我想在登录新安装时挂载旧的加密主分区。主分区使用 Ubuntu 默认加密 (eCryptFS)。我的旧安装和新安装都使用相同的密码。如何在保证加密安全的情况下做到这一点?
附言:旧安装仍然可以运行,并且我有加密密钥。
答案1
在 XFCE 上尝试过,但我不确定 Unity/Gnome/KDE/etc 的登录时运行启动文件是否都相同,所以 YMMV。
~/.config/autostart 中的 .desktop 文件将在登录时运行,告诉它运行挂载加密文件夹的 bash 脚本应该可以工作。由于您的主页已经加密,因此您可以如果您不想每次都输入密码,请将其他挂载密码存储在 bash 脚本中,虽然不是完全安全,但仍加密保存在磁盘上。例如~/.config/autostart/test.desktop。一个非常基本的脚本,如下所示应该工作:
[Desktop Entry]
Type=Application
Exec=/home/user/.config/autostart/runme.sh
或者在启动前等待几秒钟(例如,在提示输入密码之前给桌面时间进行初始化)并以 root 身份运行,尝试以下操作:
[Desktop Entry]
Type=Application
Exec=sudo bash -c "sleep 5; /home/user/.config/autostart/runme.sh"
或者如果需要更多细节,复制并编辑现有的(如果有的话),或者应该有一个 GUI 方式来制作一个系统→优先→启动应用程序,然后点击添加或者更多类似这样的行也应该可行(对于 XFCE 来说,可能要删掉 OnlyShowIn 行):
[Desktop Entry]
Encoding=UTF-8
Version=0.9.4
Type=Application
Name=test.sh
Comment=test.sh
Exec=/home/user/.config/autostart/test.sh
OnlyShowIn=XFCE;
StartupNotify=false
Terminal=true
Hidden=false
它只是运行目标文件,无法使用,Exec=~/.config/autostart/test.sh因此请相应地替换“用户”。您可能可以使用一行长代码,而不是将其指向 bash 脚本。
我现在正在研究安装部分,使用虚拟 PC 进行测试。由于您已经在使用带有加密主目录的 eCryptFS,因此存在一些复杂情况,而且我之前测试过,您无法拥有加密主目录和家中的另一个加密“私人”文件夹(使用encrypted-setup-private& encrypted-mount-private),但只需使用ecryptfs-add-passphrase& 调用mount.ecryptfs/mount -t ecryptfs就可以了......
跳到下面的脚本,看看哪个能用。下面是可以用的,但我运气不太好。这两个脚本都要求你输入密码,所以它们并不不安全,不过你可以根据需要编辑它,或者使用它来xenity输入它而不是在终端中输入。在这里,mount 需要以 root 身份运行,因此需要将密钥插入“sudo”密钥环。以 root 身份运行整个脚本应该工作……?可能你问错了方向。
#!/bin/bash
# mostly copied from ecryptfs-mount-private
# otherhome should be the path to the folder just outside the actual encrypted home,
# For example, /home/.ecryptfs/[user] and must be readable
otherhome=/otherpartition/home/.ecryptfs/user
decrypted=/media/decrypted
WRAPPED_PASSPHRASE_FILE="$otherhome/.ecryptfs/wrapped-passphrase"
MOUNT_PASSPHRASE_SIG_FILE="$otherhome/.ecryptfs/Private.sig"
PW_ATTEMPTS=3
MESSAGE=`gettext "Enter your login passphrase:"`
if [ ! -d "$decrypted" ]; then
mkdir -p "$decrypted" || { echo "$decrypted does not exist, can not create"; exit 1; }
fi
# interactively prompt for the user's password
if [ -f "$WRAPPED_PASSPHRASE_FILE" -a -f "$MOUNT_PASSPHRASE_SIG_FILE" ]; then
tries=0
stty_orig=`stty -g`
while [ $tries -lt $PW_ATTEMPTS ]; do
echo -n "$MESSAGE"
stty -echo
LOGINPASS=`head -n1`
stty $stty_orig
echo
if [ $(wc -l < "$MOUNT_PASSPHRASE_SIG_FILE") = "1" ]; then
# No filename encryption; only insert fek
if printf "%s\0" "$LOGINPASS" | ecryptfs-unwrap-passphrase "$WRAPPED_PASSPHRASE_FILE" - | ecryptfs-add-passphrase -; then
sig=`head -n1 $otherhome/.ecryptfs/Private.sig`
break
else
echo `gettext "ERROR:"` `gettext "Your passphrase is incorrect"`
tries=$(($tries + 1))
continue
fi
else
if printf "%s\0" "$LOGINPASS" | ecryptfs-insert-wrapped-passphrase-into-keyring "$WRAPPED_PASSPHRASE_FILE" - ; then
sig=`head -n1 $otherhome/.ecryptfs/Private.sig`
fnek_sig=`tail -n1 $otherhome/.ecryptfs/Private.sig`
break
else
echo `gettext "ERROR:"` `gettext "Your passphrase is incorrect"`
tries=$(($tries + 1))
continue
fi
fi
done
if [ $tries -ge $PW_ATTEMPTS ]; then
echo `gettext "ERROR:"` `gettext "Too many incorrect password attempts, exiting"`
exit 1
fi
if [ -v fnek_sig ]; then
# filename encryption enabled, $fnek_sig has been set
mount -i -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_sig=$sig,ecryptfs_fnek_sig=$fnek_sig $otherhome/.Private $decrypted
else
# no filename encryption
mount -i -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_sig=$sig $otherhome/.Private $decrypted
fi
else
echo `gettext "ERROR:"` `gettext "Encrypted private directory is not setup properly"`
exit 1
fi
if grep -qs "$otherhome/.Private $decrypted ecryptfs " /proc/mounts 2>/dev/null; then
echo
echo `gettext "INFO:"` `gettext "Your private directory has been mounted."`
echo
fi
exit 0
这脚本确实有效,
虽然我无法在加密的家中运行任何可执行脚本。必须将其作为bash/ 的参数调用sh,
sudo bash -c ./ecryptfs-mount-single.sh [--rw] [encrypted folder] [mountpoint]
这里是:
#!/bin/sh -e
#
# ecryptfs-mount-single
# Modified by Xen2050 from:
#
# ecryptfs-recover-private
# Copyright (C) 2010 Canonical Ltd.
#
# Authors: Dustin Kirkland <[email protected]>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
error() {
echo "ERROR: $@" 1>&2
echo "Usage: ecryptfs-mount-single [--rw] [encrypted private dir] [mountpoint]"
echo "\tWill attempt to mount [encrypted private dir (.Private)] to [mountpoint]"
echo "\twith standard options: ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
echo "\n\t--rw\tmount with read-write access (optional)"
echo "\t[mountpoint] will attempt to be created if it does not exist"
exit 1
}
info() {
echo "INFO: $@"
}
# We need root access to do the mount
[ "$(id -u)" = "0" ] || error "This program must be run as root."
# Handle parameters
opts="ro"
if [ "$1" = "--rw" ]; then
opts="rw"
shift
fi
if [ -d "$1" ]; then
# Allow for target directories on the command line
d="$1"
# Only supplying one directory
else
error "No private directory found; it must be supplied."
fi
if [ ! -d "$2" ]; then
mkdir -p "$2" || error "mountpoint $2 does not exist, can not create"
fi
# mount directory on the command line
tmpdir=$2
# Determine if filename encryption is on
ls "$d/ECRYPTFS_FNEK_ENCRYPTED"* >/dev/null 2>&1 && fnek="--fnek" || fnek=
if [ -f "$d/../.ecryptfs/wrapped-passphrase" ]; then
info "Found your wrapped-passphrase"
echo -n "Do you know your LOGIN passphrase? [Y/n] "
lpw=$(head -n1)
case "$lpw" in
y|Y|"")
# Use the wrapped-passphrase, if available
info "Enter your LOGIN passphrase..."
ecryptfs-insert-wrapped-passphrase-into-keyring "$d/../.ecryptfs/wrapped-passphrase"
sigs=$(sed -e "s/[^0-9a-f]//g" "$d/../.ecryptfs/Private.sig")
use_mount_passphrase=0
;;
*)
use_mount_passphrase=1
;;
esac
else
# Fall back to mount passphrase
info "Could not find your wrapped passphrase file."
use_mount_passphrase=1
fi
if [ "$use_mount_passphrase" = "1" ]; then
info "To recover this directory, you MUST have your original MOUNT passphrase."
info "When you first setup your encrypted private directory, you were told to record"
info "your MOUNT passphrase."
info "It should be 32 characters long, consisting of [0-9] and [a-f]."
echo
echo -n "Enter your MOUNT passphrase: "
stty_orig=$(stty -g)
stty -echo
passphrase=$(head -n1)
stty $stty_orig
echo
sigs=$(printf "%s\0" "$passphrase" | ecryptfs-add-passphrase $fnek | grep "^Inserted" | sed -e "s/^.*\[//" -e "s/\].*$//" -e "s/[^0-9a-f]//g")
fi
case $(echo "$sigs" | wc -l) in
1)
mount_sig=$(echo "$sigs" | head -n1)
fnek_sig=
mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
;;
2)
mount_sig=$(echo "$sigs" | head -n1)
fnek_sig=$(echo "$sigs" | tail -n1)
mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_fnek_sig=$fnek_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
;;
*)
continue
;;
esac
(keyctl list @u | grep -qs "$mount_sig") || error "The key required to access this private data is not available."
(keyctl list @u | grep -qs "$fnek_sig") || error "The key required to access this private data is not available."
if mount -i -t ecryptfs -o "$mount_opts" "$d" "$tmpdir"; then
info "Success! Private data mounted at [$tmpdir]."
else
error "Failed to mount private data at [$tmpdir]."
fi
在注销之前/注销时卸载,或者从内核密钥环中删除密钥(使用keyctlclear 或 purge,sudo keyctl clear @u清除所有内容)可能是个好主意。我在加密主目录中安装了第二个文件夹,然后注销,它显然卸载了第二个文件夹(不在 /proc/mounts 中),但仍显示在 中mount。