Difference between revisions of "Encfs"
m (Reverted edits by Etegohy (Talk) to last revision by PhilippeTeuwen)
Latest revision as of 21:32, 24 November 2010
Install
apt-get install encfs
You'll also need the fuse module:
apt-get install fuse-source fuse-utils
cd /usr/src; tar xjf fuse.tar.bz2
cd linux; make-kpkg --us --uc --revision $REVISION --append-to-version $APPEND modules_image
Note that fuse is already present in recent kernel versions (at least since 2.6.15)
Test:
- Under Debian, the user must be member of the fuse group to have the right to use fuse:
adduser phil fuse
- To load the fuse module automatically:
echo fuse >> /etc/modules
- To mount:
encfs /home/user/crypt-raw /home/user/crypt
The first time, choose "p" for the paranoia settings
- To unmount:
fusermount -u /home/user/crypt
Another cool use of fuse is sshfs (http://shfs.sourceforge.net/; apt-get install sshfs)
For other cool stuff, check http://fuse.sourceforge.net/wiki/index.php/FileSystems, among others the amazing HTTP-FUSE-KNOPPIX (http://unit.aist.go.jp/itri/knoppix/http-fuse/index-en.html)
Note on fusesmb (http://www.ricardis.tudelft.nl/~vincent/fusesmb/): contrary to the use of smbfs, where users are identified as USER/DOMAIN, here ~/.smb/fusesmb.conf must use the username=DOMAIN/USER notation. On big Windows networks I have problems discovering the neighborhood; in that case it is much easier to populate ~/.smb/fusesmb.cache yourself with lines such as /WORKGROUP/COMPUTER/SHARE
Encfs homedir
Personal script
My first attempt was a bash script:
#!/bin/bash
# This script automatically attempts to mount
# an encrypted home directory at login time
#
# Usage: how to set this up for e.g. user <foo>
# Put this script as shell of the user foo in /etc/passwd instead of /bin/bash
# Encrypted data will be under /home/.foo and the mount point will be /home/foo
# Don't forget to put user foo in the group "fuse": adduser foo fuse
#
# Requirements:
# Encfs, module fuse and fuse-utils
#
# Copyright:
# 2005, Philippe Teuwen <phil@teuwen.org>
#
# License:
# This script is under GPLv3 or later
#
# History:
# v0.02
# Change $(whoami) to $USER
# v0.01
# Initial version
#
# TODO:
# Check [xkg]dm login capability
# Abs paths
# Test presence of progs
# Test used only as login
# When using several users with the same UID, only the environment
# variables USER and HOME tell the difference
# So don't use whoami but USER
echo "Welcome $USER, please type your master key :-)"
# Mount the home dir (encfs prompts for the password on the terminal)
/usr/bin/encfs "/home/.$USER" "$HOME"
# Check that the encrypted fs was mounted properly, otherwise exit.
# The trailing space after $HOME makes grep match the whole mount point
# field, so /home/foo does not pass just because /home/foobar is mounted.
/bin/grep -q "^encfs $HOME " /etc/mtab || exit 1
# Required to refresh the home directory
cd "$HOME" || exit 1
# Finally give a bash shell to the user
/bin/bash
# Required to leave the home dir to be able to unmount it
cd /
# Unmount the home dir
/usr/bin/fusermount -u "$HOME"
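A stricter mount check than grepping /etc/mtab with a prefix pattern, added here as an example (it is not part of the original script): it compares the mtab fields exactly and decodes the \040 escape mtab uses for spaces. This matters because a false positive at this point hands the user a shell in the unencrypted mount point directory. The mtab text is passed in as a string so the check runs offline on the constructed sample; the sample mount lines are made up for the example.

```sh
#!/bin/sh
# Added example (not from the original page): an exact-match replacement for
# a `grep "^encfs $HOME" /etc/mtab` style check.  A prefix match would accept
# /home/phil when only /home/philippe is mounted, and the login script would
# then hand the user a shell in the unencrypted directory.

# Constructed sample of /etc/mtab content (the real file has the same layout).
# mtab escapes a space in a path as \040 and a backslash as \134.
SAMPLE_MTAB='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
encfs /home/philippe fuse rw,nosuid,nodev,default_permissions,user=philippe 0 0
encfs /home/test\040user fuse rw,nosuid,nodev,default_permissions,user=test 0 0'

# Decode the octal escapes used inside mtab path fields.
# \040 is decoded first so that an escaped backslash (\134) cannot be
# misread as the start of another escape afterwards.
unescape_mtab() {
    printf '%s\n' "$1" | sed 's/\\040/ /g; s/\\134/\\/g'
}

# is_encfs_mounted MTAB_TEXT DIR
# Succeeds (exit 0) only if DIR is exactly the mount point of an encfs
# fuse mount; a trailing slash on DIR is tolerated.
is_encfs_mounted() {
    target=$2
    [ "$target" = "/" ] || target=${target%/}
    printf '%s\n' "$1" | while IFS=' ' read -r fsname mntpoint fstype rest; do
        [ "$fsname" = "encfs" ] || continue
        [ "$fstype" = "fuse" ] || continue
        if [ "$(unescape_mtab "$mntpoint")" = "$target" ]; then
            echo found
        fi
    done | grep -q found
}

# Demo on the constructed sample: only the two exact mount points pass.
for d in /home/philippe "/home/test user" /home/phil /home/philippe/; do
    if is_encfs_mounted "$SAMPLE_MTAB" "$d"; then
        echo "mounted:     $d"
    else
        echo "not mounted: $d"
    fi
done
```

On a live system, pass "$(cat /proc/mounts)" as the first argument instead of the sample string.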
PAM module
There exists an encfs PAM module (pam_encfs).
My notes for a Debian installation:
cp pam_encfs.so /lib/security

/etc/pam.d/common-auth:
#auth required pam_unix.so nullok_secure
auth sufficient pam_encfs.so
auth required pam_unix.so use_first_pass nullok_secure

/etc/pam.d/common-session:
session required pam_encfs.so
session required pam_unix.so

/etc/security/pam_encfs.conf:
drop_permissions
encfs_default
fuse_default
- /home/encfs - - -

#To add a user with encfs homedir:
adduser testuser (put him in the fuse group if you have one)
mkdir -p /home/encfs/testuser /home/testuser
chown testuser:testuser /home/encfs/testuser /home/testuser
su testuser
encfs /home/encfs/testuser /home/testuser
#*use same password as your login atm*
fusermount -u /home/testuser

#To enable encfs homedir on existing user:
sudo mkdir -p /home/encfs/phil /home/encfs/tmp
sudo chmod 777 /home/encfs/tmp
sudo chown phil:phil /home/encfs/phil
#*use your main password on next part*
encfs /home/encfs/phil /home/encfs/tmp
cd /home/phil
find . -xdev | cpio -pamd /home/encfs/tmp
fusermount -u /home/encfs/tmp
cd /
sudo mv /home/phil /home/phil.BAK
sudo mkdir /home/phil
sudo chown phil:phil /home/phil
sudo rmdir /home/encfs/tmp
#*logout*
Problem after fuse upgrade:
- didn't work anymore.
- I had to enable "user_allow_other" in /etc/fuse.conf
Problems:
- --idle=1 is nice, but how to avoid an unwanted auto-umount while still logged in? (pam_encfs.so should maybe keep a file/dir open)
- if drop_permissions is disabled, root needs explicit write access to the user's home mount point
- if drop_permissions is disabled and --public is disabled, the HOME env var is set by default to / (although it was apparently defined in pam_encfs, since the mount point path was correctly found)
- No directory, logging in with HOME=/
- if drop_permissions disabled and --public enabled, no problem.
- Don't know how to solve that
- specific fuse options added only if generic fuse_default declared
- patch:
--- pam_encfs.c.orig :50:29.000000000 +0200
+++ pam_encfs.c:34:46.000000000 +0200
@@ -427,11 +427,11 @@
arg_pos += buildCmd(arg,arg_pos,path);
arg_pos += buildCmd(arg,arg_pos,targetpath);
- if (strlen(default_fuse_options) > 0) {
- if (strlen(fuse_options) > 0) {
+ if (strlen(default_fuse_options) > 0 && strlen(fuse_options) > 0) {
strcat(fuse_options,",");
}
- strcat(fuse_options,default_fuse_options);
+ strcat(fuse_options,default_fuse_options);
+ if (strlen(fuse_options) > 0) {
arg_pos += buildCmd(arg,arg_pos,"--");
arg_pos += buildCmd(arg,arg_pos,"-o");
arg_pos += buildCmd(arg,arg_pos,fuse_options);
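Review bot: the two strcat calls in the middle of the hunk append a comma and default_fuse_options into fuse_options without checking the remaining capacity of the destination; the module's option buffers are fixed-size (the later hunk declares default_encfs_options as char[USERNAME_MAX]), so a long fuse_default combined with per-user options can overflow. Guard the concatenation against the buffer's declared size before the strcat calls, e.g. `if (strlen(fuse_options) + strlen(default_fuse_options) + 2 > <size of fuse_options>) { /* too long: fail the mount */ }`, or build the string with snprintf. The new `+ if (strlen(fuse_options) > 0) {` around the `--`/`-o` emission is correct: now that the default is merged first, an empty combined string no longer yields a dangling `-o`.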
- if fuse_default or encfs_default is empty, garbage is produced on the call to encfs or fuse
- patch:
@@ -235,13 +235,12 @@
continue;
}
if (strcmp("encfs_default",username) == 0) {
-
- if (!strcmp("-",path) == 0)
+ if (parsed == 2 && !strcmp("-",path) == 0)
strcpy(default_encfs_options,path);
continue;
}
if (strcmp("fuse_default",username) == 0) {
- if (!strcmp("-",path) == 0)
+ if (parsed == 2 && !strcmp("-",path) == 0)
strcpy(default_fuse_options,path);
continue;
}
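Review bot: the unchanged `strcpy(default_encfs_options,path);` and `strcpy(default_fuse_options,path);` lines right after the modified conditions copy a token parsed into a PATH_MAX-sized field into buffers declared as char[USERNAME_MAX] (see the #defines in the later hunk: 256 versus 127), so an over-long encfs_default or fuse_default line in the config file overflows them; bound the copy (strncpy plus explicit NUL termination, or reject the line when strlen(path) is not smaller than the destination size). Separately, `!strcmp("-",path) == 0` parses as `(!strcmp(...)) == 0`, i.e. "path is not -", which is what the new `parsed == 2 &&` guard intends but reads like a precedence bug; `strcmp("-", path) != 0` says the same thing plainly.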
- multiple options not supported for encfs_default
- patch:
@@ -253,6 +252,7 @@
if (strcmp("-",fuse_options) == 0)
strcpy(fuse_options,"");
+ searchAndReplace(default_encfs_options);
searchAndReplace(encfs_options);
if ((strcmp(user,username) == 0) || (strcmp("-",username) == 0)) {
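Review bot: the added `+ searchAndReplace(default_encfs_options);` sits beside the per-line `searchAndReplace(encfs_options);`, so it runs once for every config line parsed rather than once when encfs_default is read; that is only safe if searchAndReplace is idempotent on its buffer. If it is not, move the call to where default_encfs_options is filled (the `strcpy(default_encfs_options,path);` branch in the previous hunk) or to after the parse loop. A one-line comment stating what searchAndReplace substitutes (the motivation given above is "multiple options not supported for encfs_default") would also help the next reader.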
- In some circumstances, fusermount fails while it shouldn't:
testphil@mercure:~$ mount
[...]
encfs on /home/phil type fuse (rw,nosuid,nodev,default_permissions,user=phil)
encfs on /home/testphil type fuse (rw,nosuid,nodev,default_permissions,user=testphil)
testphil@mercure:~$ logout
fusermount: entry for /home/testphil not found in /etc/mtab
phil@mercure:~$ mount
[...]
encfs on /home/phil type fuse (rw,nosuid,nodev,default_permissions,user=phil)
encfs on /home/testphil type fuse (rw,nosuid,nodev,default_permissions,user=testphil)
phil@mercure:~$ sudo su testphil -c "fusermount -u /home/testphil"
* and here it works with exactly the same command*
- /etc/pam_encfs.conf is not the best place
- /usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz tells to have /lib/security/encfs.conf which is awful
- but libpam-modules has e.g. /etc/security/pam_env.conf so we will have /etc/security/pam_encfs.conf
- I should ask Sam Hartman <hartmans at ...> about this incoherence
- patch:
@@ -81,7 +81,7 @@
#define USERNAME_MAX 127
#define PATH_MAX 256
#define BUFSIZE ((USERNAME_MAX +1) + ((PATH_MAX+1) * 2))
-#define CONFIGFILE "/etc/pam_encfs.conf"
+#define CONFIGFILE "/etc/security/pam_encfs.conf"
static void _pam_log ( int err, const char *format, ... );
static char default_encfs_options[USERNAME_MAX];
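Review bot: the CONFIGFILE change itself is fine, but the surrounding context shows `#define PATH_MAX 256`, which redefines the standard PATH_MAX from <limits.h> (4096 on Linux) with a smaller value and triggers a redefinition warning wherever both are visible; rename it to a module-specific macro. The same context declares `static char default_encfs_options[USERNAME_MAX];` (127 bytes) although that buffer receives option strings copied from a PATH_MAX-sized token in the other hunk, so it is sized for a username rather than for the data it holds; size it with PATH_MAX + 1 to match.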
- It looks like the argument allow_root given to fuse is transformed into allow_other when displayed by mount
Problems linked to the absence of locking support:
- encfs or fuse doesn't allow locking, cf similar problem with samba
- Not sure which operation fails, flock() or open with O_EXCL flag.
- with KDE: could not read network connection list /home/.../.DCOPserver_machine__0
- Indeed dcopserver refuses to start (error in locking .ICEauthority)
- Solution: add to ~/.bashrc (or ~/.bash_profile if ~/.bash_profile does not include ~/.bashrc)
- export XAUTHORITY=/tmp/.Xauthority-$USER
- export ICEAUTHORITY=/tmp/.ICEauthority-$USER
- with X: creates multiple ~/.serverauth.1234 with locking failures
- cf bug #469478 (http://bugs.debian.org/469478), hack into startx script
- with unison: error (the error message is not adequate...)
Fatal error: Warning: the archives are locked.
If no other instance of unison is running, the locks should be removed.
Please delete lock files as appropriate and try again.
- Create a soft link from ~/.unison to a dir out of the encfs
- with courier-imap: this doesn't work if Maildir is on encfs
- For read-only IMAP, create a soft link from e.g. /home/user_noencfs/Maildir out of the encfs to ~/Maildir (so your mails will remain encrypted!) and tell courier-imap that your homedir is /home/user_noencfs
- For read-write, this is not possible
Problems with hard links
When using paranoid mode, the default is External IV Chaining: each file's IV is derived from its full path, so it is not possible to have hard links, i.e. 2 different files (and filenames) pointing to the same data.
This is a problem with e.g. gpgsm, which uses link().
Problems with tiger
I get a very similar problem to this guy (http://www.mail-archive.com/tiger-user@nongnu.org/msg00006.html): I always get the following msg
--CONFIG-- [con010c] Filesystem 'fuse' used by 'encfs' is not recognised as a local filesystem
and there is no way to get rid of it via /etc/tiger (except by skipping all "system" tests), so I also had to add to /usr/lib/tiger/systems/Linux/2/gen_mounts a line with
[ "$2" = "encfs" ] && LOCAL=0
but I know next Debian upgrade will silently restore the original (or new) version :-(