Community

Fisnik: Created page with 'jlksdajf'

jlksdajf

Christian Gottschall: /* Maintenance, Backup, Further Considerations */

encFS is an encrypted filesystem available for many operating systems like Linux, Windows, and MacOS. Like [[Using eCryptfs on the B3|eCryptfs]], it does not use a single large image, i.e. file, to store the whole encrypted file system, but it maps the encrypted files to your normal file system. This has a lot of ''advantages'', and some disadvantages, too: (partially taken from [[Using eCryptfs on the B3|eCryptfs]]):

*You don't need to reserve space for encryption (like with creating a partition or a container file).
*You can access the encrypted files and backup them to an untrusted location. Plus, while you are backing them up, both versions - the original, and the copy - will stay in a defined, usable state, with the exception of the file being copied at the moment.
*If a part of the encrypted filesystem, or the media where it is store, gets corrupted, chances are that you loose only a file or two (provided that it is not the <code>.encfs6.xml</code> file that gets corrupted, but you will keep a good copy of this file in a safe place, won't you?). With an image-based filesystems, recovery may (and, generally, will) be much more difficult.

The ''disadvantage'' is:

*An attacker will learn how many files there are, and she will learn the length of your files, and how long their filenames are, approximately. I do not normally consider that a problem, but there may be use-cases where unveiling even this information may be harmful.

For more information on the advantages, and disadvantages, of file-based versus image-level encryption, see e.g. the [http://ecryptfs.sourceforge.net/ecryptfs-faq.html#compare eCryptfs FAQ] or the [http://www.arg0.net/encfsintro EncFS Introduction].

== encFS or eCryptfs...? ==

At this stage, you will probably ask: Shall I/you/he/she/it use encFS, or eCryptfs, or both? There is no simple answer to that question.

Generally, eCryptfs has a much better write performance than encFS (typically twice as fast, sometimes even up to three times as fast), while encFS has a slightly better read performance (see [http://geekparadise.de/2011/04/linux-groser-geschwindigkeitsvergleich-encfsecryptfstruecryptluks/] - unfortunately in German, the numbers are universal. The first table shows write performance, the second table read performance.)

On the other hand, encFS completely resides in user-space, meaning that, in theory, it cannot, by any means, harm your kernel, your system, your hardware, your hamster, and so on. This results in a number of end-user advantages: encFS is, generally, easier to install and even to use.

I, personally, prefer encFS, but this is mostly due to the fact that I encountered it first (long before eCryptfs), '''and''' that it is being used by the great transparent DropBox[http://www.dropbox.com] encryption software BoxCryptor [http://www.boxcryptor.com/] (I am in no way affiliated with them). So, using encFS, you can mount your BoxCryptor-encrypted folders.

== Installing encFS ==

Login to your B3 shell using your user account, and use the <code>su</code> command to become root. (When not extremely perfectly with the Unix shell, please be ''extremely'' cautious while being root - even the smalles mistake may easily lead to disaster. I would recommend entering the commands by copy and paste.

christian@b3:~$ su -

Here, the "christian" part of the shell prompt is my user name. Should you happen to be called in a different way, you might see a slightly different prompt. If "su-ing" has worked, your prompt will have changed to:

root@b3:~#

The B3 ships with a default root password that you can get from the documentation (I think that it is ''excito'' at the moment). If you have not done already, you should use this opportunity to change your root password to something even harder to guess:

passwd root

Here you will have to enter the new password twice. You shoulllld record your new root password in a safe way, or in a safe place (I like Keepass/KeepassX, see http://keepass.info/ and http://www.keepassx.org/)

First, you will have to install the encFS package:

apt-get install encfs

Next, you will have to add your user account to the <code>fuse</code> user group (FUSE - Filesystem in Userspace - is the kernel extension required for user-space file systems, like encFS).

adduser ''christian'' fuse

Should you happen not to be called ''christian'', you will have to modify this command. And if there is more than one user who wants to use encFS, add the other users to the <code>fuse</code> group in the same way. Note that if a user is logged in, changes in group membership will take effect only after the respective user logging off, and logging in, again.

In order to actually make fuse user-usable, you will have to ensure that <code>/dev/fuse</code> is readable by all members of the fuse group:

chmod g+rw /dev/fuse

Just to be sure, make a quick check that all is well by issuing the

ls -l /dev/fuse

command. Its output should look like this:

crw-'''rw'''---- 1 root '''fuse''' 10, 229 Apr 4 02:54 /dev/fuse

Here the important thing is the second '''rw''', and the string '''fuse'''. If your output varies, there may have been some problem with the installation.

Next, just to be sure that everything is working so far, enter the following command:

modprobe fuse

In this case, no news is meaning good news: The command will execute silently if your fuse installation is working. Should any error message be shown at this stage, encFS will not work.

Now, encFS is installed and ready to be used. One important thing at this stage: Stop being <code>root</code>, e.g. by entering the <code>exit</code> command:

root@b3:~# exit

Now, you will see something along the following lines:

logout
christian@b3:~$

If your prompt switches back to your normal user name, and if the "#" paves way for the "$" sign, all is okay.

Next, you will have to log out (e.g. by using the <code>exit</code> command for a second time, or by simply closing your terminal window). (This is necessary to have your membership of the <code>fuse</code> group come into effect.)

Just to be sure that group membership has been granted, enter the following command:

christian@b3:~$ groups

The output of this command should look like this:

users fuse

Your list may be longer than mine, but is has to contain the <code>fuse</code> group. If it does not, there has been an impossible problem. In this case, you might consider re-issuing the <code>adduser ''christian'' fuse</code> command, and logging out, and logging in, one more time.

== Setting up encFS ==

When using encFS, you need to directories: one for storing your encrypted data, and one for showing the unencrypted content. I will call then ''encrypted'' and ''clear'', respectively. You may name them as you wish, but I like the strings "encrypted", and "clear", in their sheer shortness, and simplicity, so I will stick to them for the rest of this turorial.

It is completely on you where you want to place these directories, but you should take into consideration two things:

*It is a good idea to have backups of the ''encrypted'' directory. No-one will be able to read the backup of your ''encrypted'' directory because it is kind of, well, encrypted.
*Normally, you will ''not'' include your unencrypted (''clear'') directory into your normal backups, at least not in your off-site backups.

Since the miscellaneous B3 backup routines (and many other backup tools) save save miscellaneous, or all, directories from the <code>/home</code> tree, I would recommend storing your ''clear'' directory in a completely different place. Why not follow an old Unix convention and use the <code>/mnt</code> tree? I, personally, use <code>/mnt/clear/</code> for my ''clear'' directory.

Since non-root users may not normally access <code>/mnt</code>, you will have to issue three more privileged commands. Since they are so few, I rcommend using the <code>su -c</code> variant of the <code>su</code> command:

su -c "mkdir /mnt/clear"
su -c "chown ''christian'' /mnt/clear"
su -c "chmod go=,u=rwx /mnt/clear"

Each time, you will be asked for your root password.

Just to be sure, enter the following command:

ls -ld /mnt/clear

Its output should look like this:

drwx------ 2 ''christian'' root 4096 4. Apr 15:04 /mnt/clear

Next, let's create your ''encrypted'' directory. This ''should'' be included in your regular backups (you have set up regular backups, haven't you?), so it might be a good idea to store it in your B3's <code>private</code> folder. Enter the following commands:

mkdir ~''christian''/private/encrypted
chmod go= ~''christian'' /private/encrypted

Again, let's check if all is fine by entering the following command:

ls -ld ~''christian''/private/encrypted

Its output should look like this:

drwx------ 4 christian users 4096 4. Apr 15:17 /home/christian/private/encrypted

Now - at last! - you may actually set up encFS. Enter the following command (and be prepared for a lengthy dialog):

encfs ~/private/encrypted /mnt/clear

For the beginning, I would recommend using encFS's "paranoia" mode which uses sane, and safe, defaults for most settings. Answer the first question of encfs with '''P''', and press enter. encFS will require only one further input: that of a password. Choose wisely, and remember this password carefully - without this password, there is no way to decrypt your data again (at least the makers, and the users, of encFS hope so). Here, I strongly recommend using a long password (20 characters? 30?), and, of course, it should not ''mean'' anything. It would be best to randomly generate it (e.g. using Keepass or KeepassX).

== Using encFS ==

If you have set up encFS like shown in this tutorial, you have now two directories: /mnt/clear and ~/private/encrypted. All files you copy to /mnt/clear will get encrypted and will show up in ~/private/encrypted. ''Do not manually touch ~/private/encrypted!'' (You won't normally break something by creating files in your ''encrypted'' directory, but they simply do not belong there. And by deleting a file from ''encrypted'', you will not damage your encrypted filesystem - but, of course, you will lose the single file you have deleted.)

One more important thing: Your ''clear'' directory will show your unencrypted files until it gets unmounted:

#You may, at any time, unmount the directory manually using the umount command (note the missing "n" in the name of the command). Unfortunately, in our setup, this requires root privileges, so you have to enter the following command: su -c "umount /mnt/clear" Here you have to provide your root password again.
#When you shut down your B3 (more precisely: when your B3 restarts - this may totally happen without user interaction, e.g. after a power failure), the ''clear'' directory gets unmounted, too. This is a good thing because if someone wants to steal your B3, he and/or she will normally interrupt the power, thereby unmounting the ''clear'' directory and losing any access to your protected data.

If, at any time in the future, you want to access your encrypted data again, you will have to re-mount it again. This is done by re-issuing the simple encfs command:

encfs ~/private/encrypted /mnt/clear

At this stage, remembering your encryption password will make you a ''much'' happier person.

== Maintenance, Backup, Further Considerations ==

There is no actual maintenance needed, but you should always backup your ''encrypted'' directory. Though damage to, or loss of, one ore more single files will by no means harm all the other files, there is one notable exception: the file <code>.encfs6.xml</code> in your ''encrypted'' directory.This file is as important as your encryption password! If you loose, or damage, either this file, or your password, you will not be able to retrieve your valuable data. So be sure that your backups do include this file, and even if you don't do any backups - at least keep a copy of <code>.encfs6.xml</code> in a safe place.

One more thing: ''Before copying a file to your ''clear'' directory, make sure that it is actually mounted!'' If it is not, your files will not get encrypted, and they will never show up in your ''encrypted'' directory. And they will not get backed up either, because /mnt is normal excluded from any decent backup.''

The easiest way to make sure that the ''clear'' directory is mounted is looking at its contents: If it is empty, either someone has deleted all your files, or the directory got unmounted (e.g. due to a interruption of power).

A more professional way would be to issue the <code>mount</code> command. This command shows all mounted directories. If it contains an entry like this…

encfs on '''/mnt/clear''' type fuse.encfs (rw,nosuid,nodev,default_permissions,user=christian)

...''then'' you can be sure that your ''clear'' directory is up and working.

Johannes:

There is a json-based information interface from where applications (such as the firefox "bubbamon" tool) can get information automatically. <br>This is valid from B3 version 2.4.1 and onwards.
<pre>http://b3/admin/ajax_status/?
..where&nbsp;? can be:
uptime
hardware
version
printers
disks (note: the 'size' field is in 512 Byte blocks)
vgs
mds
fstab
free_space (gives free space for home and system partitions, respectively, in bytes)
</pre>
All of these are available with user level authentication ('admin' not required).

Johannes:

This howto is snitched from our forum, where [http://forum.excito.net/memberlist.php?mode=viewprofile&u=3294 kenned]&nbsp;was kind enough to post it:&nbsp;<br>

----

My ISP gave me a router with built-in DSL modem, so I can't use the B3 as a router. Also I don't care to have the B3 close to the router for several reasons. So I needed to use the B3 as a wireless client, serving files and webpages to the local network over wifi, and here's the recipe I followed. <br>I wanted to put it on the wiki, but couldn't be bothered to request a login.

= <br>B3 Wifi client =

Configure the B3 as a wifi client to make it connect to a wireless router or an access point.

= Prerequisites =

You need to have a user account with shell access for the B3.<br>You also need to be able to log into the root account, either by using "su -" with the root-password, or by using "sudo su -" (which then needs to be set up in advance).

= Disable B3 Access Point<br> =

Log in to the admin website on http://b3.local using the admin logon.<br>Click in to the Settings, Profile page and switch to the "Server only" profile.<br>Then enter the Settings, Network, Wireless page and turn off the wireless access point function of the B3.

= Log on to the root account<br> =

Using an ssh application, eg. putty, log on to the b3 via ssh and log on to the root account.
<pre>[user@MacBook: ~]$ ssh 192.168.1.11
Linux b3 2.6.35.4 #5 Tue Sep 7 16:06:15 CEST 2010 armv5tel

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 24 22:38:42 2011 from macbook.local
user@b3:~$ sudo su -
[sudo] password for user:
root@b3:~#


The following commands all need to be run under the root account.</pre>
= Install tools =

Install wireless-tools and wpasupplicant packages like this:
<pre>change_distribution elvin -u
apt-get update
apt-get install wireless-tools wpasupplicant
</pre>
= Configure wifi device =

Make the file /etc/network/interfaces readable only by root.
<pre>chmod 600 /etc/network/interfaces
</pre>
Enter the following section into this file (changing MyWifiNetwork and MySecretWifiKey with suitable values).
<pre>auto wlan0
iface wlan0 inet dhcp
wpa-ssid MyWifiNetwork
wpa-psk MySecretWifiKey
</pre>
This makes the wlan0 interface start at boot, connect to the network called "MyWifiNetwork" using the WPA PSK password "MySecretWifiKey" and request an IP address from the DHCP server.

Punch a big hole in the firewall for the wlan0 interface and restart the firewall to save the configuration.
<pre>iptables -A INPUT -i wlan0 -j ACCEPT
/etc/init.d/bubba-firewall restart
</pre>
Now start the wlan0 device to check the settings.<br>
<pre>ifup wlan0
</pre>
The console will show that the device has connected to your WLAN, has sent an DHCP request and shortly after received a reply with the IP address to use.

Now enjoy your wirelessly connected B3.<br>kenned<br>