How to create ext4 encrypted partition on Ubuntu 15.04 with new 4.1 kernel?
First off a disclaimer: I've not done this with Ubuntu, but on a machine with Debian "Stretch" installed using a custom Linux 4.2.3 kernel that I enabled EXT4_FS_ENCRYPTION on.
The instructions given by kmeaw don't work for me exactly as posted. A few things were left out (command line parameters and steps).
- Update e2fsprogs as shown above.
- Generate your random salt. I used the following to store it in a "safe place":
head -c 16 /dev/urandom | xxd -p >~/tmp-salt.txt
echo 0x`cat ~/tmp-salt.txt` >~/.cryptoSalt
- In order to use ext4 encryption on the file system, the "encrypt" flag must be set in the super-block. This is not the default when the ext4 file system is created. Using the "tune2fs" utility from e2fsprogs 1.43 or later, set the "encrypt" option:
sudo tune2fs -O encrypt /dev/sda4
Mount or remount the file system so the kernel knows about the change (maybe it's automatic, but I have only done this on a separate partition, so I'm not sure).
- Create a directory on the file system that is mounted with encryption enabled:
sudo mkdir -p /secret/home/$USER
sudo chown $USER:$USER /secret/home/$USER
- Create the key in the keyring and use it to set the policy for the directory to be encrypted (the sudo command is not needed here):
$ /usr/sbin/e4crypt add_key -S s:`cat ~/.cryptoSalt`
Enter passphrase (echo disabled):
Added key with descriptor [0132fed69f946c86]
$ /usr/bin/e4crypt set_policy 0132fed69f946c86 /secret/home/$USER
Key with descriptor [0132fed69f946c86] applies to /secret/home/theuser.
- After each reboot, the add_key command can be used to set the key for decryption of the directory and its descendants:
$ /usr/sbin/e4crypt add_key -S s:`cat ~/.cryptoSalt`
Enter passphrase (echo disabled):
Added key with descriptor [0132fed69f946c86]
Enter the same password used in the previous step, and you don't have to remember the descriptor hex string.
- You can also use add_key directly. This will use a filesystem-specific salt (so all folders under that partition will have the same salt):
$ /usr/sbin/e4crypt add_key /secret/home/$USER
Added key with descriptor [0132fed69f946c86]
Key with descriptor [0132fed69f946c86] applies to /secret/home/theuser.
Linux 4.1 comes with a new Ext4 feature to encrypt directories of a filesystem. Encryption keys are stored in the keyring. To get started, make sure you have enabled the CONFIG_KEYS and CONFIG_EXT4_FS_ENCRYPTION kernel options and you have kernel 4.1 or higher.
First of all, you need to update e2fsprogs to at least version 1.43, which is still WIP at the time of writing, so we need to fetch it from the git repository:
$ git clone git://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git
The e4crypt source has a relevant section disabled; enable it by editing misc/e4crypt.c and removing these two lines near line 714:
printf("arg %s\n", argv[optind]);
exit(0);
Now build and install new e2fsprogs:
$ sudo apt-get install devscripts build-essential gettext texinfo pkg-config debhelper m4
$ debuild
$ sudo dpkg -i e2fsprogs_1.43-WIP_amd64.deb
Check your version now; it should be 1.43-WIP:
# e2fsck -V
e2fsck 1.43-WIP (18-May-2015)
Using EXT2FS Library version 1.43-WIP, 18-May-2015
To work with keys, we need to install the keyutils package:
$ sudo apt-get install keyutils
Let's make a directory that we will encrypt. Encryption policy can be set only on empty directories:
$ sudo mkdir -p /encrypted/dir
First generate a random salt value and store it in a safe place:
$ head -c 16 /dev/random | xxd -p
877282f53bd0adbbef92142fc4cac459
Now generate and add a new key into your keyring. This step should be repeated every time you flush your keychain (reboot):
$ sudo e4crypt -S 0x877282f53bd0adbbef92142fc4cac459
Enter passphrase (echo disabled):
Added key with descriptor [f88747555a6115f5]
Now you know a descriptor for your key. Make sure you have added a key into your keychain:
$ keyctl show
Session Keyring
1021618178 --alswrv 1000 1000 keyring: _ses
176349519 --alsw-v 1000 1000 \_ logon: ext4:f88747555a6115f5
Almost done. Now set an encryption policy for a directory:
$ e4crypt set_policy f88747555a6115f5 /encrypted/dir
That's all. If you try accessing the disk without adding a key into keychain, filenames and their contents will be seen as encrypted gibberish. Be careful running old versions of e2fsck on your filesystem - it will treat encrypted filenames as invalid.
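As an added example that is not part of either answer above: POSIX shell helpers that check the preconditions both answers rely on (e2fsprogs 1.43 or later, the "encrypt" superblock feature, an empty target directory) and parse the e4crypt and keyctl output shown in the answers, so a post-reboot unlock script can confirm the key actually landed in the session keyring instead of assuming it did. The sample strings are constructed from the output formats quoted above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the answers): precondition checks and output parsers
# for the e4crypt workflow.  Sample strings are constructed to match the output
# formats quoted above; the function names are my own.

# Is the "encrypt" feature set in the superblock?  $1 = output of `tune2fs -l <dev>`.
has_encrypt_feature() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "Filesystem features" {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "encrypt") found = 1
        }
        END { exit !found }'
}

# Is e2fsprogs at least 1.43?  $1 = first line of `e2fsck -V`.
e2fsprogs_new_enough() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')   # e.g. 1.43-WIP or 1.42.12
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}                            # drop "-WIP", ".12", ...
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 43 ]; }
}

# set_policy only works on an empty directory; check before calling it.
dir_ready_for_policy() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# Pull the key descriptor out of `e4crypt add_key` output.
key_descriptor() {
    printf '%s\n' "$1" | sed -n 's/.*Added key with descriptor \[\([0-9a-f]*\)].*/\1/p'
}

# Confirm the logon key for that descriptor is really in the session keyring.
# $1 = descriptor, $2 = output of `keyctl show`.
key_in_keyring() {
    printf '%s\n' "$2" | grep -q "logon: ext4:$1\$"
}

# After a reboot: given add_key and keyctl output, print the descriptor only if
# the key is verifiably loaded, so a script fails fast instead of leaving the directory unreadable.
verified_descriptor() {
    desc=$(key_descriptor "$1")
    [ -n "$desc" ] || return 1
    key_in_keyring "$desc" "$2" || return 1
    printf '%s\n' "$desc"
}
```

On a real system, feed `verified_descriptor` the captured output of `e4crypt add_key ...` and `keyctl show`; an empty result means the directory will still read as encrypted gibberish.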