
fscrypt a usb drive?


Pocket

Nov 27, 2023, 12:20:06 PM
I am trying to use fscrypt to encrypt then be able to mount and umount it

Then fscrypt unlock <mountpoint> to access it

I have been unable to do so, in that after I mount the drive and set up
fscrypt I then have to create another directory under the mount point.

The USB drive was formatted like this:

mkfs.ext4 -O encrypt /dev/sdd1


Here is what I did, logged in as root:

mount /dev/sdd1 /home/fscrypt

fscrypt setup

fscrypt encrypt /home/fscrypt
[ERROR] fscrypt encrypt: Directory "/home/fscrypt" cannot be encrypted
because it is non-empty.

Ok I get that so.........

rm -r /home/fscrypt/lost+found

Try Again......................

fscrypt encrypt /home/fscrypt
[ERROR] fscrypt encrypt: filesystem /home/fscrypt is not setup for use
with fscrypt
Run "sudo fscrypt setup /home/fscrypt" to use fscrypt on this filesystem.


Alright.........................

fscrypt setup /home/fscrypt/
Allow users other than root to create fscrypt metadata on this
filesystem? (See
https://github.com/google/fscrypt#setting-up-fscrypt-on-a-filesystem)
[y/N] Y

Metadata directories created at "/home/fscrypt/.fscrypt", writable by
everyone.
root@scott:/home/fscrypt# fscrypt encrypt /home/fscrypt
[ERROR] fscrypt encrypt: Directory "/home/fscrypt" cannot be encrypted
because  it is non-empty.

Files cannot be encrypted in-place. Instead, encrypt a new directory,
copy the files into it, and securely delete the original directory. For example:

     mkdir "/home/fscrypt.new"
     fscrypt encrypt "/home/fscrypt.new"
     cp -a -T "/home/fscrypt" "/home/fscrypt.new"
     find "/home/fscrypt" -type f -print0 | xargs -0 shred -n1 --remove=unlink
     rm -rf "/home/fscrypt"
     mv "/home/fscrypt.new" "/home/fscrypt"

Caution: due to the nature of modern storage devices and filesystems, the
original data may still be recoverable from disk. It's much better to
encrypt your files from the start.

ls -hal /home/fscrypt
total 12K
drwxr-xr-x 3 scott scott 4.0K Nov 27 11:52 .
drwxr-xr-x 4 root  root  4.0K Nov 27 11:09 ..
drwxr-xr-x 4 root  root  4.0K Nov 27 11:52 .fscrypt


I am missing something here.........

Is there a way to do this so I have a USB drive encrypted using fscrypt
that I can mount, then fscrypt unlock it?

Max Nikulin

Nov 28, 2023, 5:30:08 AM
On 28/11/2023 00:09, Pocket wrote:
> mount /dev/sdd1 /home/fscrypt
>
> fscrypt setup
>
> fscrypt encrypt /home/fscrypt

I am unsure if it is possible to use fscrypt for whole filesystem since
it needs .fscrypt unencrypted. ext2 driver might need access to
lost+found even when directories are locked. Encrypting a whole
partition is a LUKS realm.

As a sanity check, does it work for a subdirectory?

mkdir /home/fscrypt/tst
fscrypt encrypt /home/fscrypt/tst

If you are going to create a portable home directory for a specific
user then you may face a number of issues. *Login* protector is stored
in /.fscrypt, not on the mounted partition, see the fscrypt README.md
file. Another problem is locking on logout because pam_fscrypt locks the
directory immediately on logout, but systemd user session is still
running at this moment (UserStopDelaySec=10 in /etc/systemd/logind.conf).

- <https://github.com/google/fscrypt/issues/95>
Implement automatic unlocking through a systemd service
- <https://github.com/systemd/systemd/issues/8598>
systemd-user doesn't properly close its PAM session

systemd-homed has another idea of managing per-user encrypted
directories, but I have not tried it.
https://systemd.io/HOME_DIRECTORY/

Pocket

Nov 28, 2023, 6:20:06 AM

On 11/28/23 05:25, Max Nikulin wrote:
> On 28/11/2023 00:09, Pocket wrote:
>> mount /dev/sdd1 /home/fscrypt
>>
>> fscrypt setup
>>
>> fscrypt encrypt /home/fscrypt
>
> I am unsure if it is possible to use fscrypt for whole filesystem
> since it needs .fscrypt unencrypted. ext2 driver might need access to
> lost+found even when directories are locked. Encrypting a whole
> partition is a LUKS realm.


Not really looking to encrypt the whole file system.  As another project
I want to try making the root filesystem mostly read only.

I am looking to be able to encrypt a USB drive and be able to move that
between systems. Late last night it seemed doable, as I was able to
create a USB drive, encrypt it on an AMD64 system and then mount it on a
Raspberry Pi 4 system and unlock it.

What seemed to work was the following (using pass phrase):

sudo fscrypt setup <--- this is done only once to setup fscrypt on the system

sudo mkfs.ext4 -O encrypt /dev/sdd1

sudo mount /dev/sdd1 /home/fscrypt

sudo mkdir /home/fscrypt/Encrypted

sudo fscrypt encrypt /home/fscrypt/Encrypted

sudo chown -R pocket:pocket /home/fscrypt/Encrypted

echo "Hello" > /home/fscrypt/Encrypted/hello.text

cat /home/fscrypt/Encrypted/hello.text

Hello

sudo fscrypt lock /home/fscrypt/Encrypted

ls -hal /home/fscrypt/Encrypted

-rw-r--r-- 1 pocket pocket 220K Nov 27 12:39 -mspK6KZvFhYvGJpSirWjnmUWbXtqlP0D7uaGhDn1NTLcheWzL-tDw
drwx------ 2 pocket pocket 4.0K Nov 27 12:39 .
drwxr-xr-x 5 pocket pocket 4.0K Nov 27 12:33 ..
-rw-r--r-- 1 pocket pocket  37K Nov 27 12:39 GKuta8pYdPh6y4ZbGtLvGO5MZOhbUjuAU3WCdzGUfBAWv0SYIW3-DA
-rw-r--r-- 1 pocket pocket 596K Nov 27 12:39 kJ-GR8llWnN1Tby9TK3eJFH_ihDdYfeSkpqhTkZaZyFdWFR-6Te-Hw

sudo umount /home/fscrypt/Encrypted

sudo fscrypt lock /home/fscrypt/Encrypted


Then on the Raspberry Pi that auto mounts USB drives:

sudo fscrypt setup <--- this is done only once to setup fscrypt on the system

fscrypt status

MOUNTPOINT                                          DEVICE          FILESYSTEM  ENCRYPTION     FSCRYPT
/                                                   /dev/sda2       ext4        not enabled    Yes
/boot/firmware                                      /dev/sda1       vfat        not supported  No
/media/pocket/00ce662c-e1e8-4eff-a6dd-65ac1385de78  /dev/sdb1       ext4        supported      Yes
/media/scott/SDCARD-BOOT                            /dev/mmcblk0p1  vfat        not supported  No
/media/scott/SDCARD-ROOT                            /dev/mmcblk0p2  ext4        not enabled    No

sudo fscrypt unlock /media/pocket/00ce662c-e1e8-4eff-a6dd-65ac1385de78/Encrypted

cat /media/pocket/00ce662c-e1e8-4eff-a6dd-65ac1385de78/Encrypted/Hello.text

Hello

sudo fscrypt lock /media/pocket/00ce662c-e1e8-4eff-a6dd-65ac1385de78/Encrypted

sudo umount /media/pocket/00ce662c-e1e8-4eff-a6dd-65ac1385de78/


So the issue of the day is to refine that and document it.

I will then try to use fscrypt to encrypt home directories and have it
unlocked upon login with pam as another project.


>
> As a sanity check, does it work for a subdirectory?
>
>     mkdir /home/fscrypt/tst
>     fscrypt encrypt /home/fscrypt/tst


Yes, I have that working as I continue to work on this, as above

>
> If your are going to create a portable home directory for a specific
> user then you may face a number of issues. *Login* protector is stored
> in /.fscrypt, not on the mounted partition, see the fscrypt README.md
> file. Another problem is locking on logout because pam_fscrypt locks
> the directory immediately on logout, but systemd user session is still
> running at this moment (UserStopDelaySec=10 in /etc/systemd/logind.conf).


Not sure if that is entirely the case, as my above method seems to be
working


>
> - <https://github.com/google/fscrypt/issues/95>
>   Implement automatic unlocking though a systemd service
> - <https://github.com/systemd/systemd/issues/8598>
>   systemd-user doesn't properly close its PAM session


That may be the next dragon to slay......


>
>
> systemd-homed has another idea of managing per-user encrypted
> directories, but I have not tried it.
> https://systemd.io/HOME_DIRECTORY/


systemd-homed is another issue that I want to have a go at.

--
It's not easy to be me

Max Nikulin

Nov 28, 2023, 6:30:08 AM
On 28/11/2023 18:12, Pocket wrote:
>
> Not really looking to encrypt the whole file system.  As another project
> I want to try making the root filesystem mostly read only.

You may mount a partition encrypted using LUKS2 by providing a
passphrase during the initrd stage. It should be more straightforward.
Fscrypt is necessary to allow different secrets for different
directories, e.g. per-user ones.

>> If your are going to create a portable home directory for a specific
>> user then you may face a number of issues. *Login* protector is stored
>> in /.fscrypt, not on the mounted partition, see the fscrypt README.md
>> file.
>
> Not sure if that is entirely the case, as my above method seems to be
> working

*Login* protector used by pam_fscrypt is a different case.

Pocket

Nov 28, 2023, 7:10:07 AM

On 11/28/23 06:27, Max Nikulin wrote:
> On 28/11/2023 18:12, Pocket wrote:
>>
>> Not really looking to encrypt the whole file system.  As another
>> project I want to try making the root filesystem mostly read only.
>
> You may mount a partition encrypted using LUKS2 by providing a
> passphrase during initrd stage. It should be more straightforward.
> Fscrypt is necessary to allow different secrets to for different
> directories, e.g. per user ones.


Been there, done that, and have the scars from doing that. I almost bled
to death, so I ain't doing that ever again.


>
>>> If your are going to create a portable home directory for a specific
>>> user then you may face a number of issues. *Login* protector is
>>> stored in /.fscrypt, not on the mounted partition, see the fscrypt
>>> README.md file.
>>
>> Not sure if that is entirely the case, as my above method seems to be
>> working
>
> *Login* protector used by pam_fscrypt is a different case.
>
Well I will see about that when the time comes.

I have a few ideas that may "fix" that, untested at the present time of
course.

Max Nikulin

Nov 28, 2023, 7:40:06 AM
Just a couple of additional notes

> sudo fscrypt encrypt /home/fscrypt/Encrypted
>
> sudo chown -R pocket:pocket /home/fscrypt/Encrypted

You should be able to create an encrypted directory as a regular user.
With the command above you may face an issue during, e.g., an attempt to
change the passphrase. Files in /home/fscrypt/.fscrypt belong to root, not
to pocket.

Another way suitable for a new user

fscrypt encrypt /home/newhome --user=user

is documented in https://wiki.archlinux.org/title/Fscrypt

Concerning lock on logout, I had an idea to use a systemd unit with a
command executed after user@.service completion. Unfortunately
libpam-fscrypt 0.3.3-1+b6 does not support the `unlock_only` option yet, but
`lock_policies` is already the default and a no-op. So there is no way to
disable lock on logout. Now I am trying to figure out if

systemctl --user exit

may have negative effects. Some running processes may prevent locking of
directories though.
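Pocket's working sequence (a freshly formatted `mkfs.ext4 -O encrypt` stick, an `Encrypted` subdirectory rather than the mountpoint, unlock on a second machine) and Max's point about letting the owning user create the fscrypt metadata fit in one small script. The following is an added example, not code from the thread or from the fscrypt project. It assumes fscrypt and e2fsprogs are installed, that device, mountpoint, directory and owner are passed as arguments, and that `fscrypt setup --all-users` and `fscrypt encrypt --user` behave as the fscrypt README and the Arch wiki describe. The embedded status table is a constructed re-layout of the one Pocket posted, so the parser can be exercised without a USB stick; everything that touches a device needs root.

```shell
#!/bin/sh
# Added example: portable fscrypt directory on a USB stick.
# Assumed: fscrypt, e2fsprogs (mkfs.ext4, tune2fs), util-linux (mount/umount).
set -eu

# Constructed sample of `fscrypt status` output (re-layout of the thread's table).
SAMPLE_STATUS=$(cat <<'EOF'
MOUNTPOINT                                          DEVICE          FILESYSTEM  ENCRYPTION     FSCRYPT
/                                                   /dev/sda2       ext4        not enabled    Yes
/boot/firmware                                      /dev/sda1       vfat        not supported  No
/media/pocket/00ce662c-e1e8-4eff-a6dd-65ac1385de78  /dev/sdb1       ext4        supported      Yes
/media/scott/SDCARD-BOOT                            /dev/mmcblk0p1  vfat        not supported  No
/media/scott/SDCARD-ROOT                            /dev/mmcblk0p2  ext4        not enabled    No
EOF
)

# Read `fscrypt status` text on stdin and print the ENCRYPTION column for the
# given mountpoint: "supported", "not enabled", "not supported", or "unknown"
# if the mountpoint is not listed. Columns 4..NF-1 form the value because
# "not enabled" / "not supported" contain a space; the last column is FSCRYPT.
fs_encryption_state() {
    awk -v mp="$1" '
        NR > 1 && $1 == mp {
            enc = ""
            for (i = 4; i < NF; i++) enc = enc (i > 4 ? " " : "") $i
            print enc
            found = 1
        }
        END { if (!found) print "unknown" }'
}

# Fail early, with the fix, unless the filesystem behind MOUNTPOINT carries the
# ext4 "encrypt" feature. This is the check behind Pocket's first error.
require_encrypt_feature() {
    mp=$1
    state=$(fscrypt status | fs_encryption_state "$mp")
    case $state in
        supported) return 0 ;;
        "not enabled")
            echo "$mp: enable the feature with 'tune2fs -O encrypt <device>'" >&2
            return 1 ;;
        *)  echo "$mp: encryption is '$state' on this filesystem" >&2
            return 1 ;;
    esac
}

# One-time preparation, run as root. The mountpoint itself stays unencrypted
# (it must keep lost+found and .fscrypt readable); only DIRNAME is encrypted.
usb_prepare() {            # usb_prepare DEVICE MOUNTPOINT DIRNAME OWNER
    dev=$1 mp=$2 dir=$3 owner=$4
    mkfs.ext4 -O encrypt "$dev"
    mkdir -p "$mp"
    mount "$dev" "$mp"
    fscrypt setup --all-users "$mp"     # per-filesystem metadata in $mp/.fscrypt
    require_encrypt_feature "$mp"
    mkdir "$mp/$dir"
    chown "$owner:$owner" "$mp/$dir"
    # --user makes the protector/policy files under $mp/.fscrypt belong to
    # OWNER, so a later passphrase change does not need root (Max's point).
    # fscrypt prompts interactively for the protector type and passphrase.
    fscrypt encrypt --user="$owner" "$mp/$dir"
}

# Daily use on any host that has run `fscrypt setup` once; the passphrase
# protector travels on the stick, so no host-side user database is needed.
usb_unlock() {             # usb_unlock MOUNTPOINT/DIRNAME
    fscrypt unlock "$1"
}

# Lock first, then unmount the MOUNTPOINT (not the encrypted subdirectory).
# Locking is refused while a process still holds a file open inside.
usb_detach() {             # usb_detach MOUNTPOINT DIRNAME
    sync
    fscrypt lock "$1/$2"
    umount "$1"
}

case "${1:-}" in
    prepare) shift; usb_prepare "$@" ;;
    unlock)  usb_unlock "$2" ;;
    detach)  usb_detach "$2" "$3" ;;
    *) echo "usage: $0 prepare DEV MP DIR OWNER | unlock MP/DIR | detach MP DIR" >&2 ;;
esac
```

Two details carry the security point of the thread. The protector is created on the stick's own filesystem, so it lives in `<mountpoint>/.fscrypt` and moves with the drive, which is why Pocket's cross-machine test worked; a pam_fscrypt login protector instead sits in `/.fscrypt` on the host, which is the distinction Max draws. And the order is lock, then unmount the mountpoint: `fscrypt lock` is what reports files still held open, which Max notes is what blocks locking on a live session.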

Pocket

Nov 28, 2023, 9:00:06 AM


Sent from my iPad

> On Nov 28, 2023, at 7:32 AM, Max Nikulin <mani...@gmail.com> wrote:
I am doing this project for an encrypted container.
I need to investigate whether or not I can place multiple encrypted directories upon the USB drive, all independent of course. Meaning a separate pass phrase for each. Also if they are truly independent.

I will get to your other points after I have finished with this. I haven’t made a big enough mess with this as of now.