
Upstart script to start eCryptfs encryption

I'm using eCryptfs to mount and encrypt a particular directory via:

mount -t ecryptfs /secure /secure -o ecryptfs_unlink_sigs,ecryptfs_key_bytes=16,ecryptfs_cipher=aes

I've seen examples that use fstab to automatically mount using ecryptfs at boot time.

I'm wondering if it's possible / wise to do this as an upstart script, so that it can be executed as necessary and for testing purposes?

Ideally it would run before other Upstart scripts that depend on the directory being encrypted.

Please check the following script found at ruxkor's gist (original, superuser):

#!/bin/bash

# ecryptFS mount script
# taken and slightly modified version
# original at https://superuser.com/questions/227713/ecryptfs-how-to-mount-a-backup-of-an-encrypted-home-dir

# ROOT should be the parent of the .ecryptfs and .Private folders
if [ ! -d "$1" ] || [ -z "$2" ]; then
    echo "usage: $0 /home/.ecryptfs/USER /mnt/USER"
    exit 1
fi

ROOT=$1
TARGET=$2

sudo mkdir -p "$TARGET"
cd "$ROOT" || exit 1

# Unwrap the mount passphrase (prompts for the wrapping/login password)
echo Type your password:
PASS=$(ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase | sed s/Passphrase:\ //)
# Private.sig holds two lines: the content key signature and the filename key signature
SIG1=$(head -n1 .ecryptfs/Private.sig)
SIG2=$(tail -n1 .ecryptfs/Private.sig)

# Note: this prints the mount passphrase to the terminal in clear text
echo Passphrase:
echo "$PASS"
echo Signatures:
echo "$SIG1"
echo "$SIG2"

# Empty the user keyring so only the keys added below are present
echo Should be empty:
sudo keyctl clear @u
sudo keyctl list @u

# Add the passphrase and the filename encryption key (--fnek) to the keyring
echo Do not type anything:
echo "$PASS" | sudo ecryptfs-add-passphrase --fnek

echo Should have signatures:
sudo keyctl list @u

# Note: passwd= places the passphrase on the mount command line
echo "Mounting $ROOT on $TARGET..."
sudo mount -t ecryptfs -o "key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,ecryptfs_sig=$SIG1,ecryptfs_fnek_sig=$SIG2,passwd=$PASS" .Private "$TARGET"

ls "$TARGET"

You may extend this script to use a parameterized passphrase, e.g.:

ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase PASS

or:

printf "%s" "wrapping passphrase" | ecryptfs-unwrap-passphrase [file] -

Modify the script as required.
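
An added example, not part of the original post or of ruxkor's script: a helper that a boot job could call to perform the mount from the question non-interactively and repeatably, without putting the passphrase on a command line. The function names, `/secure` as the target and the passphrase-file path are assumptions; the file is expected to hold the passphrase in the format described in the ecryptfs(7) man page for `passphrase_passwd_file`.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and paths are
# assumptions chosen for illustration.

# True if TARGET is already an ecryptfs mount. MOUNTS defaults to /proc/mounts;
# it is a parameter so the check can be exercised on a sample table.
is_ecryptfs_mounted() {
    awk -v t="$1" '$2 == t && $3 == "ecryptfs" { hit = 1 } END { exit !hit }' \
        "${2:-/proc/mounts}"
}

# True only for a regular file with no group or other permission bits.
passfile_is_private() {
    [ -f "$1" ] || return 1
    case $(ls -ld -- "$1") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Options for the question's mount, made non-interactive. The passphrase is
# referenced by file, so it never appears in argv or in the job's log.
build_mount_opts() {
    case $1 in *[,:]*) return 1 ;; esac   # would split the option string
    printf '%s' "key=passphrase:passphrase_passwd_file=$1,ecryptfs_cipher=aes,\
ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_passthrough=no,\
ecryptfs_enable_filename_crypto=no,no_sig_cache"
}

# Mount DIR over itself unless it is already mounted; safe to run repeatedly.
mount_secure() {
    is_ecryptfs_mounted "$1" "${3:-/proc/mounts}" && return 0
    passfile_is_private "$2" || {
        echo "refusing $2: missing or readable by group/others" >&2
        return 2
    }
    opts=$(build_mount_opts "$2") || return 2
    mount -t ecryptfs -o "$opts" "$1" "$1"
}

# Run only when given arguments, e.g. from a boot job:
#   mount-secure.sh /secure /root/.ecryptfs-passfile
if [ "$#" -ge 2 ]; then
    mount_secure "$1" "$2"
fi
```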
