Slackware-13.37-Hacks-EncFS/Cryptkeeper

Posted 07-11-2011 at 10:37 PM by arniekat

EncFS is a command-line application that creates and manages encrypted folders on top of FUSE: whatever you write into the mount point is encrypted into a backing directory, one encrypted file per plaintext file. Because it works file by file, the number of files and their approximate sizes remain visible in the backing directory; what is hidden is the contents and (with the options chosen below) the names. Cryptkeeper is a GUI that puts an icon in your system tray so you can create, mount and unmount EncFS folders without touching the command line.

You need to build and install the following from SlackBuilds, in this order, since each one depends on the ones before it:

1. orbit2-2.14.19
2. gconf-2.32.2
3. rlog-1.4
4. encfs-1.7.4
5. cryptkeeper-0.9.5

The walk-through below creates the encrypted folder from the command line for a user "user1", choosing Blowfish with a 256-bit key. I am deliberately taking the long (expert) route to show every option EncFS offers; in practice you can simply pick the pre-configured paranoia mode (AES with a 256-bit key and block authentication headers on) or standard mode (AES with a 192-bit key). Note that block authentication headers, which let EncFS detect modified or corrupted ciphertext, are off in standard mode and are left off in the expert answers below as well; if the backing store lives somewhere you do not fully control, answer "y" to that question.
The encrypted files will live in the hidden folder /home/user1/.Private with scrambled file names.
When you mount that folder on the mount point /home/user1/Private, the files appear there in decrypted form for as long as the volume stays mounted.
NOTE - Do all of the following as a regular user, not as root! A FUSE mount is by default only accessible to the user who created it, which is what you want for a private folder.

$ encfs /path/to/encrypted_directory /path/to/mount_point

$ encfs /home/user1/.Private /home/user1/Private
The directory "/home/user1/.Private/" does not exist. Should it be created? (y,n) y <ENTER>
The directory "/home/user1/Private/" does not exist. Should it be created? (y,n) y <ENTER>

Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> x <ENTER>

Manual configuration mode selected.
The following cipher algorithms are available:
1. AES : 16 byte block cipher
-- Supports key lengths of 128 to 256 bits
-- Supports block sizes of 64 to 4096 bytes
2. Blowfish : 8 byte block cipher
-- Supports key lengths of 128 to 256 bits
-- Supports block sizes of 64 to 4096 bytes

Enter the number corresponding to your choice: 2 <ENTER>

Selected algorithm "Blowfish"

Please select a key size in bits. The cipher you have chosen
supports sizes from 128 to 256 bits in increments of 32 bits.
For example:
128, 160, 192, 224, 256
Selected key size: 256 <ENTER>

Using key size of 256 bits

Select a block size in bytes. The cipher you have chosen
supports sizes from 64 to 4096 bytes in increments of 8.
Or just hit enter for the default (1024 bytes)

filesystem block size: <ENTER>

Using filesystem block size of 1024 bytes

The following filename encoding algorithms are available:
1. Block : Block encoding, hides file name size somewhat
2. Null : No encryption of filenames
3. Stream : Stream encoding, keeps filenames as short as possible

Enter the number corresponding to your choice: 1 <ENTER>

Selected algorithm "Block"

Enable filename initialization vector chaining?
This makes filename encoding dependent on the complete path,
rather than encoding each path element individually.
The default here is Yes.
Any response that does not begin with 'n' will mean Yes: <ENTER>

Enable per-file initialization vectors?
This adds about 8 bytes per file to the storage requirements.
It should not affect performance except possibly with applications
which rely on block-aligned file io for performance.
The default here is Yes.
Any response that does not begin with 'n' will mean Yes: <ENTER>

Enable filename to IV header chaining?
This makes file data encoding dependent on the complete file path.
If a file is renamed, it will not decode successfully unless it
was renamed by encfs with the proper key.
If this option is enabled, then hard links will not be supported
in the filesystem.
The default here is No.
Any response that does not begin with 'y' will mean No: <ENTER>

Enable block authentication code headers
on every block in a file? This adds about 12 bytes per block
to the storage requirements for a file, and significantly affects
performance but it also means [almost] any modifications or errors
within a block will be caught and will cause a read error.
The default here is No.
Any response that does not begin with 'y' will mean No: <ENTER>

Add random bytes to each block header?
This adds a performance penalty, but ensures that blocks
have different authentication codes. Note that you can
have the same benefits by enabling per-file initialization
vectors, which does not come with as great of performance
penalty.
Select a number of bytes, from 0 (no random bytes) to 8: <ENTER>

Enable file-hole pass-through?
This avoids writing encrypted blocks when file holes are created.
The default here is Yes.
Any response that does not begin with 'n' will mean Yes: <ENTER>

Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/blowfish", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 256 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.

New Encfs Password: <EncFS_Password> <ENTER>
Verify Encfs Password: <EncFS_Password> <ENTER>
$

Now, unmount the file system:

$ fusermount -u /home/user1/Private

You can mount the filesystem by:

$ encfs /home/user1/.Private /home/user1/Private
EncFS Password: <EncFS_Password> <ENTER>
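EncFS records the answers given above in the file .encfs6.xml inside the backing directory (/home/user1/.Private here), and that file is the place to check what a volume actually uses. As an added example, not from the original post, here is a small POSIX shell audit of those settings, run against constructed configuration files that mirror the expert-mode answers above and what paranoia mode would have written. The element names are those of the EncFS 1.7 configuration file and are an assumption if your version differs; the constructed files omit the key and salt material.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the choices EncFS
# recorded in <backing dir>/.encfs6.xml and flag the ones that weaken the
# volume. EncFS 1.7 writes its configuration to that file (encfsctl info
# prints the same values); the element names below follow that file's
# layout and are an assumption if your EncFS version differs.

# xmlval FILE TAG [N] -> text of the N-th (default first) <TAG>...</TAG>
# element. The first <name> is the cipher, the second the filename encoder.
xmlval() {
    sed -n "s:.*<$2>\(.*\)</$2>.*:\1:p" "$1" | sed -n "${3:-1}p"
}

# audit_encfs_config FILE -> one finding per line on stdout;
# returns 1 if anything was flagged, 0 if the configuration looks sound.
audit_encfs_config() {
    cfg="$1"
    n=0
    cipher=$(xmlval "$cfg" name 1)
    nameenc=$(xmlval "$cfg" name 2)
    keysize=$(xmlval "$cfg" keySize)
    macbytes=$(xmlval "$cfg" blockMACBytes)
    uniqueiv=$(xmlval "$cfg" uniqueIV)
    chainiv=$(xmlval "$cfg" chainedNameIV)

    if [ "$cipher" != "ssl/aes" ]; then
        echo "cipher is $cipher: prefer AES (Blowfish has only an 8-byte block)"; n=$((n + 1))
    fi
    if [ "$nameenc" = "nameio/null" ]; then
        echo "filename encoding is null: file names are stored in cleartext"; n=$((n + 1))
    fi
    if [ "${keysize:-0}" -lt 192 ]; then
        echo "key size is ${keysize:-unknown} bits: below EncFS standard mode (192)"; n=$((n + 1))
    fi
    if [ "${macbytes:-0}" -eq 0 ]; then
        echo "blockMACBytes is 0: no block authentication, tampered ciphertext is decrypted silently"; n=$((n + 1))
    fi
    if [ "${uniqueiv:-0}" -ne 1 ]; then
        echo "uniqueIV is off: the same plaintext block at the same offset in two files encrypts identically"; n=$((n + 1))
    fi
    if [ "${chainiv:-0}" -ne 1 ]; then
        echo "chainedNameIV is off: the same file name encrypts identically in every directory"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# write_sample_cfg FILE CIPHER KEYSIZE MACBYTES
# Writes a constructed .encfs6.xml (key and salt material omitted) so the
# audit can be exercised offline without a real volume.
write_sample_cfg() {
    cat >"$1" <<EOF
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
<cfg class_id="0" tracking_level="0" version="20">
  <version>20100713</version>
  <creator>EncFS 1.7.4</creator>
  <cipherAlg class_id="1" tracking_level="0" version="0">
    <name>$2</name>
    <major>3</major>
    <minor>0</minor>
  </cipherAlg>
  <nameAlg>
    <name>nameio/block</name>
    <major>3</major>
    <minor>0</minor>
  </nameAlg>
  <keySize>$3</keySize>
  <blockSize>1024</blockSize>
  <uniqueIV>1</uniqueIV>
  <chainedNameIV>1</chainedNameIV>
  <externalIVChaining>0</externalIVChaining>
  <blockMACBytes>$4</blockMACBytes>
  <blockMACRandBytes>0</blockMACRandBytes>
  <allowHoles>1</allowHoles>
</cfg>
</boost_serialization>
EOF
}

# Demo on constructed files: the expert-mode choices made in this post,
# then what paranoia mode would have written.
EXPERT=$(mktemp); PARANOIA=$(mktemp)
write_sample_cfg "$EXPERT" ssl/blowfish 256 0
write_sample_cfg "$PARANOIA" ssl/aes 256 8
echo "== expert-mode choices =="
audit_encfs_config "$EXPERT" || echo "-> weaknesses found"
echo "== paranoia mode =="
audit_encfs_config "$PARANOIA" && echo "-> no findings"
rm -f "$EXPERT" "$PARANOIA"
```

On a real volume run `audit_encfs_config ~/.Private/.encfs6.xml`; `encfsctl info ~/.Private` shows the same values in human-readable form. Of the choices made above, the audit flags Blowfish (AES is the better choice and is what both preset modes use) and the missing block authentication headers; paranoia mode passes clean.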

CRYPTKEEPER GUI

When you start Cryptkeeper, a lock icon appears in the system tray of your desktop; in KDE the program is under KDE Menu--System--CryptKeeper. Left-click the lock and you can either create a New Encrypted Folder or Import EncFS Folder. Since I created the folder on the command line, I will import it. In the dialog that appears, either type the path to the encrypted folder (/home/user1/.Private) into the location field in the upper left-hand corner, or click in the folder navigation pane to give it focus, press CTRL+H to show hidden folders, and select /home/user1/.Private with the mouse. With the folder selected, click Forward.

Now you will need to choose the name and location of the mount point, in this case /home/user1/Private

Select the folder and click Forward.

You will now see a confirmation message that your EncFS folder was imported into Cryptkeeper. Click OK.

Left-click the lock in the system tray and select your encrypted folder, then enter your password. When you open the mount point in your file manager, you will see the decrypted contents.

Right-click the lock in the System Tray and select Preferences. You can type your preferred File Manager in the dialog box plus change a few other things regarding how Cryptkeeper behaves.

To unmount the folder, left-click the lock in the system tray and select the same encrypted folder again; Cryptkeeper unmounts it. Unmount whenever you step away from the machine, since anything running under your user can read the plaintext for as long as the volume is mounted.

SECURING GNUPG KEYS

If you have an unencrypted /home partition and would like to protect your GnuPG Private Keys, you can use EncFS to help you. Here are the steps:

1. Copy your GnuPG keyrings into the mounted /home/user1/Private folder
2. Shred the originals in /home/user1/.gnupg
3. In /home/user1/.gnupg, create symlinks pointing at the copies in /home/user1/Private

Whenever you want to use your GnuPG keys, mount your Private folder first so the keyrings are available before you open the Gnu Privacy Assistant or encrypt mail with Claws Mail; while the volume is unmounted the symlinks dangle and GnuPG finds no keys. Make sure the Private folder is mounted before running the cp commands below as well, otherwise the keys are copied in cleartext into the empty mount-point directory on the unencrypted partition. Here are the commands:

$ cp /home/user1/.gnupg/pubring.gpg /home/user1/Private/pubring.gpg
$ cp /home/user1/.gnupg/secring.gpg /home/user1/Private/secring.gpg
$ shred -u /home/user1/.gnupg/pubring.gpg
$ shred -u /home/user1/.gnupg/pubring.gpg~
$ shred -u /home/user1/.gnupg/secring.gpg
$ cd /home/user1/.gnupg
$ ln -s /home/user1/Private/pubring.gpg ./pubring.gpg
$ ln -s /home/user1/Private/secring.gpg ./secring.gpg

Now open Gnu Privacy Assistant and you should still see your GnuPG keys. If not, go back through these steps to find where the mistake was made. Two caveats: shred assumes the filesystem overwrites data in place, which journaled filesystems do not guarantee (see the shred man page), so an old cleartext copy of secring.gpg may remain recoverable on disk; and this keyring layout is that of GnuPG 1.4 and 2.0, while GnuPG 2.1 and later keep secret keys under .gnupg/private-keys-v1.d rather than in secring.gpg.
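The relocation above, as an added shell script that is not part of the original post: it refuses to copy anything unless the mount point is actually an EncFS mount, verifies each copy before shredding the original, and also removes the keyring~ backups gpg leaves behind. The optional MOUNTS argument is an assumption added so the check can run against a constructed mount table; in real use it defaults to /proc/mounts. The demo at the bottom runs on a temporary directory with constructed keyring files, so no real EncFS volume is needed to watch the logic work.

```shell
#!/bin/sh
# Added example, not part of the original post: move the GnuPG keyrings into
# the EncFS mount and leave symlinks behind, refusing to proceed unless the
# mount point really is an EncFS mount. Without that check, cp would drop
# secring.gpg in cleartext into the empty mount-point directory on the
# unencrypted /home partition, the very thing this setup is meant to prevent.
# Assumes the GnuPG 1.4/2.0 keyring layout (pubring.gpg, secring.gpg). The
# optional MOUNTS argument exists so the check can be exercised on a
# constructed mount table; in real use it defaults to /proc/mounts.

# encfs_mounted_at DIR [MOUNTS]
# Succeeds if MOUNTS lists DIR as a fuse.encfs mount (the type FUSE reports
# for an encfs mount).
encfs_mounted_at() {
    awk -v mp="${1%/}" '$2 == mp && $3 == "fuse.encfs" { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# relocate_gnupg_keys GNUPGDIR PRIVATE [MOUNTS]
# For each keyring: copy into PRIVATE, verify, shred the original and any
# <keyring>~ backup, then leave a symlink in GNUPGDIR pointing at the copy.
relocate_gnupg_keys() {
    gnupgdir="$1"; private="$2"; mounts="${3:-/proc/mounts}"
    if ! encfs_mounted_at "$private" "$mounts"; then
        echo "refusing: $private is not an EncFS mount, keys would be stored in cleartext" >&2
        return 1
    fi
    for ring in pubring.gpg secring.gpg; do
        src="$gnupgdir/$ring"
        dst="$private/$ring"
        if [ -L "$src" ]; then
            echo "$src is already a symlink, skipping"
            continue
        fi
        if [ ! -f "$src" ]; then
            echo "$src not found" >&2
            return 1
        fi
        # Copy, lock down the mode, and verify the copy before destroying the original.
        cp -p "$src" "$dst" || return 1
        chmod 600 "$dst"
        if ! cmp -s "$src" "$dst"; then
            echo "copy of $ring does not match the original" >&2
            return 1
        fi
        shred -u "$src"
        # gpg keeps a backup of a keyring it modified as <name>~; remove that too.
        if [ -f "$src~" ]; then shred -u "$src~"; fi
        ln -s "$dst" "$src"
    done
}

# Demo on a constructed layout in a temp dir, with a constructed mount table
# that lists Private as fuse.encfs (no real encfs needed to see the logic run).
T=$(mktemp -d)
mkdir "$T/.gnupg" "$T/Private"
printf 'fake public keyring\n' >"$T/.gnupg/pubring.gpg"
printf 'fake secret keyring\n' >"$T/.gnupg/secring.gpg"
printf 'rootfs / ext4 rw 0 0\n' >"$T/mounts.before"      # Private not mounted
printf 'rootfs / ext4 rw 0 0\nencfs %s fuse.encfs rw,nosuid,nodev,user_id=1000 0 0\n' \
    "$T/Private" >"$T/mounts.after"
relocate_gnupg_keys "$T/.gnupg" "$T/Private" "$T/mounts.before" || echo "(refused, as intended)"
relocate_gnupg_keys "$T/.gnupg" "$T/Private" "$T/mounts.after" && ls -l "$T/.gnupg"
rm -rf "$T"
```

For the real thing, mount the volume first and run `relocate_gnupg_keys ~/.gnupg ~/Private`. Keeping the mount check separate from the copy step is the point: the script fails closed, and nothing touches the keyrings until both the mount and the copy have been confirmed.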