eCryptfs
Question
How can I use eCryptfs to provide high-quality encryption for files in AFS?
Context
Currently, files stored in the athena.mit.edu AFS cell are not encrypted during storage. They are encrypted in transit, but the encryption is exceptionally weak (weaker than DES).
File systems like eCryptfs allow you to layer high-quality encryption (e.g., AES) over another file system. You can use them on AFS, provided you
- have root access on your workstation and
- are comfortable using the terminal.
eCryptfs is not officially supported by IS&T, and only minimal testing has been performed. Documentation is provided on a best-effort basis. IS&T recommends you avoid using eCryptfs for critical data, as IS&T will be unable to recover lost data encrypted using eCryptfs. |
Answer
The following instructions are for Debathena workstations, but they can be trivially modified to any workstation on which you hold root access.
Before following these instructions, you should scan through the Ubuntu eCryptfs documentation to get an idea for what you're dealing with.
To decrypt a directory
Do this when you log in.
- Become root by typing sudo -i at the terminal and typing your password when prompted.
- Install eCryptfs by typing apt-get install ecryptfs-utils at the terminal.
- Reacquire AFS tokens by typing aklog at the terminal.
- Decrypt the directory in question by typing mount -t ecryptfs /mit/joeuser/my_private_directory /mit/joeuser/my_private_directory.
- Exit the root prompt by typing exit.
To re-encrypt the directory
Do this before you log out.
- Encrypt the directory in question by typing sudo umount /mit/joeuser/my_private_directory.