Re: ecryptfs directories as nautilus mounts

["Dustin Kirkland" <kirkland ubuntu com>]

On Mon, Dec 15, 2008 at 8:58 PM, David Zeuthen <david fubar dk> wrote:
> I'm not sure we want to display things in the sidebar for ecryptfs
> "mounts". The fact that ecryptfs uses a POSIX mount is an implementation
> detail of how ecryptfs works; it's certainly not what we would regard as
> a GMount. For the record, a GMount is defined to be a user-visible
> mount. Note that we already go through a lot of pain to filter out other
> UNIX mounts that are not interesting to show either; e.g. you don't what
> stuff like /sys, /proc in your side bar.
>
> I do like the idea of having a Cluebar that is shown in the file manager
> [1] when you are in a hierarchy (e.g. ~/Private) that contains encrypted
> files. So a few questions / thoughts about that

Hi David-

I'm the upstream maintainer of ecryptfs and can help with some of the
more technical details.

>  o  Implementation-wise (since I happen know little or nothing about
>    ecryptfs), how do you suggest that we determine for a given URI
>    that we're in such a hierarchy?

You can check /proc/mounts or /etc/mtab for a filesystem of type
'ecryptfs' matching the first part of the URI.

>    Can you have multiple separate
>    hierarchies with different passphrases (e.g. ~/Private and
>    ~/Work/Private)? Or only one? Or does a single ecryptfs mount
>    allow any file in / to be encrypted?

eCryptfs has extensive support for multiple passphrases, pkcs11
tokens, openssl, etc.  However, no one that I know of is using any of
this.  Frankly, it's just too complex.

The simple case, however, is rather popular.  A single passphrase is
established for an entire mountpoint.  Generally, this is 128-bits of
data from /dev/urandom.  This long, difficult passphrase is then
"wrapped" with the user's system passphrase.  Optionally, on login, a
pam module uses this passphrase to unwrap the mount passphrase and
establish the mount.  Some users, however, do not want this to happen
automatically at login, or perhaps they have configured their system
to automatically log them in without a passphrase.  It is in these
cases that Mike's proposal for Nautilus support of mounting a user's
private directory makes a lot of sense.

>  o  How is the mount performed? Are privileges needed?
>    (sigh, looks like privileges are needed)

/sbin/mount.ecryptfs_private and /sbin/umount.ecryptfs_private are
setuid binaries.  It has been heavily audited by several security
engineers.  The only thing it actually does with root privileges is
perform the mount/unmount.  Extensive checking of parameters happens
before it gets to this point.

>  o  You should be using the keyring to store/retrieve the password;
>    (Need to be careful if the keyring itself is in a encrypted file.
>     Can you determine if a given file is encrypted?)

eCryptfs is a filesystem in the Linux kernel (as opposed to a
userspace, FUSE-based filesystem).

As such, it must use the in-kernel keyring.  This is separate from the
gnome-keyring, though perhaps there is some possibility of stacking
the two?  I don't know about that.

What I do know is that the mount passphrase must be in the current
user/session's kernel keyring.  See keyutils and keyctl.

>  o  It would be nice with a small distro-independent wizard to set
>    this kind of thing up.

I think that's what I've tried to make /usr/bin/ecryptfs-setup-private be...

:-Dustin