eCryptfs: An Enterprise Encrypting File System Explained
Add Date : 2018-11-21
In recent years, protecting sensitive personal data has become a pressing concern, and encryption has proven to be one of the more successful methods of protection. eCryptfs is a powerful, enterprise-class encrypting file system that stacks on top of other file systems (such as Ext2, Ext3, ReiserFS and JFS) and provides applications with transparent, dynamic, efficient and secure encryption. This article first describes the background of encrypting file systems, then explains how to use eCryptfs, and finally discusses the design principles behind it.

Encrypting File System Overview

What is an Encrypting File System

In recent years, leakage of sensitive data has become a widely discussed problem. Besides an intruder stealing the physical storage device outright, file data can also be captured through network attacks; moreover, since sensitive data must often be shared and accessed by many people, the chance of leakage increases further. Encrypting data or files has become an accepted and relatively successful method of protection. Many good encryption algorithms already exist, such as DES, AES and RSA, and there are applications, such as crypt, that use these algorithms; with such tools the user performs the encryption and decryption work manually. Because these applications are cumbersome to operate, are not tightly integrated with the rest of the system and are vulnerable to attack, ordinary users are reluctant to use them.

An encrypting file system solves these problems by moving the encryption service into the file system layer. File contents are normally encrypted with a symmetric-key algorithm and stored on the physical medium as ciphertext, so even if a file is lost or stolen, an unauthorized user can hardly recover the plaintext from the ciphertext as long as the encryption key has not leaked, which gives high security. At the same time, authorized users can access encrypted files very conveniently: after initial authentication, accessing an encrypted file is no different from accessing an ordinary one, as if the file were not encrypted at all, because the encrypting file system performs the encryption and decryption automatically in the background. Since encrypting file systems generally run in kernel mode, common attacks are harder to carry out. The other kind of system-level encryption scheme is based on the block device; compared with it, an encrypting file system has several advantages:

File-granularity encryption: the user can choose which files or directories are encrypted. Moreover, applications need not care whether a file is encrypted and can access encrypted files completely transparently.
No space needs to be reserved in advance; files can be encrypted, or restored to plaintext, at any time.
Changing the key or the encryption algorithm of an individual file is easier.
Different files can use different encryption algorithms and keys, which increases the difficulty of cracking.
Only encrypted files require the special encryption/decryption processing; access to regular files carries no overhead.
When an encrypted file is transferred to another physical medium, no additional encryption/decryption work is needed.

Categories of Encrypting File Systems

Encrypting file systems fall into two broad categories whose implementations and goals differ considerably. The first targets network storage services and is usually based on the NFS client/server model; it is commonly called a network encrypting file system. Data is stored in the network file system as ciphertext; the client interacts with the network file server through a client service process, the server hands the ciphertext requested by the user to the client service process, and the client service process decrypts it before passing it to the application. In this model only the client operating system needs to be trusted; since the server never touches plaintext data, it need not be trusted. The second category is the local encrypting file system, in which ciphertext is stored directly on local physical media (hard disk, USB stick, etc.) and the operating system or a service process performs the reading, encryption and decryption of data. The goal of a local encrypting file system is to counter theft of the storage medium; in its security model the operating system on which the file system resides is considered trusted.

Local encrypting file systems can be further subdivided. One approach builds cryptographic functions directly into an ordinary file system, as Reiser4 does; but existing common file systems such as Ext2 and Ext3 do not support encryption, so users would have to convert the entire file system. The other approach is the stackable cryptographic file system. Such a file system can be viewed as an encryption/decryption conversion layer rather than a complete, fully functional file system: it has no on-disk layout of its own and does not implement access to data on the physical medium. It must sit on top of another general-purpose file system. When an encrypted file is read, its ciphertext is first read into memory through the lower file system, then decrypted and the plaintext returned to the user process above; when an encrypted file is written, the plaintext in memory is first encrypted and then passed to the lower file system, which actually writes it to the physical medium. The advantages of the stackable design are that it is relatively easy to implement (because its functionality is relatively simple) and that the user can choose the underlying ordinary file system that stores the encrypted files. The eCryptfs discussed in this article is a local, stackable cryptographic file system.

Shortcomings of Existing Encrypting File Systems

The concept of an encrypting file system has existed for a long time, and there are many real-world implementations, such as CFS [2], TCFS, Crypt-FS, FSFS, Waycryptic and Windows EFS, but these encrypting file systems have inherent limitations and security problems.

CFS and TCFS provide cryptographic services through the NFS client/server model and use only the DES algorithm to encrypt file contents. Their main disadvantages are that they are difficult to use, sharing encrypted files is very hard, the user cannot choose the encryption algorithm, temporary or swap files may leak plaintext, and performance is poor.

Waycryptic is a stackable cryptographic file system that provides encryption and decryption by modifying the Linux kernel's virtual file system layer (VFS). Waycryptic encrypts a file with two algorithms: the file contents are encrypted with a symmetric-key algorithm such as AES, using a randomly generated key, and that key is in turn encrypted with a public-key algorithm such as RSA. Only this combination of the two kinds of algorithm ensures encryption/decryption speed while greatly improving security. Waycryptic also lets encrypted files be shared easily and safely among multiple users, and to cope with lost keys it lets the user designate another account that can recover the file. However, Waycryptic is primarily a research project, better suited to individual use; it cannot meet the needs of business users or higher security requirements.

Windows EFS (Encrypting File System) is an extension of NTFS that makes it easy to encrypt a file or directory on an NTFS volume. Windows EFS is easy to use and powerful; its shortcomings are that it can only be used on NTFS volumes under Windows and that the algorithm used for file-content encryption is relatively simple. In addition, if the certificate was not backed up beforehand, the encrypted files can no longer be accessed after the system is reinstalled.

Using eCryptfs

eCryptfs Overview

eCryptfs is a powerful enterprise-class encrypting file system introduced in Linux kernel version 2.6.19. It stacks on top of other file systems (such as Ext2, Ext3, ReiserFS and JFS) and provides applications with transparent, dynamic, efficient and secure encryption.

Essentially, eCryptfs is like a kernel-space version of the Pretty Good Privacy (PGP) [3] service, interposed between the VFS (virtual file system layer) and the underlying physical file system, where it acts as a filter. When a user application requests a write to an encrypted file, the request reaches the VFS layer through a system call; the VFS hands it to the eCryptfs file system component (explained later) for processing, after which it is passed on to the underlying physical file system. A read request (including opening a file) goes the opposite way.

The design of eCryptfs is influenced by the OpenPGP specification; it encrypts each file using two methods:

First, eCryptfs encrypts the file contents with a symmetric-key algorithm; AES-128 is recommended, and the key, the FEK (File Encryption Key), is randomly generated. Some encrypting file systems use the same FEK (sometimes not even randomly generated) for many files or for the whole system, which weakens the security of the system, because: a. if the FEK leaks, several or all of the encrypted files can easily be decrypted; b. if some plaintext leaks, an attacker may be able to infer things about other encrypted files; c. an attacker may be able to deduce the FEK from the large amount of available ciphertext.
Obviously the FEK cannot be stored in clear text, so eCryptfs encrypts it using either a passphrase supplied by the user, a public-key algorithm (such as RSA), or the public key of a TPM (Trusted Platform Module). When a user passphrase is used, the passphrase is first processed by a hash function, and the result is then used as the key of a symmetric-key algorithm to encrypt the FEK. The passphrase or public key is called the FEFEK (File Encryption Key Encryption Key), and the encrypted FEK is called the EFEK (Encrypted File Encryption Key). Because multiple authorized users may be allowed to access the same encrypted file, a file may carry more than one EFEK.
This combined approach both keeps the encryption and decryption of file data fast and greatly improves security. Although a file's name is not as important as its data, an intruder can still obtain useful information or identify targets from file names, so the latest versions of eCryptfs also support file-name encryption.
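The two-level key hierarchy described above, modelled in Python as an added example (this is not eCryptfs code and not the project's on-disk format). Each file gets its own random FEK, the file body is encrypted once under that FEK, and the header carries one EFEK entry per authorized user, each wrapping the same FEK under that user's FEFEK. The KDF (PBKDF2-HMAC-SHA-512), the key signature, and the HMAC-counter-mode stand-in cipher are this example's assumptions chosen to keep it standard-library only; eCryptfs itself uses AES through the Kernel Crypto API.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SALT = b"ecryptfs-example-salt"  # constructed; eCryptfs has its own salt handling


def derive_fefek(passphrase: str, iterations: int = 65536) -> bytes:
    """Passphrase -> FEFEK. The article only says the passphrase is hashed; the
    concrete KDF here (PBKDF2-HMAC-SHA-512, 16-byte key) is this example's choice."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), SALT, iterations, dklen=16)


def key_signature(fefek: bytes) -> str:
    """Short identifier stored beside each EFEK so the matching entry can be
    selected at open time (constructed stand-in for eCryptfs's key signature)."""
    return hashlib.sha256(fefek).hexdigest()[:16]


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate wrapping key and MAC key from one FEFEK.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the symmetric cipher: HMAC-SHA256 run in counter mode.
    eCryptfs uses AES; this keeps the example dependency-free."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class EfekEntry:
    sig: str        # which FEFEK produced this copy
    nonce: bytes
    efek: bytes     # the FEK encrypted under the FEFEK
    tag: bytes      # lets a wrong passphrase be detected instead of yielding garbage


@dataclass
class EncryptedFile:
    header: list = field(default_factory=list)  # one EfekEntry per authorized user
    nonce: bytes = b""
    body: bytes = b""


def wrap_fek(fefek: bytes, fek: bytes) -> EfekEntry:
    nonce = secrets.token_bytes(12)
    efek = keystream_xor(_subkey(fefek, b"wrap"), nonce, fek)
    tag = hmac.new(_subkey(fefek, b"mac"), nonce + efek, hashlib.sha256).digest()
    return EfekEntry(key_signature(fefek), nonce, efek, tag)


def unwrap_fek(fefek: bytes, entry: EfekEntry) -> bytes:
    expected = hmac.new(_subkey(fefek, b"mac"), entry.nonce + entry.efek, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, entry.tag):
        raise ValueError("FEFEK does not match this EFEK entry")
    return keystream_xor(_subkey(fefek, b"wrap"), entry.nonce, entry.efek)


def create_file(plaintext: bytes, authorized_fefeks: list) -> EncryptedFile:
    """New file: fresh random FEK, body encrypted once under it, and one EFEK
    entry per authorized user's FEFEK stored in the header."""
    fek = secrets.token_bytes(16)  # AES-128-sized, per file, never shared across files
    f = EncryptedFile(nonce=secrets.token_bytes(12))
    f.body = keystream_xor(fek, f.nonce, plaintext)
    f.header = [wrap_fek(k, fek) for k in authorized_fefeks]
    return f


def open_file(f: EncryptedFile, fefek: bytes) -> bytes:
    """Open: pick the EFEK entry for this key, recover the FEK, decrypt the body."""
    sig = key_signature(fefek)
    for entry in f.header:
        if entry.sig == sig:
            return keystream_xor(unwrap_fek(fefek, entry), f.nonce, f.body)
    raise PermissionError("no EFEK entry for this key")


if __name__ == "__main__":
    alice, bob = derive_fefek("alice-pass"), derive_fefek("bob-pass")
    shared = create_file(b"constructed payroll data", [alice, bob])
    print(open_file(shared, alice) == open_file(shared, bob))  # both authorized users succeed
```

Two properties from the text are visible in the model: leaking one file's FEK exposes only that file because every file draws a fresh FEK, and adding a user means appending one more EFEK entry to the header without re-encrypting the body.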

eCryptfs Usage

eCryptfs requires the corresponding kernel module together with user-space tools. The user-space tools can be obtained from https://launchpad.net/ecryptfs; on Debian or Ubuntu systems, install the ecryptfs-utils package with apt-get. If you compile your own kernel, the following options are required:

Listing 1. eCryptfs required kernel options

General setup --->
  [*] Prompt for development and/or incomplete code/drivers
File systems --->
  Miscellaneous filesystems --->
    <M> eCrypt filesystem layer support (EXPERIMENTAL)
Security options --->
  <M> Enable access key retention support
Cryptographic API --->
  <M> MD5 digest algorithm
  <M> AES cipher algorithms

To use eCryptfs, first load the kernel module by running modprobe ecryptfs. Then prepare a directory in which the encrypted files will be stored and mount it with sudo mount -t ecryptfs real_path ecryptfs_mounted_path. It is recommended that ecryptfs_mounted_path be the same as the real directory real_path, so that unauthorized users cannot reach the encrypted files through the original path.

eCryptfs mount results

By default eCryptfs uses AES-128 and encrypts the FEK with a passphrase; for the other mount options, refer to the man page. To encrypt the FEK with a public-key algorithm, a public/private key pair must first be generated with OpenSSL. Users can also put their default options in the .ecryptfsrc file in their home directory; for the format of this configuration file, see http://ecryptfs.sourceforge.net/README.

eCryptfs Design

eCryptfs Design Goals

To assess the feasibility of an encryption solution, companies usually have to consider many factors: the learning curve for employees, the impact on incremental backups, how information leakage is prevented and how information is recovered when a key is lost, the cost of conversion and use, potential risks, and so on. Early in its design, eCryptfs gave full consideration to the needs of business users, as follows:

Easy to deploy. eCryptfs requires no changes to any other component of the Linux kernel and can be deployed as a stand-alone kernel module. It also requires no additional preparation or conversion step.
The user is free to choose the underlying file system that stores the encrypted files. Because it does not modify the VFS layer, eCryptfs achieves stacking by being mounted onto an existing directory; accesses to files under the eCryptfs mount point are first redirected to the eCryptfs kernel file system module.
Easy to use. Before each use the user simply runs the mount command; eCryptfs then automatically handles key generation and retrieval, on-the-fly file encryption and decryption, and metadata maintenance.
Full use of existing mature security technology. For example, eCryptfs uses the OpenPGP file format for encrypted files, and uses the symmetric-key and hash algorithms implemented by the kernel's Crypto API.
Enhanced security. The security of eCryptfs ultimately rests entirely on the passphrase or private key needed to decrypt the FEK. By using a hardware TPM (which can generate a public/private key pair and perform encryption/decryption operations directly in hardware, while the private key can never be extracted from the chip), eCryptfs ensures to the greatest possible extent that the private key does not leak.
Support for incremental backups. eCryptfs stores the metadata and the ciphertext in the same file, so it supports incremental backups and file migration perfectly.
Key escrow. Users can designate a recovery account in advance; if the passphrase or private key that encrypts the FEK is lost, the plaintext file can still be recovered through that account. If no recovery account is designated, not even the system administrator can recover the file contents.
Rich configuration policies. When an application creates a new file under an eCryptfs mount point, eCryptfs has to make many decisions: whether to encrypt the new file, which algorithm to use, the FEK length, whether to use the TPM, and so on. eCryptfs supports Apache-style policy files with which the user can configure these details per application or per directory.

eCryptfs Architecture

The eCryptfs Layer is a fairly complete kernel file system module, but it does not implement access to data on physical media. Its own data structures contain pointers to the corresponding data structures of the underlying file system, and through these pointers eCryptfs reaches the encrypted files. Listing 2 shows some of the key data structures:

Listing 2. Main data structures of the eCryptfs Layer

static struct file_system_type ecryptfs_fs_type = {
    .owner    = THIS_MODULE,
    .name     = "ecryptfs",
    .get_sb   = ecryptfs_get_sb,
    .kill_sb  = ecryptfs_kill_block_super,
    .fs_flags = 0
};

/* superblock private data */
struct ecryptfs_sb_info {
    struct super_block *wsi_sb;        /* superblock of the underlying file system */
    struct ecryptfs_mount_crypt_stat mount_crypt_stat;
};

/* inode private data */
struct ecryptfs_inode_info {
    struct inode vfs_inode;
    struct inode *wii_inode;           /* wii_inode and lower_file point to the corresponding */
    struct file *lower_file;           /* data structures of the underlying file system */
    struct mutex lower_file_mutex;
    struct ecryptfs_crypt_stat crypt_stat;
};

/* dentry private data */
struct ecryptfs_dentry_info {
    struct path lower_path;            /* the underlying file system's dentry (and vfsmount) */
    struct ecryptfs_crypt_stat *crypt_stat;
};

/* file private data */
struct ecryptfs_file_info {
    struct file *wfi_file;             /* the underlying file system's struct file */
    struct ecryptfs_crypt_stat *crypt_stat;
};

Key management is handled jointly by the Keystore module and the user-space eCryptfs Daemon process. When the eCryptfs Layer first opens a file, it reads the file's header metadata through the underlying file system and hands it to the Keystore module to decrypt the EFEK (the encrypted FEK). As mentioned above, because encrypted files may be shared, the header metadata can contain a chain of EFEKs. Each EFEK, together with a description of its public-key algorithm or passphrase, forms an authentication token, represented by the ecryptfs_auth_tok structure. The Keystore parses each ecryptfs_auth_tok structure of the encrypted file in turn: it first looks in the process's key ring for the corresponding private key or passphrase; if none is found, the Keystore sends a message to the eCryptfs Daemon, which prompts the user to enter the passphrase or import the private key. The first ecryptfs_auth_tok structure that is parsed successfully is used to decrypt the FEK. If the EFEK was encrypted with a public-key algorithm, then, because the current Kernel Crypto API does not support public-key algorithms, the Keystore must send the ecryptfs_auth_tok structure to the eCryptfs Daemon, which decrypts the FEK by calling the Key Module API, the OpenSSL library or the TPM. The decrypted FEK and the description of the symmetric-key algorithm used for the file contents are kept in the crypt_stat member of the ecryptfs_inode_info structure. When the eCryptfs Layer creates a new file, the Keystore generates a FEK with the kernel's random number facility; when the new file is closed, the Keystore and the eCryptfs Daemon cooperate to create an EFEK for each authorized user, and these are stored together with the other metadata in the header of the encrypted file.

eCryptfs stores encrypted files in the OpenPGP file format; refer to RFC 2440. Symmetric-key algorithms encrypt and decrypt in units of blocks; the block size of AES, for example, is 128 bits. eCryptfs therefore divides an encrypted file into multiple logical blocks called extents. When any part of the ciphertext in an extent is read, the whole extent is read into the Page Cache and decrypted through the Kernel Crypto API; when any part of the plaintext of an extent is written back to disk, the whole extent must be encrypted and written. The extent size is adjustable but cannot exceed the physical page size. In the current version the default extent size equals the physical page size, which on the IA32 architecture is 4096 bytes. The header of an encrypted file stores metadata, including the metadata length, flags and the EFEK chain; the minimum metadata length is currently 8192 bytes.

Shortcomings of eCryptfs

The shortcomings of eCryptfs are:

Poor write performance. I tested eCryptfs performance with iozone and found that the overhead of read operations is not too large, a reduction of at most 29%, and some small-file test items even performed better; for write operations, however, the results of all test items were very poor, generally a sixteen-fold decline. This is because the Page Cache holds only plaintext: the first read requires a decryption operation, after which subsequent reads carry no overhead; but each write of x bytes involves encrypting ((x - 1) / extent_size + 1) * extent_size bytes, so the overhead is relatively large.
There are two situations that may leak information: a. when system memory is short, plaintext pages of encrypted files in the Page Cache may be swapped out to the swap area; the current solution is to encrypt the swap area with dm-crypt. b. After reading an encrypted file, an application may write some of its contents to a temporary file in a directory not mounted under eCryptfs (for example directly to /tmp); the solution is to configure the application accordingly or modify its implementation.
The security of eCryptfs depends entirely on the security of the operating system itself. If the Linux kernel is compromised, an attacker can easily obtain important information such as plaintext files and FEKs.
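The extent layout described in the architecture section and the write-cost formula in the first shortcoming above, worked through in Python as an added example (not eCryptfs code). The constants 4096 and 8192 are the default extent size and minimum header length the article states; the helper names and the placement of extents directly after a minimum-length header are this example's assumptions. It also goes one step beyond the article's formula by handling writes that do not start on an extent boundary, which can touch one more extent than the formula predicts.

```python
PAGE_SIZE = 4096    # default extent size: one physical page on IA32 (from the article)
HEADER_MIN = 8192   # minimum metadata header length stated by the article


def extent_range(offset: int, length: int, extent_size: int = PAGE_SIZE) -> range:
    """Indices of the extents that the plaintext byte range [offset, offset+length) touches."""
    if length <= 0:
        return range(0)
    first = offset // extent_size
    last = (offset + length - 1) // extent_size
    return range(first, last + 1)


def lower_offset(extent_index: int, extent_size: int = PAGE_SIZE,
                 header: int = HEADER_MIN) -> int:
    """Byte offset of an extent's ciphertext in the lower (backing) file: the
    metadata header comes first, then the extents in order. Assumes the minimum
    header length; a real file's header length is recorded in its metadata."""
    return header + extent_index * extent_size


def bytes_encrypted_for_write(offset: int, length: int,
                              extent_size: int = PAGE_SIZE) -> int:
    """Ciphertext bytes produced by one write: every touched extent is re-encrypted whole."""
    return len(extent_range(offset, length, extent_size)) * extent_size


def article_write_cost(x: int, extent_size: int = PAGE_SIZE) -> int:
    """The article's formula ((x - 1) / extent_size + 1) * extent_size for a write
    of x bytes. It matches bytes_encrypted_for_write when the write starts on an
    extent boundary; an unaligned write can straddle one extra extent."""
    return ((x - 1) // extent_size + 1) * extent_size


def decrypts_for_reads(reads, extent_size: int = PAGE_SIZE) -> int:
    """Page-cache model from the article: the first touch of an extent costs one
    decryption of the whole extent; later reads of the same extent are free."""
    decrypted = set()
    count = 0
    for offset, length in reads:
        for e in extent_range(offset, length, extent_size):
            if e not in decrypted:
                decrypted.add(e)
                count += 1
    return count


if __name__ == "__main__":
    # constructed workload: 1 KiB sequential reads over an 8 KiB region, repeated twice
    workload = [(o, 1024) for o in range(0, 8192, 1024)] * 2
    print("extents decrypted:", decrypts_for_reads(workload))                   # 2
    print("ciphertext bytes for a 1-byte write at 4095:",
          bytes_encrypted_for_write(4095, 1))                                    # 4096
    print("ciphertext bytes for a 2-byte write at 4095:",
          bytes_encrypted_for_write(4095, 2))                                    # 8192
    print("lower-file offset of extent 3:", lower_offset(3))                    # 20480
```

The read model shows why the article's read overhead is modest (each extent is decrypted once and then served from cache), and the write functions show why small writes are expensive: a two-byte write that crosses an extent boundary costs two full extents of encryption.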