How to Automate eCryptfs Mounting Procedure


In our previous article, we learnt how to encrypt files and directories on Ubuntu 18.04 using eCryptfs. Mounting (decrypting) those directories by hand is a bit old school, so here we look at easier ways to mount an eCryptfs-encrypted directory.

We will discuss two ways of doing this: using a bash script to automate the whole mount procedure, and using a USB drive holding a passphrase file to auto-mount the directory at boot.

Automatically mounting encrypted directory using a bash script

The following is a bash script that I made for this task. Feel free to improve on it to suit your needs.

$ vim mnt_unmnt_mydocs.sh
#!/bin/bash
secure_dir="$HOME/mydocuments"
key_file="$HOME/key.txt"
sig_file="$HOME/sig_file.txt"

# Choose whether to mount or unmount your encrypted directory.
read -p "Do you want to mount or unmount the directory?(mount/unmount): " choice
if [[ "$choice" == "mount" ]]; then
    # Prompt the user to enter the passphrase.
    read -sp "Enter the mount passphrase: " mountphrase
    echo
    # Write the passphrase file so that only the owner can read it.
    (umask 077; echo "passphrase_passwd=${mountphrase}" > "$key_file")

    # Insert the authentication passphrase into the user session keyring.
    printf "%s" "${mountphrase}" | ecryptfs-add-passphrase - > "$sig_file"

    # Extract the signature from the sig file (field 6 of the output is "[<sig>]").
    sig=$(cut -d" " -f6 "$sig_file" | tr -d '[]')
    # Remove the file with the signature.
    rm -f "$sig_file"

    # Mount the directory and report the actual result of the mount.
    if sudo mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=${key_file},no_sig_cache,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_enable_filename=y,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=${sig},ecryptfs_sig=${sig},ecryptfs_unlink_sigs "$secure_dir" "$secure_dir" &>/dev/null; then
        echo "Encrypted directory mounted successfully."
    else
        echo "Failed to mount $secure_dir."
    fi
    # Remove the file containing the passphrase.
    rm -f "$key_file"
elif [[ "$choice" == "unmount" ]]; then
    if sudo umount "$secure_dir" 2>/dev/null; then
        echo "Encrypted directory unmounted successfully."
    else
        echo "$secure_dir: could not unmount (target is busy or not mounted)."
    fi
fi
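The script above picks the signature out of the ecryptfs-add-passphrase output by whitespace field position, which silently yields garbage if the tool's wording ever changes or an error is printed instead. The following is an added example (not part of the original article) showing a stricter way to extract and validate the 16-hex-digit signature and to assemble the mount option string from it; the sample output line is constructed to match what the tool prints on success.

```bash
#!/bin/bash
# Added example, not from the original article: parse the signature printed by
# `ecryptfs-add-passphrase -` with a regular expression, validate it, and build
# the -o option string used by the article's mount command.

# Constructed sample of the line ecryptfs-add-passphrase prints on success.
SAMPLE_OUTPUT='Inserted auth tok with sig [96b6fac91e0a01b8] into the user session keyring'

# Print the 16-hex-digit signature found in the tool's output; fail if absent.
extract_sig() {
    local sig
    sig=$(printf '%s\n' "$1" | sed -n 's/.*sig \[\([0-9a-f]\{16\}\)\].*/\1/p')
    [ -n "$sig" ] || return 1
    printf '%s\n' "$sig"
}

# Validate a signature as read from sig-cache.txt: exactly 16 lowercase hex digits.
valid_sig() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# Assemble the mount -o string for a given signature and passphrase file,
# refusing to build one from a malformed signature.
build_mount_opts() {
    local sig=$1 keyfile=$2
    valid_sig "$sig" || return 1
    printf 'key=passphrase:passphrase_passwd_file=%s,no_sig_cache,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=%s,ecryptfs_sig=%s,ecryptfs_unlink_sigs\n' "$keyfile" "$sig" "$sig"
}

# Usage: sig=$(extract_sig "$(printf '%s' "$mountphrase" | ecryptfs-add-passphrase -)") \
#   && sudo mount -t ecryptfs -o "$(build_mount_opts "$sig" "$key_file")" "$secure_dir" "$secure_dir"
```

Because `extract_sig` and `build_mount_opts` return non-zero on bad input, a wrapper script can abort before calling `mount` instead of passing an empty `ecryptfs_sig=` to the kernel.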

Set the executable permissions on the script.

$ chmod +x mnt_unmnt_mydocs.sh

Mount the encrypted directory using the script.

$ ./mnt_unmnt_mydocs.sh
Do you want to mount or unmount the directory?(mount/unmount): mount
Enter the mount passphrase: 
Encrypted directory mounted successfully.

Unmount the encrypted directory using the script.

$ ./mnt_unmnt_mydocs.sh
Do you want to mount or unmount the directory?(mount/unmount): unmount
Encrypted directory unmounted successfully.

You can create an alias for the script (append to .bash_aliases so existing aliases are kept).

$ echo "alias mnt_unmnt_mydocs='$HOME/mnt_unmnt_mydocs.sh'" >> ~/.bash_aliases
$ source ~/.bash_aliases

Automatically Mounting encrypted directory using a USB key

This example will use a /root/.ecryptfsrc file containing mount options, along with a passphrase file residing on a USB key.

Create a mount point for the USB drive

Create a mount point for mounting the USB drive.

# mkdir /media/username/usb

Mount the USB drive

# mount /dev/sdb1 /media/username/usb

Create a passphrase file in the USB mount directory

# vim /media/username/usb/key.txt
passphrase_passwd=[secrets]   <-- substitute with your passphrase

Extract the signature ID from the /root/.ecryptfs/sig-cache.txt file

# cat /root/.ecryptfs/sig-cache.txt
96b6fac91e0a01b8

Create /root/.ecryptfsrc file containing:

# vim /root/.ecryptfsrc
key=passphrase:passphrase_passwd_file=/media/username/usb/key.txt
ecryptfs_sig=96b6fac91e0a01b8   <-- obtained from /root/.ecryptfs/sig-cache.txt
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n

Add the Mount Options to the fstab file.

/dev/sdb1   /media/username/usb    ext3    ro      0 0
/home/username/mydocuments /home/username/mydocuments ecryptfs defaults 0 0

Note that the USB drive holding the passphrase file has to be mounted before the encrypted directory can be mounted, so keep its fstab line above the eCryptfs line. Whoever holds that USB drive holds the passphrase, so treat it like a physical key.
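The ordering requirement above is easy to break when fstab is edited later. As an added example (not part of the original article), the following checks that the USB key entry precedes the eCryptfs entry in an fstab and that the USB filesystem is actually present in a /proc/mounts-style table before the encrypted directory is mounted. The mount points are the article's; the fstab and mounts contents are constructed samples.

```bash
#!/bin/bash
# Added example, not from the original article: sanity checks for the
# USB-key auto-mount setup. Paths follow the article; table contents are
# constructed samples standing in for /etc/fstab and /proc/mounts.

USB_MP=/media/username/usb
ENC_MP=/home/username/mydocuments

SAMPLE_FSTAB='/dev/sdb1   /media/username/usb    ext3    ro      0 0
/home/username/mydocuments /home/username/mydocuments ecryptfs defaults 0 0'

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/username/usb ext3 ro,relatime 0 0'

# Print the line number of the first non-comment fstab entry whose mount
# point is $2; print nothing if there is no such entry.
fstab_line_of() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print NR; exit }'
}

# Succeed when the USB key entry ($2) precedes the eCryptfs entry ($3) in the
# fstab text ($1), so a sequential `mount -a` at boot finds the passphrase file.
fstab_order_ok() {
    local fstab=$1 usb=$2 enc=$3 u e
    u=$(fstab_line_of "$fstab" "$usb")
    e=$(fstab_line_of "$fstab" "$enc")
    [ -n "$u" ] && [ -n "$e" ] && [ "$u" -lt "$e" ]
}

# Succeed when mount point $2 appears in a /proc/mounts-style table ($1).
is_mounted_in() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { found = 1 } END { exit !found }'
}

# Usage on a live system (requires root for the eCryptfs mount):
#   fstab_order_ok "$(cat /etc/fstab)" "$USB_MP" "$ENC_MP" || echo "fix fstab order"
#   is_mounted_in "$(cat /proc/mounts)" "$USB_MP" && mount "$ENC_MP"
```

Running `fstab_order_ok` from a pre-mount hook turns the silent boot-time failure (eCryptfs asked to mount before its passphrase file exists) into an explicit error.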

That is all about automating the mount process for the encrypted directories.
