I'm learning how to use eCryptfs: https://wiki.archlinux.org/index.php/ECryptfs
I get things as below from the link:
This is used to derive the actual file encryption master key. Thus, you should not enter a custom one unless you know what you are doing - instead press Enter to let it auto-generate a secure random one. It will be encrypted using the login passphrase and stored in this encrypted form in ~/.ecryptfs/wrapped-passphrase. Later it will automatically be decrypted ("unwrapped") again in RAM when needed, so you never have to enter it manually. Make sure this file does not get lost, otherwise you can never access your encrypted folder again!
So I did a simple test:
mkdir -p ~/test
mount -t ecryptfs ~/test ~/test
cd ~/test && vim data
umount -t ecryptfs ~/test
For now, I did get an encrypted file, which means that ~/test/data was unreadable.
Of course, if I mount it again, I can read it.
Now, I delete ~/.ecryptfs: sudo rm -rf ~/.ecryptfs.
Then I try to mount it: sudo mount -t ecryptfs ~/test ~/test
To my surprise, I can still mount it and read the ~/test/data.
Now I'm confused. I thought I could move ~/.ecryptfs onto some USB stick to keep my secret data secure. But it doesn't seem to work, because I can still mount it even if I delete ~/.ecryptfs. Am I doing something wrong?
If I'm right, the whole security is based on ONLY one thing: the login passphrase. In this case, what is the wrapped-passphrase? Why is it so important? Why does it say "Make sure this file does not get lost, otherwise you can never access your encrypted folder again!"?
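The key hierarchy the quoted wiki text describes, as an added toy model written for this page (not eCryptfs' own code, wrapped-passphrase file format, cipher or KDF parameters, which are assumptions here): a mount passphrase typed at mount -t ecryptfs, as in the commands above, yields the file key without any wrapped file being involved, whereas an auto-generated random passphrase only survives inside ~/.ecryptfs/wrapped-passphrase, so deleting that file makes its data unrecoverable.

```python
import os
import hmac
import hashlib

# Toy model of the eCryptfs key hierarchy; the XOR-plus-HMAC wrapping,
# the salt and the iteration count are assumptions, not eCryptfs' format.
ROUNDS = 100_000                  # assumed PBKDF2 iteration count
SALT = b"ecryptfs-model-salt"     # constructed constant salt for the model


def derive_fekek(mount_passphrase: bytes) -> bytes:
    """Key protecting the per-file keys: derived from the mount passphrase
    alone, so nothing under ~/.ecryptfs is needed once it is known."""
    return hashlib.pbkdf2_hmac("sha512", mount_passphrase, SALT, ROUNDS, 32)


def wrap_passphrase(mount_passphrase: bytes, login_passphrase: str) -> bytes:
    """Model of ~/.ecryptfs/wrapped-passphrase: the 32-byte mount passphrase
    XORed with a key stream derived from the login passphrase, plus an HMAC
    tag so a wrong login passphrase is detected on unwrap."""
    assert len(mount_passphrase) == 32
    kek = hashlib.pbkdf2_hmac("sha512", login_passphrase.encode(), SALT, ROUNDS, 64)
    stream, mac_key = kek[:32], kek[32:]
    ct = bytes(a ^ b for a, b in zip(mount_passphrase, stream))
    return ct + hmac.new(mac_key, ct, "sha256").digest()


def unwrap_passphrase(wrapped: bytes, login_passphrase: str) -> bytes:
    """Recover the mount passphrase; fails closed on a wrong login passphrase."""
    ct, tag = wrapped[:32], wrapped[32:]
    kek = hashlib.pbkdf2_hmac("sha512", login_passphrase.encode(), SALT, ROUNDS, 64)
    stream, mac_key = kek[:32], kek[32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, "sha256").digest(), tag):
        raise ValueError("wrong login passphrase or corrupted wrapped-passphrase")
    return bytes(a ^ b for a, b in zip(ct, stream))


def mount_typed(passphrase: str) -> bytes:
    """What an interactive `mount -t ecryptfs` does: the typed passphrase IS the
    mount passphrase, so the file key is derived with no wrapped file at all."""
    return derive_fekek(passphrase.encode())


def mount_from_wrapped(wrapped, login_passphrase: str) -> bytes:
    """The auto-generated-passphrase setup: the wrapped file is required, and
    once it is gone the random mount passphrase (and the data) are lost."""
    if wrapped is None:
        raise FileNotFoundError("wrapped-passphrase missing: mount passphrase unrecoverable")
    return derive_fekek(unwrap_passphrase(wrapped, login_passphrase))


if __name__ == "__main__":
    random_pp = os.urandom(32)                       # auto-generated mount passphrase
    wrapped = wrap_passphrase(random_pp, "login-secret")
    assert mount_from_wrapped(wrapped, "login-secret") == derive_fekek(random_pp)
    print("typed-passphrase mount needs no wrapped file:", mount_typed("login-secret").hex()[:16])
```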
Did you reboot the system in between? The above text is also telling you that it will be kept in RAM. – Seth – 2018-01-30T09:18:00.690
@Seth Yes, I rebooted. – Yves – 2018-01-30T09:25:54.277
I don't have a system to write a post on, but keyctl show. – user1686 – 2018-01-30T09:34:17.300
@grawity Sorry but what do you mean? I should keyctl unlink manually after umount? – Yves – 2018-01-30T09:35:48.113
@grawity Well, I just keyctl unlink all I can, but I can still mount it only if I type the login passphrase, which means that I CAN decrypt it without ~/.ecryptfs. – Yves – 2018-01-30T09:52:44.583