eCryptfs in Ubuntu (Lucid)


In OS X I use FileVault, and I also like to create an encrypted disk image—mounted automatically when I log in—which is used as Apache's root directory so that any sensitive files in there (configuration files containing passwords, etc) are protected if anyone gets access to the disk.

The newest version of Ubuntu has a simple option to encrypt a user's home directory using eCryptfs. eCryptfs can also be used to encrypt other directories. This is how to make /var/www (Apache's default root directory) encrypted:

  1. Make sure any existing encrypted folders are backed up, just in case something goes wrong.
  2. Move any files existing files out of /var/www.
  3. Make a hidden directory to hold the encrypted files:
    sudo mkdir /var/.www
  4. Mount the hidden directory as an encrypted filesystem (use the passphrase used to encrypt your home folder*, as this passphrase is added automatically to the keyring by pam_ecryptfs when you log in, so it will be available for pam_mount to use):
    sudo mount -t ecryptfs /var/.www /var/www -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no
  5. Find the entry for the encrypted filesystem in /etc/mtab:
    grep 'ecryptfs' /etc/mtab | grep '/var/www'
  6. Add 'user,noauto' to the mount options, and add it as a new entry in /etc/fstab (replacing the ecryptfs_sig value below):
    /var/.www /var/www ecryptfs rw,user,noauto,ecryptfs_sig=a1b2c3d4e5f6,ecryptfs_unlink_sigs,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
  7. Unmount the encrypted filesystem:
    sudo umount /var/www
  8. As a test, mount the encrypted filesystem as your user:
    mount -i /var/www
  9. Unmount the encrypted filesystem:
    umount /var/www
  10. Install libpam-mount.
  11. Edit /etc/security/pam_mount.conf.xml: uncomment <luserconf name=".pam_mount.conf.xml" /> and add <lclmount>mount -i %(VOLUME)</lclmount>.
  12. Create ~/.pam_mount.conf.xml and add this:
      <volume noroot="1" fstype="ecryptfs" path="/var/.www"/>
  13. Log out and back in again, or restart: /var/www should now be mounted as an encrypted filesystem (it'll be listed in /etc/mtab, if it's worked).

* The passphrase used to encrypt your home folder can be found by running

ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
and entering your login password. When your home directory was encrypted, eCryptfs took the passphrase and encrypted ("wrapped") it using your login password (when you change your login password, eCryptfs re-wraps the passphrase with it).

Related links