This is a basic guide to creating an encrypted file system. In my case I encrypt all sensitive information and the backups of the whole system. My system is a file server running Ubuntu 10.10 and a desktop machine / storage server running Kubuntu 11.10. On the file server I have an encrypted samba share that contains all my customer critical data. The encryption code is held on a USB device secured to the server room bricks and mortar. For the storage server the encryption code is held on the file-server in the encrypted area. Therefore if the server is stollen the encryption key will not be available and if the storage server is stolen the encryption key will not be available. If both systems are stolen the enrytion key(s) will not be available. Therefore a conciderably more secure solution than a vanilla installation.
Requirements
The ecrypts file system need to be installed.
sudo apt-get install ecryptfs-utils
A usb pen drive if you wish to store your key on a usb drive.
A backup of your passphrases or all will be lost !
Server Setup
For this example I'm going to encypt a directory called /ToBeEncrypted and mount it as /Encrypted
sudo mount -t ecryptfs /ToBeEncrypted /Encrypted
- You will be prompted for a passphrase. This should be a secure password. I use this generator Password Generator. There appears to be an issue with using ( or ) in the password. You will get spurios errors if you do so.
- I accept the defaults aes, 32, Plain Text Passthrough (N), Filename Encrytion I set to (Y), Accept the FNEK
- As this is the first time you have mounted this mount you will be asked if you want to proceed (yes)
- Would you like to append sig (yes)
- Keep a record of all the options you have selected.
key=passphrase:passphrase_passwd_file=/media/usb/passwd_file.txt
ecryptfs_unlink_sigs
ecryptfs_key_bytes=32
ecryptfs_cipher=aes
ecryptfs_sig=cbea2d2b4cda6971
ecryptfs_fnek_sig=cbea2d2b4cda6971
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=y
Then chmod 600 .ecrptfsrc
You now need to create the passwd_file.txt. Which looks like this:
passphrase_passwd=PASSPHRASEGENERATEDABOVE
If you are using a USB drive to store the passwd_file.txt then remember to mount it in fstab as needs to be availabe during boot.
Modify the fstab to have the following line:
/ToBeEncryted /Encrypted ecryptfs user,_netdev 0 0
Now the share should auto mount at reboot.
Mount as a Samba Share
In samba you can now share the /Encryted Directory
Setting up the Storage Server
Repeat the process above using a different passphrase and using the directory for your backups. The only changes are:
- In the .ecryptsrc file the key=passphrase line needs to point to the mounted secure share on the server
key=passphrase:passphrase_passwd_file=/media/server/secureshare/passwd_file.txt