LWM-Linux/09 - Linux Security Concepts/Filesystem Security (eCryptFS).md

# Filesystem Security (eCryptFS)

eCryptfs (Enterprise Cryptographic Filesystem) is a POSIX-compliant stacked cryptographic filesystem for Linux. It provides file and directory level encryption, offering an additional layer of security for sensitive data. This guide will cover the key aspects of eCryptfs, its setup, usage, and best practices.

## 1. Introduction to eCryptfs

eCryptfs works by encrypting files on a per-file basis, storing the encrypted contents and metadata in the lower filesystem. It operates between the application and the filesystem, encrypting data before it's written to disk and decrypting it when it's read.

Key features:
- File-based encryption
- Transparent to applications
- Supports extended attributes
- Allows for per-file encryption keys
- Integrates with Linux kernel keyring

## 2. Installation

On most Linux distributions, eCryptfs can be installed using the package manager:

For Ubuntu/Debian:
`sudo apt-get install ecryptfs-utils`

For Fedora:
`sudo dnf install ecryptfs-utils`

For Arch Linux:
`sudo pacman -S ecryptfs-utils`

## 3. Setting up eCryptfs

### - Creating an encrypted directory:

```bash
mkdir ~/encrypted
sudo mount -t ecryptfs ~/encrypted ~/encrypted
```

You'll be prompted to answer several questions:
- Choose a passphrase
- Select the cipher
- Select key bytes
- Enable filename encryption (recommended)
- Select filename encryption algorithm

### - Automounting at login:

To automount the encrypted directory at login, add the following line to your `/etc/fstab` file:

```
/home/user/encrypted /home/user/encrypted ecryptfs defaults 0 0
```

Replace "user" with your username.

## 4. Usage

### - Mounting the encrypted directory:

```bash
mount -t ecryptfs ~/encrypted ~/encrypted
```

### - Unmounting:

`umount ~/encrypted`

### - Checking mount status:

`mount | grep ecryptfs`

## 5. Key Management

eCryptfs uses a passphrase to derive the encryption key. This passphrase is stored in the Linux kernel keyring.

### - Adding a key to the keyring:

`ecryptfs-add-passphrase`

### - Removing a key from the keyring:

`keyctl purge user ecryptfs`

## 6. Advanced Features

### - Non-interactive mounting:

Create a file containing your mount options:

`echo "passphrase_passwd=your_passphrase" > ~/.ecryptfsrc`

Then mount using:

`mount -t ecryptfs -o conf=~/.ecryptfsrc ~/encrypted ~/encrypted`

### - Using different encryption for different directories:

You can mount multiple eCryptfs directories with different encryption settings by specifying different options during the mount process.

## 7. Best Practices

- Use strong passphrases
- Enable filename encryption
- Regularly backup your data (encrypted)
- Keep your system and eCryptfs utilities updated
- Consider using a key file instead of a passphrase for automated scripts
- Use different encryption settings for highly sensitive data

## 8. Troubleshooting

If you can't mount the filesystem, check if the required kernel modules are loaded:

`lsmod | grep ecryptfs`

If not present, load them:

`sudo modprobe ecryptfs`

## !!!If you forget your passphrase, there's no way to recover the data. Always keep secure backups!!!

For performance issues, consider using a faster cipher like AES instead of Blowfish.

## 9. Limitations

- Slightly slower than unencrypted filesystems
- No built-in key rotation mechanism
- Potential for data loss if the encryption metadata is corrupted

## 10. Alternatives

While eCryptfs is powerful, consider these alternatives for different use cases:
- LUKS: For full disk encryption
- VeraCrypt: For cross-platform encrypted containers
- Gocryptfs: A more modern alternative to eCryptfs

## Conclusion:

eCryptfs provides a flexible and robust solution for filesystem-level encryption in Linux. By following this guide and best practices, you can significantly enhance the security of your sensitive data. Remember that filesystem encryption is just one part of a comprehensive security strategy, and should be combined with other security measures for optimal protection.