-
Encrypted Network filesystem
An encrypted network file system
by happybunny
12/16/2007
This article will discuss how to set up an encrypted filesystem that is group accessible, specifically to Windows clients, but locally as well.
I have found several articles on setting up simple personal encrypted folders that only hinted that it would be possible to set up a group one, but nothing ever said how to, so I decided to document my experience.
My purpose is to set up a network file server that, if stolen, would contain only encrypted data. I'm sure the setup I lay out below isn't 100% secure, but any local thief would be very hard pressed to get to my data without spending a lot of money and time un-encrypting it.
Also, this only encrypts data on disk, not while data is traveling on the network.
Tools:
Linux (Debian etch in my case)
encfs
fuse
samba
Since every Linux distribution is different, I won't cover how to install the above.
On Debian however,
# apt-get install encfs fuse-utils samba
On my setup, I created a separate partition from my OS just for good measure.
fdisk and mke2fs -j as any normal partition, and add it to your fstab:
/dev/hda2 /data ext3 defaults 0 0
or similar, depending on your own disk setup. A separate partition is not necessary however.
After the install and the fstab additions, a simple reboot to test that the fuse module loads, and that /data is mounted.
Once confirmed, we continue...
In my example, we will be working in the /data directory.
I have created two (2) users, chris and faith, and added them both to the "staff" group (gid=50).
I create two (2) folders and alter permissions as below:
drwxrwx--- 2 root staff 4096 2007-12-16 15:21 shared
drwxrwx--- 2 root staff 4096 2007-12-16 15:39 shared-raw
encfs will use one for our "clear text" data, while the other is all encrypted. Only when you mount them together with a password will the clear text folder be populated.
Once mounted, you do all of your work in the shared folder, using it as any normal filesystem.
This is an area that is lacking on the web...the options to encfs. Here they are:
Code:
# encfs -H
encfs [options] rootDir mountPoint -- [FUSE Mount Options]
valid FUSE Mount Options follow:
usage: ... mountpoint [options]
general options:
-o opt,[opt...] mount options
-h --help print help
-V --version print version
FUSE options:
-d -o debug enable debug output (implies -f)
-f foreground operation
-s disable multi-threaded operation
-o allow_other allow access to other users
-o allow_root allow access to root
-o nonempty allow mounts over non-empty file/dir
-o default_permissions enable permission checking by kernel
-o fsname=NAME set filesystem name
-o large_read issue large read requests (2.4 only)
-o max_read=N set maximum size of read requests
-o hard_remove immediate removal (don't hide files)
-o use_ino let filesystem set inode numbers
-o readdir_ino try to fill in d_ino in readdir
-o direct_io use direct I/O
-o kernel_cache cache files in kernel
-o umask=M set file permissions (octal)
-o uid=N set file owner
-o gid=N set file group
-o entry_timeout=T cache timeout for names (1.0s)
-o negative_timeout=T cache timeout for deleted names (0.0s)
-o attr_timeout=T cache timeout for attributes (1.0s)
It is a little confusing, even from this help file.
There are 2 sets of options to use, options for encfs, and options for fuse.
As you see below, I am using -v (verbose), --no-default-flags (to deny encfs from applying the default permissions) and --public (which allows others into our encryption).
We then list where our actual encrypted data is, (/data/shared-raw) and where our user friendly, clear text data is (/data/shared).
You can think of the clear text area as a map, or sym-links to the encrypted data. Once unmounted, the map goes away and you are left with only encrypted data.
After that, we list our fuse options, indicated by the -- (dash dash), then an -o for the options we want.
In our case gid=50 (which is the staff gid) and the umask=007 (this is an octal mask (the system will create anything with 777, so we mask out 007 so the outcome is 770 (777 minus 007))).
# encfs -v --no-default-flags --public /data/shared-raw /data/shared -- -o gid=50 -o umask=007
This action will prompt us for some additional choices of encryption, but hitting return will take the defaults and then prompt for a password, which is used on subsequent mounts.
Once done, a mount command will show you that you have mounted successfully.
# mount
encfs on /data/shared type fuse (rw,nosuid,nodev,allow_other)
and more importantly:
# ls -l
drwxrwx--- 2 root staff 4096 2007-12-16 16:26 shared
drwxrwx--- 2 root staff 4096 2007-12-16 16:26 shared-raw
so anyone in the staff group now has rwx permissions to our encrypted filesystem, and we are not world writable.
Once unmounted (manually or due to a reboot), the data is safely encrypted and not accessible until root re-mounts this using the same password above.
To share this via samba is now quite easy.
Edit /etc/samba/smb.conf to something similar:
Code:
[global]
log file = /var/log/samba/log.%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
encrypt passwords = true
public = yes
template shell = /bin/bash
dns proxy = No
server string = server
local master = no
netbios name = server
os level = 16
security = user
preferred master = no
max log size = 50
hide files = /.*
guest ok = no
[shared]
path = /data/shared
comment = shared
browsable = yes
writable = yes
group = staff
You must also create a samba password for your users in this scenario:
# smbpasswd -a chris
and enter a password.
In this setup, this is a separate password from a local or ldap password. It is possible to set up samba differently, but I'm not covering that here.
As the users create files on this share via Windows, the permissions should return:
# ls -l
total 4
drwxrwx--- 2 chris staff 4096 2007-12-16 16:34 New Folder
so that other group members also have access to this data.
If you look in the shared-raw directory, you will see the actual encrypted data:
/data/shared-raw# ls -lh
total 12K
drwxr-xr-x 2 chris staff 4.0K 2007-12-16 16:36 2CGeGxF1UhzdC1
drwxr-xr-x 2 chris staff 4.0K 2007-12-16 16:36 dgctOb5m8ZQIK,
drwxr-xr-x 2 chris staff 4.0K 2007-12-16 16:36 TrDQ,gKI00rb0-
To unmount the encrypted file system:
# fusermount -u /data/shared
NOTE: you may have to stop samba to unmount this as users may still be attached.
Once unmounted, you will no longer have a map to the encrypted data:
/data/shared# ls -l
total 0
To mount again, as root simply:
# encfs -v --no-default-flags --public /data/shared-raw /data/shared -- -o gid=50 -o umask=007
and enter the original encfs password.
Last edited by happybunny; 12-20-2007 at 02:52 PM.
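An added example, not part of the original post: after a reboot /data/shared is just an empty directory on the ext3 partition until root re-runs encfs, so anything samba writes there in the meantime lands on disk unencrypted. The shell functions below check a /proc/mounts-style table for a live encfs mount and flag plaintext left in the bare directory; the function names and the state words they print are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): guard for the encfs + samba setup.
# Mount tables are in /proc/mounts format: device mountpoint fstype options ...
# Note: /proc/mounts escapes spaces in paths as \040; the page's paths have none.

# is_encfs_mounted MOUNTPOINT [MOUNTS_FILE]
# 0 = MOUNTPOINT is a live encfs FUSE mount, 1 = it is not, 2 = table unreadable.
is_encfs_mounted() {
    mp=$1
    table=${2:-/proc/mounts}
    [ -r "$table" ] || return 2
    while read -r dev dir fstype _rest; do
        [ "$dir" = "$mp" ] && [ "$dev" = "encfs" ] || continue
        case $fstype in
            fuse|fuse.*) return 0 ;;  # "fuse" as in the post, "fuse.encfs" on newer kernels
        esac
    done < "$table"
    return 1
}

# share_state MOUNTPOINT [MOUNTS_FILE]
# Prints one word: "mounted", "unmounted-clean" or "unmounted-dirty".
# "unmounted-dirty" means files exist in the bare directory: something was
# written while encfs was not mounted and is sitting on disk unencrypted.
share_state() {
    if is_encfs_mounted "$1" "${2:-/proc/mounts}"; then
        echo mounted
    elif [ -n "$(ls -A "$1" 2>/dev/null)" ]; then
        echo unmounted-dirty
    else
        echo unmounted-clean
    fi
}

# Usage sketch with the post's path (assumption: run as root before samba starts):
#   [ "$(share_state /data/shared)" = mounted ] || { echo "not starting samba" >&2; exit 1; }
```

Running the check from whatever starts samba keeps the share offline until the encfs password has been entered, and an "unmounted-dirty" result means the plaintext files should be moved into the mounted share and removed from the underlying directory.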
-
happybunny,
A well written Howto that does great credit to Justlinux.
-
"The author of that poem is either Homer or, if not Homer, somebody else of the same name."