Setting up a build environment for the ecryptfs source

1. Base environment

Ubuntu 22.04 LTS

Linux ubuntu-vm 5.15.0-56-generic

2. Source version

Source version: ecryptfs-utils_111.orig.tar.gz

Download link: https://launchpad.net/ecryptfs/trunk/111/+download/ecryptfs-utils_111.orig.tar.gz

3. Install the dependencies

sudo apt update && sudo apt install -y gpgv2 intltool keyutils libgpgme-dev libkeyutils-dev libnss3-dev libpam-dev \
     libpam-pkcs11 libpkcs11-helper1-dev libtspi-dev python2-dev python3-dev \
     simple-tpm-pk11 rsync lsof build-essential

4. Reinstall automake-1.15

wget https://mirrors.tuna.tsinghua.edu.cn/gnu/automake/automake-1.15.tar.gz

tar -zxvf automake-1.15.tar.gz

cd automake-1.15
./configure
make && sudo make install

5. Download the source

wget https://launchpad.net/ecryptfs/trunk/111/+download/ecryptfs-utils_111.orig.tar.gz

tar -xvzf ecryptfs-utils_111.orig.tar.gz

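6. Build script

Mind the directory paths and adjust them to your own setup.

The script below assumes that both the script and the ecryptfs-utils-111 source directory are placed in ~/Desktop.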

#!/bin/bash
set -e
#
# As of 11/24/2019, Debian still can't get it together with ecryptfs-utils so there
# is no longer an ecryptfs-utils in the apt repositories, removing the ability for
# a user to use ecryptfs at all, unless they build from source and manually configure
# the system
#
# Before using this, please see the status of the bugreport:
#
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765854
#
# Basically, Debian removed the apt package until this bug can be fixed. The problem
# was that private ecryptfs mounts were not being unmounted on logout, almost completely
# voiding the value of the functionality :<
# 
# If the bug is not yet fixed, you can use this script/guide to get ecryptfs per-user
# home directory encryption working
#
# This is probably a bit broader than necessary, but many of these are requirements to
# build ecryptfs-utils. Others, such as rsync and lsof are included as they are required
# for ecryptfs-migrate-home at runtime
##DEPS="gpgv2 intltool keyutils libgpgme-dev libkeyutils-dev libnss3-dev libpam-dev \
##      libpam-pkcs11 libpkcs11-helper1-dev libtspi-dev python2-dev python3-dev \
##      simple-tpm-pk11 rsync lsof build-essential"
# You can use /opt/ecryptfs or something if you don't want it in your root
# Using something other than /usr may cause issues due to assumptions made in this script!
PREFIX=/usr
##apt-get update
##echo -n 'Press enter to install dependencies via apt-get ...'
##apt-get install $DEPS
##cd /usr/src
##echo 'WARN: The source package is downloaded from the distribution site, but no signature check is performed!'
##echo -n 'Press enter to download version 111 of ecryptfs-utils from the distribution site ...'
##read x
# Change the link to a different version if desired, but other versions are untested
# This is the latest version as of 2019-11-24 ...
##wget https://launchpad.net/ecryptfs/trunk/111/+download/ecryptfs-utils_111.orig.tar.gz
# You should check the signature here, probably
##tar -xvzf ecryptfs-utils_111.orig.tar.gz
rm -rf /usr/src/ecryptfs-utils-111
cp -r ./ecryptfs-utils-111 /usr/src
cd /usr/src/ecryptfs-utils-111
echo 'NOTE: if the following step fails, you may need to apt-get some additional dependencies'
echo -n 'Press enter to configure, build and install ecryptfs-utils from source ...'
read x
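# Use the PREFIX set above and cap parallel jobs at the CPU count (a bare "make -j" is unbounded)
./configure LIBS='-lkeyutils -lnss3 -lnssutil3' --prefix="$PREFIX" KEYUTILS_LIBS='-lnss3 -lnssutil3' NSS_CFLAGS='-I/usr/include/nss -I/usr/include/nspr'
make -j"$(nproc)" && make install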
cd
echo 'The ecryptfs-utils are now installed on your system, but there is more to do'
echo 'Step 1 - fix pam so that mounting is automated'
echo -n '  Add auth required pam_ecryptfs unwrap to pam common-auth? Enter to continue... '
read x
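# Append only if the exact line is absent, so re-running the script does not stack duplicates
grep -qxF 'auth    required        pam_ecryptfs.so unwrap' /etc/pam.d/common-auth || \
    echo 'auth    required        pam_ecryptfs.so unwrap' >> /etc/pam.d/common-auth
echo -n '  Add auth optional pam_ecryptfs unwrap to /etc/pam.d/common-session? Enter to continue... '
read x
grep -qxF 'session optional        pam_ecryptfs.so unwrap' /etc/pam.d/common-session || \
    echo 'session optional        pam_ecryptfs.so unwrap' >> /etc/pam.d/common-session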
echo 'Done fixing PAM. If you want configuration/migration of users to use ecryptfs to work, it is necessary'
echo 'to add the setuid bit to /usr/sbin/mount.ecryptfs_private'
echo 'Step 2 - fix permissions on mount.ecryptfs_private so setreuid succeeds at runtime'
echo -n '  Use chmod to set setuid bit on mount.ecryptfs_private? Enter to continue ... '
read x
chmod u+s /usr/sbin/mount.ecryptfs_private
echo 'Done. Consider the following manual steps for increased security:'
echo '  1. Create a group called "ecryptfs" using "groupadd ecryptfs"'
echo '  2. Place "trusted" users who should be allowed to user ecryptfs in that group by editing /etc/group'
echo '  3. Use "chmod 4750 && chgrp /usr/sbin/mount.ecryptfs_private ecryptfs" to protect the mount app'
echo
echo 'Installation and configuration complete!'
echo 'Try using ecryptfs-migrate-home to migrate a user to an encrypted home directory' 
echo 'Make sure you test to ensure things are working, this is not official documentation!'

7. Build the source

sudo chmod +x build.sh
sudo ./build.sh

8. Output on a successful build

...
The ecryptfs-utils are now installed on your system, but there is more to do
Step 1 - fix pam so that mounting is automated
  Add auth required pam_ecryptfs unwrap to pam common-auth? Enter to continue... 
  Add auth optional pam_ecryptfs unwrap to /etc/pam.d/common-session? Enter to continue... 
Done fixing PAM. If you want configuration/migration of users to use ecryptfs to work, it is necessary
to add the setuid bit to /usr/sbin/mount.ecryptfs_private
Step 2 - fix permissions on mount.ecryptfs_private so setreuid succeeds at runtime
  Use chmod to set setuid bit on mount.ecryptfs_private? Enter to continue ... 
Done. Consider the following manual steps for increased security:
  1. Create a group called "ecryptfs" using "groupadd ecryptfs"
  2. Place "trusted" users who should be allowed to user ecryptfs in that group by editing /etc/group
  3. Use "chmod 4750 && chgrp /usr/sbin/mount.ecryptfs_private ecryptfs" to protect the mount app

Installation and configuration complete!
Try using ecryptfs-migrate-home to migrate a user to an encrypted home directory
Make sure you test to ensure things are working, this is not official documentation!
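
After a successful run, build.sh has left a setuid-root /usr/sbin/mount.ecryptfs_private and appended lines to two PAM files. The check below is an added example, not part of the original script: it verifies the 4750 mode and "ecryptfs" group that the script's closing message recommends, and counts the active pam_ecryptfs.so lines so that duplicates from repeated runs are caught. The function names and the audit.sh filename are assumptions.

```shell
#!/bin/bash
# Added example: post-install audit for the changes build.sh makes to the system.
# check_helper, count_pam_lines and audit.sh are hypothetical names.

# check_helper PATH GROUP
# Prints one finding per problem; returns 0 only when PATH has mode 4750 and group GROUP.
check_helper() {
    local path=$1 want_group=$2 mode group rc=0
    [ -f "$path" ] || { echo "missing: $path"; return 1; }
    mode=$(stat -c '%a' "$path")     # GNU stat: octal mode, e.g. 4755
    group=$(stat -c '%G' "$path")
    if [ "$mode" != "4750" ]; then
        echo "$path: mode is $mode, expected 4750"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$path: group is $group, expected $want_group"; rc=1
    fi
    return "$rc"
}

# count_pam_lines FILE
# Prints how many active (non-comment) lines in FILE load pam_ecryptfs.so.
count_pam_lines() {
    grep -Ec '^[[:space:]]*[^#[:space:]].*pam_ecryptfs\.so' "$1" || true
}

# Run against the real paths only when asked to: ./audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    # To fix a finding: chgrp first, then chmod, because changing the group
    # of an executable clears its setuid bit on Linux.
    #   chgrp ecryptfs /usr/sbin/mount.ecryptfs_private
    #   chmod 4750 /usr/sbin/mount.ecryptfs_private
    check_helper /usr/sbin/mount.ecryptfs_private ecryptfs || true
    for f in /etc/pam.d/common-auth /etc/pam.d/common-session; do
        echo "$f: $(count_pam_lines "$f") pam_ecryptfs.so line(s), expected 1"
    done
fi
```

Right after build.sh the helper is setuid but still world-executable, so check_helper reports a finding until the group and mode steps have been carried out.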
