how can I mount multiple ecryptfs folders on logon?

Asked by Andrei Pozolotin on 2009-11-28

namely, currently in ubuntu 9.10
   /home/.ecryptfs/user1/.ecryptfs
contains
   Private.mnt
   Private.sig
which provide configuration for single folder only;
but how can I mount multiple ecryptfs folders on logon?

Question information

Language: English
Status: Solved
For: eCryptfs
Assignee: No assignee
Solved by: misiu369
Solved: 2009-12-14
Last query: 2009-12-14
Last reply: 2009-12-03

probably I need to use keyctl, etc; can someone please show an example?

Tyler Hicks (tyhicks) said : #2

Sorry Andrei, there's currently no way to mount multiple directories at login. It is a useful feature and is something that we would take as a contribution if someone gets around to implementing it before we do.

Best misiu369 (misiu369) said : #3

Umm... I just did it...
Sorry, didn't know it was supposed to be impossible... ;P

Basically I used this how-to:
http://ecryptfs.sourceforge.net/ecryptfs-pam-doc.txt
It didn't exactly work for me (running ubuntu 9.04), I had to remove the "auth required pam_ecryptfs.so unwrap" part, because I couldn't log in with it. Also, .bash_profile doesn't seem to be executed on X login, so I had to take care of that.

Then I've copied the fstab entry over and over again, changing just the folder path.
Also, I've repeated over and over again part of the .bash_profile script (the inner 'if' part).

Now that's all, if all folders are encrypted with the same passphrase (might have different options, though).
I don't know if it's safe or anything, I simply needed to have encrypted folders on different partitions so I found a way... ;)

I didn't try this, but I suppose it could be done with different passphrases as well.
The idea is, the .bash_profile script:
1. mounts ./Private as in the faq mentioned above
2. runs a ./Private/keyringscript, which adds passphrases (which may be additionally wrapped) to the keyring
3. mounts the other folders with appropriate keys (as configured in fstab)
The weak point would be a fairly easy access to the additional passphrases, though it wouldn't be a problem for me as I never leave my laptop running unattended.

misiu369, hello;

thank you for the tip;

works for me on kubuntu 9.10 as well

cheers

Andrei

Thanks misiu369, that solved my question.

Philippe (philippe-rast) said : #6

Hi misiu369,

Where exactly did you copy the .bash_profile script? I use ubuntu 9.10 and there's no ~/.bash_profile around. I tried copying the script in /etc/init.d/script_name and then I loaded it into /etc/rcX.d/ with update-rc.d. But it didn't work.

The idea is that I first mount an NFS network drive in which one of the subfolders in the NFS drive is supposed to be encrypted. The NFS partition is mounted at startup. If I add the mount command in fstab I can load flawlessly the encrypted folder with "mount -i /media/NFSdrive/encryptedfolder". So, manually, everything works fine but I would like to load the encrypted file automatically - and on shutdown, the encrypted file should umount before the nfs does.

Anyone any idea?

Philippe

Philippe (philippe-rast) said : #7

I meant: So, manually, everything works fine but I would like to load the encrypted FOLDER automatically - and on shutdown, the encrypted FOLDER should umount before the nfs does.

misiu369 (misiu369) said : #8

I created the .bash_profile in my home dir.
Worked great in text-mode, but when I logged in normally (into gnome) it didn't, so I added .bash_profile to my startup apps in my ubuntu settings (system/preferences/start programs or something like that).

Don't know how to unmount on logout - you'd have to find a script that's being called on logout. Search (and post if nothing found) on ubuntuforums.

Philippe (philippe-rast) said : #9

tnx misiu
I added the file .bash_profile
I used this tutorial http://ecryptfs.sourceforge.net/README
Interestingly everything works fine, as long as I mount manually, i.e., I enter all the steps in the terminal. If it mounts automatically at startup the passphrase can't be retrieved somehow - even though the passphrase is in the keyring.

Well, I'll have to invest some more time and brains...

AlexGenaud (alexgenaud) said : #10

"me too". I'd like /home/me /home/friend /home/shared where either I or my friend can open /home/shared on login.

In the meantime, I wrote two simple scripts for mounting/creating and umounting encrypted directories (you can replace the $1 and $2 with specific directories, if you want them automatically mounted on login, you should probably check that they are not already mounted by testing the existence of some file/dir if ! [ -e ../mount-point/my-directory ]):

emt() {
 # Mount the encrypted (lower) directory $1 on the plaintext mount point $2.
 if [ $# -ne 2 ]; then echo "usage: emt crypt/ plain/" ;
 elif ! [ -r "$1" ]; then echo "failed to read $1" ;
 elif ! [ -r "$2" ]; then echo "failed to read $2" ;
 else
   # Print the exact command first so the options in use are visible, then run it;
   # mount prompts for the passphrase interactively.
   echo sudo mount -t ecryptfs "$1" "$2" -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,no_sig_cache;
   sudo mount -t ecryptfs "$1" "$2" -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,no_sig_cache
 fi;
}
umt() {
 # Unmount the mount point given as $1.
 if [ $# -ne 1 ]; then echo "usage: umt mountpoint/" ;
 elif ! [ -r "$1" ]; then echo "failed to read $1" ;
 else sudo umount "$1";
 fi;
}

Serge Hallyn (serge-hallyn) said : #11

Quoting AlexGenaud (<email address hidden>):
> Question #92089 on eCryptfs changed:
> https://answers.launchpad.net/ecryptfs/+question/92089
>
> AlexGenaud posted a new comment:
> "me too". I'd like /home/me /home/friend /home/shared where either I or
> my friend can open /home/shared on login.
>
> In the meantime, I wrote two simple scripts for mounting/creating and

I've got an 'emount' program I'm hoping Tyler will pull in some
form, which is tailored to easy/quick mounting of copious little
ecryptfs dirs. It looks for ~/.ecryptfs/*.conf files containing
entries in fstab format, so I just do 'emount g' for instance.

> umounting encrypted directories (you can replace the $1 and $2 with
> specific directories, if you want them automatically mounted on login,
> you should probably check that they are not already mounted by testing
> the existence of some file/dir if ! [ -e ../mount-point/my-directory ]):

Right, I tend to not to overlay mounts so that I can do this. For
instance, I fetchmail into an ecryptfs directory. ~/mail/ is a
symlink into ~/gtd/mail, where ~/gtd is an ecryptfs dir mounted from
elsewhere. So my fetchmail scripts refuse to run if ~/mail/serge
does not exist.

-serge

AlexGenaud (alexgenaud) said : #12

My current usage is quite limited because ultimately I would like to share resources between the 'same' user in different environments and between different users in the same environment. But for now, a typical use case is to quickly mount encrypted directories on external devices/partitions (.enc/ and mnt/):

dmt() {
 # Walk /media/*/.enc (the lower, encrypted dirs) and offer to mount each one
 # on the sibling mnt/ directory, e.g. /media/usb/.enc -> /media/usb/mnt.
 for ENC in $(find /media -maxdepth 2 -type d -name .enc); do
  # Anchor the substitution so only the trailing ".enc" component is replaced.
  MNT=$(echo "$ENC" | sed 's:/\.enc$:/mnt:')
  if ! [ -d "$MNT" ]; then
    echo "$ENC has no matching $MNT"
  else
    printf '%s' "emt $ENC $MNT [Y/n]: "
    read -r ANS
    if [ "n" = "$ANS" ]; then
      echo cancelled
    else
      emt "$ENC" "$MNT"
    fi
  fi
 done;
}

All of this fuss could be avoided with a little modification to pam_ecryptfs:pam_sm_authenticate and main.c:ecryptfs_fetch_private_mnt

How it appears to work now:
1. PAM authentication succeeds and pam_sm_authenticate eventually gets called
2. pam_sm_authenticate calls ecryptfs_fetch_private_mnt to get the auto-mount mount point
3. ecryptfs_fetch_private_mnt just opens ~/.ecryptfs/*.mnt and returns the first line
4. if the mount is already mounted, abort
5. otherwise load keys, and mount with those keys

How it could work:
1. PAM authentication succeeds and pam_sm_authenticate eventually gets called
2. pam_sm_authenticate calls ecryptfs_fetch_private_mnt to get the auto-mount mount points
3. ecryptfs_fetch_private_mnt just opens ~/.ecryptfs/*.mnt and returns an array of mount points, one for each line
4. if all of the mounts are mounted, abort
5. otherwise load keys, and mount all unmounted with those keys

The code change is minimal because only one key is used. The change I described above could be done in fewer than 30 lines.

The risk would be bad interactions with the other tools that touch ~/.ecryptfs/*.mnt not understanding the extra lines. Inside the project only src/utils/ecryptfs-setup-private appears to touch the mnt file. And it does so by replacing it. If ecryptfs_fetch_private_mnt is exposed externally then it might have to be preserved to return the first line.
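Added example, not code from any poster in this thread or from the eCryptfs project: one POSIX shell script that does what misiu369's repeated fstab entries plus .bash_profile snippet (#3), Serge's fstab-format ~/.ecryptfs/*.conf files (#11) and the multi-entry mount list proposed in #12 all aim at, and that also unmounts in the child-before-parent order Philippe asked about (#6). The config path and its fstab-style layout, the MOUNTS_FILE, MOUNT_CMD and UMOUNT_CMD variables, and the placeholder signature 0123456789abcdef are all assumptions. The signature names a key that pam_ecryptfs or ecryptfs-add-passphrase has already loaded into the kernel keyring at login, so the config never holds a passphrase (the weak point misiu369 pointed out), and the script refuses any entry that tries to embed one.

```shell
#!/bin/sh
# Added example, not code from this thread or from the eCryptfs project.
# Mounts, and unmounts, every ecryptfs directory listed in a user-owned file
# written in fstab format, skipping targets that are already mounted.
#
# Assumptions (none of them from the thread):
#   * one entry per line:  <lower dir>  <mount point>  ecryptfs  <options>  0 0
#   * <options> carries a key signature (ecryptfs_sig=...) but never a
#     passphrase; the passphrase is expected to be in the kernel keyring
#     already (put there at login by pam_ecryptfs or ecryptfs-add-passphrase).
#   * MOUNTS_FILE is /proc/mounts in real use. MOUNT_CMD and UMOUNT_CMD default
#     to mount/umount; set them to "sudo mount"/"sudo umount" if needed, or to
#     "true" for a dry run. Paths containing whitespace are not supported.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"
MOUNT_CMD="${MOUNT_CMD:-mount}"
UMOUNT_CMD="${UMOUNT_CMD:-umount}"

# parse_conf FILE: print "lower|target|options" for each ecryptfs entry,
# dropping comments, blank lines and entries of any other filesystem type.
parse_conf() {
    sed -e 's/#.*//' "$1" |
        awk 'NF >= 4 && $3 == "ecryptfs" { print $1 "|" $2 "|" $4 }'
}

# is_mounted TARGET: succeed if TARGET is a mount point in MOUNTS_FILE.
is_mounted() {
    awk -v t="$1" '$2 == t { found = 1 } END { exit found ? 0 : 1 }' "$MOUNTS_FILE"
}

# has_safe_options OPTS: succeed only if the options reference a keyring
# signature and do not embed a passphrase in the config file.
has_safe_options() {
    case "$1" in
        *passphrase*|*passwd=*) return 1 ;;
        *ecryptfs_sig=*)        return 0 ;;
    esac
    return 1
}

# mount_all CONF: mount each entry that is not yet mounted; one status line per entry.
mount_all() {
    parse_conf "$1" | while IFS='|' read -r lower target opts; do
        if is_mounted "$target"; then
            echo "skip $target (already mounted)"
        elif ! has_safe_options "$opts"; then
            echo "refuse $target (options must carry ecryptfs_sig= and no passphrase)"
        # MOUNT_CMD is deliberately unquoted so it may expand to "sudo mount".
        elif $MOUNT_CMD -t ecryptfs "$lower" "$target" -o "$opts"; then
            echo "mounted $target"
        else
            echo "failed $target"
        fi
    done
}

# umount_all CONF: unmount the configured targets that are mounted, longest
# path first, so a mount nested inside another (or sitting on top of a
# network share) is released before its parent.
umount_all() {
    parse_conf "$1" | while IFS='|' read -r _lower target _opts; do
        is_mounted "$target" && printf '%s\n' "$target"
    done | awk '{ print length($0) "\t" $0 }' | sort -rn | cut -f2- |
    while read -r target; do
        if $UMOUNT_CMD "$target"; then
            echo "unmounted $target"
        else
            echo "failed $target"
        fi
    done
}

# Entry point for direct use, e.g. from .bash_profile or a logout hook:
#   ecryptfs-mount-all.sh mount  ~/.ecryptfs/mounts.conf
#   ecryptfs-mount-all.sh umount ~/.ecryptfs/mounts.conf
# Without arguments only the functions are defined, so the file can be sourced.
case "${1:-}" in
    mount)  mount_all "$2" ;;
    umount) umount_all "$2" ;;
esac
```

Run it as `ecryptfs-mount-all.sh mount ~/.ecryptfs/mounts.conf` from the login script and with `umount` from a logout hook. Without root the mount step needs the same sudo or fstab `user` entry that the emt() function above relies on, so set MOUNT_CMD="sudo mount" in that case. The already-mounted check is what stops a second login from stacking another ecryptfs mount on top of an existing one, and the longest-path-first unmount order is what lets an encrypted folder on an NFS share be released before the share itself.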

AlexGenaud (alexgenaud) said : #14

I believe this case has been incorrectly marked as solved... At best, it is a duplicate of bug 615657:

https://bugs.launchpad.net/ecryptfs/+bug/615657

It is not possible to mount more than one encrypted directory
automatically at logon. That's simply not how the feature works.

You can, however, have as many subdirectories as you want, under the
one encrypted directory, and use symlinks to place pointers elsewhere
in your filesystem. Hopefully this helps.

Dustin