Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License.

Encrypted folders on Ubuntu Linux using eCryptfs on an external hard drive

This blog post continues my Ubuntu encryption tools testing. Previously there was an example for losetup. However, with the latest Ubuntu releases, eCryptfs is recommended instead.

eCryptfs encrypts a single directory in a file system. Since it does not work at the partition level, you do not need to worry about extending or shrinking an encrypted partition inside the unencrypted partition. Instead, the file system works normally and only the contents of the files are encrypted. This should also add some fault tolerance in the case of disk failure: you are less likely to lose the whole encrypted partition.

Here we create an encrypted directory on an external hard drive:

  • First format the drive with the ext4 file system (mkfs.ext4)

Prepare a passphrase in a .TXT file so that you can paste it in: you won’t be asked to type the passphrase a second time, so a mistyped passphrase would go unnoticed.

Then go to the mounted disk:

cd /media/fbf0a2c3-0631-4a00-ad1b-a34e449c8b2a/
mkdir crypted
chmod 700 crypted/
sudo mount -t ecryptfs crypted/ crypted/

Paste in the passphrase and accept the default settings offered by eCryptfs for everything else.

Voilà. Now your encrypted folder is ready. Its contents are not readable unless you mount it with eCryptfs and enter the passphrase.

We can test it by unmounting and mounting it again. It will ask for the passphrase and the format options again:

# Run from the drive's mount point, while crypted/ is still mounted
echo "foobar" > crypted/test.txt
sudo umount /media/fbf0a2c3-0631-4a00-ad1b-a34e449c8b2a/crypted
cat crypted/test.txt

You will see garbled output instead of the file contents. But after you remount it, it works again:

sudo mount -t ecryptfs crypted/ crypted/

Just give the passphrase and press Enter to accept the default for every option (again).
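
While the directory is unmounted it is an ordinary ext4 directory, so anything written into it lands on the disk unencrypted. The following guard is an added example, not part of the original post: it checks the mounts table before writing. The function names are hypothetical and the mounts-table sample is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to write into the
# directory unless eCryptfs is mounted on it, so no plaintext reaches the disk.

# Constructed sample of /proc/mounts content for the mount point given as $1.
sample_mounts() {
    cat <<EOF
/dev/sdb1 ${1%/*} ext4 rw,relatime 0 0
$1 $1 ecryptfs rw,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
EOF
}

# ecryptfs_opts DIR [MOUNTS_FILE]: print the mount options when the topmost
# mount on DIR is eCryptfs; return 1 otherwise. DIR must be an absolute path
# without spaces (the kernel writes a space as \040 in the mounts table).
ecryptfs_opts() {
    D=${1%/} awk '
        $2 == ENVIRON["D"] { fs = $3; opts = $4 }   # later lines shadow earlier ones
        END { if (fs != "ecryptfs") exit 1; print opts }
    ' "${2:-/proc/mounts}"
}

# opt_value OPTS KEY: print the value of KEY=... from a comma-separated list.
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p"
}

# guarded_write DIR NAME [MOUNTS_FILE]: copy stdin to DIR/NAME only when DIR
# is an active eCryptfs mount.
guarded_write() {
    if ! opts=$(ecryptfs_opts "$1" "${3:-/proc/mounts}"); then
        echo "refusing: $1 is not mounted with eCryptfs" >&2
        return 1
    fi
    echo "eCryptfs active: cipher=$(opt_value "$opts" ecryptfs_cipher)" >&2
    cat > "${1%/}/$2"
}
```

Use it in place of a plain redirect, for example `echo "foobar" | guarded_write /media/fbf0a2c3-0631-4a00-ad1b-a34e449c8b2a/crypted test.txt`.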


Perfect dual boot crypted hard disk setup with Truecrypt and LUKS

I have a work laptop used in Symbian and web development. I need to be able to boot both Vista and Linux. Due to client privacy, both operating systems must be encrypted in case the laptop is lost. Even if I do not use Windows actively, its web browser data may contain stored passwords for client systems, and it would be catastrophic to leak them accidentally.

Here are instructions for encrypting your hard disk in a safe but performance-efficient manner with Ubuntu 8.04 Hardy Heron and Windows Vista. These instructions can be applied to any version of Vista, since we use the third-party open source Truecrypt suite to encrypt the Windows partition. The instructions also give priority to the Grub boot loader, so that the computer will boot to Linux if there is no user interaction during the boot.

  1. Install Windows Vista from the factory first boot installer
  2. Download Ubuntu 8.04 alternative install CD. The alternative install CD contains installer menus to encrypt your HD using LVM and LUKS.
  3. For the sake of performance, we encrypt only the /home directory on the Linux partition, which contains all user-editable files. All other files in Linux, maybe excluding configuration files in /etc, are open source, and encrypting them only slows your application start-up times. It is possible to encrypt /home after install, but it is much easier at install time. Here are instructions how to set up an encrypted home partition with the alternative install CD.
  4. After this comes the exciting part. You must encrypt the Windows system partition using Truecrypt. Since Truecrypt is going to overwrite Ubuntu’s Grub boot loader in the Master Boot Record (MBR), some magic is needed (detailed instructions).
    1. Install Truecrypt and overwrite the MBR.
    2. Boot Ubuntu from the live CD. The alternative install CD doesn’t work, as it does not have the grub binary. You could also try to boot from your Linux partition by giving manual kernel root file system parameters to the CD boot loader.
    3. Back up Truecrypt’s MBR to a file on the /boot partition using dd
    4. Add Truecrypt’s MBR as a chain boot loader in Grub
    5. Rewrite MBR using Grub

For foreigners: You might want to keep the US keymap at hand, since the installer environment does not necessarily have the keymap set up correctly.

Note: Since my HP Pavilion dv9000 laptop has two 250 GB hds, the actual setup is as follows: Windows system partition, Windows data partition, and the rest is set up for Linux using LVM in striped RAID containing the root partition and the encrypted home. This effectively gives nearly 100 MB/s read speed from two 5400 RPM hds.