Configuring ecryptfs

I was reading through my buddy’s security blog, Security Aegis, and realized that my current security setup in Ubuntu is absolutely terrible – I have a Truecrypt container I dump things into from time to time, and that’s really about it. After recently discovering the Ubuntu Pocket Guide and Reference, I took a quick look through there to see what might be available.

The guide mentioned Intrepid has the ability to create an automounting private folder using ecryptfs-utils with next to no setup. That’s nice, but I’d rather have a bit more control over the folder – having it just pop up on login isn’t very appealing since my system gets used from time to time by other people. A bit of googling around turned this up:

  1. How to auto-configure
  2. How to configure hands on
  3. The basic truecrypt way

Ubuntugeek has a nice writeup on the under-the-hood way to use ecryptfs-utils. The reason I’m going with this over Truecrypt is I’d rather have the files encrypt on the fly without needing a set amount of space first (as in a container). I’ll keep the containers on my thumb drives for now.

Started with the Ubuntugeek step by step:

  • sudo aptitude install ecryptfs-utils
  • mkdir ~/crypt
  • chmod 700 ~/crypt
  • sudo mount -t ecryptfs ~/crypt ~/crypt
    • chose 4 for passphrase
    • created passphrase
    • selected aes for cipher
    • 16 for blocksize

After selecting my options:

Attempting to mount with the following options:
 ecryptfs_key_bytes=16
 ecryptfs_cipher=aes
 ecryptfs_sig=1c56a17407ef3160
 WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
 it looks like you have never mounted with this key
 before. This could mean that you have typed your
 passphrase wrong.

Would you like to proceed with the mount (yes/no)? yes
 Would you like to append sig [1c56a17407ef3160] to
 [/root/.ecryptfs/sig-cache.txt]
 in order to avoid this warning in the future (yes/no)? yes
 Successfully appended new sig to user sig cache file
 Mounted eCryptfs

Not quite sure what just happened there. I just installed this thing, so of course I haven’t mounted with this key before. I wasn’t asked about plaintext passthrough either. Let’s check whether it worked anyway.

  • cp Firefox_wallpaper.png ~/crypt
  • ls ~/crypt
  • sudo umount ~/crypt
  • ls ~/ | grep crypt

Crypt is still there! Blast.

  • ls ~/crypt

It still shows my png file too!

  • gnome-open ~/crypt/Firefox_wallpaper.png

“Fatal error reading PNG image file: Not a PNG file”

Alright, so that’s good, it’s probably encrypted then. I’ll remount and see if it’ll open.

  • sudo mount -t ecryptfs ~/crypt ~/crypt -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n
  • gnome-open ~/crypt/Firefox_wallpaper.png

Yep, it opens fine now. Since I was used to Truecrypt-style mount behavior from Windows, I expected the entire folder to just disappear (even though I specifically created one, duh). Reading through the ecryptfs page and here made a bit more sense. Without pre-allocation there isn’t much of a choice anyway. Time to turn this bulky command into an easy-to-use alias:

  • echo "alias mount-crypt='sudo mount -t ecryptfs ~/crypt ~/crypt -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n'" | tee -a ~/.bash_aliases
  • source .bashrc
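As an added example (not from the original post), the same mount and unmount wrapped in shell functions that first check /proc/mounts before touching anything, plus the PNG-magic check that the “Not a PNG file” error above amounts to; the function and variable names are my own, and it assumes ~/crypt is both the lower and upper directory as in the post.

```shell
#!/bin/sh
# Added example: guarded wrapper around the mount command from the post.
# Assumption: the same directory is used as lower and upper dir (~/crypt).

CRYPT_DIR="${CRYPT_DIR:-$HOME/crypt}"

# The option string the post arrived at: passphrase key, AES,
# 16-byte (128-bit) key, no plaintext passthrough.
crypt_mount_opts() {
    printf 'key=passphrase,ecryptfs_cipher=%s,ecryptfs_key_bytes=%s,ecryptfs_passthrough=n' \
        "${1:-aes}" "${2:-16}"
}

# Return 0 if DIR is currently an ecryptfs mount point according to a
# /proc/mounts-style file (defaults to /proc/mounts; a path can be passed
# for testing). Field 2 is the mount point, field 3 the filesystem type.
crypt_is_mounted() {
    dir=$1; mounts=${2:-/proc/mounts}
    awk -v d="$dir" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$mounts"
}

# Return 0 if FILE starts with the 8-byte PNG signature, 1 otherwise.
# Run this on a file in the unmounted ~/crypt: a PNG you copied in should
# NOT pass, which is the check the "Not a PNG file" error performed by hand.
is_png() {
    [ "$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')" = "89504e470d0a1a0a" ]
}

# Mount only if not already mounted (a double mount stacks a second layer).
crypt_mount() {
    if crypt_is_mounted "$CRYPT_DIR"; then
        echo "$CRYPT_DIR is already an ecryptfs mount"; return 0
    fi
    sudo mount -t ecryptfs "$CRYPT_DIR" "$CRYPT_DIR" -o "$(crypt_mount_opts)"
}

# Unmount only if mounted, so a stray umount never errors out on the plain dir.
crypt_umount() {
    crypt_is_mounted "$CRYPT_DIR" || { echo "$CRYPT_DIR is not mounted"; return 0; }
    sudo umount "$CRYPT_DIR"
}
```

Source the file from ~/.bashrc and call crypt_mount / crypt_umount instead of the alias; crypt_is_mounted is also a cheap way to confirm the directory is back to ciphertext before walking away from the machine.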

Figuring out the above took a bit longer than those two lines… here’s some insight into my rookie mistakes. (460 through 471 was me playing videos in terminal via ascii, heh.)