Simple encrypted directories with ecryptfs

The default ecryptfs-private settings aren't quite what I want; they mount automatically on login and invoke some kind of system-magic I don't understand to hide the encrypted files. Turns out that setting up encrypted directories is pretty darn easy, once you dig through enough of the man pages.

Pick a directory

mkdir ~/private
chmod 700 ~/private

Add the mount command to sudoers for passwordless mounts

# Cmnd alias specification
Cmnd_Alias MOUNTPRIVATE = /bin/mount /path/to/private /path/to/private -t \
ecryptfs -o key\=passphrase\,ecryptfs_cipher\=aes\,ecryptfs_key_bytes\=24\,\
ecryptfs_passthrough\=no\,ecryptfs_enable_filename_crypto\=yes\,\
no_sig_cache\=yes
Cmnd_Alias UMOUNTPRIVATE = /bin/umount /path/to/private

# Your username goes here, obviously
aphyr ALL=(ALL) NOPASSWD:MOUNTPRIVATE, UMOUNTPRIVATE

Set up that mount command in .bash_aliases

alias mount_private="sudo mount ~/private ~/private -t \
ecryptfs -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=24,\
ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,\
no_sig_cache=yes"
alias umount_private="sudo umount ~/private"

Then just run mount_private and enter a passphrase of your choice. You can unmount the directory with umount_private. Drop that in your with zenity, unmount it before activating the screensaver, whatever floats your boat.
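
Because the encrypted store and the mount point are the same path, a failed or forgotten mount leaves ~/private looking like an ordinary directory, and anything saved there is written to disk unencrypted. The check below is an added example, not part of the original post: it reads a /proc/mounts-format table and confirms the directory is an ecryptfs mount with the cipher, key size and filename encryption chosen above. The function names, the /home/aphyr paths and the sample mount lines are constructed for illustration.

```sh
# check_private_mount DIR  (mount table in /proc/mounts format on stdin)
# Exit status: 0 = ecryptfs mount with the options used in this post,
#              1 = DIR is not an ecryptfs mount (writes would be plaintext),
#              2 = ecryptfs, but cipher, key size or filename crypto differ.
check_private_mount() (
    dir=$1
    status=1
    # Fields: source target fstype options dump pass. Paths containing
    # spaces appear as \040 in /proc/mounts and are not decoded here.
    while read -r _src target fstype opts _rest; do
        [ "$target" = "$dir" ] || continue
        # Later entries sit on top of earlier ones, so the last match wins.
        if [ "$fstype" != ecryptfs ]; then
            status=1
            continue
        fi
        status=0
        case ",$opts," in *,ecryptfs_cipher=aes,*) ;; *) status=2 ;; esac
        case ",$opts," in *,ecryptfs_key_bytes=24,*) ;; *) status=2 ;; esac
        # Filename encryption shows up as a filename-key signature option.
        case ",$opts," in *,ecryptfs_fnek_sig=*) ;; *) status=2 ;; esac
    done
    exit "$status"
)

# Constructed sample table (signatures are made-up placeholders).
constructed_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/home/aphyr/private /home/aphyr/private ecryptfs rw,relatime,ecryptfs_fnek_sig=0011223344556677,ecryptfs_sig=0011223344556677,ecryptfs_cipher=aes,ecryptfs_key_bytes=24,ecryptfs_unlink_sigs 0 0
/home/aphyr/weak /home/aphyr/weak ecryptfs rw,relatime,ecryptfs_sig=8899aabbccddeeff,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
}

# Demo on the constructed table; on a real system use: < /proc/mounts
constructed_mounts | check_private_mount /home/aphyr/private \
    && echo "private: encrypted mount present"
```

On a live system, run check_private_mount "$HOME/private" < /proc/mounts before any script writes into the directory, and refuse to continue on a non-zero status.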

I'm not sure how to tell ecryptfs to use a sig cache other than the one in root's homedir, or how to allow mounting as the regular user without abusing suid. If anyone has suggestions...


Copyright © 2018 Kyle Kingsbury.
Non-commercial re-use with attribution encouraged; all other rights reserved.
Comments are the property of respective posters.