit the configuration file in root's home directory

vim /root/.ecryptfsrc

## Add the following, one option per line. The important parts are the location of passwd.txt and the signature copied from sig-cache.txt; the remaining options must match those chosen at the first mount.

key=passphrase:passphrase_passwd_file=/mnt/usb/passwd.txt
ecryptfs_sig=5c116acdf1d0dd89
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n

4.5 Configure /etc/fstab

## Add entries like the following (two lines, USB drive first):

/dev/sdb1 /mnt/usb ext3 ro 0 0
/home/sk/ecrypted /home/sk/unecrypted ecryptfs defaults 0 0

## Note: the USB drive sdb1 must be mounted before the encrypted directory, so its entry has to come before the ecryptfs entry. mount -a runs as root, so the ecryptfs options are taken from /root/.ecryptfsrc. Using UUID=... instead of /dev/sdb1 protects against the device name changing between boots; if the drive is absent at boot, the ecryptfs mount fails and the data simply stays encrypted.
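The steps of sections 3 and 4 collected into one script, with a check of the claim in section 2 that only ciphertext ever reaches the real data folder. This is an added example, not code from the original post: the paths (/mnt/usb/passwd.txt, /root/.ecryptfsrc, /home/sk/ecrypted, /home/sk/unecrypted), the passphrase and the signature are the post's placeholders, and the `run` mode assumes root, ecryptfs-utils and a loaded ecryptfs kernel module. The helper functions need no root: they write the passphrase file in the passphrase_passwd= form mount.ecryptfs expects, write .ecryptfsrc one option per line, and refuse a signature that is not 16 hex digits.

```shell
#!/bin/sh
# Added example, not code from the original post: non-interactive eCryptfs
# setup as described in sections 3 and 4, plus a check of the claim in
# section 2 that only ciphertext reaches the real data folder.
# All paths, the passphrase and the signature are placeholders (assumed).
set -eu

# Print the first 16-hex-digit key signature in a sig-cache file
# (the format of /root/.ecryptfs/sig-cache.txt); fail if there is none.
ecryptfs_sig_from_cache() {
    grep -E -o '^[0-9a-f]{16}$' "$1" | head -n 1 | grep .
}

# A signature is 16 lowercase hex digits; anything else is a copy/paste error.
is_valid_sig() {
    printf '%s\n' "$1" | grep -qE '^[0-9a-f]{16}$'
}

# mount.ecryptfs expects the passphrase file to contain the line
# "passphrase_passwd=<passphrase>", not the bare passphrase. Create it
# with owner-only permissions: whoever can read it can decrypt the data.
write_passphrase_file() {
    ( umask 077; printf 'passphrase_passwd=%s\n' "$2" > "$1" )
    chmod 600 "$1"
}

# Write an .ecryptfsrc with one option per line. Cipher, key size and
# filename encryption must match the choices of the first mount, otherwise
# existing files cannot be read. The FNEK signature equals the key signature
# when the same passphrase protects file names (as in section 2.2).
write_ecryptfsrc() {
    rc=$1; sig=$2; passwd_file=$3; cipher=${4:-aes}; key_bytes=${5:-16}
    is_valid_sig "$sig" || { echo "invalid signature: $sig" >&2; return 1; }
    ( umask 077; cat > "$rc" <<EOF
key=passphrase:passphrase_passwd_file=$passwd_file
ecryptfs_sig=$sig
ecryptfs_fnek_sig=$sig
ecryptfs_cipher=$cipher
ecryptfs_key_bytes=$key_bytes
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=y
EOF
    )
}

# Mount with the options from /root/.ecryptfsrc, write a file through the
# plaintext view, and verify that the lower directory exposes neither the
# file name nor the content. Needs root, ecryptfs-utils and the kernel module.
run_demo() {
    lower=$1; upper=$2
    mkdir -p "$lower" "$upper"
    mount -t ecryptfs "$lower" "$upper"
    echo "top secret" > "$upper/note.txt"
    ls "$lower" | grep -q '^ECRYPTFS_FNEK_ENCRYPTED\.' \
        || { echo "file name visible in $lower"; umount "$upper"; return 1; }
    if grep -rq "top secret" "$lower"; then
        echo "plaintext visible in $lower"; umount "$upper"; return 1
    fi
    umount "$upper"
    echo "ok: ciphertext only in $lower; plaintext view closed"
}

# Real run (as root): sh ecryptfs-auto.sh run
if [ "${1:-}" = "run" ]; then
    SIG=$(ecryptfs_sig_from_cache /root/.ecryptfs/sig-cache.txt)
    write_passphrase_file /mnt/usb/passwd.txt "Kmima13578"
    write_ecryptfsrc /root/.ecryptfsrc "$SIG" /mnt/usb/passwd.txt aes 16
    run_demo /home/sk/ecrypted /home/sk/unecrypted
fi
```

The script is deliberately split into the part that only writes configuration (safe to run anywhere) and the `run` mode that touches the real mount; the latter unmounts again on every failure path so a half-finished check never leaves the plaintext view open.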

 

Origin blog.csdn.net/lggirls/article/details/128150485