In our previous article, we learnt how to encrypt files and directories on Ubuntu 18.04 using eCryptfs. The whole process of decrypting the directories is a bit old school and therefore, we bring you the easiest ways to decrypt the eCryptfs encrypted directory.
We will discuss two ways of doing this; Using bash script to automate the whole mount procedure and using a USB with a passphrase key to automount the directory on boot.
Automatically mounting encrypted directory using a bash script
The following is bash script that I made for this task. Feel free to improve on it to best suite your needs.
$ vim mnt_unmnt_mydocs.sh
#!/bin/bash
home=$HOME
secure_dir=$HOME/mydocuments
# Choose whether to mount or unmount your encrypted directory.
read -p "Do you want to mount or unmount the directory?(mount/unmount): " choice
if [[ "$choice" == "mount" ]]; then
# Prompt the user to enter passphrase.
read -sp "Enter the mount passphrase: " mountphrase
echo
echo "passphrase_passwd=${mountphrase}" > $HOME/key.txt
#Insert the Authentication passphrase into the user session keyring
printf "%s" "${mountphrase}" | ecryptfs-add-passphrase - > $HOME/sig_file.txt
#Extract the signature from the tmp.txr file
sig=`cat sig_file.txt | cut -d" " -f6 | tr -d '[]'`
# Remove the file with the signature
rm -f $HOME/sig_file.txt
#Mount the directory
sudo mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=$HOME/key.txt,no_sig_cache,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_enable_filename=y,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=${sig},ecryptfs_sig=${sig},ecryptfs_unlink_sigs $secure_dir $secure_dir &>/dev/null
echo "Encrypted directory mounted successfully."
# Remove the file containing the passphrase
rm -rf $HOME/key.txt
elif [[ "$choice" == "unmount" ]]; then
sudo umount $secure_dir 2>/dev/null
if [[ $? == 0 ]]; then
echo "Encrypted directory unmounted successfully."
else
echo "$secure_dir: target is busy."
fi
fi
Set the executable permissions on the script.
$ chmod +x mnt_unmnt_mydocs.sh
Mount the encrypted directory using the script.
$ ./mnt_unmnt_mydocs.sh Do you want to mount or unmount the directory?(mount/unmount): mount Enter the mount passphrase: Encrypted directory mounted successfully.
Unmount the encrypted directory
$ ./mnt_unmnt_mydocs.sh Do you want to mount or unmount the directory?(mount/unmount): unmount Encrypted directory unmounted successfully.
You can create an alias for the script.
$ echo "alias mnt_unmnt_mydocs='$HOME/test.sh'" > .bash_aliases $ source .bash_aliases
Automatically Mounting encrypted directory using a USB key
This example will use a /root/.ecryptfsrc file containing mount options, along with a passphrase file residing on a USB key.
Create a Mount point for USB
Create a mount point for mounting the USB drive.
# mkdir /media/username/usb
Mount the USB drive
# mount /dev/sdb1 /media/username/usb
Create a passphrase file in USB mount directory
# vim /media/username/usb/key.txt passphrase_passwd=[secrets] <-- subtitute with your passphrase
Extract a signature ID from the /root/.ecryptfs/sig-cache.txt file
# cat /root/.ecryptfs/sig-cache.txt 96b6fac91e0a01b8
Create /root/.ecryptfsrc file containing:
# vim /root/.ecryptfsrc
key=passphrase:passphrase_passwd_file=/media/username/usb/key.txt ecryptfs_sig=96b6fac91e0a01b8 <-- obtained from /root/.ecryptfs/sig-cache.txt ecryptfs_cipher=aes ecryptfs_key_bytes=16 ecryptfs_passthrough=n ecryptfs_enable_filename_crypto=n
Add the Mount Options to the fstab file.
/dev/sdb1 /media/username/usb ext3 ro 0 0 /home/username/mydocuments /home/username/mydocuments ecryptfs defaults 0 0
Note that USB with passphrase has to be mounted first before the encrypted directory can be mounted.
That is all about automating the mount process for the encrypted directories.
Just want to say, thanks for this!