I'm using eCryptfs to mount and encrypt a particular directory via:
mount -t ecryptfs /secure /secure -o ecryptfs_unlink_sigs,ecryptfs_key_bytes=16,ecryptfs_cipher=aes
I've seen examples that use fstab to automatically mount using ecryptfs at boot time.
I'm wondering if it's possible / wise to do this as an upstart script, so that it can be executed as necessary and for testing purposes?
Ideally it would run before other Upstart scripts that depend on the directory being encrypted.
Please check the following script found at ruxkor's gist (original, superuser):
#!/bin/bash
# ecryptFS mount script
# taken and slightly modified version
# original at https://superuser.com/questions/227713/ecryptfs-how-to-mount-a-backup-of-an-encrypted-home-dir
# ROOT should be the parent of the .ecryptfs and .Private folders
if [ ! -d "$1" ] || [ -z "$2" ]; then
    echo "usage: $0 /home/.ecryptfs/USER /mnt/USER"
    exit 1
fi
ROOT=$1
TARGET=$2
sudo mkdir -p "$TARGET"
cd "$ROOT" || exit 1
# unwrap the mount passphrase with the login (wrapping) passphrase, prompted interactively
echo "Type your password:"
PASS=$(ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase | sed 's/Passphrase: //')
# Private.sig holds two lines: the file-content key signature, then the filename (FNEK) signature
SIG1=$(head -n1 .ecryptfs/Private.sig)
SIG2=$(tail -n1 .ecryptfs/Private.sig)
# debug output: this prints the unwrapped mount passphrase in the clear on the terminal
echo "Passphrase:"
echo "$PASS"
echo "Signatures:"
echo "$SIG1"
echo "$SIG2"
# note: this clears every key in root's user keyring, not only eCryptfs keys
echo "Should be empty:"
sudo keyctl clear @u
sudo keyctl list @u
echo "Do not type anything:"
# "-" makes ecryptfs-add-passphrase read the passphrase from stdin instead of the tty;
# the signatures it prints must match the two lines of Private.sig
echo "$PASS" | sudo ecryptfs-add-passphrase --fnek -
echo "Should have signatures:"
sudo keyctl list @u
echo "Mounting $ROOT on $TARGET..."
# passwd= is passed on the mount command line, so it is briefly visible in process listings
sudo mount -t ecryptfs -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,ecryptfs_sig="$SIG1",ecryptfs_fnek_sig="$SIG2",passwd="$PASS" .Private "$TARGET"
ls "$TARGET"
You may extend this script to use a parameterized passphrase, e.g.:
ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase PASS
or:
printf "%s" "wrapping passphrase" | ecryptfs-unwrap-passphrase [file] -
Modify the script as required.
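For the Upstart side of the question, here is an added example of a job that mounts the directory from the question non-interactively and that other jobs can wait on. It is not part of the answer above or of the ecryptfs-utils project; the job name secure-ecryptfs and the passphrase file path /root/.ecryptfs/secure-passphrase are assumptions, and the mount options extend the ones in the question with the settings that stop mount.ecryptfs from prompting.

```conf
# /etc/init/secure-ecryptfs.conf   (hypothetical job name; added example, not the answer's script)
description "mount the eCryptfs overlay on /secure before jobs that depend on it"

# run once the local filesystems are up; "task" delays the started event
# until the script has exited, so dependents really see a mounted /secure
start on local-filesystems
task

# the mount passphrase is read from a root-only file (mode 0600), never passed
# on the command line, so it does not show up in ps or /proc/<pid>/cmdline
env PASSFILE=/root/.ecryptfs/secure-passphrase

script
    # idempotent: nothing to do if /secure is already an eCryptfs mount
    mountpoint -q /secure && exit 0
    [ -r "$PASSFILE" ] || { echo "missing $PASSFILE" >&2; exit 1; }

    # same cipher/key size as the question; the extra options avoid the
    # interactive questions mount.ecryptfs would otherwise ask:
    #   passphrase_passwd_file  -> file containing "passphrase_passwd=<passphrase>"
    #   ecryptfs_passthrough=n  -> no plaintext passthrough prompt
    #   ecryptfs_enable_filename_crypto=n -> no filename-encryption prompt
    #   no_sig_cache            -> no "unknown signature, proceed?" prompt
    OPTS="key=passphrase:passphrase_passwd_file=$PASSFILE"
    OPTS="$OPTS,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs"
    OPTS="$OPTS,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,no_sig_cache"
    mount -t ecryptfs /secure /secure -o "$OPTS"
end script
```

A job that needs the encrypted directory then declares `start on started secure-ecryptfs`; because the job is a task, that event only fires after the mount succeeded, and a failing mount leaves the dependents unstarted rather than writing cleartext into a plain /secure directory. The passphrase file must be created by root with umask 077 and contain the single line `passphrase_passwd=<mount passphrase>`; keeping it on an unencrypted root filesystem means the data is only protected when the disk is read without root access on the running system, which is the usual trade-off for an unattended boot.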