Title: Linux $HOME encryption with ecryptfs | |
Author: Solène | |
Date: 12 March 2023 | |
Tags: linux encryption privacy | |
Description: In this article, you will learn how to encrypt a user home | |
directory, or a single directory using ecryptfs | |
# Introduction | |
In this article, I'd like to share with you about the Linux specific | |
feature ecryptfs, which allows users to have encrypted directories. | |
While disk encryption done with cryptsetup/LUKS is very performant and | |
secure, there are some edge cases in which you may want to use | |
ecryptfs, whether the disk is LUKS encrypted or not. | |
I've been able to identify a few use cases making ecryptfs relevant: | |
* a multi-user system, people want their files to be private (and full | |
disk encryption wouldn't help here) | |
* an encrypted disk on which you want to have an encrypted directory | |
that is only available when needed (preventing a hacked live computer | |
to leak important files) | |
* a non-encrypted disk on which you want to have an encrypted | |
directory/$HOME instead of reinstalling with full disk encryption | |
ecryptfs official website | |
# Full $HOME Encryption | |
In this configuration, you want all the files in the $HOME directory of | |
your user to be encrypted. This works well and especially as it | |
integrates with PAM (the "login manager" in Linux) so it unlocks the | |
files upon login. | |
I tried the following setup on Gentoo Linux, the setup is quite | |
standard for any Linux distribution packaging ecryptfs-utils. | |
## Setup | |
As I don't want to duplicate documentation effort, let me share two | |
links explaining how to set up the home encryption for a user. | |
Gentoo Wiki: Encrypt a home directory with ECryptfs | |
ArchWiki: eCryptfs | |
Both guides are good, they will explain thoroughly how to set up | |
ecryptfs for a user. | |
However, here is a TLDR version: | |
1. install ecryptfs-utils and make sure ecryptfs module is loaded at | |
boot | |
2. modify `/etc/pam.d/system-auth` to add ecryptfs unlocking at login | |
(3 lines are needed, at specific places) | |
3. run `ecryptfs-migrate-home -u $YOUR_USER` as root to convert the | |
user home directory into an encrypted version | |
4. delete the old unencrypted home which should be named after | |
`/home/YOUR_USER.xxxxx` where xxxxx are random characters (make sure | |
you have backups) | |
After those steps, you should be able to log in with your user, `mount` | |
outputs should show a dedicated entry for the home directory. | |
# Private directory encryption | |
In this configuration, you will have ecryptfs encrypting a single | |
directory named `Private` in the home directory. | |
That can be useful if you already have an encrypted disk, but you have | |
very secret files that must be encrypted when you don't need them, this | |
will protect file leak on a compromised running system, except if you | |
unlock the directory while the system is compromised. | |
This can also be used on a thrashable system (like my netbook) that | |
isn't encrypted, but I may want to save a few files there that are | |
private. | |
## Setup | |
That part is really easy: | |
1. install a package named `ecryptfs-utils` (may depend on your | |
distribution) | |
2. run `ecryptfs-setup-private --noautomount` | |
3. Type your login password | |
4. Press enter to use an auto generated mount passphrase (you don't use | |
this one to unlock the directory) | |
5. Done! | |
The mount passphrase is used in addition to the login passphrase to | |
encrypt the files, you may need it if you have to unlock backuped | |
encrypted files, so better save it in your password manager if you make | |
backup of the encrypted files. | |
You can unlock the access to the directory `~/Private` by typing | |
`ecryptfs-mount-private` and type your login password. | |
Congratulations, now you have a local safe for your files! | |
# Performance | |
Ecryptfs was available in older Ubuntu installer releases as an option | |
to encrypt a user home directory without the full disk, it seems it has | |
been abandoned due to performance reasons. | |
I didn't make extensive benchmarks here, but I compared the writing | |
speed of random characters into a file on an unencrypted ext4 | |
partition, and the ecryptfs private directory on the same disk. On the | |
unencrypted directory, it was writing at 535 MB/s while on the ecryptfs | |
it was only writing at 358 MB/s, that's almost 33% slower. However, | |
it's still fast enough for a daily workstation. I didn't measure the | |
time to read or browse many files, but it must be slower. A LUKS | |
encrypted disk should only have a performance penalty of a few percent, | |
so ecryptfs is really not efficient in comparison, but it's still fast | |
enough if you don't do database operation on it. | |
# Security shortcoming | |
There are extra security shortcomings coming with ecryptfs: when using | |
your encrypted files unlocked, they may be copied in swap or in | |
temporary directories, or in cache. | |
If you use the Private encrypted directories, for instance, you should | |
think that most image reader will create a thumbnail in your HOME | |
directory, so pictures in Private may have a local copy that is | |
available outside the encrypted directory. Some text editors may cache | |
a backup file in another directory. | |
If your system is running a bit out of memory, data may be written to | |
the swap file, if it's not encrypted then one may be able to recover | |
files that were opened during that time. There is a command | |
`ecryptfs-setup-swap` from the ecryptfs package which check if the swap | |
files are encrypted, and if not, propose to encrypt them using LUKS. | |
One major source of leakage is the `/tmp/` directory, that may be used | |
by programs to make a temporary copy of an opened file. It may be safe | |
to just use a `tmpfs` filesystem for it. | |
Finally, if you only have a Private directory encrypted, don't forget | |
that if you use a file browser to delete a file, it may end up in a | |
trash directory on the unencrypted filesystem. | |
# Troubleshooting | |
## setreuid: Operation not permitted | |
If you get the error `setreuid: Operation not permitted` when running | |
ecryptfs commands, this mean the ecryptfs binaries aren't using suid | |
bit. On Gentoo, you have to compile `ecryptfs-utils` with the USE | |
suid. | |
# Conclusion | |
Ecryptfs is can be useful in some real life scenarios, and doesn't have | |
much alternative. It's especially user-friendly when used to encrypt | |
the whole home because users don't even have to know about it. | |
Of course, for a private encrypted directory, the most tech-savvy can | |
just create a big raw file and format it in LUKS, and mount it on need, | |
but this mean you will have to manage the disk file as a separate | |
partition with its own size, and scripts to mount/umount the volume, | |
while ecryptfs offers an easy secure alternative with a performance | |
drawback. |