Package: ecryptfs-utils
Version: 64-3
tags 505008 patch
Followup-For: Bug #505008
Unless you wish to use PAM, I see no advantage to use login passphrase
to wrap encryption keys. I think that really beat the purpose of this
kernel module in terms of security of data after PC is stolen.
This can be made more robust by using independent passphrase to wrap
key.
I attach patch here. It works as:
$ ecryptfs-setup-private --wrapping
will use independent passphrase to wrap encryption keys. It asks
passphrase twice to be sure and reminds you to record it.
$ ecryptfs-mount-private
will mount it while asking passphrase.
(If you use this to set up, PAM thing should not work.)
Use ecryptfs-rewrap-passphrase when you wish to change wrapping
passphrase.
For now, this is good for me and I am happy having making followings for
desktop:
$ mkdir -p ~/Private/Desktop
$ ln -sf ../Private/Desktop ~/Desktop/Private
It may be good idea to add nice conditional zenity dialogue in
ecryptfs-mount-private to prompt passphrase in GUI. zenity is gtk
dialogue.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (800, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages ecryptfs-utils depends on:
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libecryptfs0 64-3.1 ecryptfs cryptographic filesystem
ii libgcrypt11 1.4.1-2 LGPL Crypto library - runtime libr
ii libgpg-error0 1.4-2 library for common error values an
ii libgpgme11 1.1.6-2 GPGME - GnuPG Made Easy
ii libkeyutils1 1.2-9 Linux Key Management Utilities (li
ii libpam0g 1.0.1-4+b1 Pluggable Authentication Modules l
ii libpkcs11-helper1 1.05-1 library that simplifies the intera
ii libssl0.9.8 0.9.8g-14 SSL shared libraries
ii libtspi1 0.3.1-7 open-source TCG Software Stack (li
ecryptfs-utils recommends no packages.
Versions of packages ecryptfs-utils suggests:
pn auth-client-config <none> (no description available)
ii opencryptoki 2.2.6+dfsg2-1 PKCS#11 implementation for Linux (
-- no debconf information
diff -Nru ecryptfs-utils-64-base/debian/changelog ecryptfs-utils-64/debian/changelog
--- ecryptfs-utils-64-base/debian/changelog 2008-11-09 20:56:48.000000000 +0900
+++ ecryptfs-utils-64/debian/changelog 2008-11-10 22:15:26.000000000 +0900
@@ -1,3 +1,10 @@
+ecryptfs-utils (64-3.1) experimental; urgency=low
+
+ * Non-maintainer upload. (just local patch)
+ * Added --wrapping option to enable independent passphrase
+
+ -- Osamu Aoki <[EMAIL PROTECTED]> Mon, 10 Nov 2008 22:13:47 +0900
+
ecryptfs-utils (64-3) unstable; urgency=low
* Replacing obsolete dh_clean -k with dh_prep.
diff -Nru ecryptfs-utils-64-base/src/utils/ecryptfs-mount-private ecryptfs-utils-64/src/utils/ecryptfs-mount-private
--- ecryptfs-utils-64-base/src/utils/ecryptfs-mount-private 2008-11-05 00:43:55.000000000 +0900
+++ ecryptfs-utils-64/src/utils/ecryptfs-mount-private 2008-11-10 23:49:07.000000000 +0900
@@ -5,17 +5,52 @@
# Extracted to a stand-alone script by Dustin Kirkland <[EMAIL PROTECTED]>
#
# This script:
-# * interactively prompts for a user's login passphrase
-# * checks it for validity
-# * unwraps a users mount passphrase with their supplied login passphrase
+# * interactively prompts for a user's passphrase
+# * checks it for validity when using login passphrase to unwrap
+# * unwraps a users mount passphrase with their supplied passphrase
# * inserts the mount passphrase into the keyring
# * and mounts a user's encrypted private folder
+#
+usage() {
+ echo
+ echo "Usage:"
+ echo "# $0 [-w|--wrapping]"
+ echo
+ echo " -w|--wrapping Use independent passphrase for wrapping"
+ echo " ecrypt passphrases if set"
+ echo
+ exit 1
+}
PRIVATE_DIR="Private"
+WRAPPING_PASS="LOGIN"
+PW_ATTEMPTS=3
+MESSAGE="Enter your login passphrase: "
+
+# when using wrapping with independent passphrase, this file exists
+if [ -f $HOME/.ecryptfs/wrapping-independent ]; then
+ WRAPPING_PASS="INDEPENDENT"
+fi
+
+while [ ! -z "$1" ]; do
+ case "$1" in
+ -w|--wrapping)
+ WRAPPING_PASS="INDEPENDENT"
+ shift 1
+ ;;
+ *)
+ usage
+ ;;
+ esac
+done
+if [ ! $WRAPPING_PASS = "LOGIN" ]; then
+ PW_ATTEMPTS=1
+ MESSAGE="Enter your ecryptfs wrapping passphrase: "
+fi
+
WRAPPED_PASSPHRASE_FILE="$HOME/.ecryptfs/wrapped-passphrase"
MOUNT_PASSPHRASE_SIG_FILE="$HOME/.ecryptfs/$PRIVATE_DIR.sig"
-MESSAGE="Enter your login passphrase: "
-PW_ATTEMPTS=3
+
# First, silently try to perform the mount, which would succeed if the appropriate
# key is available in the keyring
@@ -32,6 +67,9 @@
read -p "$MESSAGE" -r LOGINPASS
stty $stty_orig
echo
+ if [ ! $WRAPPING_PASS = "LOGIN" ]; then
+ break
+ fi
if printf "%s\0" "$LOGINPASS" | /sbin/unix_chkpwd "$USER" nullok; then
break
else
@@ -39,7 +77,7 @@
tries=$(($tries + 1))
fi
done
- if [ $tries -ge $PW_ATTEMPTS ]; then
+ if [ $WRAPPING_PASS = "LOGIN" && $tries -ge $PW_ATTEMPTS ]; then
echo "ERROR: Too many incorrect password attempts, exiting"
exit 1
fi
diff -Nru ecryptfs-utils-64-base/src/utils/ecryptfs-setup-private ecryptfs-utils-64/src/utils/ecryptfs-setup-private
--- ecryptfs-utils-64-base/src/utils/ecryptfs-setup-private 2008-11-05 00:40:19.000000000 +0900
+++ ecryptfs-utils-64/src/utils/ecryptfs-setup-private 2008-11-10 23:31:42.000000000 +0900
@@ -6,9 +6,10 @@
# Ported for use on Ubuntu by Dustin Kirkland <[EMAIL PROTECTED]>
# Copyright (C) 2008 Canonical Ltd.
# Copyright (C) 2007-2008 International Business Machines
-
PRIVATE_DIR="Private"
+WRAPPING_PASS="LOGIN"
PW_ATTEMPTS=3
+MESSAGE="Enter your login passphrase: "
# Zero out user-defined GREP_OPTIONS, such as --line-number
GREP_OPTIONS=
@@ -16,15 +17,17 @@
usage() {
echo
echo "Usage:"
- echo "# $0 [--username USER]"
- echo " [--loginpass LOGINPASS] [--mountpass MOUNTPASS]"
+ echo "# $0 [-u|--username USER] [-w|--wrapping]"
+ echo " [-l|--loginpass LOGINPASS] [-m|--mountpass MOUNTPASS]"
echo
- echo " --username Username for encrypted private mountpoint,"
- echo " defaults to yourself"
- echo " --loginpass System passphrase for USER, used to wrap MOUNTPASS"
- echo " --mountpass Passphrase for mounting the ecryptfs directory,"
- echo " defaults to a randomly generated 16 bytes"
- echo " --force Force overwriting of an existing setup"
+ echo " -u|--username Username for encrypted private mountpoint,"
+ echo " defaults to yourself"
+ echo " -w|--wrapping Use independent passphrase for wrapping"
+ echo " ecrypt passphrases if set"
+ echo " -l|--loginpass Login/Wrapping passphrase for USER, used to wrap MOUNTPASS"
+ echo " -m|--mountpass Passphrase for mounting the ecryptfs directory,"
+ echo " defaults to a randomly generated 16 bytes"
+ echo " -f|--force Force overwriting of an existing setup"
echo
echo " Be sure to properly escape your parameters according to your"
echo " shell's special character nuances, and also surround the"
@@ -59,19 +62,25 @@
while [ ! -z "$1" ]; do
case "$1" in
- --username)
+ -u|--username)
USER="$2"
shift 2
;;
- --loginpass)
+ -l|--loginpass)
LOGINPASS="$2"
shift 2
;;
- --mountpass)
+ -m|--mountpass)
MOUNTPASS="$2"
shift 2
;;
- --force)
+ -w|--wrapping)
+ WRAPPING_PASS="INDEPENDENT"
+MESSAGE="Enter your ecryptfs wrapping passphrase: "
+MESSAGE2="Enter your ecryptfs wrapping passphrase (again): "
+ shift 1
+ ;;
+ -f|--force)
FORCE=1
shift 1
;;
@@ -140,9 +149,21 @@
tries=0
while [ $tries -lt $PW_ATTEMPTS ]; do
stty -echo
- read -p "Enter your login passphrase: " -r LOGINPASS
+ read -p "$MESSAGE" -r LOGINPASS
stty $stty_orig
echo
+ if [ ! $WRAPPING_PASS = "LOGIN" ]; then
+ stty -echo
+ read -p "$MESSAGE2" -r LOGINPASS2
+ stty $stty_orig
+ echo
+ if [ "$LOGINPASS2" = "$LOGINPASS2" ]; then
+ # wrapping password has to match
+ break
+ fi
+ tries=$(($tries + 1))
+ continue
+ fi
if [ -z "$LOGINPASS" ]; then
echo "ERROR: You must provide a login passphrase"
tries=$(($tries + 1))
@@ -166,7 +187,7 @@
tries=0
while [ $tries -lt $PW_ATTEMPTS ]; do
stty -echo
- read -p "Enter your mount passphrase [leave blank to generate one]: " -r MOUNTPASS
+ read -p "Enter your mount passphrase [leave blank to generate one (recommended)]: " -r MOUNTPASS
stty $stty_orig
echo
if [ -z "$MOUNTPASS" ]; then
@@ -206,12 +227,17 @@
#echo "using your login passphrase."
echo
echo "************************************************************************"
+if [ ! $WRAPPING_PASS = "LOGIN" ]; then
+ echo "YOU SHOULD RECORD THIS WRAPPING PASSPHRASE AND STORE IN A SAFE LOCATION:"
+ echo "$LOGINPASS"
+fi
if [ "$RANDOM_MOUNTPASS" = "1" ]; then
echo "YOU SHOULD RECORD THIS MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION:"
echo "$MOUNTPASS"
else
echo "YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION:"
fi
+
echo "THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME."
echo "************************************************************************"
echo
@@ -229,6 +255,12 @@
mkdir -m 700 $HOME/.ecryptfs 2>/dev/null
touch $HOME/.ecryptfs/auto-mount || error "Could not setup ecryptfs auto-mount"
touch $HOME/.ecryptfs/auto-umount || error "Could not setup ecryptfs auto-umount"
+if [ $WRAPPING_PASS = "LOGIN" ]; then
+ rm -f $HOME/.ecryptfs/wrapping-independent || error "Could not remove ecryptfs wrapping-independent"
+else
+ touch $HOME/.ecryptfs/wrapping-independent || error "Could not setup ecryptfs wrapping-independent"
+fi
+
# Backup any existing wrapped-passphrase or sig files; we DO NOT destroy this
timestamp=`date +%Y%m%d%H%M%S`
