Get No-Fuss File-Level Crypto With Fscrypt (tech blog)

2020-12-18 14:44:41


Not long ago, I made the case that for most users file-level encryption is adequately secure and much higher-performing than full-disk encryption. I received a lot less pushback than anticipated for expressing this heterodox view — by which I mean I actually got none. Quite to the contrary, some readers sent messages and comments expressing curiosity and eagerness to try file-level encryption.

This came as a surprise. I wasn’t sure how many people would want to put file-level encryption into practice, and I imagined those who did would take the less arduous route of installing a distribution like Linux Mint that offers this as a checkbox in a menu.

That’s why I left my argument almost entirely in the realm of theory. I was more interested in challenging an accepted model with an underrepresented alternative. A theoretical approach suited this exercise while simultaneously leaving implementation up to those intrepid enough to put theory into practice. After all, Linux is about doing what you want, and I was not about to tell anyone what that might be.

But now that I have observed interest in setting up file-level encryption, I wanted to contribute this piece as a demonstration of one means of doing so which is widely available for Linux desktop users. I configured my file-level encryption setup via my distro’s GUI installer, but not everyone has this option. So, to offer a similar encryption scheme to as many users as possible, I will walk you through how to use fscrypt to create an encrypted filesystem.

Be warned that this involves tinkering on the command line and doing a partially or fully manual operating system installation. If that doesn’t appeal to you, you’ll probably want to pass on this. Fortunately, there are graphical solutions that you can apply after system installation.

Unlocking the Power Within

So what is fscrypt?

Fscrypt is a tool that presents a simple command line interface for configuring the encryption built into the fourth extended (more commonly “ext4”) filesystem. It is not an encryption algorithm in its own right, but an intermediary between the user and ext4’s native encryption. The intent behind fscrypt is to decipher the otherwise arcane incantations of ext4 encryption into something comprehensible to intermediate Linux users.

While simple, fscrypt offers multiple configuration modes. First, it can encrypt any directory, protecting all the files and subdirectories within. This protection obscures both the filenames and data of all its contents when it’s locked.

Second, and most appealing for those seeking unobtrusive security, is that users can set the decryption to occur automatically upon entering their user password. Instead of getting a second, separate decryption prompt along with the login prompt, the act of logging in itself performs the decryption.

Start Your Terminals!

The basic game plan here is fairly straightforward. First, you enable encryption on the desired ext4 filesystems. Second, you install fscrypt. Third, you edit the PAM configuration files to link the decryption process to your user account’s password.

A brief note on PAM: it’s what enforces the Unix account access principles on your Linux system. Its duties include separating user from root accounts and giving each account its permissions. Lastly, you enable fscrypt on the filesystem.

Before proceeding, I should note some caveats.

To start with, the steps below were executed on Arch Linux, for two reasons. One, the documentation I consulted for fscrypt came from the Arch Wiki, so the steps will naturally run the smoothest on Arch Linux. Information found on the Arch Wiki is often perfectly applicable to other distros, but it isn’t always a perfect fit. Two, Arch Linux’s installation is piecemeal from the ground up. Since the user executes every step manually, they can easily stop and insert additional commands between steps, as fscrypt setup requires.

Not all GUI Linux installers let you pause the process to customize your new OS; some hand back control only when installation is completely finished. For instance, fscrypt only works on an empty user directory, and most distributions’ GUI installers automatically populate these (e.g. with directories like “Documents”) during installation.

Additionally, as the foregoing implies, I am performing the encryption during installation. This guide, then, will not be totally applicable when enabling fscrypt post-installation. There are ways of doing this, but they are more cumbersome. So, if you’re reading along with this guide, I encourage you to follow suit and configure fscrypt during installation.

Regardless of which distro I would have picked to demo fscrypt, it would invariably proceed differently than something someone else is using. Considering that Arch Linux’s installation will look more or less similar to that of each user’s preferred distribution, you will have to translate between the two.

If you are using a DIY distro like Arch Linux or Debian, you’ll be able to run everything at the right link in the chain. I know Ubuntu’s and Linux Mint’s graphical installers allow you to execute some manual steps at select points, but I can’t speak for most distributions. Just be sure to know your distro and what it allows mid-installation.

Finally, this walkthrough will only show you how to encrypt the home directory for one unprivileged user account. I chose this because it is consistent with what I advocated in my file-level encryption pitch. It shouldn’t take much to adapt the process to encrypting another directory, but just be aware of the objective here.

One note about my notation: Any blue italic portion of a command indicates that the selected text is not literal, and that you should instead supply the appropriate text for your situation.

With that out of the way, let’s get to it.

Once you have your drive partitioned and your ext4 filesystems created, you will need to enable ext4’s native encryption. Before doing so, though, double-check that your filesystem’s block size is set correctly with the following commands.

# tune2fs -l partition | grep 'Block size'

# getconf PAGE_SIZE

If the outputs match each other, everything is fine. Next, simply execute the command below to actually activate the encryption.

# tune2fs -O encrypt partition

From this point, finish installing the base system as normal to create a bootable system, but with no window manager or desktop environment, and only a root account (i.e. no unprivileged user accounts).

When that’s finished, boot into your system and install fscrypt. This should be the easiest step, as it’s just installing it from your package manager. You should be able to find it in your distribution’s default repository, but if not, you can build it from source. Mercifully, I have not had to do so.

Now we start setting fscrypt up. Run the command below to get started.

# fscrypt setup

This creates the /etc/fscrypt.conf configuration file and the /.fscrypt directory.

If your filesystem is not mounted at root, like if you have /home on its own partition, you also need to run this.

# fscrypt setup mount_point

This creates a .fscrypt directory at that mount point.

Next, you will need to configure PAM to handle the fscrypt module, so your login password will automatically decrypt your encrypted filesystem. PAM files are finicky, so be very careful to follow these steps exactly. You need to add the right lines to the right files, and in the right order.

In the /etc/pam.d/system-login file, add the following to the end of the “auth” section.

auth optional pam_fscrypt.so

In the same file, at the end of the “session” section, add this line.

session optional pam_fscrypt.so drop_caches lock_policies

Then, in the /etc/pam.d/passwd file, add the following to the end of the file.

password optional pam_fscrypt.so

With all the real prep work out of the way, you can finally create your target user account and encrypt its home directory (i.e. the directory in the /home directory named after, and belonging to, your user account).

Navigate to the /home directory and create an empty directory for the target user.

# mkdir username

This needs to match the name you are going to give your user account. Speaking of which, use the command below to create that user whose directory you just made.

# useradd username -d /home/username

Your user account isn’t ready yet, though. You’ll need to set this user’s password, since it’s blank by default and fscrypt will prompt you for it to finalize the link between the login password and decryption password.

# passwd username

You’ll also need to give your new user account ownership of its directory, since it currently belongs to the root account that created it.

# chown username:usergroup /home/username

While you’re here, you might as well check that no files or directories were placed in the new user’s directory — fscrypt’s way needs to be clear.

You can now actually encrypt your user’s directory, which you do with this command.

# fscrypt encrypt /home/username --user=username

This will initiate a configuration dialog. At the prompt about protector type, select the option for using the login password. When the prompts conclude, check the status of your encrypted directory, to ensure that PAM is properly hooked up, by running the command below.

# fscrypt status /home/username

If the “Unlocked” status reads “Yes” then you’re all clear. If not, something went wrong.
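The preconditions this walkthrough depends on (block size equal to page size with the encrypt feature enabled, each pam_fscrypt.so line last in its section, an empty home directory) can be checked with a script before running fscrypt encrypt or when the status check fails. This is an added example, not from the original article or the fscrypt project; the function names are hypothetical and the sample PAM files and tune2fs text are constructed.

```shell
#!/bin/sh
# Added example: precondition checks for the fscrypt steps in this guide.
# Function names are hypothetical, not part of fscrypt.

# fs_ready TUNE2FS_TEXT PAGE_SIZE: `tune2fs -l` output must show a block
# size equal to the page size and list the "encrypt" feature.
fs_ready() {
    bs=$(printf '%s\n' "$1" | awk -F: '/^Block size/ { gsub(/[ \t]/, "", $2); print $2 }')
    [ -n "$bs" ] && [ "$bs" = "$2" ] || return 1
    printf '%s\n' "$1" | grep -Eq '^Filesystem features:.*[[:space:]]encrypt([[:space:]]|$)'
}

# pam_last_in_type FILE TYPE: the last active TYPE line (auth, session,
# password) in FILE must load pam_fscrypt.so, i.e. end its section.
pam_last_in_type() {
    awk -v t="$2" '
        $1 == t || $1 == ("-" t) { last = $0 }
        END { exit !(last ~ /pam_fscrypt\.so/) }
    ' "$1"
}

# dir_is_empty DIR: DIR must exist and hold no entries, dotfiles included.
dir_is_empty() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# preflight TUNE2FS_TEXT PAGE_SIZE PAM_DIR HOME_DIR
# Prints each failed precondition and returns the number of failures.
preflight() {
    fails=0
    fs_ready "$1" "$2" || { echo "FAIL ext4 block size or encrypt feature"; fails=$((fails + 1)); }
    pam_last_in_type "$3/system-login" auth || { echo "FAIL auth line"; fails=$((fails + 1)); }
    pam_last_in_type "$3/system-login" session || { echo "FAIL session line"; fails=$((fails + 1)); }
    pam_last_in_type "$3/passwd" password || { echo "FAIL password line"; fails=$((fails + 1)); }
    dir_is_empty "$4" || { echo "FAIL $4 missing or not empty"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample run (not a real system): a good filesystem and home
# directory, but a PAM tree whose auth line was not placed last.
sample_run() {
    d=$(mktemp -d) && mkdir "$d/home" || return 99
    printf 'auth optional pam_fscrypt.so\nauth include system-auth\nsession optional pam_fscrypt.so drop_caches lock_policies\n' > "$d/system-login"
    printf 'password include system-auth\npassword optional pam_fscrypt.so\n' > "$d/passwd"
    preflight "$(printf 'Filesystem features:      has_journal extent encrypt\nBlock size:               4096\n')" 4096 "$d" "$d/home"
    rc=$?; rm -rf "$d"; return "$rc"
}
sample_run || echo "sample run: $? failed check(s)"
# Live use as root: preflight "$(tune2fs -l partition)" "$(getconf PAGE_SIZE)" /etc/pam.d /home/username
```

Pointing PAM_DIR at a copy of /etc/pam.d lets you check edits before they affect logins.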

With all of that out of the way, you should be able to log out of the root account and into your new user with no problems. On your next boot, you won’t get a decryption prompt before your account login, because the encryption is not applied at the partition level but at the file level. Your user login will look and feel no different than if your files were not encrypted. But they are.

Congratulations! You are now enjoying a high-performing computing experience with seamless modern encryption protection.

https://linuxinsider.com/story/get-no-fuss-file-level-crypto-with-fscrypt-86953.html

Jonathan Terrasi
