Encfs: Difference between revisions

Install

apt-get install encfs

You'll also need the fuse module:

apt-get install fuse-source fuse-utils
cd /usr/src; tar xjf fuse.tar.bz2
cd linux; make-kpkg --us --uc --revision $REVISION --append-to-version $APPEND modules_image

Note that fuse is already present in the last kernel versions (at least 2.6.15)

Test:

• Under Debian, the user must be member of the fuse group to have the right to use fuse:

adduser phil fuse

• To load automatically the module fuse:

echo fuse >> /etc/modules

• To mount:

encfs /home/user/crypt-raw /home/user/crypt%%%First time, choose "p" for paranoia settings

• To unmount:

fusermount -u /home/user/crypt

Another cool use of fuse is sshfs (apt-get install sshfs)
For other cool stuffs, check here, among others the amazing HTTP-FUSE-KNOPPIX
Note on fusesmb: contrary to use of smbfs where users are identified as USER/DOMAIN, here ~/.smb/fusesmb.conf must use username=DOMAIN/USER notation. On big Windows networks, I've problems discovering the neighborhood, in that case it's much easier to populate ~/.smb/fusesmb.cache by yourself with lines such as /WORKGROUP/COMPUTER/SHARE

Encfs homedir

Personal script

My first attempt was a bash script:

#!/bin/bash

# This scripts automatically attempts to mount
# an encrypted home directory at login time
#
# Usage: how to setup this for e.g. user <foo>
# Put this script as shell of the user foo in /etc/passwd instead of /bin/bash
# Encrypted data will be under /home/.foo and mount point will be /home/foo
# Don't forget to put user foo in the group "fuse": adduser foo fuse
#
# Requirements:
#   Encfs, module fuse and fuse-utils
#
# Copyright:
#   2005, Philippe Teuwen <phil@teuwen.org>
#
# License:
#   This script is under GPLv3 or later
#
# History:
# v0.02
#   Change $(whoami) to $(USER)
# v0.01
#   Initial version
#
# TODO:
#   Check [xkg]dm login capability
#   Abs paths
#   Test presence of progs
#   Test used only as login

# When using several users with the same UID, only environment
# variables USER and HOME tell the difference
# So don't use whoami but USER

echo "Welcome $USER, please type your master key :-)"
# Mount the home dir
/usr/bin/encfs /home/.$USER $HOME
# Check if encrypted fs was mounted properly otherwise exit
/bin/cat /etc/mtab|/bin/grep -q "^encfs $HOME"||exit 1
# Required to refresh the home directory
cd $HOME
# Finally gives a bash to the user
/bin/bash
# Required to exit the home dir to be able to unmount it
cd /
# Unmount the home dir
/usr/bin/fusermount -u $HOME

PAM module

There exists an encfs PAM.
My notes for a Debian installation:

cp pam_encfs.so /lib/security

/etc/pam.d/common-auth:
#auth    required         pam_unix.so nullok_secure
auth    sufficient      pam_encfs.so
auth    required        pam_unix.so use_first_pass nullok_secure

/etc/pam.d/common-session:
session required        pam_encfs.so
session required        pam_unix.so

/etc/security/pam_encfs.conf:
drop_permissions
encfs_default
fuse_default
- /home/encfs - - -

#To add a user with encfs homedir:
adduser testuser (put him in the fuse group if you have one)
mkdir -p /home/encfs/testuser /home/testuser
chown testuser:testuser /home/encfs/testuser /home/testuser
su testuser
encfs /home/encfs/testuser  /home/testuser
#*use same password as your login atm*
fusermount -u /home/testuser

#To enable encfs homedir on existing user:
sudo mkdir -p /home/encfs/phil /home/encfs/tmp
sudo chmod 777 /home/encfs/tmp
sudo chown phil:phil /home/encfs/phil
#*use your main password on next part*
encfs /home/encfs/phil /home/encfs/tmp
cd /home/phil
find . -xdev | cpio -pamd /home/encfs/tmp
fusermount -u /home/encfs/tmp
cd /
sudo mv /home/phil /home/phil.BAK
sudo mkdir /home/phil
sudo chown phil:phil /home/phil
sudo rmdir /home/encfs/tmp
#*logout*

Problem after fuse upgrade:

• didn't work anymore.
• I had to enable "user_allow_other" in /etc/fuse.conf

Problems:

• --idle=1 is nice but how to avoid unwanted auto umount when still logged? (pam_encfs.so should maybe keep a file/dir open)
• if drop_permissions disabled, root needs explicit write access to user's home mount point
• if drop_permissions disabled and --public disabled, HOME env var set by default to / (while it was apparently defined in pam_encfs as mount point path was correctly found)
  • No directory, logging in with HOME=/
  • if drop_permissions disabled and --public enabled, no problem.
  • Don't know how to solve that
• specific fuse options added only if generic fuse_default declared
  • patch:

--- pam_encfs.c.orig   :50:29.000000000 +0200
+++ pam_encfs.c:34:46.000000000 +0200
@@ -427,11 +427,11 @@
   arg_pos += buildCmd(arg,arg_pos,path);
   arg_pos += buildCmd(arg,arg_pos,targetpath);

-  if (strlen(default_fuse_options) > 0) {
-    if (strlen(fuse_options) > 0) {
+  if (strlen(default_fuse_options) > 0 && strlen(fuse_options) > 0) {
       strcat(fuse_options,",");
     }
-    strcat(fuse_options,default_fuse_options);
+  strcat(fuse_options,default_fuse_options);
+  if (strlen(fuse_options) > 0) {
     arg_pos += buildCmd(arg,arg_pos,"--");
     arg_pos += buildCmd(arg,arg_pos,"-o");
     arg_pos += buildCmd(arg,arg_pos,fuse_options);

• if fuse_default or encfs_default empty, garbage produced on call to encfs or fuse
  • patch:

@@ -235,13 +235,12 @@
       continue;
     }
     if (strcmp("encfs_default",username) == 0) {
-
-      if (!strcmp("-",path) == 0)
+      if (parsed == 2 && !strcmp("-",path) == 0)
         strcpy(default_encfs_options,path);
       continue;
     }
     if (strcmp("fuse_default",username) == 0) {
-      if (!strcmp("-",path) == 0)
+      if (parsed == 2 && !strcmp("-",path) == 0)
         strcpy(default_fuse_options,path);
       continue;
     }

• multiple options not supported for encfs_default
  • patch:

@@ -253,6 +252,7 @@
       if (strcmp("-",fuse_options) == 0)
         strcpy(fuse_options,"");

+      searchAndReplace(default_encfs_options);
       searchAndReplace(encfs_options);

       if ((strcmp(user,username) == 0) || (strcmp("-",username) == 0)) {

• On some circumstances, fusermount fails while it shouldn't:

testphil@mercure:~$ mount
[...]
encfs on /home/phil type fuse (rw,nosuid,nodev,default_permissions,user=phil)
encfs on /home/testphil type fuse (rw,nosuid,nodev,default_permissions,user=testphil)
testphil@mercure:~$ logout
fusermount: entry for /home/testphil not found in /etc/mtab
phil@mercure:~$ mount
[...]
encfs on /home/phil type fuse (rw,nosuid,nodev,default_permissions,user=phil)
encfs on /home/testphil type fuse (rw,nosuid,nodev,default_permissions,user=testphil)
phil@mercure:~$ sudo su testphil -c "fusermount -u /home/testphil"
* and here it works with exactly the same command*

• /etc/pam_encfs.conf is not the best place
  • /usr/share/doc/libpam0g/Debian-PAM-~MiniPolicy.gz tells to have /lib/security/encfs.conf which is awful
  • but libpam-modules has e.g. /etc/security/pam_env.conf so we will have /etc/security/pam_encfs.conf
  • I should ask Sam Hartman <hartmans at ...> about this incoherence
  • patch:

@@ -81,7 +81,7 @@
 #define USERNAME_MAX           127
 #define PATH_MAX               256
 #define BUFSIZE ((USERNAME_MAX +1) + ((PATH_MAX+1) * 2))
-#define CONFIGFILE     "/etc/pam_encfs.conf"
+#define CONFIGFILE     "/etc/security/pam_encfs.conf"

 static void _pam_log ( int err, const char *format, ... );
 static char default_encfs_options[USERNAME_MAX];

• It looks like the argument allow_root given to fuse is transformed into allow_other when displayed by mount

Problems linked to the absence of locking support:

• encfs or fuse doesn't allow locking, cf similar problem with samba
  • Not sure which operation fails, flock() or open with O_EXCL flag.
• with KDE: could not read network connection list /home/.../.DCOPserver_machine__0
  • Indeed dcopserver refuses to start (error in locking .ICEauthority)
  • Solution: add to ~/.bashrc (or ~/.bash_profile if ~/.bash_profile does not include ~/.bashrc)
    • export XAUTHORITY=/tmp/.Xauthority-$USER
    • export ICEAUTHORITY=/tmp/.ICEauthority-$USER
• with X: creates multiple ~/.serverauth.1234 with locking failures
  • cf bug #469478, hack into startx script
• with unison: error (error message is not adequate...)
  Fatal error: Warning: the archives are locked.
  If no other instance of unison is running, the locks should be removed.
  Please delete lock files as appropriate and try again.
  • Create a soft link from ~/.unison to an dir out of the encfs
• with courier-imap: this doesn't work if Maildir is on encfs
  • For read-only IMAP, create a soft link from e.g. /home/user_noencfs/Maildir out of the encfs to ~/Maildir (so your mails will remain encrypted!) and tell to courier-imap that your homedir is the /home/user_noencfs
  • For read-write, this is not possible

Problems with hard links

When using paranoid mode, the default is External IV Chaining which means it's not possible to have hard links, i.e. having 2 different files (and filenames) pointing to the same data.
This is a problem with e.g. gpgsm which is using link().

Problems with tiger

I get a very similar problem as this guy: I always get the following msg

--CONFIG-- [con010c] Filesystem 'fuse' used by 'encfs' is not recognised as a local filesystem

and no way to get rid of it via /etc/tiger (except skipping all "system" tests) so I had also to add to /usr/lib/tiger/systems/Linux/2/gen_mounts a line with

[ "$2" = "encfs" ] && LOCAL=0

but I know next Debian upgrade will silently restore the original (or new) version :-(