
Thread: Need some help setting up encrypted folder - 13.1

  1. #1
    Join Date
    Jun 2008
    Location
    Florida, USA
    Posts
    982

    Default Need some help setting up encrypted folder - 13.1

    Currently running 13.1/KDE 4.12.0

    I would like to set up an encrypted folder at /home/user/crypt_folder for storing important private information.
    I don't want it to automatically mount at boot or user log in, rather have user be forced to manually mount it AND be able to unmount it while still logged in.

    Using a container file and loop device seems like the way to go, but my attempts so far end up with an auto mounted folder(at boot), owned by root that I cannot figure out how to unmount. Issuing umount path-to-folder as root fails, path-to-folder not mounted. Indeed, I see no entry in /etc/mtab for the folder.
    I used YAST-Partitioner to set up the crypto device.

    Any pointers to How-Tos or well established procedures would be appreciated.
    Thanks
    Desk: Ryzen5 Leap 15.1
    Lap: HPDV7T i7 Leap 15.2

  2. #2
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Need some help setting up encrypted folder - 13.1

    On 2014-01-11 15:16, cmcgrath5035 wrote:

    > Using a a container file and loop device seems like the way to go, but
    > my attempts so far end up with an auto mounted folder(at boot),


    That is controlled by an option. This is my setup:

    Code:
    
    minas-tirith:~ # cat /etc/crypttab
    cr_sysdta       /home/_var_data/data.crf        none    noauto
    minas-tirith:~ # grep cr_sysdta /etc/fstab
    /dev/mapper/cr_sysdta   /data/cripta    reiserfs        noatime,noauto,nofail,barrier=flush     1 3
    minas-tirith:~ #
    The "noauto" option in crypttab is the trick. "noauto,nofail" in fstab
    appear to be also necessary.

    > owned by
    > root that I cannot figure out how to unmount. Issuing umount
    > -path-to-folder- as root fails,


    What error? Please post the command and result here.

    It works for me:

    Code:
    minas-tirith:~ # umount /data/cripta
    minas-tirith:~ # mount /data/cripta
    minas-tirith:~ # ls /data/cripta
    cer
    minas-tirith:~ #
    however, notice that "umount" only umounts the device, but the encrypted
    device is still available. To remove that part you need:

    Code:
    cryptsetup remove $CR_NAME

    There is a systemd service that does it all:

    Code:
    minas-tirith:~ # systemctl status /data/cripta
    data-cripta.mount - /data/cripta
    Loaded: loaded (/etc/fstab)
    Active: active (mounted) since Sat 2014-01-11 16:13:23 CET; 3min 54s ago
    Where: /data/cripta
    What: /dev/mapper/cr_sysdta
    
    minas-tirith:~ #

    But I do not use it. Instead, I wrote my own set of scripts.


    But you have to mount it as root. Probably using sudo (properly
    configured) you could do it as user.


    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  3. #3
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    29,804

    Default Re: Need some help setting up encrypted folder - 13.1

    Quote Originally Posted by robin_listas
    But you have to mount it as root. Probably using sudo (properly
    configured) you could do it as user.
    A properly configured sudo allows the user to "become root" for that particular occasion. The mount itself is still done by root (a process owned by user 0). Not by the user.
    Henk van Velden

  4. #4
    Join Date
    Jun 2008
    Location
    Florida, USA
    Posts
    982

    Default Re: Need some help setting up encrypted folder - 13.1

    Thanks for the examples - no time right at the moment but I'll tackle it your way later.

    To answer your questions:
    HOW I GOT HERE:
    I used YAST-Partitioner to add a Crypt container, selected the "create loop file" option.
    The loop file is /home/carl/srv2
    I selected that it be mounted to folder /home/carl/srvc

    On boot, the folder /home/carl/srvc is available.
    As root, I created a testfile, then changed the permissions to carl:users

    Code:
    /home/carl # ls -la s*
    -rw-r--r-- 1 root root 4294967296 Jan 11 07:06 srv2
    
    srvc:
    total 20
    drwxr-xr-x   2 root root   4096 Jan 11 07:16 .
    drwxr-xr-x 119 carl users 12288 Jan 11 09:32 ..
    -rw-r--r--   1 carl users    96 Jan 11 07:16 testfile
    Code:
    /home/carl # cat /etc/crypttab
      
    cr_srv2         /home/carl/srv2      none       noauto
    
    /home/carl # grep srv2 /etc/fstab
    /home/carl/srv2      /home/carl/srv2      crypt      loop,user,noauto,acl,user_xattr,nofail 0 0
    
    /home/carl # grep srv2 /etc/mtab
    /home/carl # 
    
    /home/carl # umount /home/carl/srv2
    umount: /home/carl/srv2: not mounted
    I see that Carlos is using device mapper.
    I clearly don't understand loop files, but apparently it is not "mounted" (no entry in /etc/mtab) therefore can't be "umounted".

    I am of the understanding (reading man mount) that the "user" option in /etc/fstab will allow a regular user to mount a designated filesystem
    Desk: Ryzen5 Leap 15.1
    Lap: HPDV7T i7 Leap 15.2

  5. #5
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,678
    Blog Entries
    3

    Default Re: Need some help setting up encrypted folder - 13.1

    Quote Originally Posted by cmcgrath5035
    Currently running 13.1/KDE 4.12.0

    I would like to set up an encrypted folder at /home/user/crypt_folder for storing important private information.
    I don't want it to automatically mount at boot or user log in, rather have user be forced to manually mount it AND be able to unmount it while still logged in.
    If you are willing for the encrypted folder to be named "/home/user/Private", then the easiest way to do this would be with "ecryptfs".

    First install ecryptfs-utils (from the standard repos).

    In my experience, it helps to then do (at the command line)
    Code:
    sudo modprobe ecryptfs
    Without that I sometimes see errors on the first setup.

    Then, as the user, run the command:
    Code:
    /usr/bin/ecryptfs-setup-private
    It will prompt you for your login password. However, you can lie, and give it a different password if you don't want the folder automatically decrypted at login.

    Thereafter, to make the folder available, use the command
    Code:
    ecryptfs-mount-private
    This will again ask for the login password. Instead, provide the password you used for setup.

    To unmount,

    Code:
    ecryptfs-umount-private
    Except for that initial "modprobe", everything can be done without root access. And no change is needed to "fstab".
    openSUSE Leap 15.3; KDE Plasma 5.18.6;

  6. #6
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    16,288

    Default Re: Need some help setting up encrypted folder - 13.1

    NO it allows a user to use the mounted file system r/w but only root can mount a file system

  7. #7
    Join Date
    Jun 2008
    Location
    Kansas City Area, Missouri, USA
    Posts
    7,236

    Default Re: Need some help setting up encrypted folder - 13.1

    On 01/11/2014 12:16 PM, gogalthorp wrote:
    >
    > NO it allows a user to use the mounted file system r/w but only root can
    > mount a file system


    If you use the "user" option in /etc/fstab, then anyone can mount the file system.



  8. #8
    Join Date
    Jun 2008
    Location
    Florida, USA
    Posts
    982

    Default Re: Need some help setting up encrypted folder - 13.1

    Quote Originally Posted by gogalthorp
    NO it allows a user to use the mounted file system r/w but only root can mount a file system
    Here is what I read in man fstab(5)
    Code:
    .......
    The fourth field (fs_mntops).
                  This field describes the mount options associated with the filesystem.
    
                  It is formatted as a comma separated list of options.  It contains at least the type of mount plus any  additional  options
                  appropriate  to  the filesystem type. For documentation on the available mount options, see mount(8).  For documentation on
                  the available swap options, see swapon(8).
    
                  Basic file system independent options are:
    
                  defaults
                         use default options: rw, suid, dev, exec, auto, nouser, and async.
    
                  noauto do not mount when "mount -a" is given (e.g., at boot time)
    
                  user   allow a user to mount
    
                  owner  allow device owner to mount
    
                  comment
                         or x-<name> for use by fstab-maintaining programs
    
                  nofail do not report errors for this device if it does not exist.
    
    
    
    ......
    Similar text in man mount(8)

    Are you sure?

    nrickert:
    Thanks, I had browsed ecryptfs, might give that a go as well.
    I was sort of looking for the method that required the fewest "unique" commands once the capability was set up.
    Desk: Ryzen5 Leap 15.1
    Lap: HPDV7T i7 Leap 15.2

  9. #9
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    29,804

    Default Re: Need some help setting up encrypted folder - 13.1

    It is not very interesting how your process "becomes root". But only a process that runs with owner root (uid-0) is able to successfully ask the kernel to do a mount.

    The mount tool:
    Code:
    henk@boven:~> ls -l $(which mount)
    -rwsr-xr-x 1 root root 40112  5 nov  2012 /usr/bin/mount
    henk@boven:~>
    Which shows that this program is owned by root and that the SUID bit is set. That means that, whoever starts it, the process will be run owned by root.

    Now, hopefully, this tool is programmed in such a way that it does allow only secure and documented things. One of those things is apparently that it looks in /etc/fstab to find an entry that fits with the request. Then, when there is the option "user" in that entry, it will "do the mount". When that option is not there, it will check if the original user (not the process owner) is root. When no, it will not mount.

    But the mount will only be done by the kernel if it is asked for by a root owned process. That is basic security.

    I know we all tend to use these terms like "become root", "be root", "as root", etc. rather loosely, but that habit does not contribute to the understanding of how things work.
    Henk van Velden
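As an added example (not code from the thread or from any of its posters), the script below checks whether a crypttab/fstab pair is configured for manual mounting the way Carlos's setup above shows: "noauto" in crypttab, "noauto" plus "nofail" in fstab, fstab referring to /dev/mapper/<name>, and whether the "user" option discussed in the later posts is present. It assumes that /dev/mapper/<name> convention and reads only the two files passed to it, so it can be run on copies without touching the live system; the demo feeds it constructed copies of the entries quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a crypttab/fstab pair is
# set up for manual mounting (noauto in crypttab, noauto+nofail in fstab,
# fstab pointing at /dev/mapper/<name>). Reads the two files given as
# arguments and returns 0 only when every check passes.
check_manual_crypt() {
    crypttab=$1 fstab=$2 name=$3 rc=0
    # crypttab fields: <name> <device> <keyfile> <options>
    ct_opts=$(awk -v n="$name" '$1 == n { f=1; print $4 } END { exit !f }' "$crypttab") ||
        { echo "crypttab: no entry for $name"; return 1; }
    case ",$ct_opts," in
        *,noauto,*) echo "crypttab: noauto set, device not opened at boot" ;;
        *) echo "crypttab: noauto missing, device is opened at boot"; rc=1 ;;
    esac
    # fstab must refer to the mapped device; fields: <dev> <dir> <type> <opts>
    fs_opts=$(awk -v d="/dev/mapper/$name" '$1 == d { f=1; print $4 } END { exit !f }' "$fstab") ||
        { echo "fstab: no entry for /dev/mapper/$name"; return 1; }
    for want in noauto nofail; do
        case ",$fs_opts," in
            *,$want,*) echo "fstab: $want set" ;;
            *) echo "fstab: $want missing"; rc=1 ;;
        esac
    done
    # "user" lets a non-root login run the setuid mount(8) for this entry;
    # the kernel still sees the request from a uid-0 process, as Henk explains
    case ",$fs_opts," in
        *,user,*|*,users,*) echo "fstab: user option set, non-root may mount" ;;
        *) echo "fstab: no user option, only root may mount" ;;
    esac
    return $rc
}

demo() {
    d=$(mktemp -d)
    # constructed copies of the entries Carlos posted in this thread
    echo 'cr_sysdta /home/_var_data/data.crf none noauto' > "$d/crypttab"
    echo '/dev/mapper/cr_sysdta /data/cripta reiserfs noatime,noauto,nofail,barrier=flush 1 3' > "$d/fstab"
    check_manual_crypt "$d/crypttab" "$d/fstab" cr_sysdta
    st=$?
    rm -rf "$d"
    return $st
}

demo
```

To check a real machine, pass /etc/crypttab and /etc/fstab (or copies of them) and the mapping name from crypttab as the third argument.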

  10. #10
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    29,804

    Default Re: Need some help setting up encrypted folder - 13.1

    And to make things easy for myself, I found a rather good description on how effective and real UIDs together with SUID programs work here: http://www.lst.de/~okir/blackhats/node23.html
    Henk van Velden

