New to ecryptfs, what do I need to back up?

Asked by Matthias Kauer

Hi,
I am a new ecryptfs user and I am wondering what I need to back up if I set up an encrypted folder pair by hand.
For example, I encrypt the /srv directory on top of itself using sudo mount -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes /srv /srv (see full output below)

I am now interested in what I have to remember. Obviously my passphrase that I entered at first. Do I also need to remember (write down) the FNEK signature?
What about the file /root/.ecryptfs/sig-cache.txt that is mentioned?

I have moved the folder to another VBox and tried it again and it seemed that my passphrase was sufficient. Is the FNEK signature generated from the passphrase + my username or so?

Also: What parts should I not back up online? The Ubuntu tutorials mention a /home/.ecryptfs (when encrypting the home folder = not my case) or similar that needs to be remembered but shouldn't be stored online in order to avoid weakening the encryption. I couldn't find anything similar after running the above command; should I?

I have tried to find this, but the tutorials didn't seem to mention it. I really need to know this before starting backups of my encrypted folder though, obviously.

I hope you understand.
Best,
Matthias

=========================================
matthias@matthias-VirtualBox:~$ sudo mount -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes /srv /srv
[sudo] password for matthias:
Passphrase:
Filename Encryption Key (FNEK) Signature [3c2034c2f35aab36]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=3c2034c2f35aab36
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=3c2034c2f35aab36
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [3c2034c2f35aab36] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
matthias@matthias-VirtualBox:~$

Question information

Language: English
Status: Expired
For: Ubuntu ecryptfs-utils
Assignee: No assignee
Matthias Kauer (i-software) said :
#1

Further research from me:
Going from this: http://blog.dustinkirkland.com/2009/02/how-encrypted-home-ecryptfs-works.html

Since I am mounting from the command line, I presume there is no wrapped mount passphrase or wrapped filename encryption key. Both of them are just the password that I use, which is of course less secure since it isn't exactly 128 bit right now.
It could be though; after all, 128 bit corresponds to 20-30 characters, right?

Anyway, this leads me to believe that remembering my passphrase will be enough. Is that correct?

Launchpad Janitor (janitor) said :
#2

This question was expired because it remained in the 'Open' state without activity for the last 15 days.