Build ecryptfs-utils from source on Debian 10
#!/bin/bash
set -e
#
# As of 11/24/2019, Debian still can't get it together with ecryptfs-utils so there
# is no longer an ecryptfs-utils in the apt repositories, removing the ability for
# a user to use ecryptfs at all, unless they build from source and manually configure
# the system
#
# Before using this, please see the status of the bugreport:
#
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765854
#
# Basically, Debian removed the apt package until this bug can be fixed. The problem
# was that private ecryptfs mounts were not being unmounted on logout, almost completely
# voiding the value of the functionality :<
#
# If the bug is not yet fixed, you can use this script/guide to get ecryptfs per-user
# home directory encryption working
#
# This is probably a bit broader than necessary, but many of these are requirements to
# build ecryptfs-utils. Others, such as rsync and lsof are included as they are required
# for ecryptfs-migrate-home at runtime
DEPS="gpgv2 intltool keyutils libgpgme-dev libkeyutils-dev libnss3-dev libpam-dev \
libpam-pkcs11 libpkcs11-helper1-dev libtspi-dev python2-dev python3-dev \
simple-tpm-pk11 rsync lsof build-essential"
# You can use /opt/ecryptfs or something if you don't want it in your root
# Using something other than /usr may cause issues due to assumptions made in this script!
PREFIX=/usr
apt-get update
echo -n 'Press enter to install dependencies via apt-get ...'
# Wait for the confirmation that the prompt above asks for
read x
apt-get install $DEPS
cd /usr/src
echo 'WARN: The source package is downloaded from the distribution site, but no signature check is performed!'
echo -n 'Press enter to download version 111 of ecryptfs-utils from the distribution site ...'
read x
# Change the link to a different version if desired, but other versions are untested
# This is the latest version as of 2019-11-24 ...
wget https://launchpad.net/ecryptfs/trunk/111/+download/ecryptfs-utils_111.orig.tar.gz
# You should check the signature here, probably
tar -xvzf ecryptfs-utils_111.orig.tar.gz
cd ecryptfs-utils-111
echo 'NOTE: if the following step fails, you may need to apt-get some additional dependencies'
echo -n 'Press enter to configure, build and install ecryptfs-utils from source ...'
read x
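# Honor PREFIX (set above) rather than hard-coding /usr
./configure LIBS='-lkeyutils -lnss3 -lnssutil3' --prefix="$PREFIX" KEYUTILS_LIBS='-lnss3 -lnssutil3' NSS_CFLAGS='-I/usr/include/nss -I/usr/include/nspr'
# Bound the number of parallel jobs to the CPU count; a bare "make -j" is unlimited
make -j"$(nproc)" && make install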
cd
echo 'The ecryptfs-utils are now installed on your system, but there is more to do'
echo 'Step 1 - fix pam so that mounting is automated'
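echo -n ' Add auth required pam_ecryptfs.so unwrap to /etc/pam.d/common-auth? Enter to continue... '
read x
# Append only if the exact line is not already present, so re-running does not duplicate it
grep -qxF 'auth required pam_ecryptfs.so unwrap' /etc/pam.d/common-auth || \
    echo 'auth required pam_ecryptfs.so unwrap' >> /etc/pam.d/common-auth
echo -n ' Add session optional pam_ecryptfs.so unwrap to /etc/pam.d/common-session? Enter to continue... '
read x
grep -qxF 'session optional pam_ecryptfs.so unwrap' /etc/pam.d/common-session || \
    echo 'session optional pam_ecryptfs.so unwrap' >> /etc/pam.d/common-session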
echo 'Done fixing PAM. If you want configuration/migration of users to use ecryptfs to work, it is necessary'
echo 'to add the setuid bit to /usr/sbin/mount.ecryptfs_private'
echo 'Step 2 - fix permissions on mount.ecryptfs_private so setreuid succeeds at runtime'
echo -n ' Use chmod to set setuid bit on mount.ecryptfs_private? Enter to continue ... '
read x
chmod u+s /usr/sbin/mount.ecryptfs_private
echo 'Done. Consider the following manual steps for increased security:'
echo ' 1. Create a group called "ecryptfs" using "groupadd ecryptfs"'
echo ' 2. Place "trusted" users who should be allowed to use ecryptfs in that group by editing /etc/group'
echo ' 3. Use "chgrp ecryptfs /usr/sbin/mount.ecryptfs_private && chmod 4750 /usr/sbin/mount.ecryptfs_private" to protect the mount app'
echo
echo 'Installation and configuration complete!'
echo 'Try using ecryptfs-migrate-home to migrate a user to an encrypted home directory'
echo 'Make sure you test to ensure things are working, this is not official documentation!'
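
The script above warns that the tarball is downloaded, extracted and built as root with no integrity check. The following is an added example, not part of the original gist: it gates extraction on a pinned SHA-256 digest (a substitute for the signature check the script mentions) and on safe archive member paths. The function names and the `EXPECTED_SHA256` placeholder are assumptions; obtain the real digest out of band.

```bash
#!/bin/bash
# Added example, not part of the original gist. Swaps the signature check the
# script leaves out for a pinned SHA-256 digest plus an archive-path check.
# EXPECTED_SHA256 is a placeholder: obtain the real digest out of band.
EXPECTED_SHA256='<sha256-of-ecryptfs-utils_111.orig.tar.gz>'

# Succeed only if the SHA-256 of file $1 equals the pinned digest $2.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Read member names on stdin; succeed only if none is absolute or contains
# a ".." path component (either could write outside the extraction directory).
member_names_safe() {
    ! grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Succeed only if the gzip'd tarball $1 lists cleanly and all names are safe.
tar_members_safe() {
    members=$(tar -tzf "$1" 2>/dev/null) || return 1
    printf '%s\n' "$members" | member_names_safe
}

# Verify tarball $1 against digest $2, then extract into directory $3.
# --no-same-owner: files extracted by root are owned by root, not by
# whatever uid/gid the archive recorded.
verify_and_extract() {
    verify_sha256 "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
    tar_members_safe "$1"   || { echo "unsafe member path in $1" >&2; return 1; }
    tar -xzf "$1" -C "$3" --no-same-owner
}

# In the script above this would replace the bare "tar -xvzf" line:
#   verify_and_extract ecryptfs-utils_111.orig.tar.gz "$EXPECTED_SHA256" /usr/src
```

Because the script runs with `set -e`, a failed check stops it before `./configure` and `make install` run on unverified source.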

@b00mbox b00mbox commented Mar 28, 2020

Great. Thanks.

@seriousramius seriousramius commented May 14, 2020

Thank you. After the restart I got the message: ERROR: Cannot get ecryptfs version, ecryptfs kernel module not loaded?
After running: modprobe ecryptfs the module is loaded and the migration runs well. Regards

@leephillips leephillips commented Mar 25, 2021

I really appreciate this! It saved me a load of time (and works out of the box).

@mzpqnxow mzpqnxow (gist owner and author) commented Mar 26, 2021

@leephillips happy it was helpful for you. BTW, you should take a look at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765854, it seems to suggest Debian may be including the package again soon
