Encrypt Your Data With EncFS (OpenSUSE 12.3)

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 04/12/2013

EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. It is a pass-through filesystem, not an encrypted block device, which means it is created on top of an existing filesystem. This tutorial shows how you can use EncFS on OpenSUSE 12.3 to encrypt your data.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

I’m using the username falko on my OpenSUSE 12.3 system in this tutorial.

2 Installing EncFS

Become root first:

su

EncFS can then be installed as follows:

zypper install encfs

Exit the root shell:

exit

You should now take a look at the EncFS man page to familiarize yourself with its options:

man encfs

3 Using EncFS

I will now create the directories encrypted and decrypted in my home directory:

mkdir -p ~/encrypted
mkdir -p ~/decrypted

The decrypted directory acts as the mount point for the encrypted directory. To mount ~/encrypted to ~/decrypted, simply run:

encfs ~/encrypted ~/decrypted

If you run this command for the first time, the EncFS setup is started, and you must define a password for the encrypted volume:

falko@linux-ci7w:~> encfs ~/encrypted ~/decrypted
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
> <-- p

Paranoia configuration selected.

Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 256 bits
Block Size: 1024 bytes, including 8 byte MAC header
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File data IV is chained to filename IV.
File holes passed through to ciphertext.

-------------------------- WARNING --------------------------
The external initialization-vector chaining option has been
enabled.  This option disables the use of hard links on the
filesystem. Without hard links, some programs may not work.
The programs 'mutt' and 'procmail' are known to fail.  For
more information, please see the encfs mailing list.
If you would like to choose another configuration setting,
please press CTRL-C now to abort and start over.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

New Encfs Password: <-- yoursecretpassword
Verify Encfs Password: <-- yoursecretpassword
falko@linux-ci7w:~>

Make sure you remember the password because there’s no way to recover your encrypted data if you forget the password!

You should now find the EncFS volume in the output of

mount

falko@linux-ci7w:~> mount
devtmpfs on /dev type devtmpfs (rw,relatime,size=1020060k,nr_inodes=255015,mode=755)
tmpfs on /dev/shm type tmpfs (rw,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
/dev/sda2 on / type ext4 (rw,relatime,data=ordered)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=24,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
tmpfs on /var/lock type tmpfs (rw,nosuid,nodev,relatime,mode=755)
tmpfs on /var/run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
securityfs on /sys/kernel/security type securityfs (rw,relatime)
tmpfs on /media type tmpfs (rw,nosuid,nodev,noexec,relatime,mode=755)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
/dev/sda3 on /home type ext4 (rw,relatime,data=ordered)
none on /proc/fs/vmblock/mountPoint type vmblock (rw,relatime)
gvfs-fuse-daemon on /run/user/falko/gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
encfs on /home/falko/decrypted type fuse.encfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=100,default_permissions)
falko@linux-ci7w:~>

and

df -h

falko@linux-ci7w:~> df -h
Filesystem      Size  Used Avail Use% Mounted on
rootfs           12G  3.4G  7.5G  31% /
devtmpfs        997M  4.0K  997M   1% /dev
tmpfs          1004M   96K 1004M   1% /dev/shm
tmpfs          1004M  568K 1003M   1% /run
/dev/sda2        12G  3.4G  7.5G  31% /
tmpfs          1004M     0 1004M   0% /sys/fs/cgroup
tmpfs          1004M  568K 1003M   1% /var/lock
tmpfs          1004M  568K 1003M   1% /var/run
tmpfs          1004M     0 1004M   0% /media
/dev/sda3        17G  387M   16G   3% /home
encfs            17G  387M   16G   3% /home/falko/decrypted
falko@linux-ci7w:~>

To save your data in encrypted form, put your data into the decrypted directory, just as you would do with a normal directory:

cd ~/decrypted
echo "hello foo" > foo
echo "hello bar" > bar
ln -s foo foo2

If you list the contents of the directory, you will see the files in unencrypted form…

ls -l

falko@linux-ci7w:~/decrypted> ls -l
total 8
-rw-r--r-- 1 falko users 10 Dec  5 20:04 bar
-rw-r--r-- 1 falko users 10 Dec  5 20:04 foo
lrwxrwxrwx 1 falko users  3 Dec  5 20:04 foo2 -> foo
falko@linux-ci7w:~/decrypted>

… while in the encrypted directory, it’s encrypted:

cd ~/encrypted
ls -l

falko@linux-ci7w:~/encrypted> ls -l
total 8
-rw-r--r-- 1 falko users 26 Dec  5 20:04 7ijqcKIYQH4hNiq1XjXYmozt
lrwxrwxrwx 1 falko users 24 Dec  5 20:04 eYgd4NX4d1bfjKPd61jmPZ5G -> 7ijqcKIYQH4hNiq1XjXYmozt
-rw-r--r-- 1 falko users 26 Dec  5 20:04 z8GFaXk7mXU7hgWxk0Md6zZn
falko@linux-ci7w:~/encrypted>

To unmount the encrypted volume, run:

cd
fusermount -u ~/decrypted

Check the outputs of…

mount

… and…

df -h

… and you will see that the EncFS volume isn’t listed anymore.
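
Once the volume is unmounted, ~/decrypted is an ordinary directory again, so anything written there is stored in plain text on the underlying filesystem. The following guard is an added example, not part of the original tutorial: it looks for a fuse.encfs entry in the mount output before copying a file. The function names and the optional mount-output file argument are assumptions made for the example.

```shell
#!/bin/sh
# Guard for the EncFS mount point used on this page (~/decrypted).

# is_encfs_mount MOUNTPOINT [MOUNT_OUTPUT_FILE]
# Succeeds only if `mount`-style output lists MOUNTPOINT with type fuse.encfs.
# MOUNT_OUTPUT_FILE is a hypothetical test hook; without it, live `mount` is read.
# Mount points that contain spaces are not handled.
is_encfs_mount() {
    mp=${1%/}
    if [ -n "${2:-}" ]; then cat "$2"; else mount; fi |
    awk -v mp="$mp" '
        # Format: <source> on <mountpoint> type <fstype> (<options>)
        $2 == "on" && $3 == mp && $4 == "type" { fstype = $5 }  # last mount wins
        END { exit (fstype == "fuse.encfs" ? 0 : 1) }'
}

# store_encrypted FILE MOUNTPOINT [MOUNT_OUTPUT_FILE]
# Copies FILE into MOUNTPOINT only while the EncFS volume is mounted there.
store_encrypted() {
    if ! is_encfs_mount "$2" "${3:-}"; then
        echo "refusing: $2 is not a mounted EncFS volume" >&2
        return 1
    fi
    cp -- "$1" "${2%/}/"
}

# Constructed sample in the format of the mount output shown above.
sample_mounted() {
    cat <<'EOF'
/dev/sda3 on /home type ext4 (rw,relatime,data=ordered)
encfs on /home/falko/decrypted type fuse.encfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=100,default_permissions)
EOF
}
# Constructed sample after `fusermount -u ~/decrypted`: the encfs line is gone.
sample_unmounted() {
    echo '/dev/sda3 on /home type ext4 (rw,relatime,data=ordered)'
}

# Demo on the constructed samples; no real EncFS mount is needed.
tmp=$(mktemp); sample_unmounted > "$tmp"
is_encfs_mount /home/falko/decrypted "$tmp" || echo "not mounted: a write would be stored unencrypted"
rm -f "$tmp"
```

On a live system, call it as store_encrypted somefile ~/decrypted; the shell expands ~ before the comparison with the mount output.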

To mount it again, run

encfs ~/encrypted ~/decrypted

You will be asked for the password you defined earlier:

falko@linux-ci7w:~> encfs ~/encrypted ~/decrypted
EncFS Password: <-- yoursecretpassword
falko@linux-ci7w:~>

If you specify the correct password, this will mount the ~/encrypted directory to ~/decrypted from where you can access your encrypted data in unencrypted form. If you forget the password, your encrypted data is lost!

If you want to change the password, you can do this with the

encfsctl passwd ~/encrypted

command.

falko@linux-ci7w:~> encfsctl passwd ~/encrypted
Enter current Encfs password
EncFS Password: <-- yoursecretpassword
Enter new Encfs password
New Encfs Password: <-- newsecretpassword
Verify Encfs Password: <-- newsecretpassword
Volume Key successfully updated.
falko@linux-ci7w:~>

4 Links

Check out the original source here.

http://bit.ly/15fkdWR

OpenSUSE 12.3 Samba Standalone Server With tdbsam Backend

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 04/05/2013

This tutorial explains the installation of a Samba fileserver on OpenSUSE 12.3 and how to configure it to share files over the SMB protocol as well as how to add users. Samba is configured as a standalone server, not as a domain controller. In the resulting setup, every user has his own home directory accessible via the SMB protocol and all users have a shared directory with read/write access.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

I’m using an OpenSUSE 12.3 system here with the hostname server1.example.com and the IP address 192.168.0.100.

2 Installing Samba

We can install Samba as follows:

zypper install cups-libs samba

Unfortunately Samba conflicts with the package patterns-openSUSE-minimal_base-conflicts. Therefore we must choose to uninstall that package:

server1:~ # zypper install cups-libs samba
Loading repository data...
Reading installed packages...
'cups-libs' is already installed.
No update candidate for 'cups-libs-1.5.4-5.2.1.x86_64'. The highest available version is already installed.
Resolving package dependencies...

Problem: samba-3.6.12-59.2.1.x86_64 requires samba-client >= 3.6.12, but this requirement cannot be provided
  uninstallable providers: samba-client-3.6.12-59.2.1.x86_64[openSUSE-12.3-1.7]
                   samba-client-3.6.12-59.2.1.i586[repo-oss]
                   samba-client-3.6.12-59.2.1.x86_64[repo-oss]
 Solution 1: deinstallation of patterns-openSUSE-minimal_base-conflicts-12.3-7.10.1.x86_64
 Solution 2: do not install samba-3.6.12-59.2.1.x86_64
 Solution 3: do not install samba-3.6.12-59.2.1.x86_64
 Solution 4: break samba-3.6.12-59.2.1.x86_64 by ignoring some of its dependencies

Choose from above solutions by number or cancel [1/2/3/4/c] (c): <-- 1

Edit the smb.conf file:

vi /etc/samba/smb.conf

Make sure you have the following lines in the [global] section:

[...]
        security = user
        passdb backend = tdbsam
[...]

This enables Linux system users to log in to the Samba server.

(If you get the message You do not have a valid vim binary package installed. Please install either “vim”, “vim-enhanced” or “gvim”., please run

zypper install vim

to install vi and try again.)

Then create the system startup links for Samba and start it:

systemctl enable smb.service
systemctl start smb.service

3 Adding Samba Shares

Now I will add a share that is accessible by all users.

Create the directory for sharing the files and change the group to the users group:

mkdir -p /home/shares/allusers
chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/

At the end of the file /etc/samba/smb.conf add the following lines:

vi /etc/samba/smb.conf

[...]
[allusers]
  comment = All Users
  path = /home/shares/allusers
  valid users = @users
  force group = users
  create mask = 0660
  directory mask = 0771
  writable = yes

If you want all users to be able to read and write to their home directories via Samba, add the following lines to /etc/samba/smb.conf (make sure you comment out or remove the other [homes] section in the smb.conf file!):

[...]
[homes]
   comment = Home Directories
   browseable = no
   valid users = %S
   writable = yes
   create mask = 0700
   directory mask = 0700
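
Because the new [homes] section is appended to a file that may already contain one, it is worth checking smb.conf for section names that occur twice before restarting Samba. The following check is an added example, not part of the original tutorial: it reports duplicate sections and also writable shares that carry no valid users line. The function names and the sample configuration are constructed for the example.

```shell
# audit_smb_conf (hypothetical helper) reads smb.conf on stdin, one finding per line:
#   DUPLICATE <section>     the section header occurs more than once
#   UNRESTRICTED <section>  writable share that has no "valid users" line
audit_smb_conf() {
    awk '
    function report() {
        if (sec != "" && sec != "global" && writable && !restricted)
            print "UNRESTRICTED " sec
    }
    /^[ \t]*[#;]/ { next }                       # comment line
    /^[ \t]*\[.*\]/ {                            # section header
        report()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = tolower(sec)
        if (seen[sec]++) print "DUPLICATE " sec
        writable = 0; restricted = 0
        next
    }
    /=/ {                                        # key = value
        key = $0; sub(/=.*$/, "", key)
        val = $0; sub(/^[^=]*=/, "", val)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        key = tolower(key); val = tolower(val)
        # "writable", "writeable" and "write ok" are inverted synonyms of "read only"
        if (key ~ /^(writable|writeable|write ok)$/ && val ~ /^(yes|true|1)$/) writable = 1
        if (key == "read only" && val ~ /^(no|false|0)$/) writable = 1
        if (key == "valid users" && val != "") restricted = 1
    }
    END { report() }'
}

# Constructed sample: a stand-in for a pre-existing [homes] section, followed by
# the [allusers] and [homes] sections from this page.
sample_smb_conf() {
    cat <<'EOF'
[global]
        security = user
[homes]
        comment = pre-existing section (constructed stand-in)
        read only = no
[allusers]
  valid users = @users
  writable = yes
[homes]
   valid users = %S
   writable = yes
EOF
}

sample_smb_conf | audit_smb_conf   # prints: UNRESTRICTED homes, then DUPLICATE homes
```

On the server, run audit_smb_conf < /etc/samba/smb.conf; no output means neither condition was found.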

Now we restart Samba:

systemctl restart smb.service

4 Adding And Managing Users

In this example, I will add a user named tom. You can add as many users as you need in the same way, just replace the username tom with the desired username in the commands.

useradd tom -m -G users

(If you see the following error, please ignore it:

server1:~ # useradd tom -m -G users
configuration error - unknown item 'LASTLOG_ENAB' (notify administrator)
server1:~ #

)

Set a password for tom in the Linux system user database. If the user tom should not be able to log in to the Linux system, skip this step.

passwd tom

-> Enter the password for the new user.

Now add the user to the Samba user database:

smbpasswd -a tom

-> Enter the password for the new user.

Now you should be able to log in from your Windows workstation with the file explorer (the address is \\192.168.0.100, or \\192.168.0.100\tom for tom's home directory) using the username tom and the chosen password, and store files on the Linux server either in tom's home directory or in the public shared directory.

5 Links

Check out the original source here.

http://bit.ly/ZPaW6N