
UbuntuHelp:EncryptedPrivateDirectory


Ubuntu Intrepid Ibex brings an interesting new security feature to both desktop and server users: the Encrypted ~/Private Directory.

Setup Your Encrypted Private Directory

  1. Install ecryptfs-utils

sudo apt-get install ecryptfs-utils

  2. Set up your private directory

ecryptfs-setup-private

  3. Enter your login password, and either choose a mount pass phrase or generate one.
  • Record both pass phrases in a safe location!!! They will be required if you ever have to recover your data manually.
  4. Log out, and log back in to establish the mount

Use Your Encrypted Private Directory

After logging back in, the contents of any files or folders you write in ~/Private are encrypted when written to disk and stored in the hidden directory ~/.Private.

Storing Your Keys, Email and other Data in ~/Private

It can be a good idea to move the contents of your .evolution/, .ssh/ and .gnupg/ directories into ~/Private and replace them with symlinks.

  1. Make sure that the application whose data you want to protect (e.g. Firefox or Evolution) is not running

ps -ef | grep evolution

  2. Move the application's data directory (e.g. ~/.mozilla or ~/.evolution) into your ~/Private directory

mv ~/.evolution ~/Private

  3. Establish a symbolic link from the old location to the new location

ln -s ~/Private/.evolution ~/.evolution
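
The three steps above as a guarded script, added here as an example (not part of the original page or of ecryptfs-utils): it refuses to move anything unless ~/Private is a mounted eCryptfs filesystem, because anything written into an unmounted ~/Private is not encrypted. The function names and the MOUNTS_FILE override are hypothetical.

```shell
#!/bin/sh
# Added example: move an application's data directory into ~/Private only
# when ~/Private is a live eCryptfs mount, then leave a symlink behind.
# MOUNTS_FILE is a hypothetical override for testing; default is /proc/mounts.

# Succeeds only if $1 is currently mounted with filesystem type ecryptfs.
# Assumes the path contains no spaces (/proc/mounts escapes them as \040).
private_is_mounted() {
    awk -v mp="$1" '$2 == mp && $3 == "ecryptfs" { found = 1 }
                    END { exit !found }' "${MOUNTS_FILE:-/proc/mounts}"
}

# relocate_to_private SRC_DIR PRIVATE_DIR PROCESS_NAME
relocate_to_private() {
    rp_src=$1 rp_priv=$2 rp_proc=$3
    rp_dest="$rp_priv/$(basename "$rp_src")"

    if ! private_is_mounted "$rp_priv"; then
        echo "refusing: $rp_priv is not an eCryptfs mount" >&2
        return 1
    fi
    if [ -L "$rp_src" ] || [ ! -d "$rp_src" ]; then
        echo "refusing: $rp_src is a symlink or not a directory" >&2
        return 2
    fi
    if [ -e "$rp_dest" ]; then
        echo "refusing: $rp_dest already exists" >&2
        return 3
    fi
    # Step 1 of the procedure: the application must not be running.
    if pgrep -u "$(id -u)" -x "$rp_proc" >/dev/null 2>&1; then
        echo "refusing: $rp_proc is still running" >&2
        return 4
    fi

    # Steps 2 and 3: move the data, then link the old path to the new one.
    mv "$rp_src" "$rp_dest" && ln -s "$rp_dest" "$rp_src"
}

# Usage: relocate_to_private "$HOME/.evolution" "$HOME/Private" evolution
```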

Using in conjunction with Auto-login

Automatic, password-less desktop logins will yield an unmounted ~/Private directory. This is deliberate, ensuring that you must enter a password to access the encrypted data in the ~/Private directory. If you set up ~/Private with ecryptfs-setup-private from ecryptfs-utils version 53-1ubuntu13 or later and open your ~/Private folder in Nautilus or Konqueror, you should see two files, README.txt and "Access Your Private Data". If you click on "Access...", you will be prompted for your login password, and your private data will then be accessible. If you created your ~/Private directory with an older version of ecryptfs-utils, you will need to manually establish a symlink for the "Access Your Private Data" icon. Here's how:

  1. Update to the latest ecryptfs-utils package
  • $ sudo apt-get update && sudo apt-get upgrade
  2. Ensure that ~/Private is not mounted
  • $ ecryptfs-umount-private
  3. Establish the links in your unmounted ~/Private
  • $ cd ~/Private && sudo ln -sf /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt README.txt && sudo ln -sf /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop Access-Your-Private-Data.desktop

Recovering Your Data Manually

These steps should only be required in unusual or emergency circumstances, when you must manually mount your encrypted ~/Private directory to recover your data. You can use this to mount your data if it's backed up on a different system, or when using a LiveCD, as long as it is running at least the Linux 2.6.26 kernel.

  1. If you use encrypted filenames (standard in Ubuntu >= 9.04) you have to do the following first:
  • sudo ecryptfs-add-passphrase --fnek
  • Passphrase: (Enter the mount passphrase you recorded when you set up the mount. This passphrase is different from your login passphrase.)
  • You should now get two lines looking like this:
  • Inserted auth tok with sig [9986ad986f986af7] into the user session keyring
  • Inserted auth tok with sig [76a9f69af69a86fa] into the user session keyring (write down the second value in the square brackets)
  2. Mount using sudo:
  • sudo mount -t ecryptfs /home/username/.Private /home/username/Private
  • Selection: 3 (use a passphrase key type)
  • Passphrase: (Enter the mount passphrase you recorded when you set up the mount. This passphrase is different from your login passphrase.)
  • Selection: aes (use the aes cipher)
  • Selection: 16 (use a 16 byte key)
  • Enable plaintext passthrough: n
  • Enable filename encryption: y (This and the following options only apply if you are using filename encryption)
  • Filename Encryption Key (FNEK) Signature: (the value you wrote down from the second line above)

Assuming you entered your passphrase correctly, you should be able to temporarily access your data at /home/username/Private. Since you are using superuser privileges instead of your regular user account, you may get a warning that you might have entered the passphrase wrong, even if you didn't:

WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

It is safe to ignore this warning.
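
The answers given to the interactive prompts above can also be supplied as mount options. The following added example (not from the original page or from ecryptfs-utils) extracts the FNEK signature from the ecryptfs-add-passphrase --fnek output and builds the matching -o string from the option names documented in ecryptfs(7); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: turn the output of `ecryptfs-add-passphrase --fnek` into
# the mount options that correspond to the interactive answers in step 2.

# Read the tool's output on stdin and print the signature from the second
# "Inserted auth tok" line (the FNEK signature). Fails if there is no such
# line, e.g. when --fnek was omitted, or if it is not 16 hex digits.
fnek_sig_from_output() {
    fs_sig=$(sed -n 's/^Inserted auth tok with sig \[\([0-9a-f]*\)\].*/\1/p' |
             sed -n '2p')
    if ! printf '%s\n' "$fs_sig" | grep -Eq '^[0-9a-f]{16}$'; then
        echo "no valid FNEK signature found (was --fnek used?)" >&2
        return 1
    fi
    printf '%s\n' "$fs_sig"
}

# Print the -o option string: passphrase key type, aes, 16-byte key,
# no plaintext passthrough, filename encryption with the given FNEK sig.
recovery_mount_opts() {
    printf 'key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,'
    printf 'ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,'
    printf 'ecryptfs_fnek_sig=%s\n' "$1"
}

# Usage (mount still prompts for the mount passphrase):
#   sig=$(sudo ecryptfs-add-passphrase --fnek | fnek_sig_from_output) &&
#   sudo mount -t ecryptfs /home/username/.Private /home/username/Private \
#        -o "$(recovery_mount_opts "$sig")"
```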

Recovering Your Mount Passphrase

In the event that you did not write down your mount passphrase, you may be able to recover it by decrypting the file ~/.ecryptfs/wrapped-passphrase using your login passphrase.

  • ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase "login passphrase"
  • It's a good idea to clear your shell history at this point to erase your login passphrase
  • history -c

If your login passphrase matches the passphrase used to encrypt the wrapped-passphrase file, your mount passphrase will be written to screen. Record and protect this data accordingly. If you have lost your wrapped-passphrase file, and you did not record your mount passphrase, it is impossible to access your encrypted data.

How to Remove an Encrypted Private Directory Setup

Perhaps an Encrypted Private Directory is not for you. To remove this setup:

  1. Ensure that you have moved all relevant data out of your ~/Private directory
  2. Unmount your encrypted private directory
  • $ ecryptfs-umount-private
  3. Make ~/Private writable again
  • $ chmod 700 ~/Private
  4. Remove ~/Private, ~/.Private, ~/.ecryptfs (Note: THIS IS VERY PERMANENT)
  • $ rm -rf ~/Private ~/.Private ~/.ecryptfs
  5. Uninstall the utilities
  • $ sudo apt-get remove ecryptfs-utils libecryptfs0

Log in with the folder remaining encrypted

A possible security problem arises when the user logs in and then immediately leaves the computer physically usable by another person. The Private folder is unlocked as soon as the user logs in, so the owner would not have had the chance to lock the folder, and the other person can take control of the computer and access it while the owner is away. We can stop ecryptfs from unlocking the Private folder on startup by removing the empty file auto-mount, which is located in ~/.ecryptfs/. There you can also remove the auto-umount file if you would like ecryptfs to stop unmounting the Private folder upon shutdown and logout. For some reason the script fails to ask for a password when you simply log out and in. You have to reboot the machine; otherwise you will be able to just click on the mount script and the folder is mounted. To resolve this problem, it is possible to have the script that unmounts the Private folder run at login, so the folder cannot be accessed without the password being entered first. To do this:

  1. Go to System > Preferences > Startup Applications.
  2. Click Add.
  3. You can put anything in the Name field, for example Lock Private Folder. In the Command field, type /usr/bin/ecryptfs-umount-private. The Comment field can be left blank.
  4. Click Save and close the Startup Applications window. When you log in, the Private folder will be quickly unmounted before the folder can be accessed.

This is a quick and dirty solution to this problem. If there's a better way, please replace this with it.

Caveats

  • Before Ubuntu 9.04, filenames and directory names were not encrypted. This has been fixed in Ubuntu 9.04 (Bug #264977).
  • Network mounting (NFS, CIFS, Samba) of /home will not work properly with an encrypted ~/Private (bugs #277578 & #289747).
  • By design, data is not kept private from privileged users while the user is logged in. One consequence is that if ~/Private is mounted, a backup solution may back up your decrypted files unless the backup software is configured to exclude files in ~/Private.
  • If you put all of .ssh in ~/Private, you won't be able to ssh into the system using public key authentication. In this case, you might want to only put your private key in ~/Private, and leave the rest (or at least the public keys saved in "authorized_keys" file) in the clear.
  • If you choose to store application data in the ~/Private directory, those applications will not operate as expected if the ~/Private directory is unmounted.
  • If you enable "automatic login" ~/Private will NOT be mounted (decrypted) automatically.
  • Linux filenames are limited to 256 characters in length. When using eCryptfs encrypted filenames, filenames are padded with metadata necessary for decryption. Cleartext filenames which are already very long (> ~200 characters) will not work in eCryptfs.

Not covered in this tutorial

  • How the automatic mounting of the encrypted directory works and what files need to be edited to stop the automatic mounting.