Dropbox appeared long ago. But from the very beginning I didn't like the idea of storing my files on someone else's server. After all, I wanted to store things that, well, I absolutely would not want anyone else to see...
Now there are dozens of such services, and people actively use them. So what are we to do, dear fellow paranoids :), so that convenience does not suffer and privacy is still taken care of? There is a solution and, as it turned out, it is not new: store the files online encrypted with eCryptfs.
This is about Linux, mostly about Ubuntu and Ubuntu One...
In brief, eCryptfs works with two directories: one holds the encrypted files (all encrypted with the same key), optionally with encrypted names; the other, which becomes available after mounting, holds the source files themselves. Each source file corresponds to exactly one encrypted file. It's simple.
Next, you share the directory with the encrypted files through the online storage, and make sure that all computers participating in the synchronization have the same keys for mounting.
During installation, Ubuntu offers the option of encrypting the home directory. When it is enabled, all user files are stored in encrypted form in /home/.ecryptfs, and the contents of the home directories are mounted at login.
At first glance it seems that you can just share /home/.ecryptfs in Ubuntu One and be done with it. Not so.
First: the private key is generated automatically (that is, it will be different on every computer).
Secondly: it is unlikely that anyone needs to synchronize entire user directories.
Thirdly: using this type of encryption is not a good idea. The fact is that when encrypting file names, eCryptfs makes them somewhat longer, and some names that are already long run into the file system limit (256 bytes for ext4fs).
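The name-length problem from the third point can be checked before files are moved into an encrypted directory. This is an added example, not part of the original post: the function names are hypothetical, and the 143-byte threshold is an assumption taken from eCryptfs's commonly documented limit for plaintext names when file name encryption is enabled on a lower file system with a 255-byte name limit. It measures bytes rather than characters, because non-ASCII names in UTF-8 reach the limit much sooner.

```shell
#!/bin/sh
# Added example (not from the original post): find entries whose names are
# too long to survive eCryptfs file name encryption.
# Assumption: a plaintext name above 143 bytes yields an encrypted name that
# exceeds the 255-byte limit of the lower file system.
ECRYPTFS_MAX_NAME_BYTES=143

# name_bytes NAME -> length of NAME in bytes (not characters)
name_bytes() {
    n=$(printf '%s' "$1" | wc -c)
    printf '%s\n' "$((n + 0))"   # arithmetic strips any padding from wc
}

# too_long_names DIR [LIMIT] -> print the path of every file or directory
# under DIR whose own name (last path component) is longer than LIMIT bytes
too_long_names() {
    dir=$1
    limit=${2:-$ECRYPTFS_MAX_NAME_BYTES}
    # -exec ... {} + hands paths to the inner shell as arguments, so names
    # containing spaces or quotes are handled without word splitting
    find "$dir" -mindepth 1 -exec sh -c '
        limit=$1
        shift
        for path do
            base=${path##*/}
            n=$(printf "%s" "$base" | wc -c)
            if [ "$((n + 0))" -gt "$limit" ]; then
                printf "%s\n" "$path"
            fi
        done
        exit 0' sh "$limit" {} +
}

# count_too_long DIR [LIMIT] -> number of offending entries
count_too_long() {
    c=$(too_long_names "$@" | wc -l)
    printf '%s\n' "$((c + 0))"
}

# Usage: too_long_names ~/Documents
```

Rename or shorten anything it reports before copying the tree into the mounted directory.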
Nevertheless, Ubuntu has another, no less convenient solution: the ecryptfs-setup-private program, which in just 3 questions creates a directory for encrypted files, ~/.Private, and a directory for source files, ~/Private, that is mounted automatically at login.
$ sudo apt-get install ecryptfs-utils
$ ecryptfs-setup-private
Enter your login passphrase [user]:
Enter your mount passphrase [leave blank to generate one]:
Enter your mount passphrase (again):
At the "Enter your login passphrase" prompt, enter the password you use to log in to the system. This is needed for automounting.
At the "Enter your mount passphrase" prompt, enter the password for encryption (the same on all computers involved in the synchronization).
Then log in again and share ~/.Private. That's all, you can sleep peacefully. I use this method when sharing files via Ubuntu One.
Now an alternative way for those who do not have ecryptfs-setup-private, who need to customize the setup for their own needs, or whose ~/[\.{0,1}]Private directory is already taken.
Suppose the new pair of directories is called ~/.Storage and ~/Storage.
So:
On all computers participating in the synchronization, create the necessary directories:
mkdir ~/.Storage
mkdir ~/Storage
On one of the computers, do the first mount:
sudo mount -t ecryptfs /home/user/.Storage/ /home/user/Storage/ -o \
key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,\
ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=yes
At the "passphrase" prompt, enter the password for encryption (the same on all computers).
At the "Filename Encryption Key (FNEK) Signature" prompt, enter the password to encrypt the names (the same on all computers).
It will print something like this:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=a973e495a25fce46
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=a973e495a25fce46
Remember the signatures.
It will say that the disk has not yet been mounted with this password and ask for confirmation: answer "yes".
It will then ask whether to add the signature so that it does not ask for confirmation next time: answer "yes".
Now, using the signatures you received and the password, put together a complete command that runs without asking anything:
mount -t ecryptfs /home/user/.Storage/ /home/user/Storage/ -o \
key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,\
ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=yes,\
passphrase_passwd=<my-password>,ecryptfs_sig=a973e495a25fce46,\
ecryptfs_fnek_sig=a973e495a25fce46
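All that remains is to put it in a file and run it at startup. Because the command contains the passphrase in clear text, make that file readable only by root. And of course, share ~/.Storage in your favorite online storage.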