Sunday, April 17, 2011

Setting up an encrypted filesystem on Ubuntu/Debian
Main reference:

http://www.ubuntugeek.com/how-to-create-a-private-encrypted-folder-on-ubuntu-810-intrepid.html

The advantage of using eCryptfs is that it is a kernel module built into the Linux filesystem stack (Linux kernel >= 2.6.19).

eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem
for Linux. It provides advanced key management and policy features. eCryptfs stores
cryptographic metadata in the header of each file written, so that encrypted
files can be copied between hosts; the file will be decryptable with the proper
key, and there is no need to keep track of any additional information aside
from what is already in the encrypted file itself. Think of eCryptfs as a sort
of "gnupgfs". eCryptfs is a native Linux filesystem. The kernel module component of eCryptfs is part of the Linux kernel since 2.6.19.


By contrast, the EncFS package runs on top of the FUSE kernel driver; in terms of performance, eCryptfs compared with EncFS

EncFS integrates file system encryption into the Unix(TM) file system.
Encrypted data is stored within the native file system, thus no
fixed-size loopback image is required.
EncFS uses the FUSE kernel driver and library as a backend.


  1. After installing the package (sudo apt-get install ecryptfs-utils), all of the following setup is done from the command line and requires root privileges.
  2. Create or pick the folder you want to encrypt, paying attention to its permissions. For example: chmod 700 yy
  3. sudo mount -t ecryptfs yy yy (encrypts the yy folder in the current directory and mounts it)
  4. The system will then prompt:
Passphrase: (set the encryption passphrase)
Select cipher: (choose the cipher)
1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: (default is AES)
Select key bytes: (choose the key length)
1) 16
2) 32
3) 24
Selection [16]: 1 (default is 16 bytes = 128 bits; the maximum is 32 bytes = 256 bits)
Enable plaintext passthrough (y/n) [n]: (whether unencrypted files are allowed inside the encrypted folder; default is no)
Enable filename encryption (y/n) [n]: y (whether to encrypt filenames; default is no, I chose yes)
Filename Encryption Key (FNEK) Signature [13fa0849da92e06]: (the filename encryption key; accept the default)
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=13fa0849da92e06
ecryptfs_key_bytes=32
ecryptfs_cipher=aes
ecryptfs_sig=13fa0849da92e06
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes (really carry out the mount? Of course, yes)
Would you like to append sig [13fa0849da92e06] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : no (whether to save the settings above so they can be reused directly later)
Not adding sig to user sig cache file; continuing with mount.
Mounted eCryptfs


To unmount the encrypted folder, just run sudo umount yy; the files in the folder then appear in an unreadable format.
That basically completes the encrypted folder setup. AES 256-bit encryption is already the mainstream standard today and should be sufficient.
Once you've encrypted it, don't forget your passphrase.
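The same mount and unmount, scripted so the prompts above are not needed, as an added example that is not part of the original post. It assumes ecryptfs-utils and keyutils are installed, that mount_private and lock_private run as root, and it uses the folder name yy from the post; the two helper functions are checked against a constructed /proc/mounts listing.

```shell
#!/bin/sh
# Added example, not from the original post: mount and unmount an eCryptfs
# folder with the settings the interactive prompts above end up with (AES,
# 32-byte key, filename encryption on, plaintext passthrough off) but without
# the prompts. Assumes ecryptfs-utils and keyutils are installed and that
# mount_private/lock_private run as root; "yy" is the folder name from the post.

# Build the mount option string from cipher, key size and the two key signatures.
ecryptfs_opts() {
    printf 'ecryptfs_cipher=%s,ecryptfs_key_bytes=%s' "$1" "$2"
    printf ',ecryptfs_passthrough=n,ecryptfs_unlink_sigs,ecryptfs_sig=%s' "$3"
    printf ',ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=%s' "$4"
}

# Exit 0 if DIR ($1) is listed as an ecryptfs mount in the /proc/mounts-style
# text read from stdin (a constructed listing is used in the checks).
is_ecryptfs_mounted() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }'
}

# Read the passphrase from stdin, insert the file key and filename key (FNEK)
# into the user keyring, then mount DIR over itself so cleartext is only
# visible while the mount is active.
mount_private() {
    dir="$1"
    chmod 700 "$dir" || return 1
    # ecryptfs-add-passphrase prints one "Inserted auth tok with sig [<hex>] ..."
    # line for the file key and a second one for the FNEK.
    sigs=$(ecryptfs-add-passphrase --fnek - | sed -n 's/.*sig \[\([0-9a-f]*\)].*/\1/p')
    sig=$(printf '%s\n' "$sigs" | sed -n 1p)
    fnek=$(printf '%s\n' "$sigs" | sed -n 2p)
    if [ -z "$sig" ] || [ -z "$fnek" ]; then
        echo "could not add the passphrase to the keyring" >&2
        return 1
    fi
    mount -t ecryptfs "$dir" "$dir" -o "$(ecryptfs_opts aes 32 "$sig" "$fnek")" || return 1
    is_ecryptfs_mounted "$(cd "$dir" && pwd)" < /proc/mounts
}

# Unmount and clear the session keyring so the keys do not outlive the mount.
lock_private() {
    umount "$1" && keyctl clear @u
}

# Usage: printf '%s' "$PASSPHRASE" | sh this_script.sh mount yy   (later: lock yy)
case "$1" in
    mount) mount_private "$2" ;;
    lock)  lock_private "$2" ;;
esac
```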
