“UbuntuHelp:FolderEncryption”的版本间的差异
来自Ubuntu中文
小 |
小 |
||
| 第1行: | 第1行: | ||
{{From|https://help.ubuntu.com/community/FolderEncryption}} | {{From|https://help.ubuntu.com/community/FolderEncryption}} | ||
{{Languages|UbuntuHelp:FolderEncryption}} | {{Languages|UbuntuHelp:FolderEncryption}} | ||
| − | |||
| − | |||
== Folder Encryption with encfs and pam-encfs == | == Folder Encryption with encfs and pam-encfs == | ||
| − | |||
(last edited by Roland J can be reached at kf03jaro at student dot chalmers dot se) | (last edited by Roland J can be reached at kf03jaro at student dot chalmers dot se) | ||
| − | |||
Encfs is an application that allows you to create encrypted folders, any file that is placed in such a folder will be encrypted. To open an encrypted folder you need a correct password. | Encfs is an application that allows you to create encrypted folders, any file that is placed in such a folder will be encrypted. To open an encrypted folder you need a correct password. | ||
| − | |||
There is also an add-on to encfs called pam-encfs. This add-on allows automatic decryption/encryption of a user home-directory upon login/logout. | There is also an add-on to encfs called pam-encfs. This add-on allows automatic decryption/encryption of a user home-directory upon login/logout. | ||
| − | |||
Both encfs and pam-encfs must be set up from a terminal so this tutorial might be a bit difficult for linux newcomers. In the first part of the tutorial I will explain how to use encfs and then how to set up pam-encfs. | Both encfs and pam-encfs must be set up from a terminal so this tutorial might be a bit difficult for linux newcomers. In the first part of the tutorial I will explain how to use encfs and then how to set up pam-encfs. | ||
| − | |||
=== Setting up encfs === | === Setting up encfs === | ||
| − | |||
To install encfs you need to have access to the universe-packages of ubuntu. How this can be done is beeing described here: https://wiki.ubuntu.com/MOTU/Packages?action=show&redirect=UniversePackages | To install encfs you need to have access to the universe-packages of ubuntu. How this can be done is beeing described here: https://wiki.ubuntu.com/MOTU/Packages?action=show&redirect=UniversePackages | ||
| − | |||
Now enter a terminal and type: | Now enter a terminal and type: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo apt-get install encfs | sudo apt-get install encfs | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
This will install encfs and probably also fuse-utils and libfuse2, which are required. | This will install encfs and probably also fuse-utils and libfuse2, which are required. | ||
| − | |||
You need to have the kernel-module named "fuse" loaded in order to use encfs. To load this module simply type: | You need to have the kernel-module named "fuse" loaded in order to use encfs. To load this module simply type: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo modprobe fuse | sudo modprobe fuse | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Remember, this module must be loaded every time you intend to use encfs. If you want to have this module always loaded you must edit the file /etc/modules and add the line fuse to the bottom line. | Remember, this module must be loaded every time you intend to use encfs. If you want to have this module always loaded you must edit the file /etc/modules and add the line fuse to the bottom line. | ||
| − | |||
Now we have to set up permissions to use fuse. This is done in two steps. First add your user to the group fuse by typing: | Now we have to set up permissions to use fuse. This is done in two steps. First add your user to the group fuse by typing: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo adduser <your login username> fuse | sudo adduser <your login username> fuse | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
So for example if your login-name is donald you should type | So for example if your login-name is donald you should type | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo adduser donald fuse | sudo adduser donald fuse | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
The second step is to change the permissions of the file fusermount. This is done by typing: | The second step is to change the permissions of the file fusermount. This is done by typing: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo chmod +x /usr/bin/fusermount | sudo chmod +x /usr/bin/fusermount | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Finally you are ready to create the encrypted folder. The application encfs will create one folder which contains the encrypted files and one folder where the files are unlocked and accessible. The syntax for encfs is: | Finally you are ready to create the encrypted folder. The application encfs will create one folder which contains the encrypted files and one folder where the files are unlocked and accessible. The syntax for encfs is: | ||
encfs <path to encrypted folder> <path to visible folder> | encfs <path to encrypted folder> <path to visible folder> | ||
| − | |||
For example, I wish to have a folder in my home-directory called visible and another one called encrypted. Therefore I could write: | For example, I wish to have a folder in my home-directory called visible and another one called encrypted. Therefore I could write: | ||
<pre><nowiki> | <pre><nowiki> | ||
encfs ~/encrypted ~/visible | encfs ~/encrypted ~/visible | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Where the '~' indicates that the folders shall be placed in the home-directory. | Where the '~' indicates that the folders shall be placed in the home-directory. | ||
| − | |||
First encfs will ask you to create the selected folders. Simply type 'y'. Then it asks which degree of encryption that should be used. I prefer to simply press enter to use default encryption-level. At last encfs will ask you for the password that is needed to reach the encrypted information. | First encfs will ask you to create the selected folders. Simply type 'y'. Then it asks which degree of encryption that should be used. I prefer to simply press enter to use default encryption-level. At last encfs will ask you for the password that is needed to reach the encrypted information. | ||
| − | |||
If things work out correctly and you don't recieve an error-message after typing in your password you are now free to use the folder ~/visible to store all kinds of sensitive information:-) | If things work out correctly and you don't recieve an error-message after typing in your password you are now free to use the folder ~/visible to store all kinds of sensitive information:-) | ||
| − | |||
In order to close the ~/visible folder simply type: | In order to close the ~/visible folder simply type: | ||
<pre><nowiki> | <pre><nowiki> | ||
fusermount -u ~/visible | fusermount -u ~/visible | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
As long as the folder is closed all the information in ~/visible will seem to have disappeared. The only way to gain access to this information again is by unlocking it. This can be done in a terminal by typing: | As long as the folder is closed all the information in ~/visible will seem to have disappeared. The only way to gain access to this information again is by unlocking it. This can be done in a terminal by typing: | ||
<pre><nowiki> | <pre><nowiki> | ||
encfs ~/encrypted ~/visible | encfs ~/encrypted ~/visible | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
You will be asked for the proper password to gain access. | You will be asked for the proper password to gain access. | ||
| − | |||
=== Setting up pam-encfs === | === Setting up pam-encfs === | ||
| − | |||
The goal of this part of the tutorial is to create a user which has an encrypted home-directory. It is assumed that you already have encfs installed on your computer. | The goal of this part of the tutorial is to create a user which has an encrypted home-directory. It is assumed that you already have encfs installed on your computer. | ||
| − | |||
Warning! This topic is intented for medium/advanced ubuntu users. Incorrectly configuring pam-encfs could lead to problems logging in. This is why I prefer to have the root login activated. This way, if something goes wrong, I can (almost)always log in with root and correct my misstakes. For info on how to enable root login read: | Warning! This topic is intented for medium/advanced ubuntu users. Incorrectly configuring pam-encfs could lead to problems logging in. This is why I prefer to have the root login activated. This way, if something goes wrong, I can (almost)always log in with root and correct my misstakes. For info on how to enable root login read: | ||
https://wiki.ubuntu.com/RootSudo?action=show&redirect=EnableRootLogin | https://wiki.ubuntu.com/RootSudo?action=show&redirect=EnableRootLogin | ||
| − | |||
'''Edgy users and later(Feisty, Gutsy):''' libpam-encfs is included in the universe repository so you can install simply with: | '''Edgy users and later(Feisty, Gutsy):''' libpam-encfs is included in the universe repository so you can install simply with: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo apt-get install libpam-encfs | sudo apt-get install libpam-encfs | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
The below tutorial for pam-encfs is to some parts obsolete. Feel free to use it, although I recommend following the instructions on this page instead: | The below tutorial for pam-encfs is to some parts obsolete. Feel free to use it, although I recommend following the instructions on this page instead: | ||
http://www.singularity.be/node/6344 | http://www.singularity.be/node/6344 | ||
| − | |||
=== Obsolete information === | === Obsolete information === | ||
| − | |||
Users of some older linux distributions will not find libpam-encfs in the ubuntu repository. In that case, the following steps can be used to install libpam-encfs. | Users of some older linux distributions will not find libpam-encfs in the ubuntu repository. In that case, the following steps can be used to install libpam-encfs. | ||
| − | |||
A search on google for "libpam-encfs ubuntu" got me here: | A search on google for "libpam-encfs ubuntu" got me here: | ||
http://mirror.stanford.edu/yum/pub/ubuntu/pool/universe/libp/libpam-encfs/ | http://mirror.stanford.edu/yum/pub/ubuntu/pool/universe/libp/libpam-encfs/ | ||
| − | |||
Where I simply downloaded http://mirror.stanford.edu/yum/pub/ubuntu/pool/universe/libp/libpam-encfs/libpam-encfs_0.1.2-4_i386.deb | Where I simply downloaded http://mirror.stanford.edu/yum/pub/ubuntu/pool/universe/libp/libpam-encfs/libpam-encfs_0.1.2-4_i386.deb | ||
| − | |||
I then installed the package with | I then installed the package with | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo dpkg -i libpam-encfs_0.1.2-4_i386.deb | sudo dpkg -i libpam-encfs_0.1.2-4_i386.deb | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
sudo apt-get install libpam-encfs | sudo apt-get install libpam-encfs | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
After this I altered the file /etc/pam.d/common-auth so that it looks like this: | After this I altered the file /etc/pam.d/common-auth so that it looks like this: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第111行: | 第75行: | ||
auth required pam_unix.so nullok_secure use_first_pass | auth required pam_unix.so nullok_secure use_first_pass | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Obviously you should not need to remove any of the information in this file. Simply add what is missing. | Obviously you should not need to remove any of the information in this file. Simply add what is missing. | ||
| − | |||
For pam-encfs to work in gnome you need to type: | For pam-encfs to work in gnome you need to type: | ||
<pre><nowiki> | <pre><nowiki> | ||
echo "user_allow_other" | sudo tee -a /etc/fuse.conf | echo "user_allow_other" | sudo tee -a /etc/fuse.conf | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
This adds the text user_allow_other to the file fuse.conf | This adds the text user_allow_other to the file fuse.conf | ||
| − | |||
Now edit the file /etc/security/pam_encfs.conf and comment the line: | Now edit the file /etc/security/pam_encfs.conf and comment the line: | ||
"- /home/.enc - -v allow_other" | "- /home/.enc - -v allow_other" | ||
and add the line: | and add the line: | ||
"- /mnt/storage/enc - -v allow_other" | "- /mnt/storage/enc - -v allow_other" | ||
| − | |||
It should look like: | It should look like: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第131行: | 第90行: | ||
- /mnt/storage/enc - -v allow_other | - /mnt/storage/enc - -v allow_other | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
You probably also need to change: | You probably also need to change: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第140行: | 第98行: | ||
"fuse_default allow_other,nonempty" | "fuse_default allow_other,nonempty" | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
If you are not encrypting you home directory, but just a subdirectory in you home, change: | If you are not encrypting you home directory, but just a subdirectory in you home, change: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第150行: | 第107行: | ||
</nowiki></pre> | </nowiki></pre> | ||
(Otherwise it will unmount 60 seconds after you close all references to the directory) | (Otherwise it will unmount 60 seconds after you close all references to the directory) | ||
| − | |||
Now it is time to create the user that will have an encrypted home. In this tutorial I will call this user "testuser". | Now it is time to create the user that will have an encrypted home. In this tutorial I will call this user "testuser". | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo adduser testuser | sudo adduser testuser | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Remember testuser's password as you need it when you create the encfs folders as well. | Remember testuser's password as you need it when you create the encfs folders as well. | ||
| − | |||
Now put this user in the fuse group by typing | Now put this user in the fuse group by typing | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo adduser testuser fuse | sudo adduser testuser fuse | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Create the folder that will contain the encrypted information by typing: | Create the folder that will contain the encrypted information by typing: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo mkdir -p /mnt/storage/enc/testuser | sudo mkdir -p /mnt/storage/enc/testuser | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Let testuser be the owner of this folder by typing: | Let testuser be the owner of this folder by typing: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo chown testuser:testuser /mnt/storage/enc/testuser | sudo chown testuser:testuser /mnt/storage/enc/testuser | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Become testuser by typing: | Become testuser by typing: | ||
<pre><nowiki> | <pre><nowiki> | ||
su testuser | su testuser | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Create the encfs-encrypted folders: | Create the encfs-encrypted folders: | ||
<pre><nowiki> | <pre><nowiki> | ||
encfs /mnt/storage/enc/testuser /home/testuser | encfs /mnt/storage/enc/testuser /home/testuser | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Make sure that you use the same password here as for testuser's login. | Make sure that you use the same password here as for testuser's login. | ||
| − | |||
Unmount the folder | Unmount the folder | ||
<pre><nowiki> | <pre><nowiki> | ||
fusermount -u /home/testuser | fusermount -u /home/testuser | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Exit testuser | Exit testuser | ||
<pre><nowiki> | <pre><nowiki> | ||
exit | exit | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Now when you login as testuser pam-encfs will mount testuser's homefolder using encfs and all the files saved here will be encrypted. | Now when you login as testuser pam-encfs will mount testuser's homefolder using encfs and all the files saved here will be encrypted. | ||
| − | |||
Note that this is an advanced topic and if things fail you can always lookup the supplied documentation at: | Note that this is an advanced topic and if things fail you can always lookup the supplied documentation at: | ||
/usr/share/doc/libpam-encfs/README | /usr/share/doc/libpam-encfs/README | ||
| − | |||
The supplied documentation also describes how to export your current home-directory to make it encrypted. | The supplied documentation also describes how to export your current home-directory to make it encrypted. | ||
| − | |||
---- | ---- | ||
[[category:CategoryDocumentation]] [[category:CategoryCleanup]] | [[category:CategoryDocumentation]] [[category:CategoryCleanup]] | ||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] | ||
2007年11月30日 (五) 17:17的版本
 |
点击翻译: |
English |
请不要直接编辑翻译本页,本页将定期与来源同步。 |
目录
Folder Encryption with encfs and pam-encfs
(last edited by Roland J can be reached at kf03jaro at student dot chalmers dot se) Encfs is an application that allows you to create encrypted folders, any file that is placed in such a folder will be encrypted. To open an encrypted folder you need a correct password. There is also an add-on to encfs called pam-encfs. This add-on allows automatic decryption/encryption of a user home-directory upon login/logout. Both encfs and pam-encfs must be set up from a terminal so this tutorial might be a bit difficult for linux newcomers. In the first part of the tutorial I will explain how to use encfs and then how to set up pam-encfs.
Setting up encfs
To install encfs you need to have access to the universe-packages of ubuntu. How this can be done is beeing described here: https://wiki.ubuntu.com/MOTU/Packages?action=show&redirect=UniversePackages Now enter a terminal and type:
sudo apt-get install encfs
This will install encfs and probably also fuse-utils and libfuse2, which are required. You need to have the kernel-module named "fuse" loaded in order to use encfs. To load this module simply type:
sudo modprobe fuse
Remember, this module must be loaded every time you intend to use encfs. If you want to have this module always loaded you must edit the file /etc/modules and add the line fuse to the bottom line. Now we have to set up permissions to use fuse. This is done in two steps. First add your user to the group fuse by typing:
sudo adduser <your login username> fuse
So for example if your login-name is donald you should type
sudo adduser donald fuse
The second step is to change the permissions of the file fusermount. This is done by typing:
sudo chmod +x /usr/bin/fusermount
Finally you are ready to create the encrypted folder. The application encfs will create one folder which contains the encrypted files and one folder where the files are unlocked and accessible. The syntax for encfs is: encfs <path to encrypted folder> <path to visible folder> For example, I wish to have a folder in my home-directory called visible and another one called encrypted. Therefore I could write:
encfs ~/encrypted ~/visible
Where the '~' indicates that the folders shall be placed in the home-directory. First encfs will ask you to create the selected folders. Simply type 'y'. Then it asks which degree of encryption that should be used. I prefer to simply press enter to use default encryption-level. At last encfs will ask you for the password that is needed to reach the encrypted information. If things work out correctly and you don't recieve an error-message after typing in your password you are now free to use the folder ~/visible to store all kinds of sensitive information:-) In order to close the ~/visible folder simply type:
fusermount -u ~/visible
As long as the folder is closed all the information in ~/visible will seem to have disappeared. The only way to gain access to this information again is by unlocking it. This can be done in a terminal by typing:
encfs ~/encrypted ~/visible
You will be asked for the proper password to gain access.
Setting up pam-encfs
The goal of this part of the tutorial is to create a user which has an encrypted home-directory. It is assumed that you already have encfs installed on your computer. Warning! This topic is intented for medium/advanced ubuntu users. Incorrectly configuring pam-encfs could lead to problems logging in. This is why I prefer to have the root login activated. This way, if something goes wrong, I can (almost)always log in with root and correct my misstakes. For info on how to enable root login read: https://wiki.ubuntu.com/RootSudo?action=show&redirect=EnableRootLogin Edgy users and later(Feisty, Gutsy): libpam-encfs is included in the universe repository so you can install simply with:
sudo apt-get install libpam-encfs
The below tutorial for pam-encfs is to some parts obsolete. Feel free to use it, although I recommend following the instructions on this page instead: http://www.singularity.be/node/6344
Obsolete information
Users of some older linux distributions will not find libpam-encfs in the ubuntu repository. In that case, the following steps can be used to install libpam-encfs. A search on google for "libpam-encfs ubuntu" got me here: http://mirror.stanford.edu/yum/pub/ubuntu/pool/universe/libp/libpam-encfs/ Where I simply downloaded http://mirror.stanford.edu/yum/pub/ubuntu/pool/universe/libp/libpam-encfs/libpam-encfs_0.1.2-4_i386.deb I then installed the package with
sudo dpkg -i libpam-encfs_0.1.2-4_i386.deb
sudo apt-get install libpam-encfs
After this I altered the file /etc/pam.d/common-auth so that it looks like this:
auth sufficient pam_encfs.so auth required pam_unix.so nullok_secure use_first_pass
Obviously you should not need to remove any of the information in this file. Simply add what is missing. For pam-encfs to work in gnome you need to type:
echo "user_allow_other" | sudo tee -a /etc/fuse.conf
This adds the text user_allow_other to the file fuse.conf Now edit the file /etc/security/pam_encfs.conf and comment the line: "- /home/.enc - -v allow_other" and add the line: "- /mnt/storage/enc - -v allow_other" It should look like:
#- /home/.enc - -v allow_other - /mnt/storage/enc - -v allow_other
You probably also need to change:
"fuse_default allow_root,nonempty"
To:
"fuse_default allow_other,nonempty"
If you are not encrypting you home directory, but just a subdirectory in you home, change:
encfs_default --idle=1
To:
encfs_default
(Otherwise it will unmount 60 seconds after you close all references to the directory) Now it is time to create the user that will have an encrypted home. In this tutorial I will call this user "testuser".
sudo adduser testuser
Remember testuser's password as you need it when you create the encfs folders as well. Now put this user in the fuse group by typing
sudo adduser testuser fuse
Create the folder that will contain the encrypted information by typing:
sudo mkdir -p /mnt/storage/enc/testuser
Let testuser be the owner of this folder by typing:
sudo chown testuser:testuser /mnt/storage/enc/testuser
Become testuser by typing:
su testuser
Create the encfs-encrypted folders:
encfs /mnt/storage/enc/testuser /home/testuser
Make sure that you use the same password here as for testuser's login. Unmount the folder
fusermount -u /home/testuser
Exit testuser
exit
Now when you login as testuser pam-encfs will mount testuser's homefolder using encfs and all the files saved here will be encrypted. Note that this is an advanced topic and if things fail you can always lookup the supplied documentation at: /usr/share/doc/libpam-encfs/README The supplied documentation also describes how to export your current home-directory to make it encrypted.
