Integration of filesystem-level encryption in Phyllome OS is a work-in-progress
This guide will show you how to compile [1] and configure fscrypt to encrypt virtual disk images. It will also show you how to configure PAM to work alongside fscrypt.
fscrypt is a user-space tool that drives the filesystem-level encryption built into the Linux kernel (the kernel side is also called fscrypt). The kernel feature is widely used by Android-based devices, but only a handful of filesystems support it, ext4, F2FS and UBIFS among them.
Install the build dependencies for fscrypt:
sudo dnf install -y git golang pam-devel m4 authselect
go install github.com/google/fscrypt/cmd/fscrypt@latest
cd ~/go/pkg/mod/github.com/google/fscrypt\@v0.3.3/
If a new version is released, for instance v0.3.4, update the above path accordingly.
Build and install the fscrypt binary and the PAM module with make install:
sudo make install
[...]
install -d /usr/local/bin
install bin/fscrypt /usr/local/bin
install -d /usr/local/lib/security
install bin/pam_fscrypt.so /usr/local/lib/security
m4 --define=PAM_INSTALL_PATH=/usr/local/lib/security/pam_fscrypt.so < pam_fscrypt/config > bin/config
install -d /usr/local/share/pam-configs
install bin/config /usr/local/share/pam-configs/fscrypt
install -Dm644 cmd/fscrypt/fscrypt_bash_completion /usr/local/share/bash-completion/completions/fscrypt
Move pam_fscrypt.so to /usr/lib64/security/, the directory PAM loads modules from on this system:
sudo mv /usr/local/lib/security/pam_fscrypt.so /usr/lib64/security/pam_fscrypt.so
Identify the device backing the root partition (/) using the command line utility lsblk:
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
zram0 251:0 0 7.8G 0 disk [SWAP]
nvme0n1 252:0 0 50G 0 disk
├─nvme0n1p1 252:1 0 128M 0 part /boot/efi
├─nvme0n1p2 252:2 0 384M 0 part /boot
└─nvme0n1p3 252:3 0 49.5G 0 part /
In this case, it is nvme0n1p3, but other valid values are sda3 or vda3, or system-root on LVM-based systems.
Enable the encrypt feature with tune2fs by providing the absolute path to the root partition:
sudo tune2fs -O encrypt /dev/nvme0n1p3
tune2fs 1.45.6 (20-Mar-2020)
Check that the running kernel was built with filesystem encryption support:
sudo zgrep -h ENCRYPTION /boot/config-$(uname -r) | sort | uniq
CONFIG_BLK_INLINE_ENCRYPTION=y
CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y
CONFIG_FS_ENCRYPTION_ALGS=y
CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
CONFIG_FS_ENCRYPTION=y
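The checks above (device behind the mountpoint, filesystem type, kernel support, whether the encrypt flag is already set) collected into one script, as an added shell example that is not part of the guide or of fscrypt. findmnt, tune2fs and the /boot/config-<release> path are assumed to be available as on a Fedora-style install; the three helper functions work on plain text so they can be exercised with constructed input.

```shell
#!/bin/sh
# Added example, not part of the Phyllome OS guide or of fscrypt: pre-flight
# checks before running "tune2fs -O encrypt" on the root filesystem. The
# helpers parse text; preflight() feeds them the real findmnt, tune2fs and
# kernel config output (their presence and the /boot/config-<release> path
# are assumptions matching a Fedora-style install).

# True when a "tune2fs -l" listing on stdin already carries the encrypt flag
# (ext4 only: f2fs and ubifs have their own tooling).
fs_encrypt_enabled() {
    grep '^Filesystem features:' | grep -Eq '(^|[[:space:]])encrypt([[:space:]]|$)'
}

# True when a kernel config on stdin enables filesystem encryption.
kernel_supports_fscrypt() {
    grep -qx 'CONFIG_FS_ENCRYPTION=y'
}

# True for the filesystem types the kernel's fscrypt layer supports.
fstype_supported() {
    case "$1" in
        ext4|f2fs|ubifs) return 0 ;;
        *) return 1 ;;
    esac
}

# Resolve the device behind a mountpoint (default /) and run all checks;
# prints the tune2fs command to run rather than running it itself.
preflight() {
    mnt=${1:-/}
    dev=$(findmnt -n -o SOURCE "$mnt") || { echo "no mount at $mnt" >&2; return 1; }
    fstype=$(findmnt -n -o FSTYPE "$mnt")
    if ! fstype_supported "$fstype"; then
        echo "$dev is $fstype: no fscrypt support on this filesystem type" >&2
        return 1
    fi
    if ! kernel_supports_fscrypt < "/boot/config-$(uname -r)"; then
        echo "running kernel was built without CONFIG_FS_ENCRYPTION" >&2
        return 1
    fi
    if tune2fs -l "$dev" | fs_encrypt_enabled; then
        echo "encrypt feature already set on $dev"
    else
        echo "run: sudo tune2fs -O encrypt $dev"
    fi
}

# Live checks only when invoked as "preflight.sh --run [mountpoint]".
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-/}"
fi
```

Run it with --run before touching tune2fs; it refuses to proceed on an unsupported filesystem type or a kernel without CONFIG_FS_ENCRYPTION, and only tells you which tune2fs command to run.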
Set up fscrypt. This creates the global configuration file and the metadata directory of the root filesystem:
sudo fscrypt setup
Defaulting to policy_version 2 because kernel supports it.
Customizing passphrase hashing difficulty for this system...
Created global config file at "/etc/fscrypt.conf".
Metadata directories created at "/.fscrypt".
Check the result with fscrypt status:
fscrypt status
filesystems supporting encryption: 1
filesystems with fscrypt metadata: 1
MOUNTPOINT DEVICE FILESYSTEM ENCRYPTION FSCRYPT
/ /dev/nvme0n1p3 ext4 supported Yes
/boot /dev/nvme0n1p2 ext4 not enabled No
Select the minimal profile with authselect:
sudo authselect select minimal --force
Enable the ecryptfs feature (its pam_ecryptfs.so entries are replaced by pam_fscrypt.so when the profile is edited below):
sudo authselect enable-feature with-ecryptfs
sudo authselect create-profile phyllome --base-on=minimal
New profile was created at /etc/authselect/custom/phyllome
sudo authselect select custom/phyllome --force
Backup stored at /var/lib/authselect/backups/2021-07-15-20-08-13.4Czqor
Profile "custom/phyllome" was selected.
The following nsswitch maps are overwritten by the profile:
- aliases
- automount
- ethers
- group
- hosts
- initgroups
- netgroup
- networks
- passwd
- protocols
- publickey
- rpc
- services
- shadow
Edit the custom profile's system-auth file so that it contains the following entries. Lines ending with > were cut off at the terminal width when captured. Note that pam_unix.so is sufficient in the auth and password stacks: as soon as it succeeds, PAM returns to the application without running the entries that follow it, so a pam_fscrypt.so entry placed after pam_deny.so is only reached when pam_unix.so fails. Check that order if directories are not unlocked at login.
sudo nano /etc/authselect/custom/phyllome/system-auth
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent >
auth sufficient pam_unix.so {if not "without-nullok">
auth required pam_faillock.so authfail >
auth required pam_deny.so
auth optional pam_fscrypt.so
account required pam_access.so >
account required pam_faillock.so >
account required pam_unix.so
password requisite pam_pwquality.so
password sufficient pam_unix.so yescrypt shadow {if not >
password required pam_deny.so
password optional pam_fscrypt.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_fscrypt.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so >
session [success=1 default=ignore] pam_succeed_if.so service in crond q>
session required pam_unix.so
According to the fscrypt documentation: "The Auth and Session functionality of pam_fscrypt.so are used to automatically unlock directories when logging in as a user, and lock them when logging out [and] [t]he Password functionality [...] is used to automatically rewrap a user's login protector when their unix passphrase changes."
It is unclear which of the two files is the canonical one, so copy system-auth over password-auth as well:
sudo cp system-auth password-auth
auth optional pam_fscrypt.so debug
password optional pam_fscrypt.so debug
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent>
session optional pam_lastlog.so silent noupdate showfailed
Create a file named fscrypt in the /etc/pam.d/ directory with the following line, so that the fscrypt command can verify the user's UNIX passphrase through PAM when a login protector is created or unlocked:
sudo nano /etc/pam.d/fscrypt
auth required pam_unix.so
sudo authselect apply-changes
Changes were successfully applied.
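A checker for the PAM stack that authselect generated, as an added shell example that is not part of the guide or of authselect. It reads a PAM config on stdin and reports, for auth, password and session, whether the pam_fscrypt.so entry is present and whether a successful login actually reaches it. Both stacks embedded below are constructed samples: GUIDE_STACK follows the order of the system-auth shown above, FIXED_STACK is an assumed re-ordering (not from the guide) that swaps sufficient for the [success=N default=ignore] jump control so that pam_fscrypt.so still runs after a successful pam_unix.so.

```shell
#!/bin/sh
# Added example, not part of the Phyllome OS guide or of authselect: a checker
# for the pam_fscrypt.so entries in a PAM stack read from stdin. GUIDE_STACK
# and FIXED_STACK are constructed samples; FIXED_STACK is an assumed
# re-ordering using "[success=N default=ignore]" (the control that Debian's
# pam-auth-update relies on), not a configuration taken from the guide.

# Print "ok", "missing" or "unreachable" for one module type (auth, password,
# session). PAM returns to the application as soon as a "sufficient" module
# succeeds, so an entry placed after one is never reached on a successful
# login or password change: that case is reported as "unreachable".
fscrypt_entry_state() {
    awk -v t="$1" '
        $1 == t && $0 ~ /pam_fscrypt\.so/ { found = 1; exit }
        $1 == t && $2 == "sufficient"     { blocked = 1 }
        END {
            if (!found)       print "missing"
            else if (blocked) print "unreachable"
            else              print "ok"
        }'
}

# Report all three types for the stack on stdin; return 1 unless all are ok.
check_fscrypt_stack() {
    conf=$(cat)
    rc=0
    for t in auth password session; do
        state=$(printf '%s\n' "$conf" | fscrypt_entry_state "$t")
        printf '%-8s %s\n' "$t" "$state"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample in the guide's order (pam_faillock and comments trimmed).
GUIDE_STACK='auth     required   pam_env.so
auth     sufficient pam_unix.so
auth     required   pam_deny.so
auth     optional   pam_fscrypt.so
account  required   pam_unix.so
password requisite  pam_pwquality.so
password sufficient pam_unix.so yescrypt shadow
password required   pam_deny.so
password optional   pam_fscrypt.so
session  required   pam_limits.so
session  optional   pam_fscrypt.so
session  required   pam_unix.so'

# Constructed re-ordering (an assumption, not from the guide): on success
# pam_unix.so jumps over pam_deny.so straight to pam_fscrypt.so; on failure
# its result is ignored and pam_deny.so still rejects the attempt.
FIXED_STACK='auth     required                    pam_env.so
auth     [success=1 default=ignore]  pam_unix.so
auth     required                    pam_deny.so
auth     optional                    pam_fscrypt.so
account  required                    pam_unix.so
password requisite                   pam_pwquality.so
password [success=1 default=ignore]  pam_unix.so yescrypt shadow
password required                    pam_deny.so
password optional                    pam_fscrypt.so
session  required                    pam_limits.so
session  optional                    pam_fscrypt.so
session  required                    pam_unix.so'

# "checker.sh --demo" prints both reports; otherwise pipe a real file in:
#   sudo cat /etc/pam.d/system-auth | sh checker.sh
if [ "${1:-}" = "--demo" ]; then
    echo "guide order:";  printf '%s\n' "$GUIDE_STACK" | check_fscrypt_stack
    echo "re-ordered:";   printf '%s\n' "$FIXED_STACK" | check_fscrypt_stack
elif [ ! -t 0 ]; then
    check_fscrypt_stack
fi
```

The skip count in [success=N default=ignore] must land on pam_fscrypt.so: in the full stack shown above, auth has pam_faillock.so authfail between pam_unix.so and pam_deny.so, so the jump there would be success=2 while password keeps success=1. The checker only looks at the generated file, so run it after authselect apply-changes rather than on the template in /etc/authselect.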
This is a work in progress. New policies will have to be designed for SELinux to work nicely with fscrypt. Create a working directory for the local policy modules:
sudo mkdir /opt/selinux && cd /opt/selinux/
Allow systemd to access the 1000.count file (pam_fscrypt's per-user session counter) by generating a local policy module from the audit log, then load it. Review my-systemd.te before loading it: audit2allow permits exactly what was denied, which can be broader than what pam_fscrypt needs.
sudo ausearch -c '(systemd)' --raw | audit2allow -M my-systemd
sudo semodule -X 300 -i my-systemd.pp
Create a directory named secret in your home directory and encrypt it, using your login passphrase as the protector:
mkdir ~/secret
fscrypt encrypt ~/secret --source=pam_passphrase
IMPORTANT: Before continuing, ensure you have properly set up your system for
login protectors. See
https://github.com/google/fscrypt#setting-up-for-login-protectors
Enter login passphrase for test:
"/home/groot/secret" is now encrypted, unlocked, and ready for use.
Create a file in it, add some content with an editor, and read it back:
touch ~/secret/recipe-for-pancakes-by-john-locke
cat ~/secret/recipe-for-pancakes-by-john-locke
Pancakes
* Take sweet cream 3/4 + pint.
* Flower a quarter of a pound.
* Eggs 7 leave out of 4 of the whites.
* Beat the Eggs very well.
* Then put in the flower, beat it a quarter of an hower.
* Then put in six spoonfulls of the Cream, beat it a litle Take new sweet butter half a pound. * Melt it to oyle, & take off the skum, power in all the clear by degrees beating it all the time.
* Then put in the rest of your cream. beat it well.
* Half a grated nutmeg & litle orangeflower water. Frie it without butter.
This is the right way
If a message like key unavailable appears, have a look at the troubleshooting section below.
Encrypt the directory holding the virtual disk images in the same way:
fscrypt encrypt ~/.local/share/libvirt/images --source=pam_passphrase
fscrypt does not support in-place encryption: only an empty directory can be encrypted. To encrypt a directory that already contains files, move them out, encrypt the directory, and move them back in.
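The move-out, encrypt, move-back procedure wrapped in a function, as an added shell example that is not part of the guide or of fscrypt. The FSCRYPT variable naming the binary to call is an assumption of this example (it lets the flow be exercised with a stub), not an fscrypt feature; the default is the fscrypt built earlier in the guide. Stop every VM and any libvirt storage pool using the directory before running it, since the directory is renamed underneath them.

```shell
#!/bin/sh
# Added example, not part of the Phyllome OS guide or of fscrypt: encrypt a
# directory that already holds files, such as the libvirt images directory.
# fscrypt refuses non-empty directories, so the contents are parked in a
# sibling directory, the emptied directory is encrypted, and everything is
# moved back. FSCRYPT (an assumption of this example) names the binary to
# call and can be overridden to exercise the flow with a stub.
FSCRYPT=${FSCRYPT:-fscrypt}

# encrypt_existing_dir DIR [fscrypt encrypt options ...]
# Extra arguments are passed to "fscrypt encrypt" (e.g. --source=pam_passphrase).
encrypt_existing_dir() {
    dir=$1; shift
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    park="$(dirname "$dir")/.$(basename "$dir").plain.$$"

    # Park the whole directory so the tree inside keeps its metadata.
    mv "$dir" "$park" || return 1
    mkdir "$dir" || { mv "$park" "$dir"; return 1; }
    # Carry the original mode and owner over to the new, empty directory
    # (GNU stat; best effort, as libvirt/qemu must still be able to reach it).
    mode=$(stat -c '%a' "$park" 2>/dev/null) && chmod "$mode" "$dir" || true
    owner=$(stat -c '%u:%g' "$park" 2>/dev/null) && chown "$owner" "$dir" 2>/dev/null || true

    if ! "$FSCRYPT" encrypt "$dir" "$@"; then
        rmdir "$dir" && mv "$park" "$dir"
        echo "fscrypt encrypt failed; $dir restored unencrypted" >&2
        return 1
    fi

    # Move the contents back, dotfiles included. The kernel refuses to rename
    # an unencrypted file into an encrypted directory (EXDEV), so mv falls
    # back to copy-and-delete: every file is rewritten through the new key.
    for f in "$park"/* "$park"/.[!.]* "$park"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        mv "$f" "$dir"/ || { echo "could not move $f back; plaintext left in $park" >&2; return 1; }
    done
    rmdir "$park"
}

# "encrypt-dir.sh --run DIR" runs it for real with the login protector.
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    encrypt_existing_dir "$2" --source=pam_passphrase
fi
```

Because the kernel's rename refusal turns mv into a copy, the blocks that held the plaintext images are freed but not overwritten: they remain recoverable from unallocated space until the filesystem reuses them. The clean way around that is to encrypt the images directory on a fresh install, before the first image is created.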
Check the journal for messages from fscrypt and pam_fscrypt:
journalctl -b | grep fscrypt
If fscrypt won't unlock directories at login, try switching SELinux to permissive mode and check the error messages with the setroubleshoot tools:
sudo nano /etc/selinux/config
SELINUX=permissive
Then reboot. (sudo setenforce 0 switches to permissive until the next boot without editing the file.) Permissive mode is a diagnostic step only: return to enforcing once the denials have been turned into policy.
Relevant files and directories:
/usr/share/authselect/
/usr/lib64/security/
/etc/authselect
/usr/share/doc/pam-devel
/usr/local/share/pam-configs/fscrypt
/etc/fscrypt.conf
~/.fscrypt
fscrypt official repo: https://github.com/google/fscrypt
[1] As of now, fscrypt does not ship as an RPM package.