Installation guide
Chapter 12. Encrypted File System
Red Hat Enterprise Linux 6 now supports eCryptfs, a "pseudo-file system" which provides data and
filename encryption on a per-file basis. The term "pseudo-file system" refers to the fact that eCryptfs
does not have an on-disk format; rather, it is a file system layer that resides on top of an actual file
system. The eCryptfs layer provides encryption capabilities.
eCryptfs works like a bind mount, as it intercepts file operations that write to the underlying (i.e.
encrypted) file system. The eCryptfs layer adds a header to the metadata of files in the underlying file
system. This metadata describes the encryption for that file, and eCryptfs encrypts file data before it is
passed to the encrypted file system. Optionally, eCryptfs can also encrypt filenames.
eCryptfs is not an on-disk file system; as such, there is no need to create it via tools such as mkfs.
Instead, eCryptfs is initiated by issuing a special mount command. To manage file systems protected
by eCryptfs, the ecryptfs-utils package must be installed first.
12.1. Mounting a File System as Encrypted
The easiest way to encrypt a file system with eCryptfs and mount it is interactively. To start this
process, execute the following command:
mount -t ecryptfs /source /destination
Encrypting a directory hierarchy (i.e. /source) with eCryptfs means mounting it to a mount point
encrypted by eCryptfs (i.e. /destination). All file operations to /destination will be passed
encrypted to the underlying /source file system. In some cases, however, it may be possible for a
file operation to modify /source directly without passing through the eCryptfs layer; this could lead to
inconsistencies.
This is why for most environments, Red Hat recommends that both /source and /destination be
identical. For example:
mount -t ecryptfs /home /home
This effectively means encrypting a file system and mounting it on itself. Doing so helps ensure that all
file operations to /home pass through the eCryptfs layer.
During the interactive encryption/mount process, mount will allow the following settings to be
configured:
• Encryption key type: openssl, tspi, or passphrase. When choosing passphrase, mount will
ask for one.
• Cipher: aes, blowfish, des3_ede, cast6, or cast5.
• Key bytesize: 16, 32, or 24
• Whether or not plaintext passthrough is enabled
• Whether or not filename encryption is enabled
After the last step of an interactive mount, mount will display all the selections made and perform
the mount. This output consists of the command-line option equivalents of each chosen setting. For
example, mounting /home with a key type of passphrase, aes cipher, key bytesize of 16 with both
plaintext passthrough and filename encryption disabled, the output would be:
Attempting to mount with the following options:
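The following shell snippet is an added example, not part of the Red Hat guide or of ecryptfs-utils. It builds the option string equivalent to one set of interactive choices (restricted to the key types, ciphers and key sizes listed above) and verifies, from a /proc/mounts-style listing, that a directory really is the mount point of an ecryptfs file system, which is the property the "mount /home on itself" recommendation is meant to guarantee. It assumes that mount.ecryptfs accepts the option names key=, ecryptfs_cipher=, ecryptfs_key_bytes=, ecryptfs_passthrough= and ecryptfs_enable_filename_crypto= with y/n values; those names are not shown on this page.

```shell
#!/bin/sh
# Build the mount(8) -o string for one set of eCryptfs choices.
# $1 key type, $2 cipher, $3 key bytes, $4 passthrough (y/n), $5 filename crypto (y/n)
# Assumption: these option names are the ones mount.ecryptfs understands.
ecryptfs_opts() {
    case "$1" in
        openssl|tspi|passphrase) ;;
        *) echo "unsupported key type: $1" >&2; return 1 ;;
    esac
    case "$2" in
        aes|blowfish|des3_ede|cast6|cast5) ;;
        *) echo "unsupported cipher: $2" >&2; return 1 ;;
    esac
    case "$3" in
        16|24|32) ;;
        *) echo "unsupported key size: $3" >&2; return 1 ;;
    esac
    case "$4$5" in
        [yn][yn]) ;;
        *) echo "passthrough/filename flags must be y or n" >&2; return 1 ;;
    esac
    printf 'key=%s,ecryptfs_cipher=%s,ecryptfs_key_bytes=%s,ecryptfs_passthrough=%s,ecryptfs_enable_filename_crypto=%s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Return 0 only if $1 is listed as the mount point of a file system of type
# ecryptfs in a /proc/mounts-style file ($2, default /proc/mounts).  A directory
# that is not covered can be written to without passing through the eCryptfs layer.
ecryptfs_covers() {
    dir=$1; mounts=${2:-/proc/mounts}
    awk -v d="$dir" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$mounts"
}

# Usage as root on a host with ecryptfs-utils installed (mount still prompts for
# the passphrase itself, so it never appears on the command line):
#   mount -t ecryptfs -o "$(ecryptfs_opts passphrase aes 16 n n)" /home /home
#   ecryptfs_covers /home && echo "/home writes pass through eCryptfs"
```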