There are typically two ways to encrypt files on a Linux machine: the first way is to create an encrypted block device which is roughly like a container, the second way is to use a pass through file system encryption, meaning that you have a transparent encryption layer and encrypt file by file on the fly. Both have benefits and downsides, for more information read this comparison.
This howto deals with the second technique using EncFS.
The next step is to integrate encryptinon techniques into the GUIs – and on Linux there are hardly any graphical solutions for any task. Gnome can make a GUI password query when a LUKS device was attached, however KDE is still not there. Also, if you have some directories on your machine encrypted you normally have to input two passwords: one for the normal login, and later or earlier one password into an external script for the encrypted directories.
This howto will address that last part.
The last words before we start: this Howto aims at Fedora Core 6 – if you use other versions or distributions, be a bit more careful. Also, make a backup copy of each file before you modify it. You will do everything at your own risk, and if your system fails, well, there will be the backup files only. I will not help you!
First you need the encfs software. It is part of the Fedora repositories, so get it with
yum install fuse-encfs. The next step is to add your user to the
fuse group – use
system-config-users for example. After that it helps to get at least a bit familiar with EncFS, the homepage has some examples like this one:
$ mkdir ~/tmp/crypt-raw
$ mkdir ~/tmp/crypt
$ encfs ~/tmp/crypt-raw ~/tmp/crypt
Volume key not found, creating new encrypted volume.
Password: [password entered here]
Verify: [password entered here]
After that, drop some files into the new directory and unmount it with
fusermount -u /tmp/crypt. If you are sure that everything works as expected, go on with
#echo "user_allow_other" >> /etc/fuse.conf. You need that for the gdm login.
PAM and EncFS
As already mentioned, we will use PAM to bind the GDM login to the EncFS-encrypted directories. The module needed is called pam_encfs and is unfortunatelly not available as a package for Fedora. Get it from the homepage, unpack it and run
make && make install as root. There is also an example configuration file which we will use. Copy
The next step is to modify exactly that file. The best is to first use some dummy directory to really test all that stuff. It makes sense to use the directories you already created and played around with in the EncFS section. In any case there is one important thing: when you are asked for a password, enter your user password!
Now, open the file (
/etc/security/pam_encfs.conf), comment out the line with
encfs_default --idle=1 and modify the last line according to your needs: change the source and target directories and add your name as a user.
PAM must be configured as well – on Fedora you want to modify the file
/etc/pam.d/system-auth (there might be a better way, please point out if you know one). Add these lines to the appropriate fields:
auth required pam_encfs.so and
session required pam_encfs.so. The second makes sure that you unmount the directory at logout, btw.
That’s it – try to log off and log in again, and check if you have access to the directory.
If something doesn’t work …. well, you are screwed 😉
No, honestly, I’m not a big expert on PAM or fuse or encfs, so don’t bother to ask me. All I can tell you is: check again if you added yourself to the fuse-group, check if the encfs-system is really working, and check if you use the same password for the normal login and for the encrypted directory.
I haven’t tried encrypting the entire home directory, but it is possible. Read the
README file which was in the pam_encfs package, there you will find information about that task. Also, I use the default login manager of Fedora, which is GDM, although I use KDE in the end. The KDE login manager can also be used with the pam module, however there are problems mentioned in the readme file when you encrypt the entire directory.
The main question remaining now is: how secure is it? Well, that depends on your login password (because pam uses that). If it is more a phrase than a password, and if the storage type of the system is a secure one, than you have good cards. For more information, read this interview.
I appreciate every comment on this topic because I’m not sure about the real security of this technique either!
But, in any case, it secures the files against other users on the system as well as against fast attacks. If someone wants to crack the files he definitely needs time and strong hardware.