ebtrfs/efs

Encryption on top of btrfs (with snapshots), or on top of any other filesystem (without the snapshot feature)

Selected scheme

This solution mounts an ecryptfs filesystem over a btrfs subvolume (or, with efs, over a plain directory). For a volume named <volname>, the layout is:

  • <volname>: ecryptfs mount point (where the decrypted files appear)
  • .<volname>.ecryptfs: btrfs subvolume (or plain directory) holding the encrypted side
  • .<volname>.ecryptfs/root: ecryptfs lower directory (ciphertext and encrypted file names)
  • .<volname>.ecryptfs/sig: signature of the mount key
  • /etc/fstab: entries for encrypted home volumes, mounted at login

Install

wget -q -O ecryptbtrfs_installer.sh https://raw.githubusercontent.com/oszika/ecryptbtrfs/master/installer.sh && chmod u+x ecryptbtrfs_installer.sh && sudo ./ecryptbtrfs_installer.sh; rm ecryptbtrfs_installer.sh

The installer is fetched over the network and run as root, so read it before running the one-liner.

Scripts

  • ebtrfs: ecryptfs over btrfs
  • efs: ecryptfs over any filesystem

With ebtrfs, the encrypted side of each volume is a btrfs subvolume, which is what makes snapshots and sync possible. With efs, a plain directory is used instead, and the snapshot commands are not available.

Create encrypted volume

$ ebtrfs create /volumes/voltest
Create subvolume '/volumes/.voltest.ecryptfs'
[debug]	 Subvolume /volumes/.voltest.ecryptfs created
[debug]	 Mount dir /volumes/voltest created
[debug]	 Ecryptfs root /volumes/.voltest.ecryptfs/root created
Passphrase:
Passphrase: (verify)
[debug]	 Ecryptfs configuration written
[debug]	 User rights setted (user)

Mount/Umount encrypted volume

$ ebtrfs mount /volumes/voltest
$ ebtrfs umount /volumes/voltest

Check encrypted volume

$ echo pouet > /volumes/voltest/pouet

$ ls /volumes/voltest/
/volumes/voltest/pouet

$ ls /volumes/.voltest.ecryptfs/root
ECRYPTFS_FNEK_ENCRYPTED.FWaEAm4HEfHTMUQRparKutvJjA2s-IhrvvEwRlFqpRonsgrxKUmz3XSAf---
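Checking one file by eye does not prove much. The script below is an added example, not part of ebtrfs/efs: it writes a random marker through the mounted volume and then verifies two things in the lower directory, that every entry name is ECRYPTFS_FNEK_ENCRYPTED.* (file-name encryption is actually on) and that the marker does not appear in clear anywhere under the lower root. The function names and the .ebtrfs-check file name are the example's own; the paths assume the layout described above.

```sh
#!/bin/sh
# Added example (not part of ebtrfs/efs): verify that a mounted ecryptfs
# volume really hides file names and contents in its lower directory.
# Assumes the layout from this README: <mount_dir> is the ecryptfs mount,
# <lower_root> is .<volname>.ecryptfs/root.

# Return 0 if every entry in the lower root has an encrypted (FNEK) name.
fnek_names_only() {
    lower="$1"
    for entry in "$lower"/* "$lower"/.[!.]*; do
        [ -e "$entry" ] || continue            # glob matched nothing
        case "$(basename "$entry")" in
            ECRYPTFS_FNEK_ENCRYPTED.*) ;;
            *) echo "plaintext name in lower dir: $entry" >&2; return 1 ;;
        esac
    done
    return 0
}

# Return 0 if the marker string does not occur in clear in any lower file.
no_plaintext_leak() {
    lower="$1"; marker="$2"
    if grep -rqF -- "$marker" "$lower" 2>/dev/null; then
        echo "marker found in clear under $lower" >&2
        return 1
    fi
    return 0
}

# Write a random marker through the mount, run both checks on the lower
# side, remove the marker file again.  Returns 0 only if both checks pass.
check_volume() {
    upper="$1"; lower="$2"
    marker="ebtrfs-check-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s\n' "$marker" > "$upper/.ebtrfs-check" || return 1
    sync
    rc=0
    fnek_names_only "$lower" || rc=1
    no_plaintext_leak "$lower" "$marker" || rc=1
    rm -f "$upper/.ebtrfs-check"
    return $rc
}

# Usage on a mounted volume (as the owning user):
#   check_volume /volumes/voltest /volumes/.voltest.ecryptfs/root && echo OK
```

The grep walks the whole lower tree, so on a large volume the content check takes a while; the name check alone (fnek_names_only) is cheap and is the one that catches a volume created without file-name encryption.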

List encrypted volumes

$ sudo ebtrfs list /
ID 312 gen 4533 parent 5 top level 5 path volumes/voltest

Take snapshot

The first snapshot is named ‘init’; later ones are named with the date and time at which they were taken.

$ ebtrfs snapshot -r /volumes/voltest
Create a readonly snapshot of '/volumes/.voltest.ecryptfs' in '/volumes/.voltest.snaps/.init.ecryptfs'
$ ebtrfs snapshot -r /volumes/voltest
Create a readonly snapshot of '/volumes/.voltest.ecryptfs' in '/volumes/.voltest.snaps/.2017-06-10-16:05:06.ecryptfs'

Sync snapshots

Sync the snapshots of one volume to another location (for example a USB disk). The destination is not a regular volume of its own: it holds the synced snapshot subvolumes, and the volume path is a link to the latest one.

$ ebtrfs sync /volumes/voltest /media/usb/voltest
Syncing /volumes/.voltest.snaps/init
Syncing /volumes/.voltest.snaps/2017-06-11-09:21:17
Syncing /volumes/.voltest.snaps/2017-06-11-09:21:32
Syncing /volumes/.voltest.snaps/2017-06-11-09:21:44
$ sudo btrfs subvolume list /media/usb/voltest
ID 283 gen 105 top level 5 path volumes/voltest
ID 284 gen 96 top level 283 path volumes/voltest/.init.ecryptfs
ID 285 gen 99 top level 283 path volumes/voltest/.2017-06-11-09:21:17.ecryptfs
ID 286 gen 102 top level 283 path volumes/voltest/.2017-06-11-09:21:32.ecryptfs
ID 287 gen 103 top level 283 path volumes/voltest/.2017-06-11-09:21:44.ecryptfs

Create home encrypted volume

The volume is created with sudo, since /home is not writable by the user; ownership is then reset to the current user. The volume is mounted automatically at login, which requires pam_mount to be installed: the command writes the user's pam_mount configuration and adds an /etc/fstab entry.

$ ebtrfs home /home/toto
[info]	 Wrapping ecryptfs password
Passphrase to wrap:
Wrapping passphrase:
Setting user pam conf
[debug]	 Fstab updated

Copy ssh public key on remote volume

The public key has to be present in two places: inside the encrypted home (used once pam_mount has unlocked it at login) and in the plain directory underneath the mount point, which is what sshd reads when the connection arrives and the home is not mounted yet. First, copy the key into the encrypted volume:

ssh-copy-id <dest>

Then, on <dest>, expose the plain directory that sits underneath the ecryptfs mount and bind its .ssh over the live one, so that the next ssh-copy-id writes there. The mount point was left read-only by ebtrfs, hence the chmod. If /home is a separate filesystem, bind /home instead of / (a plain bind mount does not carry nested mounts) and adjust the paths accordingly.

$ ssh <dest>
user@dest> sudo mount --bind / /mnt
user@dest> sudo chmod u+w /mnt/home/<user>
user@dest> mkdir -p /mnt/home/<user>/.ssh
user@dest> sudo mount --bind /mnt/home/<user>/.ssh /home/<user>/.ssh

Copy the key again; this time it lands in the plain directory:

ssh-copy-id <dest>

Don’t forget to undo the temporary mounts once the key is in place. The bind mount was made on /home/<user>/.ssh, so that is what gets unmounted, not the home itself:

user@dest> sudo chmod u-w /mnt/home/<user>
user@dest> sudo umount /home/<user>/.ssh
user@dest> sudo umount /mnt
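The same procedure as a script with the checks the manual version skips, as an added example that is not part of ebtrfs/efs. It is meant to be run as root on <dest> with the public key line as its first argument. Instead of bind-mounting the underlying .ssh over the live one and running ssh-copy-id twice, it writes the key straight into both authorized_keys files; it refuses to continue unless /home/<user> really is an ecryptfs mount (otherwise the "encrypted" copy would be written in clear), binds /home rather than / so it also works when /home is its own filesystem, and uses a trap to restore the read-only bit and unmount even if a step fails. The helper names (is_ecryptfs_mount, has_key, install_key, install_both) are the example's own.

```sh
#!/bin/sh
# Added example, not part of ebtrfs/efs.  Installs one ssh public key into
# both the encrypted home and the plain directory underneath its mount point.
# Assumes the layout produced by "ebtrfs home": /home/<user> is an ecryptfs
# mount and the mount point itself was left read-only for the user.

# True when $1 is the mount point of an ecryptfs filesystem in mount table $2
# (default /proc/self/mounts; the test passes a constructed table instead).
is_ecryptfs_mount() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }' \
        "${2:-/proc/self/mounts}"
}

# True when authorized_keys file $2 already holds exactly the line $1.
has_key() {
    [ -f "$2" ] && grep -qxF -- "$1" "$2"
}

# Append key $1 to $2/.ssh/authorized_keys unless it is already there, with
# the modes sshd's StrictModes requires (no group/world write).
install_key() {
    key="$1"; home="$2"; ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak" || return 1
    has_key "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
}

# Whole procedure.  $1 = public key line, $2 = user, $3 = scratch mount point.
install_both() {
    key="$1"; user="$2"; base="${3:-/mnt}"
    if ! is_ecryptfs_mount "/home/$user"; then
        echo "/home/$user is not an ecryptfs mount; refusing to write a plaintext copy into it" >&2
        return 1
    fi
    install_key "$key" "/home/$user" || return 1        # copy inside the encrypted home
    # Bind /home (not /): a plain bind mount does not carry nested mounts, so
    # $base/$user is the directory underneath the ecryptfs mount either way.
    mkdir -p "$base" && mount --bind /home "$base" || return 1
    # Undo the temporary changes whatever happens next.
    trap 'chmod u-w "$base/$user" 2>/dev/null; umount "$base"' EXIT
    chmod u+w "$base/$user" || return 1                 # mount point was left read-only
    install_key "$key" "$base/$user"                    # plain copy, read by sshd before login
}

# Usage (as root on <dest>):
#   install_both "$(cat /path/to/id_ed25519.pub)" toto
```

The plain copy is exactly the one an attacker with the disk also sees, which is fine for a public key; what must never end up there is a private key or anything else from the user's .ssh, which is why the script writes only authorized_keys and nothing more.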