/* pragma: section-numbers 2 */ ====== eCryptfs ====== eCryptfs is a POSIX-compliant enterprise-class stacked (on top of other filesystem) cryptographic filesystem for Linux. ===== Resources ===== * [[https://launchpad.net/ecryptfs/|Project homepage]] ===== Contents ===== /* UndefinedMacro: TableOfContents(None) */ ===== Initial configuration ===== Install ecryptfs-utils-85-4 and pam-pam_ecryptfs-85-4 or newer. Add all users that should be able to encrypt their data to ecryptfs group. ==== Setup PAM ==== Three new lines. Note need to be places after pam_unix.so! [root@host ~]# cat /etc/pam.d/system-auth #%PAM-1.0 auth required pam_listfile.so item=user sense=deny file=/etc/security/blacklist onerr=succeed auth required pam_env.so auth required pam_tally.so deny=0 file=/var/log/faillog onerr=succeed auth required pam_unix.so try_first_pass # ECRYPTFS SUPPORT - has to be AFTER pam_unix auth optional pam_ecryptfs.so unwrap account required pam_tally.so file=/var/log/faillog onerr=succeed account required pam_time.so account required pam_unix.so # password [success=1 ignore=reset abort=die default=bad] pam_pwgen.so upper=1 digit=1 password required pam_cracklib.so try_first_pass difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password required pam_unix.so try_first_pass sha512 shadow use_authtok # ECRYPTFS SUPPORT - has to be AFTER pam_unix password required pam_ecryptfs.so password required pam_exec.so failok seteuid /usr/bin/make -C /var/db # password required pam_exec.so failok seteuid /usr/bin/make -C /var/yp session optional pam_keyinit.so revoke debug session required pam_limits.so change_uid session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so # ECRYPTFS SUPPORT - has to be AFTER pam_unix session optional pam_ecryptfs.so unwrap ===== Account migration ===== End all USER session, logout from machine and run from root: ''ecryptfs-migrate-home -u USER'' Follow instruction on the screen.