
I've been trying to set up an encrypted folder following the instructions in https://wiki.archlinux.org/index.php/ECryptfs#Without_ecryptfs-utils. In that case a mount passphrase is manually created and wrapped using a chosen password ("Arch" in that example). This is working as expected.

There is yet another way to set things up manually, namely using a plain mount, e.g.: mount -t ecryptfs ~/.Private/ ~/Private -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y

In this case I'm prompted for a [password] and after that the folder is mounted.

My question is: where is the mount passphrase hidden in the second example? And how is my entered [password] related to it and to the FEKEK in this case?

Could anybody please explain?

Thank you in advance.


1 Answer


I think the password you enter becomes the "File Encryption Key Encryption Key, or FEKEK" itself, and is stored temporarily in the kernel keyring (root's keyring, if sudo is needed to mount) while the folder is mounted. You can see the keyring before and after mounting and unmounting with sudo keyctl show.

It does not store the password/FEKEK anywhere on disk, unlike the "Without ecryptfs-utils" method in the ArchWiki you linked and the ecryptfs-utils method below.

FYI, with the ecryptfs-utils tools, if you don't specify your own passphrase, it creates a random (16-byte) passphrase to use, which is apparently the file encryption key (FEKEK)/FNEK.

Looking at a few of the ecryptfs-utils tools (several are shell scripts), ecryptfs-migrate-home collects some data and calls ecryptfs-setup-private, which has a function to generate a more secure 16-byte random passphrase/FEKEK/FNEK (which is then "wrapped"/encrypted with your login password and stored on disk):

random_passphrase () {
        bytes=$1
        # Pull $1 of random data from /dev/urandom,
        # and convert to a string of hex digits
        od -x -N $bytes --width=$bytes /dev/urandom | head -n 1 | sed "s/^0000000//" | sed "s/\s*//g"
}
answered 2015-02-15T14:09:51.347
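As an added example (not part of the question, the answer, or ecryptfs-utils itself), the script below reproduces the random-passphrase generation quoted from ecryptfs-setup-private, adds a portable variant, and checks what such a passphrase looks like: a 16-byte request should yield exactly 32 lowercase hex digits, i.e. 128 bits of entropy, which is what ends up wrapped with the login password on disk. It assumes a Linux box with /dev/urandom and GNU od/sed (the original helper relies on GNU-only --width and \s); the function names random_passphrase_portable, is_hex_passphrase and passphrase_entropy_bits are my own.

```shell
#!/bin/sh
# Added example; not code from ecryptfs-utils. Assumes Linux with /dev/urandom.

# Same logic as the ecryptfs-setup-private helper quoted above:
# $1 bytes of /dev/urandom rendered as hex, with the od offset column
# and all whitespace stripped. Needs GNU od (--width) and GNU sed (\s).
random_passphrase () {
        bytes=$1
        od -x -N "$bytes" --width="$bytes" /dev/urandom | head -n 1 | sed "s/^0000000//" | sed "s/\s*//g"
}

# Portable variant (hypothetical name): one hex pair per byte, no offset
# column (-An), so only POSIX od and tr are required.
random_passphrase_portable () {
        od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# Sanity check (hypothetical name): is $1 exactly $2 bytes worth of
# lowercase hex digits? Returns 0 on success, 1 otherwise.
is_hex_passphrase () {
        pass=$1
        bytes=$2
        [ "${#pass}" -eq "$((bytes * 2))" ] || return 1
        case "$pass" in
                *[!0-9a-f]*) return 1 ;;
        esac
        return 0
}

# Entropy in bits of an N-byte passphrase drawn from /dev/urandom
# (hypothetical name): 8 bits per byte, so 16 bytes give 128 bits.
passphrase_entropy_bits () {
        echo $(( $1 * 8 ))
}

# Stand-alone usage: generate a 16-byte passphrase each way and validate it.
if [ "${0##*/}" != "sh" ] && [ -z "$RANDOM_PASSPHRASE_NO_MAIN" ]; then
        p=$(random_passphrase 16)
        q=$(random_passphrase_portable 16)
        is_hex_passphrase "$p" 16 && is_hex_passphrase "$q" 16 \
                && echo "ok: 16-byte passphrases, $(passphrase_entropy_bits 16) bits each"
fi
```

The check matters in practice: a passphrase that is shorter than expected, or that contains non-hex characters because od's output format differed, would silently weaken the key that gets wrapped, so validating the length before wrapping is cheap insurance.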