On 11/28/23 05:25, Max Nikulin wrote:
On 28/11/2023 00:09, Pocket wrote:
mount /dev/sdd1 /home/fscrypt
fscrypt setup
fscrypt encrypt /home/fscrypt
I am unsure if it is possible to use fscrypt for whole filesystem
since it needs .fscrypt unencrypted. ext2 driver might need access to
lost+found even when directories are locked. Encrypting a whole
partition is a LUKS realm.
Not really looking to encrypt the whole file system. As another project
I want to try making the root filesystem mostly read only.
I am looking to be able to encrypt a USB drive and be able to move that
between systems. Late last night it seemed doable, as I was able to
create a USB drive, encrypt it on an AMD64 system and then mount it on a
Raspberry Pi 4 system and unlock it.
What seemed to work was the following (using pass phrase):
sudo fscrypt setup <--- this is done only once to set up fscrypt on the system
sudo mkfs.ext4 -O encrypt /dev/sdd1
sudo mount /dev/sdd1 /home/fscrypt
sudo mkdir /home/fscrypt/Encrypted
sudo fscrypt encrypt /home/fscrypt/Encrypted
sudo chown -R pocket:pocket /home/fscrypt/Encrypted
echo "Hello" > /home/fscrypt/Encrypted/hello.text
cat /home/fscrypt/Encrypted/hello.text
Hello
sudo fscrypt lock /home/fscrypt/Encrypted
ls -hal /home/fscrypt/Encrypted
-rw-r--r-- 1 pocket pocket 220K Nov 27 12:39 -mspK6KZvFhYvGJpSirWjnmUWbXtqlP0D7uaGhDn1NTLcheWzL-tDw
drwx------ 2 pocket pocket 4.0K Nov 27 12:39 .
drwxr-xr-x 5 pocket pocket 4.0K Nov 27 12:33 ..
-rw-r--r-- 1 pocket pocket  37K Nov 27 12:39 GKuta8pYdPh6y4ZbGtLvGO5MZOhbUjuAU3WCdzGUfBAWv0SYIW3-DA
-rw-r--r-- 1 pocket pocket 596K Nov 27 12:39 kJ-GR8llWnN1Tby9TK3eJFH_ihDdYfeSkpqhTkZaZyFdWFR-6Te-Hw
sudo umount /home/fscrypt/Encrypted
sudo fscrypt lock /home/fscrypt/Encrypted
Then on the Raspberry Pi that auto-mounts USB drives:
sudo fscrypt setup <--- this is done only once to set up fscrypt on the system
fscrypt status
MOUNTPOINT                                          DEVICE          FILESYSTEM  ENCRYPTION     FSCRYPT
/                                                   /dev/sda2       ext4        not enabled    Yes
/boot/firmware                                      /dev/sda1       vfat        not supported  No
/media/pocket/00ce662c-e1e8-4eff-a6dd-65ac1385de78  /dev/sdb1       ext4        supported      Yes
/media/scott/SDCARD-BOOT                            /dev/mmcblk0p1  vfat        not supported  No
/media/scott/SDCARD-ROOT                            /dev/mmcblk0p2  ext4        not enabled    No
sudo fscrypt unlock /media/pocket/00ce662c-e1e8-4eff-a6dd-65ac1385de78/Encrypted
cat /media/pocket/00ce662c-e1e8-4eff-a6dd-65ac1385de78/Encrypted/Hello.text
Hello
sudo fscrypt lock /media/pocket/00ce662c-e1e8-4eff-a6dd-65ac1385de78/Encrypted
sudo umount /media/pocket/00ce662c-e1e8-4eff-a6dd-65ac1385de78/
So the issue of the day is to refine that and document it.
I will then try to use fscrypt to encrypt home directories and have it
unlocked upon login with pam as another project.
As a sanity check, does it work for a subdirectory?
mkdir /home/fscrypt/tst
fscrypt encrypt /home/fscrypt/tst
Yes, I have that working as I continue to work on this, as above.
If you are going to create a portable home directory for a specific
user then you may face a number of issues. *Login* protector is stored
in /.fscrypt, not on the mounted partition, see the fscrypt README.md
file. Another problem is locking on logout because pam_fscrypt locks
the directory immediately on logout, but systemd user session is still
running at this moment (UserStopDelaySec=10 in /etc/systemd/logind.conf).
Not sure if that is entirely the case, as my above method seems to be working.
- <https://github.com/google/fscrypt/issues/95>
Implement automatic unlocking through a systemd service
- <https://github.com/systemd/systemd/issues/8598>
systemd-user doesn't properly close its PAM session
That may be the next dragon to slay...
systemd-homed has another idea of managing per-user encrypted
directories, but I have not tried it.
https://systemd.io/HOME_DIRECTORY/
systemd-homed is another issue that I want to have a go at.
--
It's not easy to be me
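The portable-USB procedure above, collected into a small helper script. This is an added example, not Pocket's commands or anything shipped by fscrypt: it parses `fscrypt status` to confirm a mount point really is in the "supported" state before trying to encrypt, uses a custom passphrase protector (stored under the drive's own `.fscrypt` directory, so it travels with the drive, whereas a login protector lives in `/.fscrypt` on the host, as Max notes), and locks before unmounting. The device path, mount point, owner and protector name are placeholders supplied through environment variables; `fscrypt setup` is assumed to have been run once on each host, as in the thread.

```shell
#!/bin/sh
# Added example for the thread above, not the original poster's script.
# Assumes fscrypt and e2fsprogs are installed and `fscrypt setup` has been
# run once on the host. Device, mount point and owner are placeholders.

# Print the ENCRYPTION column of `fscrypt status` (read on stdin) for one
# mount point. That column is one or two words ("supported", "not enabled",
# "not supported"), so the two-word forms are glued back together. Matching
# on the mount point alone also skips the header and summary lines.
fs_encryption_state() {
    awk -v mp="$1" '$1 == mp {
        if ($4 == "not") print $4 " " $5; else print $4
    }'
}

# Map a state string to an exit code: 0 ready, 1 ext4 lacks the "encrypt"
# feature (fixable with `tune2fs -O encrypt` on the unmounted device),
# 2 the filesystem type cannot support fscrypt at all (vfat, unknown).
classify_state() {
    case "$1" in
        supported)     return 0 ;;
        "not enabled") return 1 ;;
        *)             return 2 ;;
    esac
}

# Live check against the running system for a given mount point.
check_ready() {
    classify_state "$(fscrypt status | fs_encryption_state "$1")"
}

# One-time preparation of the drive: fresh ext4 with the encrypt feature and
# one encrypted directory protected by a custom passphrase. The protector is
# written to <mount>/.fscrypt, so a second host that has run `fscrypt setup`
# can unlock it with the same passphrase.
prepare_usb() {
    dev="$1"; mp="$2"; owner="$3"; name="$4"
    mkfs.ext4 -O encrypt "$dev"
    mkdir -p "$mp"
    mount "$dev" "$mp"
    check_ready "$mp" || { echo "$mp is not ready for fscrypt" >&2; return 1; }
    mkdir "$mp/Encrypted"
    fscrypt encrypt --source=custom_passphrase --name="$name" "$mp/Encrypted"
    chown -R "$owner:$owner" "$mp/Encrypted"
}

# Lock the directory while it is still mounted, then unmount the drive.
# Locking after umount has no mounted directory to act on.
lock_and_unmount() {
    fscrypt lock "$1/Encrypted"
    umount "$1"
}

# Only touch hardware when explicitly asked, e.g.
#   sudo env FSCRYPT_USB_DEV=/dev/sdd1 FSCRYPT_USB_MP=/mnt/usb sh fscrypt-usb.sh
if [ -n "${FSCRYPT_USB_DEV:-}" ]; then
    mp="${FSCRYPT_USB_MP:-/mnt/usb}"
    prepare_usb "$FSCRYPT_USB_DEV" "$mp" "${SUDO_USER:-root}" "${FSCRYPT_USB_NAME:-usb}"
    lock_and_unmount "$mp"
fi
```

On the second host only `fscrypt unlock <mount>/Encrypted` is needed; the status parser is the useful piece there too, since an auto-mounted drive whose `ENCRYPTION` column reads "not enabled" rather than "supported" was formatted without `-O encrypt` and cannot hold fscrypt directories.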