Protecting your data has become more important than ever. Let's look at some options for encrypting Linux file systems.
Everyone has either a laptop or a netbook or a desktop that carries, in many cases, some personal information – credit card numbers to buy those important system upgrades, Facebook logins, account numbers, incriminating photos of our high school days, etc. They are all stored on our systems in various forms, including cookies. Never mind that hackers are breaking into systems at an unprecedented rate (OK, most of them are Windows systems) requiring a defensive response from users. All of this has pointed out the need for encrypting our file systems for our protection.
Encryption, for those who aren’t familiar with it, is the process of taking information (data) and applying an encryption algorithm (sometimes called a cipher) to hide the information (i.e. make it unreadable) from all who do not possess the knowledge of how to decrypt it (which usually involves some sort of key). The whole concept of cryptology (hiding information or encrypting and decrypting it) is a very ancient one. There has been a long-running battle between those who want to send data or information securely to its intended readers and people who want access to that information even though they are not the intended recipients. There are literally hundreds of books on the subject and it is under constant research (if you’ve got a good idea there are people who want to talk to you and possibly fund your research). While not an authoritative source of information, one possible place to start your reading is Wikipedia. There is a brief overview of cryptology and an even briefer article on encryption. Otherwise, Google is your friend in looking for information to help your explorations.
If you want to look at encryption a little more, there is a reasonable introduction that talks at a very high level about how encryption works. As a very simple introduction, it shows how to do what is called a substitution cipher. The classic example, for people reading this article who remember Usenet, is rot13. This is a really simple example of encryption (but it is not strong encryption).
Working with Encryption and Linux
There are basically three options when talking about encrypting your data on a Linux system. The options are: (1) encrypting a single file, (2) encrypting a directory (with or without a virtual disk), or (3) encrypting a physical block device. Encrypting files is fairly straightforward and there are various tools for doing this. For example, there is bcrypt, ncrypt, and Pad, which is a one-time pad encryption tool. The most popular tool is probably GnuPG. It comes with just about every Linux distribution. However, this article is about encrypted file systems for Linux, so it will focus on the other two options.
There are several options for encrypted file systems or encrypted partitions. This article isn’t intended to be an exhaustive listing of options or a HOWTO on the various options. Rather it’s intended to whet your appetite so you can explore the details of the various options yourself.
While Wikipedia is perhaps not the most authoritative source of information about cryptography or encrypted file systems, there is a simple list of file systems. It’s definitely not complete but it at least lists options as a starting point.
The point of this article is to point out some good options for encrypting your Linux file systems. It is not intended to be an exhaustive examination of each solution. Rather, it is just a quick glance so you can see how easy or hard it is to encrypt file systems. As with all new topics around data and storage, be sure to back up your data prior to trying something new. To get moving, let’s start with the approach of encrypting a directory or file system.
Encrypting Directories or File Systems
As previously mentioned, one approach to encryption is to encrypt a directory tree or a file system. This approach does not focus on the block device itself, but instead focuses on the file system or even a directory such as a user’s home directory. This allows you to encrypt just user data or project data, which is likely to be more important than the OS.
One of the scenarios that this protects against is the theft of a laptop. If the laptop isn’t running (i.e. you haven’t entered the pass phrase) when someone tries to log in and access your data, they may be able to see the files, but the data is encrypted and inaccessible.
This article is going to consider two approaches to directory or file system encryption. The first is ecryptfs and the second is EncFS.
One of the best-known Linux file system encryption solutions is called ecryptfs (Enterprise Cryptographic Filesystem). It has been in the kernel since version 2.6.19 and is fully configured in some distributions. It is still undergoing development so be careful with any data you use with ecryptfs. However, there are a large number of reports of people successfully using it, particularly with Ubuntu.
Ecryptfs is what is called a “stackable” file system that “stacks” on top of other file systems (called the lower file system) such as ext2/3, jfs, xfs, etc. (any file system that has extended attributes). It encrypts and decrypts the files as they are being written to or read from the lower file system. It operates on the files one at a time instead of at a block device or partition level. The metadata associated with the file is stored with the file itself on the lower file system. This can make the encrypted files a little larger than the decrypted version but there are some clear advantages to this approach:
- It allows files from different users to use different encryption keys, controlling access to the data
- You can move or copy the files to a different location and they can be decrypted with the correct key (encryption of whole partitions or devices requires a different process before the files can be accessed).
- You can give the file to other users and they can decrypt it as long as the correct key is given to them as well.
- You can use typical backup processes that use incremental processes because they can easily detect differences in files in the lower file system. This is almost impossible with encrypted partitions or block devices.
A few quick disadvantages:
- It takes CPU cycles to perform the encryption and the requirements are not small
- Since there is some time involved to encrypt the file system, the speed (performance) of the file system is definitely less than the lower file system. In fact, it can be quite a bit less in some cases. So don’t use an encrypted file system if performance is a key consideration or unless security (encryption) is an extremely important requirement.
As you might expect there is a kernel component and a userspace component to ecryptfs. The kernel component is fairly easy and has been in the kernel since 2.6.19. It is included with some distributions such as Ubuntu. If you build your own kernel or need to modify an existing kernel then be sure that you have the following options enabled:
- The “MD5 digest” and “AES cipher algorithms” options should be enabled (look under the Cryptographic API section)
- The “Enable access key retention support” option should be enabled in the Security options section.
- The “eCrypt filesystem layer support (EXPERIMENTAL)” option should be enabled in the Filesystems/Miscellaneous filesystems section/subsection.
For these options, the “Prompt for development and/or incomplete code/drivers” option must be enabled in the main section. See this article for details on kernel options. Also note that by default ecryptfs uses the AES cipher but other options can be specified.
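The same four requirements can be checked against an existing kernel configuration. This is an added example, not part of the original article; the CONFIG_ symbol names are the mainline Kconfig names for the menu entries listed above (the article itself gives only the menu labels), and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: report which eCryptfs kernel prerequisites are missing.
# Assumed mapping from the menu labels in the article to Kconfig symbols:
#   MD5 digest                          -> CONFIG_CRYPTO_MD5
#   AES cipher algorithms               -> CONFIG_CRYPTO_AES
#   Enable access key retention support -> CONFIG_KEYS
#   eCrypt filesystem layer support     -> CONFIG_ECRYPT_FS
REQUIRED="CONFIG_CRYPTO_MD5 CONFIG_CRYPTO_AES CONFIG_KEYS CONFIG_ECRYPT_FS"

# Reads a kernel .config on stdin and prints every required symbol that is
# neither built in (=y) nor a module (=m). Prints nothing if all are present.
missing_ecryptfs_options() {
    cfg=$(cat)
    for sym in $REQUIRED; do
        # Anchored match: "# CONFIG_KEYS is not set" must not count as set.
        if ! printf '%s\n' "$cfg" | grep -q "^${sym}=[ym]\$"; then
            printf '%s\n' "$sym"
        fi
    done
}

# Constructed sample .config (not from a real system): key retention is off.
sample_config() {
    cat <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_AES=m
# CONFIG_KEYS is not set
CONFIG_ECRYPT_FS=m
EOF
}

sample_config | missing_ecryptfs_options
```

On a running system, feed it the real configuration instead, for example missing_ecryptfs_options < /boot/config-$(uname -r) where your distribution installs that file.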
The userspace tools for ecryptfs can be obtained from the ecryptfs site. Follow the directions from the website that explain how to build and install the tools.
Assuming that ecryptfs is active, either in the kernel or as a module, then you can proceed to configure your account to use ecryptfs. A simple way to get started is to just mount an ecryptfs file system in your account (i.e. a single directory).
mount -t ecryptfs /home/laytonjb/private /home/laytonjb/private
The first path is the lower directory (the lower file system where the data is actually stored). In this case the full path is used. The second path is the ecryptfs mount point. In this example, they are the same, but they don’t have to be. But for this particular example, the lower file system and the mount point are the same to help ensure that ecryptfs has access to the files in the lower file system. Any file that is written to /home/laytonjb/private is encrypted and written to /home/laytonjb/private on the lower file system. So effectively, it looks like the directory, /home/laytonjb/private, is encrypted.
Ecryptfs uses a configuration file, .ecryptfsrc, when mounting a file system. The file is located in the user’s home directory and contains various options. The mount first reads this file, but if some of the information is missing, it will prompt you for it. The most important option is typically a pass phrase or a cipher (encryption process) but the configuration file also allows you to specify encryption ciphers.
To decrypt a file in this example, just copy it from the mount point to a non-encrypted directory. For example,
$ cp /home/laytonjb/private/file1.txt /home/laytonjb/public/file1.txt
Ecryptfs will decrypt the file, file1.txt, and it will be put in the directory, /home/laytonjb/public which is not an encrypted file system.
This quick example shows how to create an encrypted directory in your /home account. It is also possible to encrypt a user’s entire /home. This can be done by root or by the user (as long as they have permission for the mount point – which they should).
Recently there was a security issue found in ecryptfs that allows the pass phrase associated with a mount to be written into the logs on an Ubuntu installation. Even though the log was only readable by root, it does mean that the ecryptfs pass phrase is on the system in decrypted form.
Finally, there are some blogs and tutorials that describe the intricate details of how to use ecryptfs.
There is another option for encrypted file systems – EncFS. The interesting aspect of this file system is that it is based on FUSE. For those not familiar with FUSE, it is a kernel module that allows access to the VFS in the kernel. Consequently you can create a file system entirely in user-space using the FUSE API.
EncFS is somewhat similar to ecryptfs in that it does not require a new file system. Rather, EncFS encrypts the file and stores it in a specific directory (a lower file system, using the terminology of ecryptfs). The EncFS introduction states that encfs is defined as a “Pass-through filesystem vs encrypted block device”. While a bit complicated, this description is very accurate – EncFS is a stackable file system in the same vein as ecryptfs.
Building and installing EncFS is fairly easy. The first thing to check is if your kernel is FUSE capable. Many distributions have FUSE capable kernels so be sure to check your distribution. If not, you can download FUSE from the website and install it.
Next, you download the latest copy of EncFS from the website. The current version as of this article is 1.5-2, dated September 7, 2008. It has a few dependencies:
- FUSE version 2.6 or newer
- rlog – C++ logging library
- OpenSSL versions 0.9.6 through 0.9.8 (other versions are untested)
- boost – a C++ utility library – version 1.34 or later
Be sure these dependencies are installed prior to building EncFS.
Once everything is installed then mounting an EncFS file system is fairly easy.
$ encfs /home/laytonjb/private /home/laytonjb/private
The syntax is fairly similar to ecryptfs – the first path is the lower file system path (the directory that stores the encrypted data). The second path is the mount point for the file system. Notice that you can mount it just like you did ecryptfs so the lower file system is the same as the mount point.
Unmounting the file system is a little different since it uses FUSE. In this case, you have to use a FUSE command:
$ fusermount -u /home/laytonjb/private
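Because both examples mount the encrypted file system over the lower directory itself, anything written to /home/laytonjb/private while the mount is not active is stored unencrypted. The check below is an added example, not from the original article: it reads a mount table in /proc/mounts format and reports whether a directory is currently an ecryptfs or EncFS (fuse.encfs) mount; the sample table and the /home/laytonjb/vault path are constructed.

```shell
#!/bin/sh
# Added example: is DIR currently an eCryptfs or EncFS mount point?
# Reads a mount table in /proc/mounts format on stdin:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>
# Prints the fstype and returns 0 if DIR is mounted as ecryptfs or
# fuse.encfs; returns 1 otherwise. Paths containing spaces appear as
# \040 in /proc/mounts and are not handled here.
encrypted_mount_type() {
    dir=${1%/}                 # tolerate a trailing slash
    [ -n "$dir" ] || dir=/
    found=""
    while read -r _src mnt fstype _rest; do
        # Mounts stack: the last entry for a mount point is the visible one.
        if [ "$mnt" = "$dir" ]; then found=$fstype; fi
    done
    case $found in
        ecryptfs|fuse.encfs) printf '%s\n' "$found"; return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample mount table (not captured from a real system).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/home/laytonjb/private /home/laytonjb/private ecryptfs rw,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
encfs /home/laytonjb/vault fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
EOF
}

sample_mounts | encrypted_mount_type /home/laytonjb/private
sample_mounts | encrypted_mount_type /home/laytonjb/public \
    || echo "/home/laytonjb/public: not an encrypted mount"
```

On a live system, run it as encrypted_mount_type /home/laytonjb/private < /proc/mounts before writing sensitive files into the directory.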
There are lots of tips on using EncFS floating around. Here is a quick sample:
- This link is a good (and detailed) description of a user’s experience using EncFS.
- This is a good blog that talks about EncFS and has a couple of good tips for practical use
- There is also a good presentation of how to use EncFS with Debian
- There is a nice blog that talks about using EncFS in three easy steps
- There is another HOWTO on using EncFS (a simple but effective one)
There are also some nifty tools and scripts floating around the web for using EncFS. Perhaps the best one is pam-encfs. PAM stands for Pluggable Authentication Module and they can be used for a variety of things including activating processes or scripts upon login. Pam-encfs mounts any EncFS file system when you log in.