1. Introduction to eCryptfs

eCryptfs is a cryptographic filesystem implemented in the Linux kernel; it was merged into the mainline kernel in version 2.6.19. It uses a stacked design and logically sits between the VFS and a conventional ("lower") filesystem. Reads and writes that an application issues against the lower filesystem pass through the VFS and are intercepted by eCryptfs first; eCryptfs encrypts or decrypts the file data and then forwards the operation to the lower filesystem, giving the application transparent, on-the-fly encryption.

eCryptfs uses a different File Encryption Key (FEK) for every file; the recommended (and default) file cipher is AES with a 128-bit key. The FEK must never be stored in the clear, so eCryptfs protects it with a user-supplied passphrase, with an asymmetric key (for example an RSA key), or with a public key held in a TPM (Trusted Platform Module).

When a passphrase is used, for example, the passphrase is first run through a salted, iterated hash, and the result is used as the key that encrypts the FEK. The passphrase-derived key or public key is called the File Encryption Key Encryption Key (FEKEK), and the FEK encrypted under it is called the Encrypted File Encryption Key (EFEK). The EFEK is stored in the encrypted file's own header, so a file can be copied between hosts and decrypted wherever the FEKEK is available. If a file is to be accessible to several authorized users, its header carries one EFEK per user. eCryptfs can also encrypt filenames.

2. Installing eCryptfs

CentOS

The example uses a DiDi Cloud DC2 instance running CentOS 7.3.

Check whether the eCryptfs user-space tools are installed:

[dc2-user@didiyun ~]$ yum list installed | grep ecryptfs

If nothing is listed, install them (the package is provided by the EPEL repository, which has to be enabled):

[dc2-user@didiyun ~]$ sudo yum install ecryptfs-utils

The output is:

Loaded plugins: fastestmirror
base | 3.6 kB 00:00:00
epel | 3.2 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/2): epel/7/x86_64/updateinfo | 935 kB 00:00:00
(2/2): epel/7/x86_64/primary | 3.6 MB 00:00:00
Determining fastest mirrors
epel 12738/12738
Resolving Dependencies
--> Running transaction check
---> Package ecryptfs-utils.x86_64 0:111-5.el7 will be installed
--> Processing Dependency: cryptsetup-luks for package: ecryptfs-utils-111-5.el7.x86_64
--> Processing Dependency: libpkcs11-helper.so.1()(64bit) for package: ecryptfs-utils-111-5.el7.x86_64
--> Running transaction check
---> Package cryptsetup.x86_64 0:1.7.4-3.el7_4.1 will be installed
--> Processing Dependency: cryptsetup-libs(x86-64) = 1.7.4-3.el7_4.1 for package: cryptsetup-1.7.4-3.el7_4.1.x86_64
---> Package pkcs11-helper.x86_64 0:1.11-3.el7 will be installed
--> Running transaction check
---> Package cryptsetup-libs.x86_64 0:1.7.2-1.el7 will be updated
---> Package cryptsetup-libs.x86_64 0:1.7.4-3.el7_4.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================================
Installing:
ecryptfs-utils x86_64 111-5.el7 epel 186 k
Installing for dependencies:
cryptsetup x86_64 1.7.4-3.el7_4.1 updates 128 k
pkcs11-helper x86_64 1.11-3.el7 epel 56 k
Updating for dependencies:
cryptsetup-libs x86_64 1.7.4-3.el7_4.1 updates 223 k

Transaction Summary
=============================================================================================================================================================
Install 1 Package (+2 Dependent packages)
Upgrade ( 1 Dependent package)

Total download size: 592 k
Is this ok [y/d/N]: y

Type 'y' and press Enter; the output continues:

Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/4): cryptsetup-1.7.4-3.el7_4.1.x86_64.rpm | 128 kB 00:00:00
(2/4): pkcs11-helper-1.11-3.el7.x86_64.rpm | 56 kB 00:00:00
(3/4): ecryptfs-utils-111-5.el7.x86_64.rpm | 186 kB 00:00:00
(4/4): cryptsetup-libs-1.7.4-3.el7_4.1.x86_64.rpm | 223 kB 00:00:00
Total 2.6 MB/s | 592 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : pkcs11-helper-1.11-3.el7.x86_64 1/5
Updating : cryptsetup-libs-1.7.4-3.el7_4.1.x86_64 2/5
Installing : cryptsetup-1.7.4-3.el7_4.1.x86_64 3/5
Installing : ecryptfs-utils-111-5.el7.x86_64 4/5
Cleanup : cryptsetup-libs-1.7.2-1.el7.x86_64 5/5
Verifying : cryptsetup-libs-1.7.4-3.el7_4.1.x86_64 1/5
Verifying : cryptsetup-1.7.4-3.el7_4.1.x86_64 2/5
Verifying : ecryptfs-utils-111-5.el7.x86_64 3/5
Verifying : pkcs11-helper-1.11-3.el7.x86_64 4/5
Verifying : cryptsetup-libs-1.7.2-1.el7.x86_64 5/5

Installed:
ecryptfs-utils.x86_64 0:111-5.el7

Dependency Installed:
cryptsetup.x86_64 0:1.7.4-3.el7_4.1 pkcs11-helper.x86_64 0:1.11-3.el7

Dependency Updated:
cryptsetup-libs.x86_64 0:1.7.4-3.el7_4.1

Complete!

Check the installation state again:

[dc2-user@didiyun ~]$ yum list installed | grep ecryptfs-utils
ecryptfs-utils.x86_64 111-5.el7 @epel

The tools are installed correctly.

Ubuntu

The example uses a DiDi Cloud DC2 instance running Ubuntu 16.04.

Check whether the eCryptfs user-space tools are installed:

dc2-user@didiyun:~$ dpkg --status ecryptfs-utils
dpkg-query: package 'ecryptfs-utils' is not installed and no information is available

If they are not installed, run:

dc2-user@didiyun:~$ sudo apt-get install ecryptfs-utils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
keyutils libecryptfs1 libnspr4 libnss3 libnss3-1d libnss3-nssdb
Suggested packages:
zescrow-client
The following NEW packages will be installed:
ecryptfs-utils keyutils libecryptfs1 libnspr4 libnss3 libnss3-1d libnss3-nssdb
0 upgraded, 7 newly installed, 0 to remove and 17 not upgraded.
Need to get 1,475 kB of archives.
After this operation, 5,175 kB of additional disk space will be used.
Do you want to continue? [Y/n]

Press Enter to accept the default:

Get:1 http://mirrors.intra.didiyun.com/ubuntu xenial-updates/main amd64 libnspr4 amd64 2:4.13.1-0ubuntu0.16.04.1 [112 kB]
Get:2 http://mirrors.intra.didiyun.com/ubuntu xenial-updates/main amd64 libnss3-nssdb all 2:3.28.4-0ubuntu0.16.04.3 [10.6 kB]
Get:3 http://mirrors.intra.didiyun.com/ubuntu xenial-updates/main amd64 libnss3 amd64 2:3.28.4-0ubuntu0.16.04.3 [1,148 kB]
Get:4 http://mirrors.intra.didiyun.com/ubuntu xenial-updates/main amd64 libnss3-1d amd64 2:3.28.4-0ubuntu0.16.04.3 [9,316 B]
Get:5 http://mirrors.intra.didiyun.com/ubuntu xenial-updates/main amd64 libecryptfs1 amd64 111-0ubuntu1.1 [45.4 kB]
Get:6 http://mirrors.intra.didiyun.com/ubuntu xenial/main amd64 keyutils amd64 1.5.9-8ubuntu1 [47.1 kB]
Get:7 http://mirrors.intra.didiyun.com/ubuntu xenial-updates/main amd64 ecryptfs-utils amd64 111-0ubuntu1.1 [103 kB]
Fetched 1,475 kB in 0s (20.2 MB/s)
Selecting previously unselected package libnspr4:amd64.
(Reading database ... 90601 files and directories currently installed.)
Preparing to unpack .../libnspr4_2%3a4.13.1-0ubuntu0.16.04.1_amd64.deb ...
Unpacking libnspr4:amd64 (2:4.13.1-0ubuntu0.16.04.1) ...
Selecting previously unselected package libnss3-nssdb.
Preparing to unpack .../libnss3-nssdb_2%3a3.28.4-0ubuntu0.16.04.3_all.deb ...
Unpacking libnss3-nssdb (2:3.28.4-0ubuntu0.16.04.3) ...
Selecting previously unselected package libnss3:amd64.
Preparing to unpack .../libnss3_2%3a3.28.4-0ubuntu0.16.04.3_amd64.deb ...
Unpacking libnss3:amd64 (2:3.28.4-0ubuntu0.16.04.3) ...
Selecting previously unselected package libnss3-1d:amd64.
Preparing to unpack .../libnss3-1d_2%3a3.28.4-0ubuntu0.16.04.3_amd64.deb ...
Unpacking libnss3-1d:amd64 (2:3.28.4-0ubuntu0.16.04.3) ...
Selecting previously unselected package libecryptfs1.
Preparing to unpack .../libecryptfs1_111-0ubuntu1.1_amd64.deb ...
Unpacking libecryptfs1 (111-0ubuntu1.1) ...
Selecting previously unselected package keyutils.
Preparing to unpack .../keyutils_1.5.9-8ubuntu1_amd64.deb ...
Unpacking keyutils (1.5.9-8ubuntu1) ...
Selecting previously unselected package ecryptfs-utils.
Preparing to unpack .../ecryptfs-utils_111-0ubuntu1.1_amd64.deb ...
Unpacking ecryptfs-utils (111-0ubuntu1.1) ...
Processing triggers for libc-bin (2.23-0ubuntu10) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up libnspr4:amd64 (2:4.13.1-0ubuntu0.16.04.1) ...
Setting up keyutils (1.5.9-8ubuntu1) ...
Setting up libnss3-nssdb (2:3.28.4-0ubuntu0.16.04.3) ...
Setting up libnss3:amd64 (2:3.28.4-0ubuntu0.16.04.3) ...
Setting up libnss3-1d:amd64 (2:3.28.4-0ubuntu0.16.04.3) ...
Setting up libecryptfs1 (111-0ubuntu1.1) ...
Setting up ecryptfs-utils (111-0ubuntu1.1) ...
Processing triggers for libc-bin (2.23-0ubuntu10) ...

Check the installation state again:

dc2-user@didiyun:~$ dpkg --status ecryptfs-utils
Package: ecryptfs-utils
Status: install ok installed
Priority: optional
Section: misc
Installed-Size: 568
Maintainer: Dustin Kirkland <kirkland@ubuntu.com>
Architecture: amd64
Version: 111-0ubuntu1.1
Depends: libc6 (>= 2.14), libecryptfs1 (>= 104-0ubuntu1), libkeyutils1 (>= 1.4), libpam0g (>= 0.99.7.1), gettext-base, keyutils, libnss3-1d, libpam-runtime (>= 1.0.1-6)
Recommends: cryptsetup, lsof, rsync
Suggests: zescrow-client
Description: ecryptfs cryptographic filesystem (utilities)
 eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem
 for Linux.
 .
 It provides advanced key management and policy features. eCryptfs stores
 cryptographic metadata in the header of each file written, so that encrypted
 files can be copied between hosts; the file will be decryptable with the proper
 key, and there is no need to keep track of any additional information aside
 from what is already in the encrypted file itself. Think of eCryptfs as a sort
 of "gnupgfs".
 .
 eCryptfs is a native Linux filesystem. The kernel module component of eCryptfs
 is part of the Linux kernel since 2.6.19.
 .
 This package contains the userland utilities.

The tools are installed correctly.

3. Using eCryptfs

Create a mount passphrase. You are asked first for the user's login passphrase and then twice for the mount passphrase:

dc2-user@didiyun:~$ sudo ecryptfs-setup-private
Enter your login passphrase [dc2-user]:
Enter your mount passphrase [leave blank to generate one]:
Enter your mount passphrase (again):

YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.

Done configuring.

ecryptfs-setup-private stores the mount passphrase, wrapped with the login passphrase, in ~/.ecryptfs/wrapped-passphrase and prepares a ~/Private directory for the ecryptfs-mount-private tool. The manual mount below does not read that file: the data is protected by whatever passphrase is typed at the Passphrase: prompt, so that is the passphrase to record, exactly as the message above says.

Create the directory to be encrypted (it can also be on another disk):

dc2-user@didiyun:~$ mkdir private

Restrict its permissions so that other users cannot access it:

dc2-user@didiyun:~$ chmod 700 private

Mount it as eCryptfs, using the same directory as lower (ciphertext) directory and as mount point, and enter the mount passphrase:

dc2-user@didiyun:~$ sudo mount -t ecryptfs private private
Passphrase:

You are then asked, in turn, for the cipher, the key size, whether plaintext (non-eCryptfs) files may be read and written through the mount, and whether filenames should be encrypted. Pressing Enter each time accepts the defaults: AES with a 16-byte (128-bit) key, no passthrough and no filename encryption. Leaving passthrough off is the right choice; filename encryption, however, is worth enabling whenever the names themselves are sensitive, because without it the lower directory shows every filename in the clear (as the listing after unmounting below shows).

Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=c03eaf5f09f59761
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

The warning is expected on the very first mount: the signature (sig) of the key derived from the passphrase is not yet in the sig cache (root's cache, because the mount runs under sudo). Answer yes twice:

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [c03eaf5f09f59761] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

On later mounts of a directory that already holds data, the same warning means the passphrase was mistyped: a different passphrase yields a different key and a different signature, the mount would still succeed, but the existing files could not be read. In that case answer no to abort the mount and retry with the correct passphrase.

The mount succeeded; enter the eCryptfs directory:

dc2-user@didiyun:~$ cd private

Create a file:

dc2-user@didiyun:~/private$ echo "this is a ecryptfs test file" > tes
dc2-user@didiyun:~/private$ cat tes
this is a ecryptfs test file

Unmount the eCryptfs directory:

dc2-user@didiyun:~/private$ cd ..
dc2-user@didiyun:~$ sudo umount private

Looking at the file in the lower directory now shows ciphertext (the filename tes itself is still readable because filename encryption was left off):

dc2-user@didiyun:~$ cat private/tes
(binary ciphertext; the terminal renders it as a few lines of unreadable characters)

Mount eCryptfs again, giving the same parameters:

dc2-user@didiyun:~$ sudo mount -t ecryptfs private private
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=c03eaf5f09f59761
Mounted eCryptfs

Reading the file now shows the correct content again:

dc2-user@didiyun:~$ cat private/tes
this is a ecryptfs test file

The full set of eCryptfs mount options is documented in the manual page:

[dc2-user@didiyun ~]$ man ecryptfs
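The prompts above can also be answered on the command line, which is what a scripted or boot-time mount needs. The script below is an added example written for this article; it is not part of the original post or of ecryptfs-utils. It builds the mount options from explicit arguments (turning filename encryption on and passthrough off, which the defaults above do not), reads the passphrase from a root-only file, and after mounting compares the key signature the kernel reports in /proc/mounts with the one recorded at the first interactive mount (the ecryptfs_sig line above), unmounting again on a mismatch. The paths, the passphrase file name and the signature in the usage comment are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example for this article (not from the original post or ecryptfs-utils):
# non-interactive eCryptfs mount with a key-signature check afterwards.
# Actually mounting needs root and the ecryptfs kernel module; the three helper
# functions are plain POSIX shell and can be exercised without either.

# Validate a cipher / key-size pair against the "Select cipher" menu that
# mount.ecryptfs prints (key sizes in bytes). Returns 0 if acceptable.
ecryptfs_check_cipher() {
    case "$1" in
        aes|twofish|cast6) case "$2" in 16|24|32) return 0 ;; esac; return 1 ;;
        des3_ede)          [ "$2" -eq 24 ] ;;
        blowfish)          [ "$2" -ge 16 ] && [ "$2" -le 56 ] ;;
        cast5)             [ "$2" -ge 5 ] && [ "$2" -le 16 ] ;;
        *)                 return 1 ;;
    esac
}

# Print the -o string for mount.ecryptfs.
#   $1  file containing one line "passphrase_passwd=<mount passphrase>"
#       (owned by root, mode 0600; a placeholder path is used in the usage below)
#   $2  cipher, $3 key size in bytes (aes 16 are the defaults of the dialogue above)
#   $4  key signature recorded at the first mount; with a passphrase key the filename
#       encryption key (FNEK) is the same key, so its signature is the same value
# Unlike the interactive defaults, filename encryption is on and passthrough is off.
# no_sig_cache suppresses the "append sig to sig-cache.txt" question.
ecryptfs_mount_opts() {
    ecryptfs_check_cipher "$2" "$3" || return 1
    printf 'key=passphrase:passphrase_passwd_file=%s' "$1"
    printf ',ecryptfs_cipher=%s,ecryptfs_key_bytes=%s' "$2" "$3"
    printf ',ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y'
    printf ',ecryptfs_fnek_sig=%s,no_sig_cache\n' "$4"
}

# Extract the ecryptfs_sig= value from one /proc/mounts line (empty if none).
# Fields are separated by spaces and mount options by commas; ecryptfs_fnek_sig=
# is a different option name and is therefore not picked up.
ecryptfs_sig_from_mount_line() {
    printf '%s\n' "$1" | tr ' ,' '\n\n' | sed -n 's/^ecryptfs_sig=//p' | head -n 1
}

# Mount $1 (lower directory holding the ciphertext) on $2 (mount point; may be the
# same directory, as in the post; must be an absolute path because that is how
# /proc/mounts reports it) using the passphrase file $3, then verify that the kernel
# attached the key with signature $4. A mistyped passphrase still mounts, but with a
# fresh key: existing files become unreadable and new ones are written under the
# wrong key, so on a mismatch the directory is unmounted again and the call fails.
ecryptfs_mount_checked() {
    opts=$(ecryptfs_mount_opts "$3" aes 16 "$4") || return 1
    mount -t ecryptfs -o "$opts" "$1" "$2" || return 1
    line=$(grep -F -- " $2 ecryptfs " /proc/mounts | tail -n 1)
    actual=$(ecryptfs_sig_from_mount_line "$line")
    if [ "$actual" != "$4" ]; then
        umount "$2"
        printf 'ecryptfs: mounted key sig "%s" != expected "%s"; unmounted\n' "$actual" "$4" >&2
        return 1
    fi
}

# Usage (as root):  ecryptfs-mount.sh <lower> <mountpoint> <passphrase file> <sig>
# e.g. ecryptfs-mount.sh /home/dc2-user/private /home/dc2-user/private \
#        /root/.ecryptfs/private.passwd c03eaf5f09f59761     (placeholder values)
if [ "$#" -eq 4 ]; then
    ecryptfs_mount_checked "$@"
fi
```

The first mount of a new directory has no recorded signature yet: do it interactively as shown above, note the ecryptfs_sig value (it is also appended to /root/.ecryptfs/sig-cache.txt), and pass it to the script from then on. With filename encryption enabled, entries in the lower directory appear as strings prefixed ECRYPTFS_FNEK_ENCRYPTED. instead of the clear names.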

Author: 汪黎

Original URL: https://blog.didiyun.com/index.php/2018/12/18/ecryptfs/