我想在登入新安裝時安裝舊的加密主分割區。家庭使用 Ubuntu 預設加密 (eCryptFS)。我的舊安裝和新安裝都使用相同的密碼。如何在確保加密安全的同時做到這一點?
PS 舊安裝仍然可以運行,而且我有加密金鑰。
答案1
在 XFCE 上嘗試過這個,但我不確定 Unity/Gnome/KDE/etc 是否對於登入時運行啟動檔案都相同,所以 YMMV。
~/.config/autostart 中的 .desktop 檔案將在登入時執行,告訴它執行安裝加密資料夾的 bash 腳本應該可以運作。由於您的家已經加密,您可以將另一個安裝密碼儲存在 bash 腳本中,雖然安全性不高,但如果您不想每次都輸入的話,仍然會在磁碟上進行加密。例如~/.config/autostart/test.desktop。像這樣一個非常基本的應該工作:
[Desktop Entry]
Type=Application
Exec=/home/user/.config/autostart/runme.sh
或在開始之前等待幾秒鐘(例如,在提示輸入密碼之前給桌面一些時間進行初始化)並以 root 身份運行,請嘗試以下操作:
[Desktop Entry]
Type=Application
Exec=sudo bash -c "sleep 5; /home/user/.config/autostart/runme.sh"
或者,如果需要更多詳細信息,請複製並編輯現有的(如果有的話),或者應該有一種 GUI 方式可以在系統→優先→啟動應用程式,然後按一下添加。或者更多像這樣的行也應該可以工作(無論如何,對於 XFCE,可能會剪切 OnlyShowIn 行):
[Desktop Entry]
Encoding=UTF-8
Version=0.9.4
Type=Application
Name=test.sh
Comment=test.sh
Exec=/home/user/.config/autostart/test.sh
OnlyShowIn=XFCE;
StartupNotify=false
Terminal=true
Hidden=false
它只運行目標文件,並且不起作用Exec=~/.config/autostart/test.sh,因此相應地替換“用戶”。您可能可以使用一長行而不是將其指向 bash 腳本。
我現在正在研究安裝部分,用虛擬電腦測試。由於您已經在使用帶有加密主目錄的 eCryptFS,並且我不久前進行了測試,因此存在一些複雜情況,並且您不能擁有加密主目錄和您家中的另一個加密的“私人”資料夾(帶有encrypted-setup-private& encrypted-mount-private),但只需使用ecryptfs-add-passphrase& 呼叫mount.ecryptfs/mount -t ecryptfs應該可以...
跳到下面的腳本,看看是否有效。這是可行的,但我沒有太多運氣。這兩個腳本都要求您輸入密碼,因此它們並不是不安全的,儘管您可以根據需要對其進行編輯,或者使用xenity輸入密碼而不是在終端中輸入密碼。在這裡,mount 需要以 root 身分運行,因此需要將金鑰插入「sudo」金鑰環。以 root 身分執行整個腳本應該工作...?可能是在這裡吠錯樹了。
#!/bin/bash
# mostly copied from ecryptfs-mount-private
# otherhome should be the path to the folder just outside the actual encrypted home,
# For example, /home/.ecryptfs/[user] and must be readable
otherhome=/otherpartition/home/.ecryptfs/user
decrypted=/media/decrypted
WRAPPED_PASSPHRASE_FILE="$otherhome/.ecryptfs/wrapped-passphrase"
MOUNT_PASSPHRASE_SIG_FILE="$otherhome/.ecryptfs/Private.sig"
PW_ATTEMPTS=3
MESSAGE=`gettext "Enter your login passphrase:"`
if [ ! -d "$decrypted" ]; then
mkdir -p "$decrypted" || { echo "$decrypted does not exist, can not create"; exit 1; }
fi
# interactively prompt for the user's password
if [ -f "$WRAPPED_PASSPHRASE_FILE" -a -f "$MOUNT_PASSPHRASE_SIG_FILE" ]; then
tries=0
stty_orig=`stty -g`
while [ $tries -lt $PW_ATTEMPTS ]; do
echo -n "$MESSAGE"
stty -echo
LOGINPASS=`head -n1`
stty $stty_orig
echo
if [ $(wc -l < "$MOUNT_PASSPHRASE_SIG_FILE") = "1" ]; then
# No filename encryption; only insert fek
if printf "%s\0" "$LOGINPASS" | ecryptfs-unwrap-passphrase "$WRAPPED_PASSPHRASE_FILE" - | ecryptfs-add-passphrase -; then
sig=`head -n1 $otherhome/.ecryptfs/Private.sig`
break
else
echo `gettext "ERROR:"` `gettext "Your passphrase is incorrect"`
tries=$(($tries + 1))
continue
fi
else
if printf "%s\0" "$LOGINPASS" | ecryptfs-insert-wrapped-passphrase-into-keyring "$WRAPPED_PASSPHRASE_FILE" - ; then
sig=`head -n1 $otherhome/.ecryptfs/Private.sig`
fnek_sig=`tail -n1 $otherhome/.ecryptfs/Private.sig`
break
else
echo `gettext "ERROR:"` `gettext "Your passphrase is incorrect"`
tries=$(($tries + 1))
continue
fi
fi
done
if [ $tries -ge $PW_ATTEMPTS ]; then
echo `gettext "ERROR:"` `gettext "Too many incorrect password attempts, exiting"`
exit 1
fi
if [ -v fnek_sig ]; then
# filename encryption enabled, $fnek_sig has been set
mount -i -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_sig=$sig,ecryptfs_fnek_sig=$fnek_sig $otherhome/.Private $decrypted
else
# no filename encryption
mount -i -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_sig=$sig $otherhome/.Private $decrypted
fi
else
echo `gettext "ERROR:"` `gettext "Encrypted private directory is not setup properly"`
exit 1
fi
if grep -qs "$otherhome/.Private $decrypted ecryptfs " /proc/mounts 2>/dev/null; then
echo
echo `gettext "INFO:"` `gettext "Your private directory has been mounted."`
echo
fi
exit 0
這腳本確實有效,
儘管我在加密的家庭中運行任何可執行腳本時遇到了麻煩。必須將其作為bash/ 的參數來調用sh,其中
sudo bash -c ./ecryptfs-mount-single.sh [--rw] [encrypted folder] [mountpoint]
這裡是:
#!/bin/sh -e
#
# ecryptfs-mount-single
# Modified by Xen2050 from:
#
# ecryptfs-recover-private
# Copyright (C) 2010 Canonical Ltd.
#
# Authors: Dustin Kirkland <[email protected]>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
error() {
echo "ERROR: $@" 1>&2
echo "Usage: ecryptfs-mount-single [--rw] [encrypted private dir] [mountpoint]"
echo "\tWill attempt to mount [encrypted private dir (.Private)] to [mountpoint]"
echo "\twith standard options: ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
echo "\n\t--rw\tmount with read-write access (optional)"
echo "\t[mountpoint] will attempt to be created if it does not exist"
exit 1
}
info() {
echo "INFO: $@"
}
# We need root access to do the mount
[ "$(id -u)" = "0" ] || error "This program must be run as root."
# Handle parameters
opts="ro"
if [ "$1" = "--rw" ]; then
opts="rw"
shift
fi
if [ -d "$1" ]; then
# Allow for target directories on the command line
d="$1"
# Only supplying one directory
else
error "No private directory found; it must be supplied."
fi
if [ ! -d "$2" ]; then
mkdir -p "$2" || error "mountpoint $2 does not exist, can not create"
fi
# mount directory on the command line
tmpdir=$2
# Determine if filename encryption is on
ls "$d/ECRYPTFS_FNEK_ENCRYPTED"* >/dev/null 2>&1 && fnek="--fnek" || fnek=
if [ -f "$d/../.ecryptfs/wrapped-passphrase" ]; then
info "Found your wrapped-passphrase"
echo -n "Do you know your LOGIN passphrase? [Y/n] "
lpw=$(head -n1)
case "$lpw" in
y|Y|"")
# Use the wrapped-passphrase, if available
info "Enter your LOGIN passphrase..."
ecryptfs-insert-wrapped-passphrase-into-keyring "$d/../.ecryptfs/wrapped-passphrase"
sigs=$(sed -e "s/[^0-9a-f]//g" "$d/../.ecryptfs/Private.sig")
use_mount_passphrase=0
;;
*)
use_mount_passphrase=1
;;
esac
else
# Fall back to mount passphrase
info "Could not find your wrapped passphrase file."
use_mount_passphrase=1
fi
if [ "$use_mount_passphrase" = "1" ]; then
info "To recover this directory, you MUST have your original MOUNT passphrase."
info "When you first setup your encrypted private directory, you were told to record"
info "your MOUNT passphrase."
info "It should be 32 characters long, consisting of [0-9] and [a-f]."
echo
echo -n "Enter your MOUNT passphrase: "
stty_orig=$(stty -g)
stty -echo
passphrase=$(head -n1)
stty $stty_orig
echo
sigs=$(printf "%s\0" "$passphrase" | ecryptfs-add-passphrase $fnek | grep "^Inserted" | sed -e "s/^.*\[//" -e "s/\].*$//" -e "s/[^0-9a-f]//g")
fi
case $(echo "$sigs" | wc -l) in
1)
mount_sig=$(echo "$sigs" | head -n1)
fnek_sig=
mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
;;
2)
mount_sig=$(echo "$sigs" | head -n1)
fnek_sig=$(echo "$sigs" | tail -n1)
mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_fnek_sig=$fnek_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
;;
*)
continue
;;
esac
(keyctl list @u | grep -qs "$mount_sig") || error "The key required to access this private data is not available."
(keyctl list @u | grep -qs "$fnek_sig") || error "The key required to access this private data is not available."
if mount -i -t ecryptfs -o "$mount_opts" "$d" "$tmpdir"; then
info "Success! Private data mounted at [$tmpdir]."
else
error "Failed to mount private data at [$tmpdir]."
fi
在登出之前/登出時卸載,也許從核心金鑰環中刪除金鑰(使用keyctl清除或清除,sudo keyctl clear @u清除所有)可能是個好主意。我在加密的主目錄中安裝了第二個資料夾,然後註銷,它顯然卸載了第二個資料夾(不在 /proc/mounts 中),但仍然顯示在mount.