How to encrypt data with EncFS on Debian 8 (Jessie)

EncFS provides an encrypted filesystem in user space. It runs without any special privileges and uses the FUSE library and the Linux kernel's FUSE module to provide the filesystem interface. It is a pass-through filesystem, not an encrypted block device, which means it is created on top of an existing filesystem. This tutorial shows how to use EncFS on Debian Jessie to encrypt your data.

1 Preliminary Note

In this tutorial I use the username till on my Debian Jessie system (hostname desktop1, as shown in the prompts below).

2 Installing EncFS

Log in as root on your server or desktop; if you are working on a remote server, you can log in via SSH. EncFS is installed with apt as follows (root privileges are needed for this step only; EncFS itself is run later as your normal user, till in this tutorial, as the prompts show):

apt-get -y install encfs

You will receive the following warning:

Encfs security information

According to a security audit by Taylor Hornby (Defuse Security), the current implementation of Encfs is vulnerable or potentially vulnerable to multiple types of attacks. For example, an attacker with read/write access to encrypted data might lower the decryption complexity for subsequently encrypted data without this being noticed by a legitimate user, or might use timing analysis to deduce information.

Until these issues are resolved, encfs should not be considered a safe home for sensitive data in scenarios where such attacks are possible.

While EncFS may not be the solution for encrypting the data of large organizations or governments, and should not be used on servers where a third party has write access to the encrypted data in the way described above, it is still secure enough for use on your desktop. The attacks the audit describes assume an attacker who can read and modify the ciphertext; the case EncFS still covers reasonably well is an attacker who obtains a copy of the encrypted directory once, for example from a lost laptop or a stolen backup. Keep this in mind when deciding whether to use EncFS.

You may want to have a look at the EncFS man page now to familiarize yourself with its options:

man encfs

3 Using EncFS

I will now create the directories encrypted and decrypted in my home directory:

mkdir -p ~/encrypted
mkdir -p ~/decrypted

The decrypted directory acts as the mount point for the encrypted directory. To mount ~/encrypted on ~/decrypted, simply run:

encfs ~/encrypted ~/decrypted

If you run this command for the first time, the EncFS setup starts and you have to define a password for the encrypted volume:

till@desktop1:~$ encfs ~/encrypted ~/decrypted
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> <-- p
Paranoia configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 256 bits
Block Size: 1024 bytes, including 8 byte MAC header
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File data IV is chained to filename IV.
File holes passed through to ciphertext.
-------------------------- WARNING --------------------------
The external initialization-vector chaining option has been
enabled. This option disables the use of hard links on the
filesystem. Without hard links, some programs may not work.
The programs 'mutt' and 'procmail' are known to fail. For
more information, please see the encfs mailing list.
If you would like to choose another configuration setting,
please press CTRL-C now to abort and start over.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
New Encfs Password: <-- enter a secure password
Verify Encfs Password:<-- enter a secure password
till@desktop1:~$

Make sure you remember the password, because there is no way to recover your encrypted data if you forget it!

You should now find the EncFS volume in the output of

mount
till@desktop1:~$ mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=125548,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,relatime,size=204216k,mode=755)
/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered,jqfmt=vfsv0,usrjquota=aquota.user,grpjquota=aquota.group)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=23,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
mqueue on /dev/mqueue type mqueue (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
rpc_pipefs on /run/rpc_pipefs type rpc_pipefs (rw,relatime)
encfs on /home/till/decrypted type fuse.encfs (rw,nosuid,nodev,relatime,user_id=5004,group_id=5005,default_permissions)

df -h
till@desktop1:~$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 57G 2.2G 52G 5% /
udev 10M 0 10M 0% /dev
tmpfs 200M 4.7M 195M 3% /run
tmpfs 499M 0 499M 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 499M 0 499M 0% /sys/fs/cgroup
encfs 57G 2.2G 52G 5% /home/till/decrypted

To store data in encrypted form, put it into the decrypted directory, just as you would with a normal directory:

cd ~/decrypted
echo "hello foo" > foo
echo "hello bar" > bar
ln -s foo foo2

If you check the contents of the directory, you will see the data in unencrypted form...

ls -l
till@desktop1:~/decrypted$ ls -l
total 8
-rw-r--r-- 1 till till 10 Jan 14 10:38 bar
-rw-r--r-- 1 till till 10 Jan 14 10:38 foo
lrwxrwxrwx 1 till till 3 Jan 14 10:38 foo2 -> foo
till@desktop1:~/decrypted$

...while in the encrypted directory it is encrypted; the file names and the symlink target are encoded as well:

cd ~/encrypted
ls -l
till@desktop1:~/encrypted$ ls -l
total 8
lrwxrwxrwx 1 till till 24 Jan 14 10:38 ewoacflDuTvKLjSZxXsipVZh -> nwekRkg2xWwmUW-P3YgCFNzI
-rw-r--r-- 1 till till 26 Jan 14 10:38 nwekRkg2xWwmUW-P3YgCFNzI
-rw-r--r-- 1 till till 26 Jan 14 10:38 r7sj2xc9OJEHk,nETdYAtMZu
till@desktop1:~/encrypted$

Note that ls without -a hides one more entry here: the volume's configuration file .encfs6.xml, which EncFS keeps in the root of the encrypted directory. It is needed to mount the volume, so include it whenever you back up ~/encrypted.
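Two checks that follow from the listing above, as an added example (this is not code from the original tutorial or from the EncFS project): the ciphertext sizes are predictable from the paranoia settings the setup dialog printed, and every name in ~/encrypted must consist of EncFS's base64 alphabet, so anything else was copied into the ciphertext directory by mistake and is stored in the clear. The function names and the treatment of empty files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: two sanity checks for a
# ciphertext directory created with the paranoia configuration shown above.

# Expected ciphertext size for a plaintext of N bytes under the settings the
# setup dialog printed: an 8-byte per-file IV header, plus 1024-byte blocks
# that each include an 8-byte MAC header (so 1016 bytes of plaintext per
# block). For the 10-byte files above this gives the 26 bytes seen in ls -l.
# Assumption, not stated in the tutorial: an empty file is stored as an
# empty file, without a header.
encfs_paranoia_ciphertext_size() {
    n=$1
    if [ "$n" -eq 0 ]; then
        echo 0
        return 0
    fi
    blocks=$(( (n + 1015) / 1016 ))
    echo $(( 8 + n + 8 * blocks ))
}

# List every entry in the ciphertext directory whose name is not a valid
# EncFS-encoded name. Encoded names consist only of EncFS's base64 alphabet
# [A-Za-z0-9,-] (the ',' and '-' are visible in the listing above); the one
# legitimate exception is the volume's config file .encfs6.xml. Anything else
# was most likely copied straight into ~/encrypted instead of ~/decrypted and
# is therefore NOT encrypted. Returns 1 if such entries exist, 0 otherwise.
encfs_find_stray() {
    dir=$1
    found=0
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$path" ] || [ -L "$path" ] || continue   # skip unmatched globs
        name=${path##*/}
        case $name in
            .encfs6.xml) ;;
            *[!A-Za-z0-9,-]*) echo "$path"; found=1 ;;
        esac
    done
    return $found
}
```

To compare a single pair by hand, `encfsctl encode ~/encrypted foo` prints the ciphertext name of foo (it asks for the password), and `wc -c` on the plaintext and ciphertext files should differ by exactly the overhead the first function computes. Run `encfs_find_stray ~/encrypted` before copying ~/encrypted to a backup or cloud target; anything it prints is plaintext that would leave the machine unencrypted.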

4 Mounting and unmounting an EncFS volume

To unmount the encrypted volume, leave the directory first (fusermount refuses to unmount a filesystem that is still in use, and a shell whose working directory is inside it counts) and then run:

cd
fusermount -u ~/decrypted

Check the output of...

mount

...and...

df -h

...and you will see that the EncFS volume is no longer listed.

To mount it again, run

encfs ~/encrypted ~/decrypted

You will be asked for the password you defined earlier:

till@desktop1:~$ encfs ~/encrypted ~/decrypted
EncFS Password: <-- yoursecretpassword
till@desktop1:~$

If you entered the correct password, the ~/encrypted directory is mounted on ~/decrypted, from where you can access the encrypted data in decrypted form. If you forget the password, your encrypted data is lost!
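The mount and unmount steps of sections 3 and 4 wrapped with the checks a careful user wants, as an added example (not code from the original tutorial or from the EncFS project). Besides refusing to mount over a non-empty directory and confirming the result in /proc/mounts, it pins a hash of .encfs6.xml outside the ciphertext tree: that file holds the cipher settings and the password-wrapped volume key in plain XML and is not covered by any MAC, so an attacker with write access to the ciphertext (the case the apt warning in section 2 describes) could alter it without EncFS complaining. The pin directory ~/.encfs-pins, the 15-minute idle timeout and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a wrapper around the
# encfs / fusermount commands used above with extra checks. The pin
# directory, the idle timeout and the function names are this example's
# assumptions, not EncFS conventions.

PIN_DIR=${ENCFS_PIN_DIR:-"$HOME/.encfs-pins"}
IDLE_MINUTES=${ENCFS_IDLE_MINUTES:-15}

# Succeed (0) if a fuse.encfs filesystem is currently mounted on MOUNTPOINT.
# Reads /proc/mounts by default; a different file can be passed for testing.
# /proc/mounts has one mount per line: "source target fstype options ..."
# and escapes spaces in paths as \040.
encfs_is_mounted() {
    mp=$1
    mounts=${2:-/proc/mounts}
    awk -v mp="$mp" '$2 == mp && $3 == "fuse.encfs" { found = 1 }
                     END { exit found ? 0 : 1 }' "$mounts" 2>/dev/null
}

# Where the pinned hash for a given ciphertext directory is stored.
encfs_pin_file() {
    printf '%s/%s.sha256\n' "$PIN_DIR" "$(printf '%s' "$1" | tr '/' '_')"
}

# Record the hash of the volume's config file OUTSIDE the ciphertext tree,
# so a later change to .encfs6.xml is noticed before the password is typed.
# Run once after the volume is created and again after every 'encfsctl passwd'
# (which rewrites the file).
encfs_pin() {
    enc=$1
    mkdir -p "$PIN_DIR" && chmod 700 "$PIN_DIR"
    sha256sum "$enc/.encfs6.xml" > "$(encfs_pin_file "$enc")"
}

# Mount with every check done before the password prompt appears.
encfs_mount_checked() {
    enc=$1
    dec=$2
    [ -f "$enc/.encfs6.xml" ] || { echo "no .encfs6.xml in $enc, not an EncFS volume" >&2; return 1; }
    pin=$(encfs_pin_file "$enc")
    if [ -f "$pin" ]; then
        sha256sum -c --quiet "$pin" >/dev/null 2>&1 \
            || { echo "$enc/.encfs6.xml changed since it was pinned, refusing to mount" >&2; return 1; }
    else
        echo "warning: no pinned hash for $enc, run 'encfs_pin $enc' after checking the volume" >&2
    fi
    if encfs_is_mounted "$dec"; then
        echo "$dec is already an EncFS mount" >&2; return 1
    fi
    mkdir -p "$dec"
    # Mounting over a non-empty directory hides whatever is in it.
    [ -z "$(ls -A "$dec")" ] || { echo "$dec is not empty, refusing to mount over it" >&2; return 1; }
    # --idle unmounts automatically after IDLE_MINUTES without activity, so a
    # volume left open on an unattended desktop does not stay open forever.
    encfs --idle="$IDLE_MINUTES" "$enc" "$dec" || return 1
    encfs_is_mounted "$dec" || { echo "encfs returned but $dec is not mounted" >&2; return 1; }
}

# Unmount and confirm it actually happened. fusermount -u fails with "busy"
# while any process, including a shell that cd'd into the mount, still uses it.
encfs_umount_checked() {
    dec=$1
    fusermount -u "$dec" || return 1
    if encfs_is_mounted "$dec"; then
        echo "$dec is still mounted" >&2; return 1
    fi
}

# Command dispatcher for use as a script; sourcing the file (or running it
# without arguments) only defines the functions.
case ${1:-} in
    pin)    encfs_pin "$2" ;;
    mount)  encfs_mount_checked "$2" "$3" ;;
    umount) encfs_umount_checked "$2" ;;
    "")     ;;
    *)      echo "usage: $0 pin ENC | mount ENC DEC | umount DEC" >&2; exit 2 ;;
esac
```

Save it as, for example, encfs-safe.sh, run `sh encfs-safe.sh pin ~/encrypted` right after the setup dialog has created the volume, and then use `sh encfs-safe.sh mount ~/encrypted ~/decrypted` and `sh encfs-safe.sh umount ~/decrypted` in place of the bare commands. Pin again after changing the password (section 5), since encfsctl passwd rewrites .encfs6.xml.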

5 Changing the EncFS password

If you want to change the password, use the

encfsctl passwd ~/encrypted

command. Note that this only re-encrypts the stored volume key with the new password; the file data itself is not re-encrypted. Anyone who already has the old password together with a copy of the encrypted directory (including its old .encfs6.xml) can still decrypt that copy.

till@desktop1:~$ encfsctl passwd ~/encrypted
Enter current Encfs password
EncFS Password: <-- yoursecretpassword
Enter new Encfs password
New Encfs Password: <-- newsecretpassword
Verify Encfs Password: <-- newsecretpassword
Volume Key successfully updated.

6 Links
