Encfs

From YobiWiki
Jump to navigation Jump to search

Install

apt-get install encfs

You'll also need the fuse module: 

apt-get install fuse-source fuse-utils
cd /usr/src; tar xjf fuse.tar.bz2
cd linux; make-kpkg --us --uc --revision $REVISION --append-to-version $APPEND modules_image

Note that fuse is already present in the last kernel versions (at least 2.6.15)

Test:

  • Under Debian, the user must be member of the fuse group to have the right to use fuse:
adduser phil fuse
  • To load automatically the module fuse:
echo fuse >> /etc/modules
  • To mount:
encfs /home/user/crypt-raw /home/user/crypt%%%First time, choose "p" for paranoia settings
  • To unmount:
fusermount -u /home/user/crypt

Another cool use of fuse is sshfs (apt-get install sshfs)
For other cool stuffs, check here, among others the amazing HTTP-FUSE-KNOPPIX
Note on fusesmb: contrary to use of smbfs where users are identified as USER/DOMAIN, here ~/.smb/fusesmb.conf must use username=DOMAIN/USER notation. On big Windows networks, I've problems discovering the neighborhood, in that case it's much easier to populate ~/.smb/fusesmb.cache by yourself with lines such as /WORKGROUP/COMPUTER/SHARE

Encfs homedir

Personal script

My first attempt was a bash script: 

 #!/bin/bash
 
 # This scripts automatically attempts to mount
 # an encrypted home directory at login time
 #
 # Usage: how to setup this for e.g. user <foo>
 # Put this script as shell of the user foo in /etc/passwd instead of /bin/bash
 # Encrypted data will be under /home/.foo and mount point will be /home/foo
 # Don't forget to put user foo in the group "fuse": adduser foo fuse
 #
 # Requirements:
 #   Encfs, module fuse and fuse-utils
 #
 # Copyright:
 #   2005, Philippe Teuwen <phil@teuwen.org>
 #
 # License:
 #   This script is under GPLv3 or later
 #
 # History:
 # v0.02
 #   Change $(whoami) to $(USER)
 # v0.01
 #   Initial version
 #
 # TODO:
 #   Check [xkg]dm login capability
 #   Abs paths
 #   Test presence of progs
 #   Test used only as login
 
 # When using several users with the same UID, only environment
 # variables USER and HOME tell the difference
 # So don't use whoami but USER
 
 echo "Welcome $USER, please type your master key :-)"
 # Mount the home dir
 /usr/bin/encfs /home/.$USER $HOME
 # Check if encrypted fs was mounted properly otherwise exit
 /bin/cat /etc/mtab|/bin/grep -q "^encfs $HOME"||exit 1
 # Required to refresh the home directory
 cd $HOME
 # Finally gives a bash to the user
 /bin/bash
 # Required to exit the home dir to be able to unmount it
 cd /
 # Unmount the home dir
 /usr/bin/fusermount -u $HOME

PAM module

There exists an encfs PAM.
My notes for a Debian installation: 

cp pam_encfs.so /lib/security

/etc/pam.d/common-auth:
#auth    required         pam_unix.so nullok_secure
auth    sufficient      pam_encfs.so
auth    required        pam_unix.so use_first_pass nullok_secure

/etc/pam.d/common-session:
session required        pam_encfs.so
session required        pam_unix.so

/etc/security/pam_encfs.conf:
drop_permissions
encfs_default
fuse_default
- /home/encfs - - -

#To add a user with encfs homedir:
adduser testuser (put him in the fuse group if you have one)
mkdir -p /home/encfs/testuser /home/testuser
chown testuser:testuser /home/encfs/testuser /home/testuser
su testuser
encfs /home/encfs/testuser  /home/testuser
#*use same password as your login atm*
fusermount -u /home/testuser

#To enable encfs homedir on existing user:
sudo mkdir -p /home/encfs/phil /home/encfs/tmp
sudo chmod 777 /home/encfs/tmp
sudo chown phil:phil /home/encfs/phil
#*use your main password on next part*
encfs /home/encfs/phil /home/encfs/tmp
cd /home/phil
find . -xdev | cpio -pamd /home/encfs/tmp
fusermount -u /home/encfs/tmp
cd /
sudo mv /home/phil /home/phil.BAK
sudo mkdir /home/phil
sudo chown phil:phil /home/phil
sudo rmdir /home/encfs/tmp
#*logout*

Problem after fuse upgrade:

  • didn't work anymore.
  • I had to enable "user_allow_other" in /etc/fuse.conf

Problems:

  • --idle=1 is nice but how to avoid unwanted auto umount when still logged? (pam_encfs.so should maybe keep a file/dir open)
  • if drop_permissions disabled, root needs explicit write access to user's home mount point
  • if drop_permissions disabled and --public disabled, HOME env var set by default to / (while it was apparently defined in pam_encfs as mount point path was correctly found)
    • No directory, logging in with HOME=/
    • if drop_permissions disabled and --public enabled, no problem.
    • Don't know how to solve that
  • specific fuse options added only if generic fuse_default declared
    • patch:
 --- pam_encfs.c.orig   :50:29.000000000 +0200
 +++ pam_encfs.c:34:46.000000000 +0200
 @@ -427,11 +427,11 @@
    arg_pos += buildCmd(arg,arg_pos,path);
    arg_pos += buildCmd(arg,arg_pos,targetpath);
 
 -  if (strlen(default_fuse_options) > 0) {
 -    if (strlen(fuse_options) > 0) {
 +  if (strlen(default_fuse_options) > 0 && strlen(fuse_options) > 0) {
        strcat(fuse_options,",");
      }
 -    strcat(fuse_options,default_fuse_options);
 +  strcat(fuse_options,default_fuse_options);
 +  if (strlen(fuse_options) > 0) {
      arg_pos += buildCmd(arg,arg_pos,"--");
      arg_pos += buildCmd(arg,arg_pos,"-o");
      arg_pos += buildCmd(arg,arg_pos,fuse_options);
  • if fuse_default or encfs_default empty, garbage produced on call to encfs or fuse
    • patch:
 @@ -235,13 +235,12 @@
        continue;
      }
      if (strcmp("encfs_default",username) == 0) {
 -
 -      if (!strcmp("-",path) == 0)
 +      if (parsed == 2 && !strcmp("-",path) == 0)
          strcpy(default_encfs_options,path);
        continue;
      }
      if (strcmp("fuse_default",username) == 0) {
 -      if (!strcmp("-",path) == 0)
 +      if (parsed == 2 && !strcmp("-",path) == 0)
          strcpy(default_fuse_options,path);
        continue;
      }
  • multiple options not supported for encfs_default
    • patch:
 @@ -253,6 +252,7 @@
        if (strcmp("-",fuse_options) == 0)
          strcpy(fuse_options,"");
 
 +      searchAndReplace(default_encfs_options);
        searchAndReplace(encfs_options);
 
        if ((strcmp(user,username) == 0) || (strcmp("-",username) == 0)) {
  • On some circumstances, fusermount fails while it shouldn't:
testphil@mercure:~$ mount
[...]
encfs on /home/phil type fuse (rw,nosuid,nodev,default_permissions,user=phil)
encfs on /home/testphil type fuse (rw,nosuid,nodev,default_permissions,user=testphil)
testphil@mercure:~$ logout
fusermount: entry for /home/testphil not found in /etc/mtab
phil@mercure:~$ mount
[...]
encfs on /home/phil type fuse (rw,nosuid,nodev,default_permissions,user=phil)
encfs on /home/testphil type fuse (rw,nosuid,nodev,default_permissions,user=testphil)
phil@mercure:~$ sudo su testphil -c "fusermount -u /home/testphil"
* and here it works with exactly the same command*
  • /etc/pam_encfs.conf is not the best place
    • /usr/share/doc/libpam0g/Debian-PAM-~MiniPolicy.gz tells to have /lib/security/encfs.conf which is awful
    • but libpam-modules has e.g. /etc/security/pam_env.conf so we will have /etc/security/pam_encfs.conf
    • I should ask Sam Hartman <hartmans at ...> about this incoherence
    • patch:
 @@ -81,7 +81,7 @@
  #define USERNAME_MAX           127
  #define PATH_MAX               256
  #define BUFSIZE ((USERNAME_MAX +1) + ((PATH_MAX+1) * 2))
 -#define CONFIGFILE     "/etc/pam_encfs.conf"
 +#define CONFIGFILE     "/etc/security/pam_encfs.conf"
 
  static void _pam_log ( int err, const char *format, ... );
  static char default_encfs_options[USERNAME_MAX];
  • It looks like the argument allow_root given to fuse is transformed into allow_other when displayed by mount

Problems linked to the absence of locking support:

  • encfs or fuse doesn't allow locking, cf similar problem with samba
    • Not sure which operation fails, flock() or open with O_EXCL flag.
  • with KDE: could not read network connection list /home/.../.DCOPserver_machine__0
    • Indeed dcopserver refuses to start (error in locking .ICEauthority)
    • Solution: add to ~/.bashrc (or ~/.bash_profile if ~/.bash_profile does not include ~/.bashrc)
      • export XAUTHORITY=/tmp/.Xauthority-$USER
      • export ICEAUTHORITY=/tmp/.ICEauthority-$USER
  • with X: creates multiple ~/.serverauth.1234 with locking failures
    • cf bug #469478, hack into startx script
  • with unison: error (error message is not adequate...)
    Fatal error: Warning: the archives are locked.
    If no other instance of unison is running, the locks should be removed.
    Please delete lock files as appropriate and try again.
    • Create a soft link from ~/.unison to an dir out of the encfs
  • with courier-imap: this doesn't work if Maildir is on encfs
    • For read-only IMAP, create a soft link from e.g. /home/user_noencfs/Maildir out of the encfs to ~/Maildir (so your mails will remain encrypted!) and tell to courier-imap that your homedir is the /home/user_noencfs
    • For read-write, this is not possible

Problems with hard links

When using paranoid mode, the default is External IV Chaining which means it's not possible to have hard links, i.e. having 2 different files (and filenames) pointing to the same data.
This is a problem with e.g. gpgsm which is using link().

Problems with tiger

I get a very similar problem as this guy: I always get the following msg 

--CONFIG-- [con010c] Filesystem 'fuse' used by 'encfs' is not recognised as a local filesystem

and no way to get rid of it via /etc/tiger (except skipping all "system" tests) so I had also to add to /usr/lib/tiger/systems/Linux/2/gen_mounts a line with 

[ "$2" = "encfs" ] && LOCAL=0

but I know next Debian upgrade will silently restore the original (or new) version :-(

Retrieved from "https://wiki.yobi.be/index.php?title=Encfs&oldid=4166"