Encrypted Network filesystem


  1. #1
    Join Date
    Jan 2004
    Location
    boston, mass USA
    Posts
    1,878

    Encrypted Network filesystem

    An encrypted network file system
    by happybunny
    12/16/2007

    This article will discuss how to set up an encrypted filesystem that is group accessible, specifically to Windows clients, but locally as well.

    I have found several articles on setting up simple personal encrypted folders that only hinted that it would be possible to set up a group one, but nothing ever said how to, so I decided to document my experience.

    My purpose is to set up a network file server that, if stolen, would contain only encrypted data. I'm sure the setup I lay out below isn't 100% secure, but any local thief would be very hard pressed to get to my data without spending a lot of money and time un-encrypting it.

    Also, this only encrypts data on disk, not while data is traveling on the network.

    Tools:

    Linux (Debian etch in my case)
    encfs
    fuse
    samba


    Since every Linux distribution is different, I won't cover how to install the above.

    On Debian however,
    # apt-get install encfs fuse-utils samba


    On my setup, I created a separate partition from my OS just for good measure.

    fdisk and mke2fs -j as any normal partition, and add it to your fstab:

    /dev/hda2 /data ext3 defaults 0 0

    or similar, depending on your own disk setup. A separate partition is not necessary however.

    After the install and the fstab additions, a simple reboot to test that the fuse module loads, and that /data is mounted.

    Once confirmed, we continue...

    In my example, we will be working in the /data directory.

    I have created two (2) users, chris and faith, and added them both to the "staff" group (gid=50).

    I create two (2) folders and alter permissions as below:

    drwxrwx--- 2 root staff 4096 2007-12-16 15:21 shared
    drwxrwx--- 2 root staff 4096 2007-12-16 15:39 shared-raw

    encfs will use one for our "clear text" data, while the other is all encrypted. Only when you mount them together with a password will the clear text folder be populated.

    Once mounted, you do all of your work in the shared folder, using it as any normal filesystem.

    This is an area that is lacking on the web...the options to encfs. Here they are:

    Code:
    # encfs -H
    encfs [options] rootDir mountPoint -- [FUSE Mount Options]
    valid FUSE Mount Options follow:
    
    usage: ... mountpoint [options]
    
    general options:
        -o opt,[opt...]        mount options
        -h   --help            print help
        -V   --version         print version
    
    FUSE options:
        -d   -o debug          enable debug output (implies -f)
        -f                     foreground operation
        -s                     disable multi-threaded operation
    
        -o allow_other         allow access to other users
        -o allow_root          allow access to root
        -o nonempty            allow mounts over non-empty file/dir
        -o default_permissions enable permission checking by kernel
        -o fsname=NAME         set filesystem name
        -o large_read          issue large read requests (2.4 only)
        -o max_read=N          set maximum size of read requests
    
        -o hard_remove         immediate removal (don't hide files)
        -o use_ino             let filesystem set inode numbers
        -o readdir_ino         try to fill in d_ino in readdir
        -o direct_io           use direct I/O
        -o kernel_cache        cache files in kernel
        -o umask=M             set file permissions (octal)
        -o uid=N               set file owner
        -o gid=N               set file group
        -o entry_timeout=T     cache timeout for names (1.0s)
        -o negative_timeout=T  cache timeout for deleted names (0.0s)
        -o attr_timeout=T      cache timeout for attributes (1.0s)

    It is a little confusing, even from this help file.

    There are 2 sets of options to use, options for encfs, and options for fuse.

    As you see below, I am using -v (verbose), --no-default-flags (to deny encfs from applying the default permissions) and --public (which allows_others into our encryption).

    We then list where our actual encrypted data is, (/data/shared-raw) and where our user friendly, clear text data is (/data/shared).

    You can think of the clear text area as a map, or sym-links to the encrypted data. Once unmounted, the map goes away and you are left with only encrypted data.

    After that, we list our fuse options, indicated by the -- (dash dash), then an -o for the options we want.

    In our case gid=50 (which is the staff gid) and the umask=007 (this is an octal mask (the system will create anything with 777, so we mask out 007 so the outcome is 770 (777 minus 007))).


    # encfs -v --no-default-flags --public /data/shared-raw /data/shared -- -o gid=50 -o umask=007

    This action will prompt us for some additional choices of encryption, but hitting return will take the defaults and then prompt for a password, which is used on subsequent mounts.

    Once done, a mount command will show you that you have mounted successfully.

    # mount
    encfs on /data/shared type fuse (rw,nosuid,nodev,allow_other)

    and more importantly:
    # ls -l
    drwxrwx--- 2 root staff 4096 2007-12-16 16:26 shared
    drwxrwx--- 2 root staff 4096 2007-12-16 16:26 shared-raw

    so anyone in the staff group now has rwx permissions to our encrypted filesystem, and we are not world writable.

    Once unmounted (manually or due to a reboot), the data is safely encrypted and not accessible until root re-mounts this using the same password above.


    To share this via samba is now quite easy.

    Edit /etc/samba/smb.conf to something similar:
    Code:
    [global]
            log file = /var/log/samba/log.%m
            socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
            encrypt passwords = true
            public = yes
            template shell = /bin/bash
            dns proxy = No
            server string = server
            local master = no
            netbios name = server
            os level = 16
            security = user  
            preferred master = no
            max log size = 50
            hide files = /.*  
            guest ok = no
    
    [shared]
            path = /data/shared
            comment = shared
            browsable = yes
            writable = yes
            group = staff

    You must also create a samba password for your users in this scenario:

    # smbpasswd -a chris

    and enter a password.

    In this setup, this is a separate password from a local or ldap password. It is possible to set up samba differently, but I'm not covering that here.

    As the users create files on this share via Windows, the permissions should return:

    # ls -l
    total 4
    drwxrwx--- 2 chris staff 4096 2007-12-16 16:34 New Folder

    so that other group members also have access to this data.

    If you look in the shared-raw directory, you will see the actual encrypted data:

    /data/shared-raw# ls -lh
    total 12K
    drwxr-xr-x 2 chris staff 4.0K 2007-12-16 16:36 2CGeGxF1UhzdC1
    drwxr-xr-x 2 chris staff 4.0K 2007-12-16 16:36 dgctOb5m8ZQIK,
    drwxr-xr-x 2 chris staff 4.0K 2007-12-16 16:36 TrDQ,gKI00rb0-



    To unmount the encrypted file system:

    # fusermount -u /data/shared

    NOTE: you may have to stop samba to unmount this as users may still be attached.

    Once unmounted, you will no longer have a map to the encrypted data:

    /data/shared# ls -l
    total 0


    To mount again, as root simply:
    # encfs -v --no-default-flags --public /data/shared-raw /data/shared -- -o gid=50 -o umask=007

    and enter the original encfs password.
    Last edited by happybunny; 12-20-2007 at 02:52 PM.
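
Added example, not part of happybunny's post: while the encfs mount is absent (after a reboot, before root re-enters the password) Samba still serves /data/shared, and anything written there lands on disk unencrypted. The check below reports the mount state so a startup script can refuse to run Samba; the function names and the constructed /proc/mounts sample are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: verify the clear-text directory is a live encfs mount.

# Constructed sample in /proc/mounts format (not captured from a real host).
sample_mounts() {
    printf '%s\n' \
        '/dev/hda2 /data ext3 rw 0 0' \
        'encfs /data/shared fuse rw,nosuid,nodev,allow_other 0 0'
}

# is_encfs_mounted MOUNTPOINT [MOUNTS_FILE]
# Returns 0 only if the last entry for MOUNTPOINT has source "encfs" and
# type "fuse" or "fuse.encfs" (the type name differs between FUSE versions).
# Mount points containing spaces appear as \040 in /proc/mounts and are
# not handled here.
is_encfs_mounted() {
    mp=$1
    mounts=${2:-/proc/mounts}
    [ -r "$mounts" ] || return 2
    awk -v mp="$mp" '
        $2 == mp { src = $1; fstype = $3 }
        END { exit !(src == "encfs" && (fstype == "fuse" || fstype == "fuse.encfs")) }
    ' "$mounts"
}

# share_state MOUNTPOINT [MOUNTS_FILE]
# Prints one of: mounted | unmounted-empty | unmounted-has-plaintext
# The last state means files were written into the bare directory while
# encfs was not mounted, so they sit unencrypted on the underlying disk.
share_state() {
    if is_encfs_mounted "$1" "${2:-/proc/mounts}"; then
        echo mounted
    elif [ -n "$(ls -A "$1" 2>/dev/null)" ]; then
        echo unmounted-has-plaintext
    else
        echo unmounted-empty
    fi
}

# Demo against the constructed sample; on a real server drop the second
# argument so the live /proc/mounts is read.
tmp=$(mktemp)
sample_mounts > "$tmp"
echo "/data/shared: $(share_state /data/shared "$tmp")"
rm -f "$tmp"
```

In a Samba start script, a guard such as `[ "$(share_state /data/shared)" = mounted ] || exit 1` keeps the share offline until the encrypted mount is in place.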

  2. #2
    Join Date
    Jun 2004
    Location
    Newcastle upon Tyne
    Posts
    2,978
    happybunny,

    A well written Howto that does great credit to Justlinux.
    Linux user started Jun 2004 - No. 361921
    Using a Linux live CD to clone XP
    To install Linux and keep Windows MBR untouched
    Adding extra Linux & Doing it in a lazy way
    A Grub menu booting 100+ systems & A "Howto" to install and boot 145 systems
    Just cloning tips Just booting tips A collection of booting tips

    Judge asked Linux "You are being charged murdering Windoze by stabbing its heart with a weapon, what was it?" Replied Linux "A Live CD"

  3. #3
    Join Date
    Jan 2003
    Location
    Austin, Texas
    Posts
    683
    Excellent how-to!
    "The author of that poem is either Homer or, if not Homer, somebody else of the same name."
