How to create ext4 encrypted partition on Ubuntu 15.04 with new 4.1 kernel?

First off, a disclaimer: I've not done this with Ubuntu, but on a machine with Debian "Stretch" installed using a custom Linux 4.2.3 kernel that I enabled EXT4_FS_ENCRYPTION on.

The instructions given by kmeaw don't work for me exactly as posted. A few things were left out (command line parameters and steps).

  • Update e2fsprogs as shown above
  • Generate your random salt. I used the following to store it in a "safe place":

    head -c 16 /dev/urandom | xxd -p >~/tmp-salt.txt
    echo 0x`cat ~/tmp-salt.txt` >~/.cryptoSalt
    
  • In order to use ext4 encryption on the file system, the "encrypt" flag must be set in the super-block. This is not the default when the ext4 file system is created. Using the "tune2fs" utility from e2fsprogs 1.43 or later, set the "encrypt" option:

    sudo tune2fs -O encrypt /dev/sda4
    
  • Mount or remount the file system so the kernel knows about the change (maybe it's automatic, but I have only done this on a separate partition, so I'm not sure.)

  • Create a directory on the file system that is mounted with encryption enabled:

    sudo mkdir -p /secret/home/$USER
    sudo chown $USER:$USER /secret/home/$USER
    
  • Create the key in the keyring and use it to set the policy for the directory to be encrypted (the sudo command is not needed here):

    $ /usr/sbin/e4crypt add_key -S s:`cat ~/.cryptoSalt`
    Enter passphrase (echo disabled):
    Added key with descriptor [0132fed69f946c86]
    $ /usr/bin/e4crypt set_policy 0132fed69f946c86 /secret/home/$USER
    Key with descriptor [0132fed69f946c86] applies to /secret/home/theuser.
    
  • After each reboot, the add_key command can be used to set the key for decryption of the directory and its descendants:

    $ /usr/sbin/e4crypt add_key -S s:`cat ~/.cryptoSalt`
    Enter passphrase (echo disabled):
    Added key with descriptor [0132fed69f946c86]
    

    Enter the same password used in the previous step, and you don't have to remember the descriptor hex string.

  • You can also use add_key directly. This will use a filesystem-specific salt (so all folders under that partition will have the same salt):

    $ /usr/sbin/e4crypt add_key /secret/home/$USER
    Added key with descriptor [0132fed69f946c86]
    Key with descriptor [0132fed69f946c86] applies to /secret/home/theuser.
    

Linux 4.1 comes with a new Ext4 feature to encrypt directories of a filesystem. Encryption keys are stored in the keyring. To get started, make sure you have enabled CONFIG_KEYS and CONFIG_EXT4_FS_ENCRYPTION kernel options and you have kernel 4.1 or higher.

First of all, you need to update e2fsprogs to at least version 1.43, which is still WIP at the time of writing, so we need to fetch it from the git repository:

$ git clone git://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git

The e4crypt source has a relevant section disabled; enable it by editing misc/e4crypt.c and removing these two lines near line 714:

    printf("arg %s\n", argv[optind]);
    exit(0);

Now build and install new e2fsprogs:

$ sudo apt-get install devscripts build-essential gettext texinfo pkg-config debhelper m4
$ debuild
$ sudo dpkg -i e2fsprogs_1.43-WIP_amd64.deb

Check your version now; it should be 1.43-WIP:

# e2fsck -V
e2fsck 1.43-WIP (18-May-2015)
        Using EXT2FS Library version 1.43-WIP, 18-May-2015

To work with keys, we need to install the keyutils package:

$ sudo apt-get install keyutils

Let's make a directory that we will encrypt. Encryption policy can be set only on empty directories:

$ sudo mkdir -p /encrypted/dir

First generate a random salt value and store it in a safe place:

$ head -c 16 /dev/random | xxd -p
877282f53bd0adbbef92142fc4cac459

Now generate and add a new key into your keyring. This step should be repeated every time you flush your keychain (reboot):

$ sudo e4crypt -S 0x877282f53bd0adbbef92142fc4cac459
Enter passphrase (echo disabled): 
Added key with descriptor [f88747555a6115f5]

Now you know a descriptor for your key. Make sure you have added a key into your keychain:

$ keyctl show
Session Keyring
1021618178 --alswrv   1000  1000  keyring: _ses
 176349519 --alsw-v   1000  1000   \_ logon: ext4:f88747555a6115f5

Almost done. Now set an encryption policy for a directory:

$ e4crypt set_policy f88747555a6115f5 /encrypted/dir

That's all. If you try accessing the disk without adding a key into keychain, filenames and their contents will be seen as encrypted gibberish. Be careful running old versions of e2fsck on your filesystem - it will treat encrypted filenames as invalid.
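Both answers above walk through the same sequence (store a salt, add_key, set_policy, confirm with keyctl). What follows is an added example and not code from either answer or from e2fsprogs: a POSIX shell helper that wraps those steps and adds the checks a practitioner wants before touching the directory: that the stored salt has the expected shape, that the superblock really carries the "encrypt" feature, that the descriptor is taken from add_key's own output instead of being retyped, and that keyctl confirms the key landed in the session keyring. The salt file location (~/.cryptoSalt) and the `s:` salt form follow the first answer; the function names, the SALT_FILE variable and the sample command outputs embedded in the block are my own constructions.

```shell
#!/bin/sh
# Added example helper, not code from either answer nor from e2fsprogs.
# Assumptions (mine, not the answers'): the salt lives in $SALT_FILE, the
# target directory sits on a filesystem whose superblock already has the
# "encrypt" feature, and e4crypt/keyctl from the answers are on PATH.

SALT_FILE="${SALT_FILE:-$HOME/.cryptoSalt}"

# Constructed sample outputs (shaped like the answers' sessions) so the pure
# parsing helpers below can be exercised without a real encrypted filesystem.
SAMPLE_TUNE2FS_OUTPUT='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr dir_index filetype extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum encrypt'
SAMPLE_ADD_KEY_OUTPUT='Enter passphrase (echo disabled):
Added key with descriptor [0132fed69f946c86]'
SAMPLE_KEYCTL_OUTPUT='Session Keyring
1021618178 --alswrv   1000  1000  keyring: _ses
 176349519 --alsw-v   1000  1000   \_ logon: ext4:0132fed69f946c86'

# Write a fresh 16-byte salt as 0x<32 hex digits>, the form the first answer
# stores in ~/.cryptoSalt. Refuses to overwrite: losing or changing the salt
# makes every key derived from the passphrase unrecoverable.
make_salt() {
    if [ -e "$SALT_FILE" ]; then
        echo "refusing to overwrite existing salt $SALT_FILE" >&2
        return 1
    fi
    ( umask 077
      printf '0x%s\n' "$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')" > "$SALT_FILE" )
}

# True if the argument has the expected 0x + 32 hex digit shape.
valid_salt() {
    printf '%s' "$1" | grep -Eq '^0x[0-9a-fA-F]{32}$'
}

# Reads `tune2fs -l` output on stdin; true if the superblock lists "encrypt".
# set_policy cannot work on a filesystem without it, so check first.
has_encrypt_feature() {
    grep '^Filesystem features:' | grep -qw encrypt
}

# Pull the descriptor out of e4crypt add_key output so nobody has to copy the
# hex string by hand (prints nothing if the line is absent).
descriptor_from_output() {
    sed -n 's/.*Added key with descriptor \[\([0-9a-f]*\)\].*/\1/p' | head -n 1
}

# Reads `keyctl show` output on stdin; true if a logon key for the given
# descriptor is present (the second answer's sanity check).
key_in_keyring() {
    grep -q "logon: ext4:$1"
}

# Add the key from the passphrase and apply the policy to DIR, with the checks
# above. Optional DEVICE triggers the superblock feature check (tune2fs -l
# usually needs root to read the device).
setup_dir() {
    dir="$1"; dev="${2:-}"
    salt=$(cat "$SALT_FILE") || return 1
    valid_salt "$salt" || { echo "malformed salt in $SALT_FILE" >&2; return 1; }
    if [ -n "$dev" ]; then
        tune2fs -l "$dev" | has_encrypt_feature \
            || { echo "$dev lacks the encrypt feature; run tune2fs -O encrypt first" >&2; return 1; }
    fi
    # Same -S form as the first answer: s: prefix plus the stored 0x... value.
    desc=$(e4crypt add_key -S "s:$salt" | tee /dev/stderr | descriptor_from_output)
    [ -n "$desc" ] || { echo "add_key printed no descriptor" >&2; return 1; }
    keyctl show | key_in_keyring "$desc" \
        || { echo "key $desc missing from session keyring" >&2; return 1; }
    e4crypt set_policy "$desc" "$dir"
}

# Usage: ./ext4enc.sh make-salt
#        ./ext4enc.sh setup /secret/home/$USER [/dev/sda4]
case "${1:-}" in
    make-salt) make_salt ;;
    setup)     setup_dir "$2" "$3" ;;
esac
```

Run `make-salt` once as the user, have root run `tune2fs -O encrypt` on the device as in the answers, then run `setup` as the directory's owner (not under sudo, as the first answer notes) so the key lands in that user's session keyring. The salt is produced with `od` rather than `xxd` so the script does not depend on vim's xxd being installed; the output format is the same `0x...` string.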