Sunday, February 6, 2011

encfs: a user-level encrypted filesystem

encfs

encfs gives us a user-level encrypted filesystem: any user can turn one of their own directories into an encrypted volume without root privileges. The volume can only be mounted by someone who knows its passphrase, and while it is mounted only the mounting user can read the decrypted view; everyone else sees nothing but the encrypted files in the backing directory. encfs uses the fuse library and the fuse kernel module to provide the filesystem interface, and it is open-source software released under the GPL.


Current 2.6 kernels already support fuse; the kernel I tested with here is 2.6.17.1. Before using encfs, fuse has to be built into the kernel: select File systems --> Filesystem in Userspace support in the kernel configuration (built-in or as a module both work) and rebuild. Finally, install the encfs packages:

debian:~# apt-get install encfs fuse-utils

The packages create a fuse group by default, which controls who may open /dev/fuse. A regular user who wants to create an encrypted filesystem under their home directory has to be added to that group (and log in again for the membership to take effect). Below is the process of creating an encrypted filesystem as a regular user.

yangjing@localhost:~$ encfs ~/encode ~/decode                                          # create the volume; both paths must be absolute (the shell expands ~)
The directory "/home/yangjing/encode/" does not exist. Should it be created? (y,n) y # creates the backing directory that will hold the ciphertext
The directory "/home/yangjing/decode" does not exist. Should it be created? (y,n) y # creates the mount point for the decrypted view
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> p

Paranoia configuration selected.

Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 256 bits
Block Size: 512 bytes, including 8 byte MAC header
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File data IV is chained to filename IV.

-------------------------- WARNING --------------------------
The external initialization-vector chaining option has been
enabled. This option disables the use of hard links on the
filesystem. Without hard links, some programs may not work.
The programs 'mutt' and 'procmail' are known to fail. For
more information, please see the encfs mailing list.
If you would like to choose another configuration setting,
please press CTRL-C now to abort and start over.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.

New Encfs Password: # enter the passphrase, then repeat it to confirm
Verify Encfs Password:
yangjing@localhost:~$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda3 9.4G 7.6G 1.4G 85% /
tmpfs 153M 0 153M 0% /dev/shm
tmpfs 10M 56K 10M 1% /dev
//t02/yangjing 29G 26G 3.1G 90% /root/data
/dev/hda1 8.7G 7.7G 616M 93% /mnt/hda1
encfs 9.4G 7.6G 1.4G 85% /home/yangjing/decode # the encfs filesystem is now mounted
yangjing@localhost:~$

Anything we now create under the decode directory is encrypted transparently and stored in the encode directory. Let's create a few files and directories at the mount point.

yangjing@localhost:~$ cd decode/
yangjing@localhost:~/decode$ mkdir test
yangjing@localhost:~/decode$ echo 'encfs test' > test.txt
yangjing@localhost:~/decode$ ls
test test.txt
yangjing@localhost:~/decode$ cd ../encode/
yangjing@localhost:~/encode$ ls
09LTiJuKxiD20yIN0k,l8Q5p KaUAfbP3JMH8PAstrS-5b7eO # the file and directory appeared automatically, with encrypted names
yangjing@localhost:~/encode$ cat 09LTiJuKxiD20yIN0k,l8Q5p
[e?f%v;-?B?'TDN{K6 # the contents are encrypted too (binary data, so it shows up garbled)
yangjing@localhost:~/encode$

When we are done with the encrypted filesystem we unmount it. Other users then see only the encrypted names and contents under ~/encode, which keeps your private data protected. Two things are worth keeping in mind: while the volume is mounted, anything running as your user can read the plaintext through the mount point, so unmount as soon as you are done; and encfs encrypts file names and contents, not structure, so the number of files, their approximate sizes and the directory layout remain visible in the backing directory.

yangjing@localhost:~$ fusermount -u ~/decode          # unmount the encfs filesystem
yangjing@localhost:~$ cd decode/
yangjing@localhost:~/decode$ ls # the mount point is empty again
yangjing@localhost:~/decode$ cd ../encode/
yangjing@localhost:~/encode$ ls # only the encrypted backing files remain
09LTiJuKxiD20yIN0k,l8Q5p KaUAfbP3JMH8PAstrS-5b7eO
yangjing@localhost:~/encode$ cat 09LTiJuKxiD20yIN0k,l8Q5p
[e?f%v;-?B?'TDN{K6
yangjing@localhost:~/encode$ df # encfs no longer appears in the mount table
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/hda3 9851340 7906980 1443936 85% /
tmpfs 156208 0 156208 0% /dev/shm
tmpfs 10240 56 10184 1% /dev
//t02/yangjing 30233600 27056640 3176960 90% /root/data
/dev/hda1 9068616 7977548 630408 93% /mnt/hda1

What another user sees when looking at the encrypted filesystem (here root, after the volume has been unmounted):

localhost:/etc# id
uid=0(root) gid=0(root) groups=0(root)
localhost:/etc# cd /home/yangjing/encode/
localhost:/home/yangjing/encode# ls
09LTiJuKxiD20yIN0k,l8Q5p KaUAfbP3JMH8PAstrS-5b7eO # ciphertext names
localhost:/home/yangjing/encode# vi 09LTiJuKxiD20yIN0k,l8Q5p
localhost:/home/yangjing/encode# cat 09LTiJuKxiD20yIN0k,l8Q5p
[e?f%v;-?B?'TDN{K6 # ciphertext contents
localhost:/home/yangjing/encode#

The encode directory also contains a file named .encfs5 (newer encfs releases use .encfs6.xml instead): the configuration file of the encrypted filesystem. It holds the cipher parameters and the volume key wrapped with your passphrase, so you must back it up carefully, and keep the backup protected, since together with the passphrase it is all that is needed to decrypt the volume. If it is lost, the encrypted files cannot be recovered even with the correct passphrase. The passphrase itself can be changed later with encfsctl, as the creation message says.
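To tie the steps above together, here is an added example (not from the original post or the encfs project) of the same create/mount, check, unmount and config-backup workflow as POSIX shell functions. It assumes encfs, fusermount and fuser are installed; the function names, the 10-minute idle timeout and the ENCFS_DEMO variable are choices made here. `encfs_is_mounted` accepts a mount table as its second argument so the check can be exercised against constructed /proc/mounts lines without a real mount.

```shell
#!/bin/sh
# Added example, not from the original post: shell helpers for the encfs
# workflow shown above. Assumes encfs, fusermount and (optionally) fuser
# are installed; function names and the 10-minute idle timeout are choices
# made here.

# Mount the volume at $2 over backing directory $1, creating it on first
# use. The passphrase is read from stdin (-S) so it never shows up in argv
# or shell history. --paranoia picks the same preset the post chose (it is
# ignored for an existing volume); -i 10 auto-unmounts after 10 idle
# minutes. No "-o allow_other" is passed, so only the mounting user can
# traverse the mount point.
encfs_mount() {
    root=$1; mnt=$2
    mkdir -p "$root" "$mnt" && chmod 700 "$root" "$mnt" || return 1
    encfs -S --paranoia -i 10 "$root" "$mnt"
}

# Succeed if $1 is currently an encfs (FUSE) mount point. The mount table is
# taken from $2 when given (constructed lines for testing), otherwise from
# /proc/mounts.
encfs_is_mounted() {
    mnt=$1
    table=${2-}
    [ -n "$table" ] || table=$(cat /proc/mounts 2>/dev/null || true)
    printf '%s\n' "$table" | awk -v m="$mnt" '
        $1 == "encfs" && $3 ~ /^fuse/ && $2 == m { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Unmount $1, refusing while something still has files open there, and
# verify against the mount table instead of trusting fusermount's exit code.
encfs_unmount() {
    mnt=$1
    if command -v fuser >/dev/null 2>&1 && fuser -m "$mnt" >/dev/null 2>&1; then
        echo "$mnt is busy; close the processes using it first" >&2
        return 1
    fi
    fusermount -u "$mnt" || return 1
    if encfs_is_mounted "$mnt"; then
        echo "$mnt is still mounted" >&2
        return 1
    fi
}

# Copy the volume's config file (.encfs5 on the encfs release used in the
# post, .encfs6.xml on newer ones) from backing directory $1 into $2 with
# mode 600. Fails if no config file is present: without it the ciphertext
# is unrecoverable even with the right passphrase.
encfs_backup_config() {
    root=$1; dest=$2
    for cfg in "$root/.encfs6.xml" "$root/.encfs5"; do
        if [ -f "$cfg" ]; then
            mkdir -p "$dest" || return 1
            cp -p "$cfg" "$dest/" || return 1
            chmod 600 "$dest/$(basename "$cfg")"
            return
        fi
    done
    echo "no encfs config file found in $root" >&2
    return 1
}

# Interactive walk-through of the post's session; only runs when asked
# (ENCFS_DEMO=run ./encfs-demo.sh) so the helpers can be sourced elsewhere.
if [ "${ENCFS_DEMO-}" = run ]; then
    printf 'Encfs password: ' >&2
    stty -echo; read -r pass; stty echo; echo >&2
    printf '%s\n' "$pass" | encfs_mount "$HOME/encode" "$HOME/decode" || exit 1
    unset pass
    encfs_is_mounted "$HOME/decode" && echo "mounted on $HOME/decode"
    echo 'encfs test' > "$HOME/decode/test.txt"
    ls "$HOME/encode"                      # encrypted names, as in the post
    encfs_backup_config "$HOME/encode" "$HOME/.encfs-backup"
    encfs_unmount "$HOME/decode" && echo 'unmounted'
fi
```

The passphrase is piped through stdin rather than passed as an argument because anything in argv is readable by every user on the machine through the process list; the unmount helper double-checks the mount table because a failed or lazy unmount would leave the plaintext view exposed after the script reports success.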
