Search:  
Gentoo Wiki

HOWTO_Encrypt_Your_Home_Directory_Using_CFS

This article is part of the Security series.

Contents

Introduction

One of the big complaints always leveled at Windows is how personal information gets spread all over the operating system. Thus entire software applications have been devised to attempt to sanitize your PC.

In Linux and BSD we are fortunate that all personal information (cookies, www caches, emails, etc) goes into a home directory. Thus it is very compelling to use a home directory which is encrypted. Some of the advantages of an encrypted home directory are as follows:

  1. No need to worry about a stolen computer revealing all of your secrets.
  2. Old *nix computers can be donated to Goodwill or similar organizations without worry.
  3. Its fun to use encryption- amaze your hacker friends.
  4. Individuals in oppressive countries might use it in case the authorities confiscate their computer (of course they could use means to get the password from you).
  5. In the US and EU and other democratic countries, there is currently a tendancy to form surveillance/police states, with law enforcement receiving unprecedented powers to operate without warrants. In that case you have nothing to worry about. A simple mistake of viewing the "wrong" website isn't going to put you in jail.
  6. (This entry is optional, I need some common sense opinion about it as it is a personal favorite) The ability to use Freenet http://www.freenetproject.org with the data store completely contained in the encrypted directory. See their site for the details about this novel p2p network. I will give some instructions below on how to use it with cfs.

Also as of October 8, 2005 cfs is masked as unstable on x86 and ppc. It is missing keywords for all other architectures. However, the author was able to emerge cfs on an amd64.

For Windows Users

If you have Windows already on your computer or have been dual booting it with Linux, and have been using it for email, www browsing, Microsoft Word, etc. you are advised to obtain a program which can wipe clean your hard drive. You want to use the "government" type wipe, which alternately writes ones, then zeros, then random numbers to your hard drive while erasing files. Then reformat the drive when reinstalling Windows. Then you will have some comfort in knowing your Windows OS isn't going to be a liability. From that point on, just be very careful how you use Windows, opting for the Linux partition for any activity which by its nature requires personal information or other activities that you would not want anyone to know about. For example, if you are a hacker, and even if you wear a white hat, most people still consider any hacker to be dangerous. You have the option of booting from any GNU/Linux LiveCD and typing shred /dev/hdx into the console, which will wipe that disk 25 times with random bytes, completely and securely destroying everything on the disk.

Introduction to CFS

The Cryptographic File System from this point forward will be referred to simply as CFS. CFS works in conjunction with the Network File System or NFS.

CFS was invented by Matt Blaze at ATT in the 1992 to 1995 period. Since then I do not think that any huge improvements have been made, although the rev number was bumped up sometime since then. The documents provided in /usr/share/doc/cfs... contain a description from Matt about CFS, but no detailed information on how exactly it works, except that it uses NFS. Anyone with a more detailed explanation about the inner workings of CFS, add it here. In Gentoo, the package is masked. I am not sure why. Perhaps it has been just too hard for many people to get results, although I had no trouble, as Gentoo does provide a README.Gentoo file. As I am no NFS expert I can only describe a step-by-step procedure that has worked for me in Gentoo Linux and in FreeBSD. FreeBSD does alter the installation somewhat as it uses different mount points, but in the end, it operates the same as in Gentoo.

Initial Steps

I will use a fictional person named John for the instructions.

  1. Print out and read the documents in /usr/share/doc/cfs...
  2. Emerge CFS. You can use the command emerge cfs
  3. In order to use CFS, NFS has to be activated- compiled in the kernel, or as modules. I opted for compiling NFS support in the kernel, being of BSD background. I didn't want to have to fool with modules as that adds one more variable into the equation, and I do not have experience using NFS as modules. Using make menuconfig, look for File Systems -> Network File Systems -and then select(using *) NFS file system support, NFS server support, and NFS over TCP support (may not be needed) Recompile, install your new kernel, and reboot.
  4. Using rc-update, put nfs and nfsmount into the boot stage. For example, the command rc-update add nfs boot adds nfs to the boot stage.
  5. Using rc-update, put cfsd into the default stage. (rc-update add cfsd default) That way, nfs is up and running before CFS. cfsd is the daemon that encrypts and decrypts files on the fly.
  6. Now, follow the README.Gentoo document. I will leave it to that document to explain the following actions. First, Gentoo adds during the ebuild the directory /var/lib/cfs/.cfsfs with null permissions, (i.e. like chmod 0 .cfsfs) You have to then add the following line to /etc/exports:/var/lib/cfs/.cfsfs localhost(rw,sync)
  7. Next, put into /etc/conf.d/local.start the following lines: exportfs -rv and mount -oport=3049,intr,nfsvers=2 localhost:/var/lib/cfs/.cfsfs /var/cfs Note- you have the option of using /etc/fstab to mount the .cfsfs directory, but since I have never done it that way, I will stick to what I know best.
  8. Now you have a working cfs system, so go ahead and reboot.
  9. Using the command netstat -a make certain that nfs, sunrpc, rpc.statd, rpc.mountd, and localhost:3049 all show up. nfs and sunrpc should be listed twice. You can also use rpcinfo -p on many common systems.
  10. Next, using the command ps -waux make certain that portmap, nfsd, rpc.statd, rpc.mountd, and cfsd all show up. If so, you have successfully installed CFS!
  11. Next, add the following lines to /etc/conf.d/local.stop. Next add umount -f /var/cfs and export -ua That will make for a clean shutdown. THIS DOESN'T WORK EITHER- ARGHHH.
  12. Now you can create your encrypted directory. Print out the man pages for the following commands: cattach, cdetach, and cmkdir. Using cmkdir create the encrypted directory. For example, the command cmkdir -b /home/johncrypt creates a blowfish encrypted directory /home/johncrypt right next to /home/john. The program prompts you for a password. The password has to be pretty long in order for cmkdir to accept it.
  13. Now use the cattach command to associate the encrypted directory with a plaintext directory that cfsd creates under /var/cfs. For example, the command cattach /home/johncrypt john creates the virtual plaintext directory /var/cfs/john. You will be prompted for the password. Check to see if your encrypted directory shows up. Now put any old file into /var/cfs/john. Check to see if a gibberish looking filename shows up at /home/johncrypt. If so, congratulations- you now have learned the basics of creating encrypted directories and using them under CFS. The cdetach command switches off the plaintext directory. You can much later put a file in /home/john called .bash_logout that contains the line "cdetach john" Then when you log out, the encrypted virtual directory will be detached. Read the manual.
  14. Now you can start to experiment with the commands put into .bash_profile that will automatically prompt you for the secret password upon startup and create the plaintext cfs directory. Put the following line into .bash_profile: cattach /home/johncrypt/ john. Log out and then log back in. You will first be prompted for your regular account password. Then after entering that, you will be prompted for your secret cfs password. After doing this again check that /var/cfs/john shows up.
  15. Now you can begin to see how you might generate an encrypted home directory. Add another line to .bash_profile cd /var/cfs/john. Now when you log in you will be in your empty encrypted directory, instead of your regular directory.
  16. Now the fun starts. Go to /home and make a tarball out of your /home/john directory. For example tar -cpzf john.tgz john
  17. Now copy the tarball to /var/cfs/john. Untar it, for example tar -xzpf john.tgz You will have a directory called john in your newly created cfs directory. Move all the files in /var/cfs/john/john up to /var/cfs/john. For example mv .* ../ and mv * ../.
  18. Now log out and log back in. You will be in your newly made directory that contains all of your home files.
  19. Add to /home/john/.bash_profile export HOME="/var/cfs/john" Then edit /var/cfs/john/.bash_profile and remove the newly created lines. Now most of your applications will think that your home is now the cfs generated directory.
  20. Execute the command source /home/john/.bash_profile in order to activate the previous commands.
  21. Now you will have to reconfigure many of your programs, as they may have hardcoded /home/john as the home directory. For example, Mozilla will have to be reconfigured, unless you can go into its configuration file and replace all of the /home/john entries with ~/.
  22. After doing the last step, and finding your programs working normally, you can go back to your unencrypted /home/john and delete most of the files and directories, keeping .bash_profile. I have found that .ssh is required to be in the original home directory. Also qmail will still look there, but you can add a .qmail directory and command to forward your mail to /var/cfs/john. There may be other config files which need to stay in /home/john.
  23. Delete the /var/cfs/john/john directory.
  24. Finally, firewall issues: if you have a default block on your source and destination to the internet, you should be OK. If not, make certain to block ports 3049, 2049, and 111. NFS is notorious for being insecure.

Freenet installation. Install in /home/john directory, but put /home/john/freenet/store into /var/cfs/john/store. Then make a symbolic link from /home/john/freenet/store to /var/cfs/john/store. Now all your Freenet datastore is in the encrypted directory.

Concerns or Compliments? Please use the Discussion section.

External links

Retrieved from "http://www.gentoo-wiki.info/HOWTO_Encrypt_Your_Home_Directory_Using_CFS"

Last modified: Mon, 22 Sep 2008 03:50:00 +0000 Hits: 27,300