System information

Chapter 3. Encrypted File System
Red Hat Enterprise Linux 6 provides a technology preview of eCryptfs, a "pseudo-file system" which
provides data and filename encryption on a per-file basis. The term "pseudo-file system" refers to the
fact that eCryptfs does not have an on-disk format of its own; rather, it is a file system layer that resides
on top of an actual file system (ext4, XFS, and so on). The eCryptfs layer provides the encryption.
eCryptfs works like a bind mount by intercepting the file operations performed on its mount point and
passing them, encrypted, to the underlying (that is, encrypted) file system. The eCryptfs layer stores a
header with each file in the underlying file system. This header describes the encryption for that file
(cipher, key size, and the signature of the key used), and eCryptfs encrypts file data before it is written
to the underlying file system. Optionally, eCryptfs can also encrypt filenames.
eCryptfs is not an on-disk file system; as such, there is no need to create it via tools such as mkfs.
Instead, eCryptfs is initiated by issuing a special mount command. To manage file systems protected
by eCryptfs, the ecryptfs-utils package must be installed first.
3.1. Mounting a File System as Encrypted
To encrypt a file system with eCryptfs, execute the following command:
# mount -t ecryptfs /source /destination
Encrypting a directory hierarchy (/source in the above example) with eCryptfs means mounting it to
a mount point encrypted by eCryptfs (/destination in the example above). All file operations to
/destination will be passed encrypted to the underlying /source file system. In some cases,
however, it may be possible for a file operation to modify /source directly without passing through
the eCryptfs layer; such writes bypass encryption entirely and can leave the underlying files in a
state that eCryptfs cannot interpret.
This is why for most environments, Red Hat recommends that the names of both /source and
/destination be identical. For example:
# mount -t ecryptfs /home /home
This effectively means encrypting a file system and mounting it on itself. Doing so helps ensure that all
file operations to /home pass through the eCryptfs layer, because the eCryptfs mount now hides the
plaintext-visible lower directory behind the same path.
During the mount and encryption process, mount will prompt for the following settings:
Encryption key type
    openssl, tspi, or passphrase. When choosing passphrase, mount will ask for one.
Cipher
    aes, blowfish, des3_ede, cast6, or cast5.
Key bytesize
    16, 24, or 32.
plaintext passthrough
    Enabled or disabled.
filename encryption
    Enabled or disabled.
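Answering the prompts above by hand is fine for a one-off mount, but for scripted or repeatable mounts the same settings can be supplied as mount options. The following is an added example, not part of the Red Hat guide: a small POSIX shell helper that validates the choices against the values listed in this section, assembles the corresponding -o option string, and refuses to build the command when the source and mount point differ (the "mount it on itself" recommendation), unless that is explicitly overridden. The option names ecryptfs_cipher, ecryptfs_key_bytes, ecryptfs_passthrough, ecryptfs_enable_filename_crypto and key=passphrase are the eCryptfs mount helper's own option names; the function names and the ECRYPTFS_ALLOW_SPLIT override variable are this example's and are not part of ecryptfs-utils. The helper only prints the mount command; it does not execute it.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): build and sanity-check an
# eCryptfs mount command from the settings the chapter lists, so the mount
# can run with its options given up front instead of answered at prompts.
# The ecryptfs_* option names and key=passphrase are eCryptfs mount-helper
# options; in_set, ecryptfs_opts, ecryptfs_mount_cmd and ECRYPTFS_ALLOW_SPLIT
# are names introduced by this example.

# Succeed if the first argument equals one of the remaining arguments.
in_set() {
  needle=$1
  shift
  for candidate in "$@"; do
    [ "$needle" = "$candidate" ] && return 0
  done
  return 1
}

# Print the -o option string for:
#   $1 cipher          (aes, blowfish, des3_ede, cast6, cast5)
#   $2 key size bytes  (16, 24, 32)
#   $3 plaintext passthrough   (y/n)
#   $4 filename encryption     (y/n)
# The key type is fixed to passphrase here; mount will still ask for the
# passphrase itself, as the chapter describes.
ecryptfs_opts() {
  cipher=$1; key_bytes=$2; passthrough=$3; fnc=$4
  in_set "$cipher" aes blowfish des3_ede cast6 cast5 \
    || { echo "unsupported cipher: $cipher" >&2; return 1; }
  in_set "$key_bytes" 16 24 32 \
    || { echo "unsupported key size: $key_bytes" >&2; return 1; }
  in_set "$passthrough" y n \
    || { echo "plaintext passthrough must be y or n" >&2; return 1; }
  in_set "$fnc" y n \
    || { echo "filename encryption must be y or n" >&2; return 1; }
  printf 'key=passphrase,ecryptfs_cipher=%s,ecryptfs_key_bytes=%s,ecryptfs_passthrough=%s,ecryptfs_enable_filename_crypto=%s\n' \
    "$cipher" "$key_bytes" "$passthrough" "$fnc"
}

# Print the full mount command for source $1 and mount point $2, followed by
# the four option arguments taken by ecryptfs_opts. Distinct source and mount
# point paths are refused unless ECRYPTFS_ALLOW_SPLIT=1, because writes that
# reach the source directly bypass the eCryptfs layer.
ecryptfs_mount_cmd() {
  src=$1; dst=$2
  shift 2
  if [ "$src" != "$dst" ] && [ "${ECRYPTFS_ALLOW_SPLIT:-0}" != 1 ]; then
    echo "refusing: source $src and mount point $dst differ; set ECRYPTFS_ALLOW_SPLIT=1 to override" >&2
    return 1
  fi
  opts=$(ecryptfs_opts "$@") || return 1
  printf 'mount -t ecryptfs -o %s %s %s\n' "$opts" "$src" "$dst"
}

# Example invocation, guarded so that sourcing this file has no side effects:
#   ECRYPTFS_DEMO=1 sh thisfile.sh
if [ "${ECRYPTFS_DEMO:-0}" = 1 ]; then
  ecryptfs_mount_cmd /home /home aes 16 n y
fi
```

Run the printed command as root on a host with the ecryptfs kernel module and ecryptfs-utils installed; mount will still prompt for the passphrase, and with filename encryption enabled the helper may ask which key signature to use for filenames. Disabling plaintext passthrough (ecryptfs_passthrough=n) is the safer default: with it enabled, files in the lower directory that lack an eCryptfs header are served unencrypted through the mount rather than rejected.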