UbuntuHelp:FolderEncryption

From Ubuntu中文

Revision as of 19:09, 17 November 2009 (Tue) by Wikibot

Folder Encryption with encfs and pam-encfs

(Last edited by Roland J, who can be reached at kf03jaro at student dot chalmers dot se.)

Encfs is an application that allows you to create encrypted folders: any file that is placed in such a folder will be encrypted. To open an encrypted folder you need the correct password. There is also an add-on to encfs called pam-encfs. This add-on allows automatic decryption/encryption of a user's home-directory upon login/logout. Both encfs and pam-encfs must be set up from a terminal, so this tutorial might be a bit difficult for Linux newcomers. In the first part of the tutorial I will explain how to use encfs and then how to set up pam-encfs.

Setting up encfs

To install encfs you need to have access to the universe packages of Ubuntu. How this can be done is described here: https://wiki.ubuntu.com/MOTU/Packages?action=show&redirect=UniversePackages

Now open a terminal and type:

sudo apt-get install encfs

This will install encfs and probably also fuse-utils and libfuse2, which are required. You need to have the kernel-module named "fuse" loaded in order to use encfs. To load this module simply type:

sudo modprobe fuse

Remember, this module must be loaded every time you intend to use encfs. If you want to have this module always loaded, edit the file /etc/modules and add the line fuse at the bottom of the file.

Now we have to set up permissions to use fuse. This is done in two steps. First add your user to the group fuse by typing:

sudo adduser <your login username> fuse

So for example if your login-name is donald you should type

sudo adduser donald fuse

(You may need to log out and log in again for the changes to take effect.) The second step is to change the permissions of the file fusermount. This is done by typing:

sudo chmod +x /usr/bin/fusermount

Note: This step is not needed on Intrepid Ibex (8.10).

Finally you are ready to create the encrypted folder. The application encfs will create one folder which contains the encrypted files and one folder where the files are unlocked and accessible. The syntax for encfs is:

encfs <path to encrypted folder> <path to visible folder>

For example, I wish to have a folder in my home-directory called visible and another one called encrypted. Therefore I could write:

encfs ~/encrypted ~/visible

Here the '~' indicates that the folders shall be placed in the home-directory. First encfs will ask you to create the selected folders. Simply type 'y'. Then it asks which degree of encryption should be used. I prefer to simply press Enter to use the default encryption level. Finally encfs will ask you for the password that is needed to reach the encrypted information. If things work out correctly and you don't receive an error message after typing in your password, you are now free to use the folder ~/visible to store all kinds of sensitive information :-)

In order to close the ~/visible folder simply type:

fusermount -u ~/visible

As long as the folder is closed all the information in ~/visible will seem to have disappeared. The only way to gain access to this information again is by unlocking it. This can be done in a terminal by typing:

encfs ~/encrypted ~/visible

You will be asked for the proper password to gain access.

Setting up pam-encfs

The goal of this part of the tutorial is to create a user which has an encrypted home-directory. It is assumed that you already have encfs installed on your computer.

Warning! This topic is intended for medium/advanced Ubuntu users. Incorrectly configuring pam-encfs could lead to problems logging in. This is why I prefer to have the root login activated. This way, if something goes wrong, I can (almost) always log in as root and correct my mistakes. For info on how to enable root login read: https://wiki.ubuntu.com/RootSudo?action=show&redirect=EnableRootLogin

Edgy users and later (Feisty, Gutsy): libpam-encfs is included in the universe repository, so you can install it simply with:

sudo apt-get install libpam-encfs

The tutorial for pam-encfs below is partly obsolete. Feel free to use it, although I recommend following the instructions on this page instead: http://www.singularity.be/node/6344

Obsolete information

Users of some older Linux distributions will not find libpam-encfs in the Ubuntu repository. In that case, the following steps can be used to install libpam-encfs. A search on Google for "libpam-encfs ubuntu" got me here: http://mirror.stanford.edu/yum/pub/ubuntu/pool/universe/libp/libpam-encfs/

There I simply downloaded http://mirror.stanford.edu/yum/pub/ubuntu/pool/universe/libp/libpam-encfs/libpam-encfs_0.1.2-4_i386.deb

I then installed the package with:

sudo dpkg -i libpam-encfs_0.1.2-4_i386.deb
sudo apt-get install libpam-encfs

After this I altered the file /etc/pam.d/common-auth so that it looks like this:

auth    sufficient      pam_encfs.so
auth    required        pam_unix.so nullok_secure use_first_pass

Obviously you should not need to remove any of the information in this file. Simply add what is missing. For pam-encfs to work in gnome you need to type:

echo "user_allow_other" | sudo tee -a /etc/fuse.conf

This adds the text user_allow_other to the file fuse.conf.

Now edit the file /etc/security/pam_encfs.conf: comment out the line "- /home/.enc - -v allow_other" and add the line "- /mnt/storage/enc - -v allow_other". It should look like:

#-              /home/.enc      -               -v                      allow_other
-               /mnt/storage/enc        -               -v                      allow_other

You probably also need to change:

"fuse_default allow_root,nonempty"

To:

"fuse_default allow_other,nonempty"

If you are not encrypting your home directory, but just a subdirectory in your home, change:

encfs_default --idle=1

To:

encfs_default

(Otherwise it will unmount 60 seconds after you close all references to the directory.)

Now it is time to create the user that will have an encrypted home. In this tutorial I will call this user "testuser".

sudo adduser testuser

Remember testuser's password as you need it when you create the encfs folders as well. Now put this user in the fuse group by typing

sudo adduser testuser fuse

Create the folder that will contain the encrypted information by typing:

sudo mkdir -p /mnt/storage/enc/testuser

Let testuser be the owner of this folder by typing:

sudo chown testuser:testuser /mnt/storage/enc/testuser

Become testuser by typing:

su testuser

Create the encfs-encrypted folders:

encfs /mnt/storage/enc/testuser /home/testuser

Make sure that you use the same password here as for testuser's login. Unmount the folder:

fusermount -u /home/testuser

Exit testuser:

exit

Now when you log in as testuser, pam-encfs will mount testuser's home folder using encfs and all the files saved here will be encrypted. Note that this is an advanced topic, and if things fail you can always look up the supplied documentation at: /usr/share/doc/libpam-encfs/README

The supplied documentation also describes how to export your current home-directory to make it encrypted.
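Since a misconfigured pam-encfs can block logins, the files edited above can be checked before the first login as testuser. The script below is an added example, not part of the original tutorial or of libpam-encfs; its function names are hypothetical and it checks only the settings this page describes.

```shell
#!/bin/sh
# Added example (not from libpam-encfs): check the files edited in this
# tutorial before the first login. Function names are this example's own.

# pam_encfs.so must precede pam_unix.so on active "auth" lines, and
# pam_unix.so must carry use_first_pass so it reuses the typed password.
check_pam_order() {   # $1 = common-auth file
    awk '$1 != "auth" { next }   # skips comments and non-auth lines
    { for (i = 2; i <= NF; i++) {
        if ($i == "pam_encfs.so" && !e) e = NR
        if ($i == "pam_unix.so" && !u) {
            u = NR
            for (j = i + 1; j <= NF; j++) if ($j == "use_first_pass") f = 1
        }
    } }
    END { exit !(e && u && e < u && f) }' "$1"
}

# user_allow_other must be an active (uncommented) line in fuse.conf.
check_fuse_conf() {   # $1 = fuse.conf
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# An uncommented mount line ("- BASE - ...") must name the encrypted base.
check_mount_line() {   # $1 = pam_encfs.conf, $2 = base directory
    awk -v base="$2" '$1 == "-" && $2 == base { ok = 1 } END { exit !ok }' "$1"
}

# fuse_default should list allow_other (the tutorial: "probably" needed).
check_fuse_default() {   # $1 = pam_encfs.conf
    awk '$1 == "fuse_default" { n = split($2, o, ",")
             for (k = 1; k <= n; k++) if (o[k] == "allow_other") ok = 1 }
         END { exit !ok }' "$1"
}

# Print one line per problem; return the number of hard failures.
audit() {   # $1 common-auth, $2 fuse.conf, $3 pam_encfs.conf, $4 base dir
    fails=0
    check_pam_order "$1" || { echo "FAIL: PAM order or use_first_pass: $1"; fails=$((fails + 1)); }
    check_fuse_conf "$2" || { echo "FAIL: user_allow_other not set: $2"; fails=$((fails + 1)); }
    check_mount_line "$3" "$4" || { echo "FAIL: no mount line for $4: $3"; fails=$((fails + 1)); }
    check_fuse_default "$3" || echo "WARN: fuse_default lacks allow_other: $3"
    [ "$fails" -eq 0 ] && echo "OK: no hard failures"
    return "$fails"
}

# Check the live files only when asked: sh check-pam-encfs.sh --live
if [ "${1:-}" = "--live" ]; then
    audit /etc/pam.d/common-auth /etc/fuse.conf /etc/security/pam_encfs.conf /mnt/storage/enc
fi
```

Run it with --live from a session that stays logged in, so a reported failure can be fixed before the new account is tried.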