UbuntuHelp:EncryptedHomeDirectoryHowto

From Ubuntu中文

Source: https://help.ubuntu.com/community/EncryptedHomeDirectoryHowto
Latest revision as of 19:03, 17 November 2009

Encrypted Home Directory with EncFS and pam-encfs, with working X and Gnome

Should also work for KDE - edit /etc/pam.d/kdm instead of /etc/pam.d/gdm.

Adapted from http://www.ubuntu-eee.com/wiki/index.php5?title=Transparent_Encryption_for_home_folder .

Tested under Ubuntu EEE 8.04.1, Ubuntu 8.04.1

Notes

  • This uses pass-through filesystem encryption with EncFS. You don't need an encrypted partition, nor do you need to decide in advance how large the encrypted portion should be. See http://www.arg0.net/encfsintro for a detailed explanation.
  • I don't use ecryptfs because it can't encrypt filenames. This is unacceptable for me as the filenames contain private information.
  • I have been using EncFS for a long time now and I haven't hit a single problem.
  • I use pam-encfs and not pam-mount because pam-mount had problems (I don't remember exactly what) with the FUSE EncFS mount.
  • You must have a second account (root or sudo) handy to log into a console and fix things up.

Required packages

  1. encfs
  2. libpam-encfs (do NOT install it via apt if you are on Hardy: the package in the Hardy repositories is broken, see https://bugs.launchpad.net/ubuntu/+source/libpam-encfs/+bug/205783 )

Install encfs from the Ubuntu repositories:

sudo aptitude install encfs

Install libpam-encfs from: http://ppa.launchpad.net/andrearatto/ubuntu/pool/main/libp/libpam-encfs/libpam-encfs_0.1.4.1-3~ppa1_i386.deb

Note that this is an i386 build from a personal package archive rather than from the Ubuntu repositories, and a PAM module is code that runs as root inside every login. Fetch it only from that PPA, keep the .deb you installed so you can reinstall exactly the same build later, and switch back to the distribution package once the bug above is fixed.

/etc/security/pam_encfs.conf

The default pam_encfs.conf has a conflicting pair of options that will cause your mounts to fail every time: allow_other is specified in fuse_default, and allow_root is set in the per-user encfs mount line. FUSE refuses a mount that carries both of these, so remove one of them.

It looks like the EncFS Options and FUSE Options columns cannot be left empty, so I just use -v for EncFS (just verbose output) and allow_other for FUSE (you need either allow_other or allow_root for gdm to work: gdm runs as root, and by default a FUSE mount is visible only to the user who mounted it, root included).

The two options are not equivalent. allow_root only adds root, while allow_other opens the decrypted view to every local user, and FUSE itself performs no permission checks on such a mount unless default_permissions is also given; whether another user can then read your files depends entirely on how the EncFS process, running as you once drop_permissions is in effect, answers their requests. On a machine with more than one real user, prefer allow_root in the per-user line.

This is what it looks like for me, username jakob:

drop_permissions
encfs_default
fuse_default

#USERNAME	SOURCE			TARGET		EncFS Options		FUSE Options
jakob		/home/jakob.encfs	/home/jakob	-v			allow_other

/etc/fuse.conf

Uncomment or add the following line to /etc/fuse.conf so that the allow_other option in pam_encfs.conf can take effect.

user_allow_other

Make sure the user is in the group "fuse" as well (add them with adduser; the membership only takes effect at their next login), or else they won't be able to use FUSE mounts like EncFS.

/etc/pam.d/gdm

pam_encfs needs to be the first password-prompting module in the auth stack because it does not accept a "use_first_pass" option: it always asks for the EncFS password itself, which is why you get two password prompts at login. It also has to run before pam_unix, because gdm creates a .Xauthority file in the home directory right after pam_unix, and EncFS needs to be mounted before that happens (otherwise the file lands in the empty mountpoint and blocks later mounts). Insert "auth requisite pam_encfs.so" just before "@include common-auth"; with requisite, a wrong EncFS password ends the authentication immediately. For me this file looks like this:

#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
auth	requisite	pam_encfs.so
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
session required        pam_limits.so
@include common-session
session optional        pam_gnome_keyring.so auto_start
@include common-password
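As an added check, not part of this howto or of pam_encfs itself, the following POSIX shell script tests the three files edited above for the mistakes the text warns about: the allow_other/allow_root clash and empty option columns in pam_encfs.conf, user_allow_other missing from fuse.conf, and pam_encfs.so stacked after "@include common-auth" in the PAM service file. The function names are mine, file paths are arguments, and the column layout it assumes is the one shown in the pam_encfs.conf template above.

```shell
#!/bin/sh
# Added example: consistency checks for the three files this howto edits.
# Not part of the howto or of pam_encfs; it only reads the files it is given.
#   lint_pam_encfs_conf FILE  - pam_encfs.conf: allow_other/allow_root clash,
#                               user lines with empty option columns
#   check_fuse_conf FILE      - fuse.conf: user_allow_other must be enabled
#   check_pam_order FILE      - PAM service file: pam_encfs.so before common-auth

# pam_encfs.conf layout (from the template's own comments): keyword lines
# "drop_permissions", "encfs_default [opts]", "fuse_default [opts]" and
# per-user lines "USER SOURCE TARGET ENCFS_OPTS FUSE_OPTS" ("-" = any user).
# The per-user FUSE options are combined with fuse_default, and FUSE refuses
# a mount that carries both allow_other and allow_root.
lint_pam_encfs_conf() {
    awk '
        /^[ \t]*#/ || NF == 0    { next }
        $1 == "drop_permissions" { next }
        $1 == "encfs_default"    { next }
        $1 == "fuse_default"     { fuse_default = $0; next }
        NF < 5 {
            printf "%s:%d: user line needs 5 columns; EncFS and FUSE options may not be empty\n", FILENAME, NR
            bad = 1; next
        }
        {
            fuse_opts = fuse_default " " $5
            if (fuse_opts ~ /allow_other/ && fuse_opts ~ /allow_root/) {
                printf "%s:%d: allow_other and allow_root are both in effect for user %s (fuse_default plus user line); they are mutually exclusive\n", FILENAME, NR, $1
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# allow_other in pam_encfs.conf is only honoured if /etc/fuse.conf enables it.
check_fuse_conf() {
    if grep -q '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"; then
        return 0
    fi
    echo "$1: user_allow_other is not enabled; FUSE will reject allow_other"
    return 1
}

# pam_encfs prompts for its own password and must run before pam_unix, which
# "@include common-auth" pulls in; gdm writes .Xauthority right after pam_unix.
check_pam_order() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && $3 ~ /pam_encfs\.so/   { encfs = NR }
        $1 == "@include" && $2 == "common-auth" { inc = NR }
        END {
            if (!encfs) { print FILENAME ": no auth line loads pam_encfs.so"; exit 1 }
            if (!inc)   { print FILENAME ": no @include common-auth line";   exit 1 }
            if (encfs > inc) {
                print FILENAME ": pam_encfs.so must come before @include common-auth"
                exit 1
            }
            exit 0
        }
    ' "$1"
}

main() {
    rc=0
    lint_pam_encfs_conf "${1:-/etc/security/pam_encfs.conf}" || rc=1
    check_fuse_conf     "${2:-/etc/fuse.conf}"               || rc=1
    check_pam_order     "${3:-/etc/pam.d/gdm}"               || rc=1
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

# Run the checks only when paths are given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as "sh check_encfs_config.sh /etc/security/pam_encfs.conf /etc/fuse.conf /etc/pam.d/gdm" (substitute /etc/pam.d/kdm or /etc/pam.d/login as needed); it exits non-zero and names the offending line when any of the three checks fails, so it can be rerun after each edit before you log out and test the real login.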

/etc/pam.d/login

(Optional) Edit /etc/pam.d/login like /etc/pam.d/gdm if you want the encrypted home to work even when logging in through the text mode console.

WARNING: If you don't enable pam_encfs in /etc/pam.d/login you will still be able to log in, but you will get an empty home directory (the unmounted mountpoint). Bash will then create a .bash_history file there, which prevents subsequent EncFS mounts because the mountpoint is no longer empty. You have to delete this file as root to fix this.

Create encrypted folder

  • Log out and log in as a different user (sudo-enabled or root)
  • Create necessary directories and set permissions (replace "jakob" with your username).
sudo -s
mv /home/jakob /home/jakob.original
mkdir /home/jakob.encfs /home/jakob
chown jakob:jakob /home/jakob /home/jakob.encfs
  • Create encrypted folder
sudo -u jakob encfs /home/jakob.encfs /home/jakob
  • Accept the default options, or tinker with the encryption settings. I just used the default security rather than paranoid mode because paranoid mode apparently doesn't support hard links.
  • The Password does not have to be the same as the login password
  • Copy your home folder contents into the encrypted folder
sudo -u jakob rsync -a --progress /home/jakob.original/ /home/jakob/
  • Reboot
  • You will be asked first for your EncFS password and then for your login password

Your home folder should now be encrypted. If it works, log in and delete your jakob.original folder. Keep in mind that simply deleting it leaves the plaintext recoverable from unallocated disk space until it is overwritten; if that matters to you, overwrite the files (shred) or wipe the free space before you rely on the encryption.
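The procedure above as one script, added here as an example and not part of the original howto: it runs the same mv, mkdir, chown, encfs and rsync steps, but refuses to start while the user still has processes, while encfs is missing, or when the target names already exist, and it verifies the copy with a checksum dry run before telling you it is safe to remove the original. It assumes the howto's layout (/home/USER.encfs, /home/USER, /home/USER.original), rsync with --out-format support, and is meant to be run as root from the second account.

```shell
#!/bin/sh
# Added example: the "Create encrypted folder" procedure as one script with
# pre-flight checks. Not part of the original howto. Assumes the howto's
# layout: /home/USER.encfs holds the ciphertext, /home/USER is the mountpoint,
# /home/USER.original keeps the plaintext copy until you have verified the result.
# Run as root (sudo -s) from a second account, never from the one being moved.

# 0 if DIR exists and contains nothing at all, dotfiles included. This is the
# condition pam_encfs needs at every login: a stray .bash_history or
# .Xauthority in the mountpoint makes the mount fail.
dir_is_empty() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -mindepth 1 -maxdepth 1 -print | head -n 1)" ]
}

# The user must be fully logged out: processes with files open under the old
# home would keep writing there after the mv and the copy would be incomplete.
user_has_processes() {
    pgrep -u "$1" >/dev/null 2>&1
}

migrate_home() {
    user=$1
    home=/home/$user
    cipher=$home.encfs
    orig=$home.original

    [ "$(id -u)" -eq 0 ]             || { echo "run as root (sudo -s)"; return 1; }
    id "$user" >/dev/null 2>&1       || { echo "no such user: $user"; return 1; }
    command -v encfs >/dev/null 2>&1 || { echo "encfs is not installed"; return 1; }
    ! user_has_processes "$user"     || { echo "$user still has processes; log that user out first"; return 1; }
    [ ! -e "$cipher" ]               || { echo "$cipher exists, refusing to overwrite"; return 1; }
    [ ! -e "$orig" ]                 || { echo "$orig exists, refusing to overwrite"; return 1; }

    mv "$home" "$orig"                     || return 1
    mkdir "$cipher" "$home"                || return 1
    chown "$user:$user" "$cipher" "$home"  || return 1

    # Interactive: encfs asks for the volume settings and the EncFS password
    # (which does not have to equal the login password).
    sudo -u "$user" encfs "$cipher" "$home" || return 1
    dir_is_empty "$home" || { echo "$home is not empty after the mount, aborting"; return 1; }

    # -a keeps ownership, modes and times; -H keeps hard links (the reason the
    # howto stays out of paranoid mode). Run as the user so nothing is root-owned.
    sudo -u "$user" rsync -aH --progress "$orig/" "$home/" || return 1

    # Verification: a checksum dry run lists every file that still differs,
    # so an empty list means the copy inside the EncFS mount is complete.
    if [ -n "$(sudo -u "$user" rsync -acn --out-format='%n' "$orig/" "$home/")" ]; then
        echo "verification found differences; keep $orig and investigate"
        return 1
    fi

    echo "migrated $user: reboot, log in, check your files, then remove $orig."
    echo "a plain rm leaves the plaintext recoverable on disk; overwrite it (shred)"
    echo "or wipe free space if that matters to you."
}

if [ $# -eq 1 ]; then
    migrate_home "$1"
fi
```

Usage: "sudo sh migrate_home.sh jakob" from the second account. The pre-flight checks are the part the manual procedure lacks; in particular the emptiness check after the mount is the same condition pam_encfs will enforce at every later login.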

Known Issues

  • The home directory is not unmounted at logout. While it's possible (see /usr/share/doc/libpam-encfs/README.gz), this caused a lot of trouble for me. Most of the time, unmounting won't work anyway because some Gnome apps take long to terminate and still have files open when the unmount should happen. Another thing I experienced is some Gnome app creating a file (saved_state) after (!) encfs is unmounted. This file is created in the mountpoint, so the mountpoint will be non-empty and subsequent logins will fail. You have to empty it again using a root shell to fix this.
  • Upgrading to Intrepid will break the setup: https://bugs.launchpad.net/ubuntu/+source/encfs/+bug/234818 .

Workaround:

  1. Log in to another (unencrypted) sudo/root account
  2. Copy your home directory's contents to another (not encrypted) folder
  3. Upgrade to Intrepid
  4. Create a new EncFS volume and copy your home dir contents into it - see instructions above
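Both the /etc/pam.d/login warning and the first known issue come down to the same repair: the mountpoint has to be emptied from a root shell before pam_encfs can mount it again. The script below is an added example (not part of the original howto) that does this without destroying anything: it refuses to act on a live mount, moves every stray entry, dotfiles included, into a quarantine directory next to the mountpoint, and then confirms the mountpoint is empty. The function names are mine and it assumes the howto's /home/USER mountpoint layout.

```shell
#!/bin/sh
# Added example: recovery for the "mountpoint is not empty" failure described
# above. Not part of the original howto. Instead of deleting the stray files
# (.bash_history from a console login without pam_encfs, saved_state left by a
# Gnome app after the unmount) it moves them into a quarantine directory next
# to the mountpoint, so nothing is lost, then confirms the mountpoint is empty.
# Run as root from a second account; assumes the howto's /home/USER mountpoint.

# 0 if DIR is currently a mountpoint. Uses mountpoint(1) when available and
# falls back to /proc/mounts, whose second column is the mount target.
is_mounted() {
    if command -v mountpoint >/dev/null 2>&1; then
        mountpoint -q "$1"
    else
        awk -v d="$1" '$2 == d { found = 1 } END { exit (found ? 0 : 1) }' /proc/mounts
    fi
}

# Move every entry of MNT (dotfiles included) into MNT.stale.TIMESTAMP.
# Refuses to touch a live mount: that would move the user's real files.
fix_stale_mountpoint() {
    mnt=${1%/}
    [ -d "$mnt" ] || { echo "$mnt: not a directory"; return 1; }
    if is_mounted "$mnt"; then
        echo "$mnt is mounted; unmount it first (fusermount -u $mnt) and retry"
        return 1
    fi
    quarantine="$mnt.stale.$(date +%Y%m%d%H%M%S)"
    moved=0
    # The three globs cover plain names, .dotfiles and ..names; "." and ".."
    # themselves are never matched by them.
    for entry in "$mnt"/* "$mnt"/.[!.]* "$mnt"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # glob did not match
        [ -d "$quarantine" ] || mkdir -m 700 "$quarantine" || return 1
        mv "$entry" "$quarantine"/ || return 1
        moved=$((moved + 1))
    done
    if [ -n "$(find "$mnt" -mindepth 1 -maxdepth 1 -print | head -n 1)" ]; then
        echo "$mnt is still not empty"
        return 1
    fi
    if [ "$moved" -gt 0 ]; then
        echo "moved $moved entries from $mnt to $quarantine; the next login can mount again"
    else
        echo "$mnt was already empty"
    fi
    return 0
}

if [ $# -eq 1 ]; then
    fix_stale_mountpoint "$1"
fi
```

Usage: "sudo sh fix_stale_mountpoint.sh /home/jakob" after the affected user is logged out. Look through the quarantine directory afterwards; a saved_state file from a Gnome session is usually safe to discard, but a .bash_history written during an unencrypted console login may contain exactly the kind of data you set EncFS up to protect, so delete it deliberately rather than leaving it in the clear.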