1. eCryptfs 简介
eCryptfs 是在 Linux kernel 实现的一个加密文件系统,在 Linux kernel 2.6.19 版本收纳入官方 Linux kernel。它采用堆叠式的设计思想,逻辑上位于 VFS 和传统文件系统之间。用户应用程序对传统文件系统的读写操作,经过系统调用通过 VFS 首先被 eCryptfs 截获,eCryptfs 对文件数据进行加解密的操作,再转发给传统文件系统,为应用提供透明、动态、高效的加密功能。
eCryptfs 对每个文件采用不同的文件加密密钥 ( File Encryption Key, FEK ),文件加密算法推荐使用 AES-128。FEK 不能以明文的形式存放,eCryptfs 使用用户提供的口令(Passphrase)、非对称密钥算法(如 RSA 算法)或 TPM(Trusted Platform Module)的公钥来加密保护 FEK。
例如,当使用用户口令的时候,口令先经 hash 函数处理,再做为密钥加密 FEK。口令/公钥称为文件加密密钥加密密钥(File Encryption Key Encryption Key,FEFEK),加密后的 FEK 则称为加密文件密钥(Encrypted File Encryption Key,EFEK )。如果一个文件被多个授权用户访问,则有多份 EFEK。 此外,eCryptfs 还支持文件名的加密。
2. eCryptfs 安装
CentOS6.10
[root@ct11 ~]# yum install ecryptfs-utils
Loaded plugins: fastestmirror, security
Setting up Install Process
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Repository contrib is listed more than once in the configuration
Determining fastest mirrors
* base: mirrors.163.com
* extras: mirror.bit.edu.cn
* updates: mirrors.ustc.edu.cn
base | 3.7 kB 00:00
extras | 3.4 kB 00:00
extras/primary_db | 29 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 9.9 MB 00:03
Resolving Dependencies
--> Running transaction check
---> Package ecryptfs-utils.x86_64 0:82-6.el6_1.3 will be installed
--> Processing Dependency: libtspi.so.1()(64bit) for package: ecryptfs-utils-82-6.el6_1.3.x86_64
--> Running transaction check
---> Package trousers.x86_64 0:0.3.13-2.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=================================================================================================================================================================================================
Package Arch Version Repository Size
=================================================================================================================================================================================================
Installing:
ecryptfs-utils x86_64 82-6.el6_1.3 base 147 k
Installing for dependencies:
trousers x86_64 0.3.13-2.el6 base 277 k
Transaction Summary
=================================================================================================================================================================================================
Install 2 Package(s)
Total download size: 424 k
Installed size: 1.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): ecryptfs-utils-82-6.el6_1.3.x86_64.rpm | 147 kB 00:00
(2/2): trousers-0.3.13-2.el6.x86_64.rpm | 277 kB 00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 750 kB/s | 424 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : trousers-0.3.13-2.el6.x86_64 1/2
Installing : ecryptfs-utils-82-6.el6_1.3.x86_64 2/2
Verifying : trousers-0.3.13-2.el6.x86_64 1/2
Verifying : ecryptfs-utils-82-6.el6_1.3.x86_64 2/2
Installed:
ecryptfs-utils.x86_64 0:82-6.el6_1.3
Dependency Installed:
trousers.x86_64 0:0.3.13-2.el6
Complete!
再检查安装状态:
[dc2-user@didiyun ~]$ yum list installed | grep ecryptfs-utils
ecryptfs-utils.x86_64 111-5.el7 @epel
工具已正确安装。
3. eCryptfs 使用
创建挂载口令,首先输入用户的登录口令,然后输入两次挂载口令
[root@ct11 ~]# ecryptfs-setup-private
ERROR: Cannot get ecryptfs version, ecryptfs kernel module not loaded?
如果出现此错误,执行modprobe ecryptfs
[root@ct11 ~]# modprobe ecryptfs
root@ct11 ~]# ecryptfs-setup-private
ERROR: User needs to be a member of ecryptfs group
编辑/etc/group 将root用户加入到ecryptfs组
创建挂载口令,首先输入用户的登录口令,然后输入两次挂载口令:
dc2-user@didiyun:~$ sudo ecryptfs-setup-private
Enter your login passphrase [dc2-user]:
Enter your mount passphrase [leave blank to generate one]:
Enter your mount passphrase (again):
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
Done configuring.
创建希望加密的文件夹:
dc2-user@didiyun:~$ mkdir private
设置文件夹权限不允许其他人访问:
dc2-user@didiyun:~$ chmod 700 private
挂载加密文件夹,输入挂载口令:
dc2-user@didiyun:~$ sudo mount -t ecryptfs private private
Passphrase:
然后依次需要选择加密算法,密钥长度,是否允许读写非 eCryptfs 文件,是否文件名加密,可全部直接回车为默认:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=c03eaf5f09f59761
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.
键入两个 yes :
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [c03eaf5f09f59761] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
eCryptfs 挂载成功,进入 eCryptfs 目录:
dc2-user@didiyun:~$ cd private
创建一个文件:
dc2-user@didiyun:~/private$ echo "this is a ecryptfs test file" > tes
dc2-user@didiyun:~/private$ cat tes
this is a ecryptfs test file
卸载 eCryptfs 目录:
dc2-user@didiyun:~/private$ cd ..
dc2-user@didiyun:~$ sudo umount private
查看文件,内容显示密文:
dc2-user@didiyun:~$ cat private/tes
m댶ş쫖_CONSOLEᄒ¯_ 梞妾8Ҙ}ɔ,ÆhW䴑[Y©iq龎h=~f°:ⲋᄴ1ࢄYꃵʨ㘐ÿͨ e৫O@8xY»B틠|思¬枾mΩ¥}R{zǩ§(³貮}KᄂKX S渤)$ߢ·©VDµ·>Uڨ붥1b鞺8iX*ҊNVn'ŝ2GzJe
@ÿ¡}`¾$L2ܨ§caАbn<ߨ[ǻ�BѪ©'ڼ?Lh·.x
吖³(ɛVz
重新挂载 eCryptfs,输入相关参数:
dc2-user@didiyun:~$ sudo mount -t ecryptfs private private
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=c03eaf5f09f59761
Mounted eCryptfs
查看文件,显示文件的正确内容:
dc2-user@didiyun:~$ cat private/tes
this is a ecryptfs test file
eCryptfs 详细使用参数:
[dc2-user@didiyun ~]$ man ecryptfs注意,记住mount 时输出的参数以及你手动输入的密码,方便数据迁移和恢复
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=cbd6dc63028e5602
参考:https://blog.csdn.net/java060515/article/details/85000843
https://blog.csdn.net/lzpdz/article/details/50546749
2862
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
