I came across an article on IBM developerWorks about eCryptfs and was tempted to try it; having just upgraded Gentoo, I also found that a new kernel version was available, so let's give it a go.
1. Build the kernel so that eCryptfs can be used
General setup --->
[*] Prompt for development and/or incomplete code/drivers
File systems --->
[*] Miscellaneous filesystems --->
<M> eCrypt filesystem layer support (EXPERIMENTAL)
Security options --->
<M> enable access key retention support
Cryptographic API --->
<M> MD5 digest algorithm
<M> AES cipher algorithms
Then build the kernel and install the modules:
#make && make modules_install
2. Use the new kernel
Look under /lib/modules/2.6.30-gentoo-r6/kernel/fs/ for the freshly built kernel; it should contain an ecryptfs directory holding the loadable module ecryptfs.ko.
#modprobe ecryptfs
#mount -t ecryptfs real_path ecryptfs_path
mount: wrong fs type, bad option, bad superblock on /home/leisure/eCryptfs,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
Why does this happen? To be worked out.
3. Solving the problem above
The developerWorks article does not single out any particular distribution, so the procedure should be generic, yet why does this error appear? Searching online, I found people describing the setup on Ubuntu: the first step there is to install ecryptfs-utils, so that must be it. The reason every Ubuntu guide says that installing ecryptfs-utils is all you need in order to encrypt with eCryptfs is that Ubuntu ships a generic kernel with eCryptfs support compiled in by default, whereas Gentoo is highly customised.
#emerge ecryptfs-utils
Both available versions turned out to be masked, however, so:
#echo "sys-fs/ecryptfs-utils">>/etc/portage/package.keywords
#emerge ecryptfs-utils
Another dependency turned out to be masked as well, so I added it to /etc/portage/package.keywords too.
After the install succeeded:
#modprobe ecryptfs
#mount -t ecryptfs eCryptfs/ eCryptfs/
The interactive session follows:
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
2) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (loaded)
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]: 2
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=32
ecryptfs_cipher=aes
ecryptfs_sig=f03a911d92b98f86
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [f03a911d92b98f86] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
Note: the mount point eCryptfs recommends is the original real directory itself; mounted that way, the original directory is encrypted in its entirety and unauthorized users cannot access its contents.
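As an added check that is not part of the original post, the following POSIX shell function reads a kernel .config (or /proc/config.gz) and reports whether each option selected in step 1 is really built in or as a module, so that a "wrong fs type, bad option, bad superblock" failure can be traced to the kernel before ecryptfs-utils is blamed. The Kconfig symbol names and the sample config are my assumptions, not taken from the post.

```shell
# Added example, not from the original post: verify the kernel side of the
# eCryptfs setup described in step 1.
# Assumed Kconfig symbol names (2.6.30-era kernel) for the menu items:
#   CONFIG_EXPERIMENTAL  Prompt for development and/or incomplete code/drivers
#   CONFIG_ECRYPT_FS     eCrypt filesystem layer support
#   CONFIG_KEYS          enable access key retention support
#   CONFIG_CRYPTO_MD5    MD5 digest algorithm
#   CONFIG_CRYPTO_AES    AES cipher algorithms
ECRYPTFS_REQUIRED_SYMBOLS="CONFIG_EXPERIMENTAL CONFIG_ECRYPT_FS CONFIG_KEYS CONFIG_CRYPTO_MD5 CONFIG_CRYPTO_AES"

# read_config PATH: print the config as text; /proc/config.gz is gzipped.
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# check_ecryptfs_config PATH: report each required symbol as built-in (y),
# module (m) or MISSING; the return value is the number of missing symbols.
check_ecryptfs_config() {
    config="$1"
    missing=0
    for sym in $ECRYPTFS_REQUIRED_SYMBOLS; do
        value=$(read_config "$config" | sed -n "s/^$sym=\([ym]\)\$/\1/p")
        if [ -n "$value" ]; then
            printf 'ok      %s=%s\n' "$sym" "$value"
        else
            printf 'MISSING %s (select it as <M> or [*] and rebuild)\n' "$sym"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# write_sample_config PATH: a constructed .config fragment (not from a real
# build) in which key retention and MD5 were left out, for offline testing.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_ECRYPT_FS=m
# CONFIG_KEYS is not set
CONFIG_CRYPTO_AES=m
# CONFIG_CRYPTO_MD5 is not set
EOF
}
```

On the target box run check_ecryptfs_config /usr/src/linux/.config (or /proc/config.gz); a non-zero return means the kernel, not the userspace tools, is the first thing to fix.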