Today we had a chance to do a Linux hangout on Google+ and talk about the file system encryption feature on CentOS which is new for CentOS 6.
We also posted a schedule for upcoming Linux hangouts. Be sure to join us on Google+ and catch the next hangout live.
Encrypted File System
CentOS 6 now provides eCryptfs, which encrypts data on a per-file basis rather than encrypting the whole block device as disk (block) encryption does. eCryptfs sits on top of the existing file system and adds the encryption layer there, which is why it is called a stacked, or pseudo, file system: file operations destined for the underlying file system are intercepted by eCryptfs and the data is encrypted before it reaches the disk.
This package needs to be installed in order to perform the encryption.
yum install -y ecryptfs-utils
The following mounts a new partition at /data once it has been created and formatted as ext4. In this example the ext4 partition is /dev/sdc1, and it is mounted on /data.
mkdir /data
mount /dev/sdc1 /data
To limit confusion, mount the eCryptfs layer using the same directory name as the underlying mount: here the partition is mounted on /data, so the eCryptfs layer is mounted on /data as well (source and target are both /data). Remember that eCryptfs is a layer on top of the existing file system. When you mount the directory you will be prompted for several options, such as the key type (passphrase), the cipher and the key bytes.
mount -t ecryptfs /data /data
Select key type to use for newly created files:
1) passphrase
2) tspi
3) openssl
Selection: 1
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=553de639cb0f6966
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [553de639cb0f6966] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
You can see the layer listed with the df command.
df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VolGroup-lv_root
13034208 1737188 10634904 15% /
tmpfs 1035492 0 1035492 0% /dev/shm
/dev/sda1 495844 48897 421347 11% /boot
/dev/sdc1 10325748 154136 9647092 2% /data
/data 10325748 154136 9647092 2% /data
Test the /data directory encryption by unmounting the eCryptfs layer.
umount /data/
Check that the underlying partition (/dev/sdc1) is still mounted on /data.
df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VolGroup-lv_root
13034208 1737196 10634896 15% /
tmpfs 1035492 0 1035492 0% /dev/shm
/dev/sda1 495844 48897 421347 11% /boot
/dev/sdc1 10325748 154148 9647080 2% /data
Now open a file in that directory and you will see that its contents are encrypted.
@^@^@^@^@^@^@^UÆV]<85>ú×êp^C^@^@^B^@^@^P^@^@^B<8c>^]^D^G^C^A^@^Q”3DUfw`ɼ$ÖÈ£¹<98>Ã֏Yëw’¹Ã^Vb^H_CONSOLE^@^@^@^@U=æ9Ë^Oif^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
Remount the /data directory with:
mount -t ecryptfs /data /data
Enter the same options and passphrase to regain access to the files in the directory. Note: if you mount with a different passphrase, the mount will succeed, but you will not have access to the files created previously.
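The whole cycle above (mount the layer with the options accepted at the prompts, confirm the layer is up, write a file, unmount, confirm the bytes on /dev/sdc1 are not plaintext, remount) can be scripted. The script below is an added example, not code from the original post. It assumes the post's layout (/dev/sdc1 already mounted on /data, ecryptfs-utils installed), takes the passphrase from an ECRYPTFS_PASS environment variable of its own, and uses the ecryptfs-utils mount options key=passphrase, passphrase_passwd_file, ecryptfs_passthrough and ecryptfs_enable_filename_crypto, which are not printed in the post's output and are assumptions here. The helper functions are pure shell so they can be exercised without root or an eCryptfs mount.

```shell
#!/bin/sh
# Added example (not from the original post): scripted mount / verify /
# unmount / remount cycle for the /data eCryptfs layer. Assumes /dev/sdc1 is
# already mounted on /data and ecryptfs-utils is installed. The passphrase
# comes from ECRYPTFS_PASS (this script's own convention) and is handed to
# mount through a mode-600 temporary file, never on the command line.

# Non-interactive equivalent of the prompts in the post: cipher, key size,
# plaintext passthrough off, filename encryption off. Key size is limited to
# the three values the prompt offers (16, 24, 32).
ecryptfs_mount_opts() {
    cipher="${1:-aes}"
    key_bytes="${2:-16}"
    case "$key_bytes" in
        16|24|32) ;;
        *) echo "ecryptfs_mount_opts: key bytes must be 16, 24 or 32" >&2; return 1 ;;
    esac
    printf 'ecryptfs_cipher=%s,ecryptfs_key_bytes=%s,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n' \
        "$cipher" "$key_bytes"
}

# Scripted form of the df check: succeed only if the mount table (default
# /proc/mounts) has an ecryptfs entry on the given mountpoint, i.e. the
# encryption layer, not just the underlying ext4, is mounted there.
is_ecryptfs_mounted() {
    mnt="$1"
    table="${2:-/proc/mounts}"
    awk -v m="$mnt" '$2 == m && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$table"
}

# Guarded write: refuse to create the file if the layer is not up, because a
# write to /data while only /dev/sdc1 is mounted there lands on disk in
# plaintext (exactly the state df shows after the umount in the post).
write_secret() {
    dir="$1"; name="$2"; content="$3"; table="${4:-/proc/mounts}"
    if ! is_ecryptfs_mounted "$dir" "$table"; then
        echo "write_secret: $dir is not an ecryptfs mount, refusing to write plaintext" >&2
        return 1
    fi
    printf '%s\n' "$content" > "$dir/$name"
}

# Mount the layer with the same options the post accepted interactively.
# passphrase_passwd_file is the ecryptfs-utils way to supply the passphrase
# without a prompt (assumed option name). The first mount with a new
# passphrase still raises the sig-cache warning shown in the post unless
# no_sig_cache is added; it is left out on purpose so a mistyped passphrase
# is noticed instead of silently producing an empty-looking directory.
mount_layer() {
    dir="$1"
    pf=$(mktemp) || return 1
    chmod 600 "$pf"
    printf 'passphrase_passwd=%s\n' "$ECRYPTFS_PASS" > "$pf"
    mount -t ecryptfs "$dir" "$dir" \
        -o "key=passphrase:passphrase_passwd_file=$pf,$(ecryptfs_mount_opts aes 16)"
    rc=$?
    rm -f "$pf"
    return $rc
}

# Full cycle; only runs when invoked as: ECRYPTFS_PASS=... sh script.sh run
if [ "${1:-}" = "run" ]; then
    set -e
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    [ -n "${ECRYPTFS_PASS:-}" ] || { echo "set ECRYPTFS_PASS" >&2; exit 1; }
    mount_layer /data
    is_ecryptfs_mounted /data
    write_secret /data test.txt "hello from the encrypted layer"
    umount /data
    # With the layer gone, the bytes on /dev/sdc1 must not contain the plaintext.
    if grep -q "hello from the encrypted layer" /data/test.txt; then
        echo "plaintext visible on the underlying file system" >&2; exit 1
    fi
    # Same passphrase and options give the file back; a different passphrase would not.
    mount_layer /data
    cat /data/test.txt
    umount /data
fi
```

The guard in write_secret is the check worth keeping in any automation around this setup: after the umount in the post, /data is still a perfectly writable ext4 mount, so anything a job writes there in that window is stored unencrypted.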