How to Automate eCryptfs Mounting Procedure


In our previous article, we learnt how to encrypt files and directories on Ubuntu 18.04 using eCryptfs. Mounting (decrypting) the directory by hand every time is a multi-step, error-prone procedure: you insert the passphrase into the keyring, copy the signature out, and type a long mount command. This article shows two ways to automate it.

We will discuss two approaches: a bash script that automates the whole mount procedure, and a USB stick holding the passphrase that lets the directory be mounted automatically at boot.

Automatically mounting an encrypted directory using a bash script

The following is a bash script I made for this task. Feel free to improve on it to best suit your needs. It writes the passphrase to a temporary file that mount.ecryptfs reads (that file is created with mode 0600 and removed again as soon as the mount returns), and it reports success only when the mount command actually succeeded.

$ vim
#!/bin/bash
# Directory holding the eCryptfs-encrypted files (the article's example
# directory; adjust to yours). eCryptfs mounts it on top of itself.
secure_dir="$HOME/mydocuments"

# Choose whether to mount or unmount your encrypted directory.
read -p "Do you want to mount or unmount the directory?(mount/unmount): " choice
if [[ "$choice" == "mount" ]]; then
       # Prompt the user to enter the passphrase (not echoed).
       read -sp "Enter the mount passphrase: " mountphrase
       echo

       # Write the passphrase file readable by this user only (umask 077 gives
       # mode 0600); mount.ecryptfs, run as root via sudo, can still read it.
       umask 077
       echo "passphrase_passwd=${mountphrase}" > "$HOME/key.txt"

       # Insert the authentication passphrase into the user session keyring and
       # capture "Inserted auth tok with sig [<sig>] into the user session keyring"
       printf "%s" "${mountphrase}" | ecryptfs-add-passphrase - > "$HOME/sig_file.txt"
       unset mountphrase

       # Extract the signature (field 6, brackets stripped) from sig_file.txt
       sig=$(cut -d" " -f6 "$HOME/sig_file.txt" | tr -d '[]')
       # Remove the file with the signature
       rm -f "$HOME/sig_file.txt"

       # Mount the directory. Supplying both signatures and no_sig_cache keeps
       # mount.ecryptfs from prompting; check its exit status instead of assuming.
       if sudo mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=$HOME/key.txt,no_sig_cache,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_enable_filename=y,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=${sig},ecryptfs_sig=${sig},ecryptfs_unlink_sigs "$secure_dir" "$secure_dir" &>/dev/null; then
               echo "Encrypted directory mounted successfully."
       else
               echo "Mounting $secure_dir failed (wrong passphrase, or already mounted)."
       fi
       # Remove the file containing the passphrase
       rm -f "$HOME/key.txt"
elif [[ "$choice" == "unmount" ]]; then
        if sudo umount "$secure_dir" 2>/dev/null; then
                echo "Encrypted directory unmounted successfully."
        else
                echo "$secure_dir: target is busy or not mounted."
        fi
else
        echo "Unknown choice: $choice (expected mount or unmount)."
        exit 1
fi

Set the executable permissions on the script.

$ chmod +x

Mount the encrypted directory using the script.

$ ./
Do you want to mount or unmount the directory?(mount/unmount): mount
Enter the mount passphrase: 
Encrypted directory mounted successfully.

Unmount the encrypted directory

$ ./
Do you want to mount or unmount the directory?(mount/unmount): unmount
Encrypted directory unmounted successfully.

You can create an alias for the script. Append to ~/.bash_aliases rather than overwriting it, so existing aliases survive.

$ echo "alias mnt_unmnt_mydocs='$HOME/'" >> ~/.bash_aliases
$ source ~/.bash_aliases
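The script above takes the signature from a fixed field of the ecryptfs-add-passphrase output and prints "mounted successfully" regardless of what happened. The following is an added example (not code from the original article) showing the two checks a hardened version of the script would make: picking the signature out by pattern, which also copes with the two-line output of ecryptfs-add-passphrase --fnek, and confirming the mount through /proc/mounts. The function names are mine, the output format and /proc/mounts layout are assumed to be the usual Ubuntu ones, and both inputs are constructed samples (the second signature is made up).

```shell
#!/bin/bash
# Added example, not part of the original article: two checks the mount script
# above does not make. It reads the signature from ecryptfs-add-passphrase
# output with a pattern instead of a fixed field position, and it verifies
# the mount through /proc/mounts rather than assuming success.
# Assumptions: the output format of Ubuntu's ecryptfs-add-passphrase and the
# /proc/mounts field layout; both inputs below are constructed samples.

# Print every 16-hex-digit signature found in ecryptfs-add-passphrase output
# ($1), one per line. With --fnek the tool prints two lines: the passphrase
# signature first, then the filename-encryption-key (FNEK) signature.
extract_sigs() {
    printf '%s\n' "$1" | sed -n 's/.*sig \[\([0-9a-f]\{16\}\)\].*/\1/p'
}

# Succeed only if directory $1 appears in the /proc/mounts text $2 as an
# ecryptfs mount. The script's "mounted successfully" message should depend
# on this, not on the mount command's output being hidden.
is_ecryptfs_mounted() {
    printf '%s\n' "$2" | awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }'
}

# Constructed sample: what `ecryptfs-add-passphrase --fnek -` prints. The
# first signature is the one the article shows; the second is made up.
SAMPLE_ADD_OUTPUT='Inserted auth tok with sig [96b6fac91e0a01b8] into the user session keyring
Inserted auth tok with sig [3f2a19c84d7e5b60] into the user session keyring'

# Constructed /proc/mounts snapshot with the article's directory mounted.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/home/username/mydocuments /home/username/mydocuments ecryptfs rw,relatime,ecryptfs_sig=96b6fac91e0a01b8,ecryptfs_fnek_sig=3f2a19c84d7e5b60,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0'

# On a live system the calls would be:
#   sigs=$(extract_sigs "$(printf '%s' "$mountphrase" | ecryptfs-add-passphrase --fnek -)")
#   is_ecryptfs_mounted "$secure_dir" "$(cat /proc/mounts)"
extract_sigs "$SAMPLE_ADD_OUTPUT"
if is_ecryptfs_mounted /home/username/mydocuments "$SAMPLE_MOUNTS"; then
    echo "/home/username/mydocuments is an active ecryptfs mount"
fi
```

In the script, the mount branch would call is_ecryptfs_mounted after the sudo mount and print the success message only when it returns 0; the unmount branch can use the same function to tell "not mounted" apart from "busy".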

Automatically Mounting encrypted directory using a USB key

This example will use a /root/.ecryptfsrc file containing mount options, along with a passphrase file residing on a USB key. The mount is triggered from /etc/fstab at boot and therefore runs as root, which is why the options file lives in /root.

Create a Mount point for USB

Create a mount point for mounting the USB drive.

# mkdir /media/username/usb

Mount the USB drive

# mount /dev/sdb1 /media/username/usb

Create a passphrase file in the USB mount directory

# vim /media/username/usb/key.txt
passphrase_passwd=[secrets]   <-- substitute with your passphrase

Make the file owned by root with mode 0600 before going further. The stick is mounted read-only below, but that does not stop another local user from reading a world-readable key file, and a passphrase on a stick is only as safe as the stick itself. The filesystem on the stick has to support Unix permissions (the ext3 filesystem used in the fstab entry below does; FAT does not).

Extract the signature ID from the /root/.ecryptfs/sig-cache.txt file

 # cat /root/.ecryptfs/sig-cache.txt 

mount.ecryptfs writes this cache the first time a signature is used in a mount run as root without the no_sig_cache option. If the file does not exist or is empty, mount the directory once manually as root, or take the signature from the output of ecryptfs-add-passphrase as the script in the first part of this article does.

Create the /root/.ecryptfsrc file containing:

# vim /root/.ecryptfsrc
key=passphrase:passphrase_passwd_file=/media/username/usb/key.txt
ecryptfs_sig=96b6fac91e0a01b8   <-- obtained from /root/.ecryptfs/sig-cache.txt
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=y
ecryptfs_fnek_sig=96b6fac91e0a01b8   <-- signature of the filename-encryption key; the script above uses the same signature for both

The signature alone is not enough: without the key source, cipher and key size, mount.ecryptfs asks for them interactively, which at boot means a hung mount. The cipher, key size and filename-encryption settings must match the ones the directory was created with (the values here are the ones the mount script uses; set ecryptfs_enable_filename_crypto=n and drop ecryptfs_fnek_sig if filename encryption was not enabled).

Add the Mount Options to the fstab file.

/dev/sdb1   /media/username/usb    ext3    ro      0 0
/home/username/mydocuments /home/username/mydocuments ecryptfs defaults 0 0

Note that the USB stick holding the passphrase has to be mounted before the encrypted directory can be mounted. Keeping the USB entry first in fstab is what the example relies on; on a systemd-based system fstab line order is not a guarantee, so verify with a reboot and, if the encrypted directory is attempted before the stick is up, declare the dependency on the ecryptfs entry with systemd's x-systemd.requires-mounts-for=/media/username/usb fstab option. Two further practicalities: identify the stick by UUID= (shown by blkid) rather than /dev/sdb1, which changes with enumeration order, and add nofail to both entries so that a missing stick leaves the directory unmounted (ciphertext only, no plaintext exposed) instead of dropping the boot into emergency mode.
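Before rebooting it is worth checking the two things that turn a boot-time mount into an interactive prompt or an exposed passphrase: a /root/.ecryptfsrc that lacks options mount.ecryptfs needs, and a key file readable by someone other than root. The following pre-flight check is an added example and not part of the original article; the function names are mine, the required-option list is the set the mount script earlier on the page passes on the command line, the paths are the article's, and both .ecryptfsrc texts are constructed (the fnek signature is made up). The functions take file contents and stat output as arguments so the example runs offline.

```shell
#!/bin/bash
# Added example, not part of the original article: a pre-flight check for the
# USB-key setup, to run before rebooting. It flags the two things that turn a
# boot-time mount into an interactive prompt or an exposed passphrase: a
# /root/.ecryptfsrc without the options mount.ecryptfs needs, and a key file
# readable by someone other than root. Paths are the article's; the functions
# take file contents and stat output as arguments so they run offline here.

# Options mount.ecryptfs must find in .ecryptfsrc (or on the command line) to
# mount without asking questions; these match the mount script earlier on the page.
REQUIRED_OPTS="key ecryptfs_sig ecryptfs_cipher ecryptfs_key_bytes ecryptfs_passthrough ecryptfs_enable_filename_crypto"

# Print the value of option $1 from "name=value" lines in text $2 (empty if absent).
rc_get() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# List what is wrong with the .ecryptfsrc text $1, one finding per line, and
# return non-zero if anything was found.
lint_ecryptfsrc() {
    local rc="$1" opt bad=0
    for opt in $REQUIRED_OPTS; do
        if [ -z "$(rc_get "$opt" "$rc")" ]; then
            echo "missing: $opt"; bad=1
        fi
    done
    # A signature is 16 hex digits; anything else means a copy/paste slip.
    if ! printf '%s\n' "$(rc_get ecryptfs_sig "$rc")" | grep -Eq '^[0-9a-f]{16}$'; then
        echo "bad: ecryptfs_sig is not a 16-hex-digit signature"; bad=1
    fi
    # Filename encryption needs its own key signature or the mount will prompt.
    if [ "$(rc_get ecryptfs_enable_filename_crypto "$rc")" = y ] && \
       [ -z "$(rc_get ecryptfs_fnek_sig "$rc")" ]; then
        echo "missing: ecryptfs_fnek_sig"; bad=1
    fi
    return $bad
}

# $1 is "mode owner" as printed by: stat -c '%a %U' /media/username/usb/key.txt
# The key file must belong to root and be unreadable by group and others.
keyfile_is_private() {
    local mode="${1% *}" owner="${1#* }"
    [ "$owner" = root ] && { [ "$mode" = 600 ] || [ "$mode" = 400 ]; }
}

# Constructed inputs: the article's one-line .ecryptfsrc, and a complete one.
# (The fnek signature is made up; the ecryptfs_sig is the article's.)
RC_ARTICLE='ecryptfs_sig=96b6fac91e0a01b8'
RC_COMPLETE='key=passphrase:passphrase_passwd_file=/media/username/usb/key.txt
ecryptfs_sig=96b6fac91e0a01b8
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=y
ecryptfs_fnek_sig=3f2a19c84d7e5b60'

for rc in "$RC_ARTICLE" "$RC_COMPLETE"; do
    if lint_ecryptfsrc "$rc"; then echo "ecryptfsrc: ok"; fi
done
# On the real system: keyfile_is_private "$(stat -c '%a %U' /media/username/usb/key.txt)"
keyfile_is_private "644 root" || echo "key.txt: readable by others, chmod 600 it"
```

Run as root on the real system, replace the constructed texts with "$(cat /root/.ecryptfsrc)" and the stat output of the key file; the signature-only .ecryptfsrc from the page produces five "missing:" lines, which is exactly the set of questions mount.ecryptfs would otherwise ask at boot.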

That is all about automating the mount process for eCryptfs-encrypted directories: a script for interactive use, and a USB-resident passphrase for unattended mounts at boot.


