How to use ecryptfs with a non-home directory

You're only looking at the super-easy scripts like ecryptfs-setup-private and ecryptfs-mount-private; they use the more "generic" tools you seem to be looking for: mount.ecryptfs and ecryptfs-add-passphrase. See their man pages for more info.

And the link Rinzwind posted has all the info you need, further down the page under Manual Setup. It's quite long, but the very short version would be:


The "Manual Setup" way (archlinux wiki)

First choose an ALIAS as you like. Throughout this section, ALIAS will be secret. Create the required directories/files:

$ mkdir ~/.secret ~/secret ~/.ecryptfs
$ touch ~/.ecryptfs/secret.conf ~/.ecryptfs/secret.sig

The ~/.secret directory will hold the encrypted data. The ~/secret directory is the mount point where ~/.secret will be mounted as an ecryptfs filesystem.

[Now create the actual mount passphrase (the easy scripts will pick a pseudo-random 32 characters from /dev/urandom), make it a good one]

$ echo "$HOME/.secret $HOME/secret ecryptfs" > ~/.ecryptfs/secret.conf
$ ecryptfs-add-passphrase
Passphrase: 
Inserted auth tok with sig [78c6f0645fe62da0] into the user session keyring

Write the output signature (ecryptfs_sig) from the previous command to ~/.ecryptfs/secret.sig:

$ echo 78c6f0645fe62da0 > ~/.ecryptfs/secret.sig
  • A second passphrase for filename encryption may be used. If you choose so, add it to the keyring:

    $ ecryptfs-add-passphrase
    Passphrase: 
    Inserted auth tok with sig [326a6d3e2a5d444a] into the user session keyring
    

    If you run the command above, append its output signature (ecryptfs_fnek_sig) to ~/.ecryptfs/secret.sig:

    $ echo 326a6d3e2a5d444a >> ~/.ecryptfs/secret.sig
    

Finally, to mount ~/.secret on ~/secret:

$ mount.ecryptfs_private secret

To unmount ~/.secret:

$ umount.ecryptfs_private secret

  • Or you could really get your hands dirty yourself and follow the "Without ecryptfs-utils" directions.

  • Or if you already looked at the easy scripts ecryptfs-setup-private & ecryptfs-mount-private, you might be able to copy those and edit them to point to your preferred directories, with a little bit of skill & patience.

  • Or just store the passphrase(s) yourself somehow (securely, preferably) and do as in the ecryptfs man page's example (must read the man pages):

    The following command will layover mount eCryptfs on /secret with a passphrase
    contained in a file stored on secure media mounted at /mnt/usb/.
    
    mount  -t  ecryptfs -o key=passphrase:passphrase_passwd_file=/mnt/usb/file.txt /secret /secret
    
    Where file.txt contains the contents "passphrase_passwd=[passphrase]".
    

Aside about encrypted home folders and an encrypted folder inside home - nested eCryptfs folders

And, an encrypted home folder normally stores files in /home/.ecryptfs/user/, while an encrypted Private folder has files inside your own home folder. You cannot use both at the same time; eCryptfs will not do nested encrypted folders. But having an encrypted home, and encrypted folders outside of your home, is OK.

  • I just tried creating a new user with an encrypted home: sudo adduser --encrypt-home jack

    It created a /home/.ecryptfs/ folder, with:

    • /home/.ecryptfs/jack/.ecryptfs/ - wrapped passphrase & config files to automount jack's home on login
    • /home/.ecryptfs/jack/.Private/ - actual encrypted home files, mounted to /home/jack/ when logged in.

      And also the /home/jack/ folder, but it contained a link that stays there whether logged in or not:

      /home/jack/.ecryptfs/ -> /home/.ecryptfs/jack/.ecryptfs

    • Next I logged in as jack, but the link was still there, so trying to run ecryptfs-setup-private caused it to look in /home/jack/.ecryptfs/ but really see the existing files in /home/.ecryptfs/jack/.ecryptfs, so it failed to create another password file and failed with ERROR: wrapped-passphrase file already exists, use --force to overwrite.

      Trying the "ALIAS" steps above, using a .secret folder inside the encrypted home failed, with these errors:
      Mount on filesystem of type eCryptfs explicitly disallowed due to known incompatibilities
      Reading sb failed; rc = [-22]

      "Nesting encrypted directories inside of encrypted directories is not supported with eCryptfs. Sorry." - eCryptfs author & maintainer

    • Changing the ALIAS folder to outside of jack's home, trying /tmp/.secret/ & /tmp/secret/, works. BUT if jack logs out the new encrypted folder will stay mounted, so you have to unmount it (umount.ecryptfs_private secret).
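The "Manual Setup" steps and the nesting caveat above, pulled together into one script as an added example. This is not code from the original post, the Arch wiki or the ecryptfs-utils project; the ALIAS name secret, the ~/.ALIAS and ~/ALIAS paths, and all the helper function names are this example's own assumptions. It adds two things the hand-typed steps leave out: it parses the key signature out of the ecryptfs-add-passphrase output instead of retyping it, and it refuses to create the lower directory inside an existing eCryptfs mount, which is the "explicitly disallowed due to known incompatibilities" failure seen above.

```shell
#!/bin/sh
# Added example, not the original post's or ecryptfs-utils' own code.
# Sets up a non-home "Private"-style folder under an ALIAS the way the
# Manual Setup steps do: ~/.ALIAS (ciphertext), ~/ALIAS (mount point),
# ~/.ecryptfs/ALIAS.conf and ~/.ecryptfs/ALIAS.sig, then mounts it with
# mount.ecryptfs_private. Helper names and paths are assumptions.

# Pull the 16-hex-digit signature out of ecryptfs-add-passphrase output:
#   Inserted auth tok with sig [78c6f0645fe62da0] into the user session keyring
# Lines without a signature (e.g. the "Passphrase:" prompt) yield nothing.
sig_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*sig \[\([0-9a-f]\{16\}\)\].*/\1/p' | tail -n 1
}

# 0 if the directory already lives on an eCryptfs mount, 1 otherwise.
# eCryptfs will not mount over itself, so callers use this to bail out
# before writing any config (coreutils `stat -f %T` reports "ecryptfs").
is_on_ecryptfs() {
    [ "$(stat -f -c %T "$1" 2>/dev/null)" = "ecryptfs" ]
}

# Write a passphrase file for the `mount -t ecryptfs` route from the man page
# ("passphrase_passwd=[passphrase]"), readable only by the owner.
write_passwd_file() {
    passwd_path=$1; passphrase=$2
    printf 'passphrase_passwd=%s\n' "$passphrase" > "$passwd_path" || return 1
    chmod 600 "$passwd_path"
}

# $1 alias, $2 lower dir (ciphertext), $3 upper dir (mount point),
# $4 mount passphrase sig, $5 optional filename-encryption (fnek) sig.
# Honours $HOME so the result can be checked in a scratch directory.
write_private_config() {
    alias_name=$1; lower=$2; upper=$3; sig=$4; fnek=${5:-}
    if is_on_ecryptfs "$(dirname "$lower")"; then
        echo "refusing: $lower would sit inside an eCryptfs mount (nesting unsupported)" >&2
        return 1
    fi
    mkdir -p "$lower" "$upper" "$HOME/.ecryptfs" || return 1
    chmod 700 "$lower" "$upper" "$HOME/.ecryptfs"
    printf '%s %s ecryptfs\n' "$lower" "$upper" > "$HOME/.ecryptfs/$alias_name.conf"
    printf '%s\n' "$sig" > "$HOME/.ecryptfs/$alias_name.sig"
    if [ -n "$fnek" ]; then
        printf '%s\n' "$fnek" >> "$HOME/.ecryptfs/$alias_name.sig"
    fi
    chmod 600 "$HOME/.ecryptfs/$alias_name.sig"
}

# Interactive driver: prompt for the mount passphrase (and optionally a second
# one for filenames), record the signatures, then mount via the _private helper.
setup_and_mount() {
    alias_name=${1:-secret}
    echo "Mount passphrase (pick a strong one; it is the real key):"
    sig=$(sig_from_output "$(ecryptfs-add-passphrase 2>&1)")
    [ -n "$sig" ] || { echo "no signature returned by ecryptfs-add-passphrase" >&2; return 1; }
    fnek=
    if [ "${2:-}" = "--fnek" ]; then
        echo "Filename-encryption passphrase:"
        fnek=$(sig_from_output "$(ecryptfs-add-passphrase 2>&1)")
    fi
    write_private_config "$alias_name" "$HOME/.$alias_name" "$HOME/$alias_name" "$sig" "$fnek" || return 1
    mount.ecryptfs_private "$alias_name" || return 1
    echo "$HOME/$alias_name mounted; run: umount.ecryptfs_private $alias_name when done"
}

if [ "${1:-}" = "--run" ]; then
    setup_and_mount "${2:-secret}" "${3:-}"
fi
```

Run it as `sh setup-private.sh --run secret` (add `--fnek` for a separate filename passphrase). Because the script only ever touches `$HOME/.ALIAS` and `$HOME/ALIAS`, using it from inside an encrypted home trips the nesting check; point the lower and upper paths elsewhere, as in the /tmp experiment above, and remember that such a mount outlives the login session.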