This page shows the differences between two versions of the page.

Previous revision: ecryptfs [2010/12/20 09:51], external edit 127.0.0.1
Current revision: ecryptfs [2024/02/29 13:36] (current), external edit 127.0.0.1

Line 16 in both revisions (unchanged context; everything below was added in the current revision):

Lock again:

====== Files ======

<code>
~/
~/.Private - underlying directory containing encrypted data
~/Private - mountpoint containing decrypted data (when mounted)
~/
~/
~/
~/
</code>

===== Recovering Your Mount Passphrase =====

Source: https://

In the event that you did not write down your mount passphrase, you may be able to recover it by decrypting the file /

  * ecryptfs-unwrap-passphrase /
  * Type your login passphrase to reveal the mount passphrase

If your login passphrase matches the passphrase used to encrypt the wrapped-passphrase file, your mount passphrase will be written to the screen. Record and protect this data accordingly.

If you have lost your wrapped-passphrase file and you did not record your mount passphrase, it is impossible to access your encrypted data.
===== Live CD method of opening an encrypted home directory =====
Source: https://

There are two methods of using the live CD to open an encrypted home directory. The first is the long way: it gives you more functionality in your home directory and is also easier to do. The second is the short way: it requires you to know your system and how you partitioned it, and it is more difficult to get more functionality,
==== Long way ====

The first thing you need to do is mount your Linux partitions. Please use Nautilus to do this; the guide will make a lot more sense if you do. Nautilus is the default file manager of GNOME. If you are using a KDE or Xfce live CD the syntax below may be different, so in that case install Nautilus with this command.

If you are confident in your ability to use the mount command you can use that instead, but you will have to adapt the directory information below for it to work properly. Use this command to find your Linux partitions.

<code>sudo fdisk -l</code>

My output:
<code>
Disk /dev/sda: 100.0 GB, 100030242816 bytes
255 heads, 63 sectors/
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/
I/O size (minimum/
Disk identifier: 0x000c8b89

/
/
/
/
/
</code>
In this case you would have to mount /dev/sda1 and /dev/sda6. I am going to assume you know how to do this if you want to mount your partitions manually.

Next you need to find your "

You should get something similar to this:

<code>
~ $ /
</code>

In my case I got the first one.

<code>
/
</code>

Next you need to find your keyring keys. This requires that you have your mount passphrase, which you recorded when you set up the mount; this passphrase is different from your login passphrase. If you don't have your mount passphrase, please read Recovering Your Mount Passphrase above. Let's move on to getting those keyring keys. Put the sudo command that you see below into the terminal. This will be an interactive prompt. The left side of what you see is what you will see, and the right side gives you more information. The second key signature (in square brackets) is the important part.
+ | |||
  * sudo ecryptfs-add-passphrase --fnek
  * Passphrase:
  * You should now get two lines looking like this:
  * Inserted auth tok with sig [9986ad986f986af7] into the user session keyring
  * Inserted auth tok with sig [76a9f69af69a86fa] into the user session keyring

Next you need to mount the appropriate "

<code>sudo mount -t ecryptfs sdtm ldm</code>

  * sudo, mount, -t, ecryptfs: just copy and paste those; they stay the same.
  * sdtm = source directory to mount
  * ldm = location directory to mount at

I recommend mounting at /

After you have created the directory that you want to mount at, please use the command I showed you above.

<code>sudo mount -t ecryptfs sdtm ldm</code>

An example of putting all of this together would be:
+ | |||
Next you will have an interactive prompt.

  * Passphrase:
  * Selection: aes (use the aes cipher)
  * Selection: 16 (use a 16 byte key)
  * Enable plaintext passthrough:
  * Enable filename encryption: y (This and the following options only apply if you are using filename encryption)
  * Filename Encryption Key (FNEK) Signature:
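The prompt answers above map one-to-one onto mount options, so the whole interactive session can be replaced by one non-interactive mount command. The script below is an added example, not part of the original guide and not code from ecryptfs-utils: it pulls the two signatures out of the output of ''ecryptfs-add-passphrase --fnek'' (the constructed sample repeats the two lines shown earlier) and prints the equivalent ''mount -t ecryptfs'' command. It assumes, as in the sample output, that the first "Inserted auth tok" line carries the data signature and the second the FNEK signature; the option names are those documented for mount.ecryptfs, and the source and mount-point paths in the call at the bottom are placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki page or ecryptfs-utils): build the
# non-interactive equivalent of the interactive mount prompts from the
# output of `ecryptfs-add-passphrase --fnek`.
# Assumption: first "Inserted auth tok" line = data signature, second = FNEK
# signature, as in the page's sample; option names as in mount.ecryptfs.

# Constructed sample, mirroring the two lines the page shows.
SAMPLE_ADD_OUTPUT='Inserted auth tok with sig [9986ad986f986af7] into the user session keyring
Inserted auth tok with sig [76a9f69af69a86fa] into the user session keyring'

# nth_sig N: print the N-th 16-hex-digit signature found on stdin (empty if none).
nth_sig() {
    sed -n 's/.*sig \[\([0-9a-f]\{16\}\)\].*/\1/p' | sed -n "${1}p"
}

# ecryptfs_mount_cmd SRC DST SIG [FNEK_SIG]
# Print the mount command equivalent to the prompt answers in the text:
# aes, 16-byte key, no plaintext passthrough, filename encryption when a
# FNEK signature is given. Without FNEK_SIG only file contents are decrypted
# and the names stay scrambled.
ecryptfs_mount_cmd() {
    src=$1; dst=$2; sig=$3; fnek=$4
    case "$sig" in
        *[!0-9a-f]*|"") echo "bad signature: '$sig'" >&2; return 1 ;;
    esac
    opts="ecryptfs_sig=$sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n"
    [ -n "$fnek" ] && opts="$opts,ecryptfs_fnek_sig=$fnek"
    # ecryptfs_unlink_sigs removes the keys from the session keyring when the
    # directory is unmounted, so the unlocked keys do not outlive the mount.
    opts="$opts,ecryptfs_unlink_sigs"
    echo "sudo mount -t ecryptfs -o $opts $src $dst"
}

# Stand-alone run on the constructed sample; the two paths are placeholders.
sig=$(printf '%s\n' "$SAMPLE_ADD_OUTPUT" | nth_sig 1)
fnek=$(printf '%s\n' "$SAMPLE_ADD_OUTPUT" | nth_sig 2)
ecryptfs_mount_cmd /media/disk/home/.ecryptfs/bob/.Private /mnt/private "$sig" "$fnek"
```

The one option beyond the prompts is ''ecryptfs_unlink_sigs''; it is what keeps the keys from staying in the session keyring after you unmount, which matters on a shared live-CD session.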
+ | |||
If everything worked out correctly you should be able to see everything in /

There are several possible things that can go wrong. I will cover them here.

<code>
Error mounting eCryptfs: [-2] No such file or directory
Check your system logs; visit <
</code>

This is a common error that you get if you pass an invalid directory to the mount command.

It is possible to get the message Mounted eCryptfs and still not be able to see your data. This most likely means that you did not mount "

[[https://

Please check eCryptfs for any other problems.

[[http://
+ | |||
==== Short advanced way ====

As I said, this method is more difficult. If your home directory is on your / root partition, it makes life easier. If you have a separate /home partition, then you need to find both your /home partition and your / root partition. Use Nautilus to mount your Linux partitions, then use these two commands to figure out whether you have a /home partition or not.
<code>
~ $ sudo fdisk -l
~ $ df -h
</code>

Note: The Linux partitions must be mounted or you will not be able to get the information you need.

Here is my output.
+ | |||
<code>
Disk /dev/sda: 100.0 GB, 100030242816 bytes
255 heads, 63 sectors/
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/
I/O size (minimum/
Disk identifier: 0x000c8b89

/
/
/
/
/

~ $ df -h
Filesystem
aufs 1.6G 1.5G 103M 94% /
none 1.6G 280K 1.6G 1% /dev
/
/
none 1.6G 5.3M 1.6G 1% /dev/shm
tmpfs
none 1.6G
none 1.6G
/
/
/
</code>
In my case I have a /home partition and a / root partition. I can tell this by looking at /dev/sda1 and /dev/sda6. If you look at the sudo fdisk -l output you can see that /dev/sda1 and /dev/sda6 are my Linux partitions. If you look at the df -h output you can see that /dev/sda6 is much bigger than /dev/sda1, so I know /dev/sda6 is my /home partition.

If your home directory is on the / root partition, do this. http://
<code>
ubuntu@ubuntu$ sudo mount /dev/sda1 /mnt
ubuntu@ubuntu$ sudo mount -o bind /dev /mnt/dev
ubuntu@ubuntu$ sudo mount -o bind /dev/shm /
ubuntu@ubuntu$ sudo mount -o bind /proc /mnt/proc
ubuntu@ubuntu$ sudo mount -o bind /sys /mnt/sys
ubuntu@ubuntu$ sudo chroot /mnt
root@ubuntu$ su - kirkland
kirkland@ubuntu$ ecryptfs-mount-private
Enter your login passphrase:
Warning: Using default salt value (undefined in ~/
Inserted auth tok with sig [xxx] into the user session keyring
kirkland@ubuntu$ cd $HOME
kirkland@ubuntu$ ls -alF
...
kirkland@ubuntu$ cat .profile
</code>
Here is an example of putting this into action. The attached thread describes what is going on. [[http://
<code>
# Set up chroot :
# Note my install (both home and /) on sda3

ubuntu@ubuntu:
ubuntu@ubuntu:
ubuntu@ubuntu:
ubuntu@ubuntu:
ubuntu@ubuntu:

# As you say, there is no "
ubuntu@ubuntu:
id: bodhi: No such user

# But after we chroot ...
ubuntu@ubuntu:
root@ubuntu:/#
uid=1000(bodhi) gid=1000(bodhi) groups=1000(bodhi),

# su to bodhi
root@ubuntu:/#
keyctl_search:
Perhaps try the interactive '
To run a command as administrator (user "
See "man sudo_root"

# But home is encrypted ...

bodhi@ubuntu:
Access-Your-Private-Data.desktop README.txt

# Decrypt home
bodhi@ubuntu:
Enter your login passphrase:
Inserted auth tok with sig [b0d08471978769db] into the user session keyring

INFO: Your private directory has been mounted.
INFO: To see this change in your current shell:
cd /home/bodhi

# We will not see the data until we cd into the decrypted home
# read the README.txt =)
bodhi@ubuntu:
Access-Your-Private-Data.desktop README.txt

# so cd ...
bodhi@ubuntu:

# Now we can see the decrypted data ...
bodhi@ubuntu:
bin Desktop Downloads Music Public Videos
bzr Documents examples.desktop Pictures Templates zen
</code>
We can access the data, as root, from the live CD (gksu nautilus) at /
+ | |||
If you have a /home partition and a / root partition, do this. I will now assume you know where your /home partition and / root partition are. Mount your / root partition like this, replacing the number with the one for your / root partition.

<code>sudo mount /dev/sda1 /mnt</code>

Mount your /home partition like this, replacing the number with the one for your /home partition.

<code>sudo mount /dev/sda6 /mnt/home</code>

After that, set up your chroot.

<code>
sudo mount -o bind /dev /mnt/dev
sudo mount -o bind /dev/shm/ /
sudo mount -o bind /proc /mnt/proc
sudo mount -o bind /sys /mnt/sys
</code>

Then chroot.

<code>sudo chroot /mnt /bin/bash</code>

su to your username. My username is bob, so I will use bob.

<code>su - bob</code>

Then decrypt home.

<code>ecryptfs-mount-private</code>

An example of this:
<code>
mint@mint ~ $ ls /
bob joe lost+found
mint@mint ~ $ ls /
bin
boot initrd.img
dev
etc
mint@mint ~ $ umount /
mint@mint ~ $ umount /
mint@mint ~ $ sudo mount /dev/sda1 /mnt
mint@mint ~ $ sudo mount /dev/sda6 /mnt/home
mint@mint ~ $ sudo mount -o bind /dev /mnt/dev
mint@mint ~ $ sudo mount -o bind /dev/shm/ /
mint@mint ~ $ sudo mount -o bind /proc /mnt/proc
mint@mint ~ $ sudo mount -o bind /sys /mnt/sys
mint@mint ~ $ sudo chroot /mnt /bin/bash
( Many changes of mind and mood; do not )
( hesitate too long. )
[cowsay figure printed by the chroot shell omitted]
mint / # su - u bob
Unknown id: u
mint / # su - bob
keyctl_search:
Perhaps try the interactive '
( "I don't think you have to go through
( the process of reconfiguring X as I did )
( - that was partly because the )
( frustration made me brain dead."
( )
( Husse Apr 5 2007 )
[cowsay figure omitted]
bob@mint ~ $ ecryptfs-mount-private
Enter your login passphrase:
Error: Unwrapping passphrase and inserting into the user session keyring failed [-5]
Info: Check the system log for more information from libecryptfs
ERROR: Your passphrase is incorrect
Enter your login passphrase:
Error: Unwrapping passphrase and inserting into the user session keyring failed [-5]
Info: Check the system log for more information from libecryptfs
ERROR: Your passphrase is incorrect
Enter your login passphrase:
Inserted auth tok with sig [3bacfa4dde6b90dd] into the user session keyring

INFO: Your private directory has been mounted.
INFO: To see this change in your current shell:
cd /home/bob

bob@mint ~ $ ls -alF
total 32
drwx------ 5 bob bob 4096 2010-09-03 16:18 ./
drwxr-xr-x 8 root root 4096 2010-08-21 18:16 ../
lrwxrwxrwx 1 bob bob 56 2010-05-24 01:55 Access-Your-Private-Data.desktop -> /
-rw------- 1 bob bob 214 2010-09-03 16:18 .bash_history
drwx------ 3 bob bob 4096 2010-07-15 23:29 .cache/
lrwxrwxrwx 1 bob bob 29 2010-05-24 01:55 .ecryptfs -> /
-rw------- 1 bob bob 16 2010-09-03 16:18 .esd_auth
drwx------ 2 bob bob 4096 2010-11-12 15:00 .gconfd/
lrwxrwxrwx 1 bob bob 28 2010-05-24 01:55 .Private -> /
drwx------ 2 bob bob 4096 2010-11-29 21:18 .pulse/
-rw------- 1 bob bob 256 2010-09-03 16:18 .pulse-cookie
lrwxrwxrwx 1 bob bob 52 2010-05-24 01:55 README.txt -> /
bob@mint ~ $ pwd
/home/bob
bob@mint ~ $ cd /home/bob
bob@mint ~ $ ls -alF
total 16672
drwx------ 92 bob bob 28672 2010-12-09 01:12 ./
drwxr-xr-x
-rw-r--r--
-rwxr-xr-x
bob@mint ~ $ pwd
/home/bob
</code>
To access the data, do not exit the chroot. Open a new terminal and run Nautilus as root.

<code>gksu nautilus</code>

You cannot run graphical applications directly from the chroot; you would need to connect to the chroot via VNC or ssh -X.
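As an added example (not the guide's own script, and not part of ecryptfs-utils), here is the short way above put into a script. It adds two checks the walkthrough leaves implicit: the account is looked up in the installed system's /etc/passwd rather than the live CD's (which is why ''id bodhi'' fails before the chroot in the session above), and every bind mount is undone in reverse order afterwards so nothing stays bound into the live CD's /dev or /proc. The device names /dev/sda1 and /dev/sda6 come from the fdisk example above; /mnt and the user name ''bob'' are placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki page or ecryptfs-utils): the live-CD
# chroot procedure with a user check and an ordered teardown.
# Assumed layout, taken from the page's fdisk example: root on /dev/sda1 and
# a separate /home on /dev/sda6; pass no HOME_DEV when /home is on root.

BINDS="dev dev/shm proc sys"   # pseudo-filesystems the session bind-mounts

# mount_plan ROOT_DEV MNT [HOME_DEV]: print the mount commands, one per line,
# in the order they must run (home before the binds, so /mnt/home is the real
# partition). Nothing is executed here.
mount_plan() {
    root=$1; mnt=$2; homedev=$3
    echo "mount $root $mnt"
    [ -n "$homedev" ] && echo "mount $homedev $mnt/home"
    for b in $BINDS; do
        echo "mount -o bind /$b $mnt/$b"
    done
}

# umount_plan MNT [HOME_DEV]: the exact reverse of mount_plan.
umount_plan() {
    mnt=$1; homedev=$2
    rev=
    for b in $BINDS; do rev="$b $rev"; done
    for b in $rev; do echo "umount $mnt/$b"; done
    [ -n "$homedev" ] && echo "umount $mnt/home"
    echo "umount $mnt"
}

# user_in_target MNT USER: 0 if USER exists in the installed system's
# /etc/passwd and its home has an eCryptfs setup; 1 = no such user
# (the "id: bodhi: No such user" seen before chroot); 2 = no ~/.ecryptfs.
# ~/.ecryptfs is normally an absolute symlink, which resolves against the
# live CD's root until you chroot, so a symlink is accepted as well as a dir.
user_in_target() {
    mnt=$1; user=$2
    grep -q "^$user:" "$mnt/etc/passwd" || return 1
    h="$mnt/home/$user"
    [ -d "$h/.ecryptfs" ] || [ -L "$h/.ecryptfs" ] || return 2
    return 0
}

# run_recovery ROOT_DEV MNT USER [HOME_DEV]: execute the plan, drop into a
# shell as USER inside the chroot (run ecryptfs-mount-private there, and
# ecryptfs-umount-private before leaving), then tear the mounts down.
run_recovery() {
    root=$1; mnt=$2; user=$3; homedev=$4
    mount_plan "$root" "$mnt" "$homedev" | while read -r cmd; do
        sudo $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done || return 1
    if user_in_target "$mnt" "$user"; then
        sudo chroot "$mnt" su - "$user"
    else
        echo "no usable account '$user' under $mnt" >&2
    fi
    umount_plan "$mnt" "$homedev" | while read -r cmd; do
        sudo $cmd || echo "still mounted: ${cmd#umount }" >&2
    done
}

# Stand-alone usage (interactive, needs sudo on the live CD):
# run_recovery /dev/sda1 /mnt bob /dev/sda6
```

Run ''ecryptfs-umount-private'' before leaving the chroot shell; otherwise the decrypted mount keeps /mnt/home busy and the teardown reports it as still mounted. The ''.ecryptfs -> /'' entries in the listing above are the absolute symlinks the user check has to tolerate.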
+ | |||
+ | |||
==== How to Remove an Encrypted Private Directory Setup ====

Perhaps an Encrypted Private Directory is not for you. To remove this setup:

  - Ensure that you have moved all relevant data out of your ~/Private directory
  - Unmount your encrypted private directory
  - Make ~/Private writable again
  - Remove ~/Private, ~/.Private, ~/.ecryptfs (Note: THIS IS VERY PERMANENT)
  - Uninstall the utilities
+ | |||
==== Log in with the folder remaining encrypted ====

A possible security problem can crop up when the user logs in and then immediately leaves the computer physically usable by another person. The Private folder is unlocked as soon as the user logs in, so the owner will not have had the chance to lock the folder, and the other person can take control of the computer and access it while the owner is away.

We can stop ecryptfs from unlocking the Private folder on startup by removing the empty file auto-mount, which is located in ~/
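The following script is an added example (not from the guide or from ecryptfs-utils) that ties the Files section above to this one: it reports which of the files exist and whether Private is currently mounted or merely set to auto-mount at the next login, so you can verify that removing auto-mount had the intended effect. It assumes, which the page does not state, that wrapped-passphrase and auto-mount live under ~/.ecryptfs/ and that the mount table has the /proc/mounts layout.

```shell
#!/bin/sh
# Added example (not from the wiki page or ecryptfs-utils): report the state
# of an eCryptfs Private directory without touching the keyring or mounting.
# Assumptions the page does not state: wrapped-passphrase and auto-mount live
# in $HOME/.ecryptfs/, and the mount table has /proc/mounts layout
# ("source mountpoint fstype options dump pass", spaces escaped as \040).

# private_state HOME_DIR [MOUNTS_FILE]: print exactly one word.
#   mounted    - HOME_DIR/Private is an active ecryptfs mount (data readable)
#   auto-mount - not mounted now, but the auto-mount flag file exists, so the
#                next login unlocks it without asking for anything
#   locked     - not mounted and no auto-mount flag
private_state() {
    home=$1
    mounts=${2:-/proc/mounts}
    # Escape spaces the way the kernel does so the mountpoint compares exactly.
    mp=$(printf '%s/Private' "$home" | sed 's/ /\\040/g')
    # Passed via the environment rather than awk -v, which would expand \040.
    if [ -r "$mounts" ] && MP="$mp" awk \
        '$2 == ENVIRON["MP"] && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$mounts"
    then
        echo mounted
    elif [ -e "$home/.ecryptfs/auto-mount" ]; then
        echo auto-mount
    else
        echo locked
    fi
}

# private_report HOME_DIR [MOUNTS_FILE]: human-readable summary of the files
# from the Files section plus the resulting login behaviour.
private_report() {
    home=$1
    mounts=${2:-/proc/mounts}
    for f in .Private Private .ecryptfs/wrapped-passphrase .ecryptfs/auto-mount; do
        if [ -e "$home/$f" ]; then
            echo "present: $home/$f"
        else
            echo "absent:  $home/$f"
        fi
    done
    if [ ! -e "$home/.ecryptfs/wrapped-passphrase" ]; then
        echo "warning: no wrapped-passphrase file; without the recorded mount passphrase the data cannot be recovered"
    fi
    echo "state:   $(private_state "$home" "$mounts")"
}

# Stand-alone usage: inspect the current user's home against the live mount table.
private_report "${HOME:-$PWD}"
```

After deleting auto-mount, ''private_state'' should print ''locked'' once you have rebooted and before you click the mount script; if it still prints ''mounted'' straight after login, the flag file was not the one that was removed.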
+ | |||
For some reason the script fails to ask for a password when you simply log out and in again. You have to reboot the machine, or you will be able to just click on the mount script and the folder is mounted.

To resolve this problem, it is possible to have the script that unmounts the Private folder run at login, so that it cannot be accessed without the password being entered first. To do this:
  - Go to System > Preferences > Startup Applications.
  - Click Add.
  - You can put anything in the Name field, something like Lock Private Folder
  - Click Save and close the Startup Applications window. When you log in, the Private folder will be quickly unmounted before the folder can be accessed.

This is a quick and dirty solution to this problem. If there'
+ | |||
+ | |||