
I have a number of user directories that I'd like to have encrypted and authenticated via eCryptfs.

I am attempting to create a new filesystem like so:

gpg2 --decrypt key.gpg | \
  sudo mount -t ecryptfs -o key=passphrase:passphrase_passwd_fd=0 \
    /home/naftuli/.private/Documents/Secure \
    /home/naftuli/Documents/Secure

The goal is to have multiple encrypted filesystems, opening only the ones that I actually need and closing them when done; to be able to make backups of $HOME/.private, which will hold the encrypted and authenticated filesystem entries for the given filesystems; and to be able to sync these filesystems using something like Syncthing without ever knowing what's actually inside.

What is the process for creating an eCryptfs mount point? I have not been successful so far, receiving kernel errors:

Error attempting to evaluate mount options: [-22] Invalid argument
Check your system logs for details on why this happened.
Try updating your ecryptfs-utils package, and/or
submit a bug report on https://bugs.launchpad.net/ecryptfs

I'm on Ubuntu 16.04, kernel 4.4.0.

The tutorials I have found seem to suggest that what I'm trying above should work, but it obviously does not.

Naftuli Kay
  • 39,676

1 Answer

  • Option 1: use named pipes and passphrase_passwd_file instead of an fd. Managing stdin/stdout and reading from and writing to pipes at the same time can be a challenge (cf. https://gist.github.com/korc/15886e50999af9701bad967534e84770).
  • Option 2: do a bit of preparation and use /sbin/mount.ecryptfs_private with an alias argument (here: xxx). Adding keys and mounting are actually two separate procedures, linked through keys in the kernel keyring (cf. the keyctl command):
    1. Add the encryption keys to the kernel keyring with ecryptfs-add-passphrase. keyctl show is also quite useful. If you use pam_ecryptfs, some keys might already be there (if you have run ecryptfs-setup-private). Looking inside /usr/bin/ecryptfs-mount-private could give some hints, too.
    2. Create $HOME/.ecryptfs/xxx.conf and xxx.sig; cf. man mount.ecryptfs_private for reference. In short, the .conf file is an fstab-like description of the mount points and the .sig file contains the key signatures (which should match the keyctl output).
    3. Use /sbin/mount.ecryptfs_private xxx to mount and /sbin/umount.ecryptfs_private xxx to unmount.
korc
  • 131
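A worked version of Option 2, as an added example that is not part of korc's answer or of ecryptfs-utils. It feeds the gpg2 output into ecryptfs-add-passphrase (which reads the passphrase from stdin when given "-"), parses the key signatures it prints, writes ALIAS.conf and ALIAS.sig under $HOME/.ecryptfs, and leaves the mount to mount.ecryptfs_private. The alias name, the use of a second FNEK (filename encryption) key, the sample signature lines and the assumption that key.gpg decrypts to the bare passphrase are all mine, not from the thread; the lower and upper directories must already exist and be owned by the invoking user.

```shell
#!/bin/sh
# Added example (not from the original post): prepare ALIAS.conf and ALIAS.sig
# for mount.ecryptfs_private and load the keys into the session keyring.
# Assumptions (not stated in the thread): key.gpg decrypts to the bare
# passphrase, both directories exist and belong to the user, and
# ecryptfs-utils (ecryptfs-add-passphrase, mount.ecryptfs_private) is installed.
set -eu

ECRYPTFS_DIR="${ECRYPTFS_DIR:-${HOME:-.}/.ecryptfs}"

# Extract the 16-hex-digit key signature from one line of
# ecryptfs-add-passphrase output, which looks like (constructed sample):
#   Inserted auth tok with sig [0123456789abcdef] into the user session keyring
# Prints nothing and returns non-zero if the line carries no signature.
sig_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*sig \[\([0-9a-f]\{16\}\)\].*/\1/p' | grep .
}

# Write ALIAS.conf (fstab-like: "LOWER UPPER ecryptfs") and ALIAS.sig
# (one signature per line: file-content key first, optional FNEK key second).
# Signatures are validated so a stray prompt or error text never lands in .sig.
write_alias() {
    alias="$1"; lower="$2"; upper="$3"; sig="$4"; fnek_sig="${5:-}"
    for s in "$sig" $fnek_sig; do
        case "$s" in *[!0-9a-f]*) echo "bad signature: $s" >&2; return 1 ;; esac
        [ ${#s} -eq 16 ] || { echo "bad signature length: $s" >&2; return 1; }
    done
    mkdir -p "$ECRYPTFS_DIR"
    printf '%s %s ecryptfs\n' "$lower" "$upper" > "$ECRYPTFS_DIR/$alias.conf"
    if [ -n "$fnek_sig" ]; then
        printf '%s\n%s\n' "$sig" "$fnek_sig" > "$ECRYPTFS_DIR/$alias.sig"
    else
        printf '%s\n' "$sig" > "$ECRYPTFS_DIR/$alias.sig"
    fi
    chmod 600 "$ECRYPTFS_DIR/$alias.sig"
}

# Decrypt the passphrase and add it to the kernel keyring as both the content
# key and the filename key (--fnek). ecryptfs-add-passphrase prints one
# "Inserted auth tok ..." line per key; return both signatures, space-separated.
# The passphrase itself never touches the command line or a file on disk.
add_passphrase_keys() {
    out=$(gpg2 --quiet --decrypt "$1" | ecryptfs-add-passphrase --fnek -)
    sig=$(sig_from_line "$(printf '%s\n' "$out" | sed -n 1p)")
    fnek=$(sig_from_line "$(printf '%s\n' "$out" | sed -n 2p)")
    printf '%s %s\n' "$sig" "$fnek"
}

# Usage:
#   sh ecryptfs-alias.sh setup secure key.gpg \
#       /home/naftuli/.private/Documents/Secure /home/naftuli/Documents/Secure
#   /sbin/mount.ecryptfs_private secure      # later: umount.ecryptfs_private secure
case "${1:-}" in
    setup)
        sigs=$(add_passphrase_keys "$3")
        write_alias "$2" "$4" "$5" $sigs
        echo "keys loaded (check with: keyctl show); now run: /sbin/mount.ecryptfs_private $2"
        ;;
esac
```

Because the keys live in the session keyring, the .sig file holds only signatures and is safe to back up with the rest of $HOME/.ecryptfs; after a reboot re-run the setup step before mounting, and compare the .sig contents against `keyctl show` if mount.ecryptfs_private refuses the alias.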