Fedora Linux Support Community & Resources Center
  #1  
Old 30th August 2012, 09:14 AM
markos Offline
Registered User
 
Join Date: Aug 2012
Location: Slovenia
Posts: 3
Mount Ecryptfs Home at Login

Hello,

I have a new and updated Fedora 17 installation and have successfully encrypted my home with ecryptfs-migrate-home. I can mount my home with ecryptfs-mount-private. However, the encrypted home is not automatically mounted at login, whether via gdm or a tty. Is there anything else that I need to do to have a working ecryptfs home configuration? As seen in some threads, I tried running authconfig --enableecryptfs --updateall, but that didn't help much. Thanks.

Cheers,
Marko
  #2  
Old 30th August 2012, 07:06 PM
Gareth Jones Online
Official Gnome 3 Sales Rep. (and Administrator)
 
Join Date: Jul 2011
Location: Leamington Spa, UK
Age: 30
Posts: 1,847
Re: Mount Ecryptfs Home at Login

There is a PAM module for that. I don't know the details (I gave up on eCryptfs a long time ago), but search the web for "ecryptfs pam login" – there are several guides on-line, so hopefully some of them are relevant to F17.

Personally, I found eCryptfs far too slow for encryption of whole directory hierarchies. It works better if you have a few files in a particular directory you want to keep encrypted. For serious whole-file-system encryption, running a normal file-system on top of an encrypted volume (e.g. LUKS) is faster, less error-prone, and more secure.

In either case, remember to encrypt your swap partitions with LUKS or similar.
  #3  
Old 31st August 2012, 07:43 AM
markos Offline
Registered User
 
Join Date: Aug 2012
Location: Slovenia
Posts: 3
Re: Mount Ecryptfs Home at Login

Further testing showed that if I disable SELinux, login works as expected, so I guess PAM is ok. Though I don't find this trade-off a good solution. Can you give me some clues on where to look for any logs that explain why SELinux interferes with this?

Performance is the reason I wanted to go with ecryptfs. I am working with a slow first-gen Intel Atom, so I was thinking it should be faster if /usr, /bin and similar are not encrypted and only home is. Though I guess I could split up partitions, this is something I try to avoid so as not to waste space. Anyhow, I am now seriously considering encrypting the whole volume.
  #4  
Old 31st August 2012, 01:57 PM
Gareth Jones Online
Official Gnome 3 Sales Rep. (and Administrator)
 
Join Date: Jul 2011
Location: Leamington Spa, UK
Age: 30
Posts: 1,847
Re: Mount Ecryptfs Home at Login

I don't know much about SELinux. Maybe moving the files lost some security contexts? You could try forcing an autorelabel (touch /.autorelabel and reboot).

Yes, it'd be best to avoid encrypting /. The only directories that should really be encrypted are /home, /var and /tmp, and swap.

Your best bet is to have a separate /home partition (and swap of course) – there are several reasons why that's a good idea. If you don't want extra partitions for /var and /tmp, there are several options. I use btrfs with /var and /tmp as subvolumes on the /home partition, but with ext4 that isn't an option. You could symlink them or mount --rbind them though. /tmp can be mounted as a tmpfs instead, which will be default in F18.
  #5  
Old 4th November 2012, 06:53 PM
benposyudkin Offline
Registered User
 
Join Date: Nov 2012
Location: 9 time zones to be, and as space
Posts: 11
Re: Mount Ecryptfs Home at Login

Quote:
Originally Posted by markos
if I disable SELinux, login works as expected, so I guess PAM is ok
1) Yes, it is. Is there a well-known way to fix it gracefully?

2) What would be a good troubleshooting strategy in this case?

There are some sources of info:

Code:
grep -i ecryptfs /var/log/messages
https://bugzilla.redhat.com/show_bug.cgi?id=712048
http://sysphere.org/~anrxc/j/article...tfs/index.html
https://bugzilla.redhat.com/show_bug.cgi?id=487088

It seems the bug with SELinux must already be fixed - appropriate policies were released as updates for Beefy. But the problem still exists.
  #6  
Old 5th November 2012, 09:30 AM
markos Offline
Registered User
 
Join Date: Aug 2012
Location: Slovenia
Posts: 3
Re: Mount Ecryptfs Home at Login

I'm sorry I cannot be of more help. Eventually I gave up and started using dm-crypt instead of ecryptfs.
  #7  
Old 7th November 2012, 11:04 AM
benposyudkin Offline
Registered User
 
Join Date: Nov 2012
Location: 9 time zones to be, and as space
Posts: 11
Re: Mount Ecryptfs Home at Login

I'll try to summarise my experience with Fedora 17 Beefy Miracle LXDE Spin. It will not be a step-by-step how-to, but notes about pivot points on one's way to accessing and auto-mounting previously encrypted home directories, with SELinux armed.

Must be installed:
Code:
sudo yum install ecryptfs-utils cryptsetup
This is the default directory structure:
Code:
/home/userName
/home/.ecryptfs/userName/
Leave it as is. If it is not, use "mount ... -o bind ...". This will successfully do the trick.

Some system setup:
Code:
sudo authconfig --enableecryptfs --updateall
Set up SELinux objects (as root, or sudo):
Code:
restorecon -R -v /home/userName
semanage fcontext -a -e /home /home/.ecryptfs
restorecon -R -v /home/.ecryptfs/userName
setsebool -P use_ecryptfs_home_dirs 1
restorecon -R -v /home
This seems to be sufficient for _auto_ mount of encrypted home directories. On my system there is a bug: after the first GUI login the home directories are mounted; after a subsequent logout-login they may not be mounted. After an unpredictable number of login-logout steps they will be auto-mounted again. A forced logout via 'killall -u userName' seems not to affect this.

There are some other ways to achieve auto-mount, or mounting without being asked directly for a password: editing '/etc/pam.d/system-auth', playing with PAM modules and inserting the key into the keyring at login, inserting some simple mount commands into the login shell's auto-launch file, or editing '/etc/fstab'.

eCryptfs needs access to the user's keys in the keyring. To insert the key and mount/unmount, in the case of manual mounting, do:
Code:
ecryptfs-insert-wrapped-passphrase-into-keyring /home/userName/.ecryptfs/wrapped-passphrase
ecryptfs-mount-private
ecryptfs-umount-private
Some links to useful papers and discussions are in the posts above.
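The two earlier suggestions, grepping the logs (post #5) and the SELinux relabel and boolean steps (post #7), can be tied together in one check. This is an added example, not code from the thread or from the ecryptfs-utils project: it reads eCryptfs-related AVC denials from an audit log and says which of the two SELinux steps each one points at. The log lines are constructed samples, and the type names mount_ecryptfs_t, user_home_dir_t and default_t are assumed to match the Fedora policy.

```shell
#!/bin/sh
# Added example, not code from the thread: pull eCryptfs-related SELinux
# AVC denials out of an audit log and say whether each points at the
# boolean step (setsebool) or the relabel step (restorecon) from post #7.
# Assumes the standard audit.log line format; the log lines are constructed.

# Constructed audit.log excerpt: two eCryptfs denials, two unrelated lines.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1346394120.321:77): avc:  denied  { mounton } for  pid=1402 comm="mount.ecryptfs" path="/home/userName" dev="sda3" ino=131073 scontext=system_u:system_r:mount_ecryptfs_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1346394120.325:78): avc:  denied  { read } for  pid=1402 comm="mount.ecryptfs" name="wrapped-passphrase" dev="sda3" ino=131090 scontext=system_u:system_r:mount_ecryptfs_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1346394121.000:79): avc:  denied  { write } for  pid=900 comm="cupsd" name="printers.conf" dev="sda3" ino=2211 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=USER_LOGIN msg=audit(1346394121.500:80): pid=1390 uid=0 auid=1000 ses=3 msg='op=login acct="userName" exe="/usr/libexec/gdm-session-worker" terminal=:0 res=success'
EOF
}

# One "permission|process|target_type|class" line per eCryptfs denial.
ecryptfs_denials() {
    grep 'avc: *denied' "$1" | grep -i ecryptfs |
    sed -n 's/.*denied *{ \([^}]*\) }.*comm="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\1|\2|\3|\4/p'
}

# Heuristic: map one denial line to the remediation step to try first.
# A target with no proper home label means the migrated files need relabelling;
# a refused mount onto a correctly labelled home dir means the boolean is off.
suggest_fix() {
    case "$1" in
        *"|default_t|"*|*"|unlabeled_t|"*)
            echo "relabel: restorecon -R -v /home /home/.ecryptfs" ;;
        "mounton|"*"|dir")
            echo "boolean: setsebool -P use_ecryptfs_home_dirs 1" ;;
        *)  echo "inspect: read the denial with audit2allow -w" ;;
    esac
}

# Print each denial with its suggested fix; uses the constructed log when
# no file is given, otherwise e.g. report /var/log/audit/audit.log
report() {
    log=${1:-$(mktemp)}
    [ -n "$1" ] || sample_log > "$log"
    ecryptfs_denials "$log" | while IFS= read -r d; do
        echo "$d -> $(suggest_fix "$d")"
    done
    [ -n "$1" ] || rm -f "$log"
}

report "$@"
```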

Tags
ecryptfs, home, login, mount
