pefs encrypted directory

Create an encrypted directory using pefs

pefs install

Bash:
sudo pkg install pefs-kmod

pefs load kernel module

Once installed, we next need to load the pefs kernel module:

Bash:
sudo kldload pefs

check the pefs kernel module is loaded with kldstat

Bash:
kldstat

If we want to keep this module loaded across reboots, add it to /boot/loader.conf:

Bash:
sudo vim /boot/loader.conf

then add the following line to /boot/load.conf

Bash:
pefs_load="YES"

pefs encrypted directory

create an encrypted directory
create a directory in your home directory which we will encrypt with pefs, in this demo the name of the directory is storage

Bash:
mkdir -p ~/storage

change permissions to make it readable by only our user

Bash:
chmod 700 ~/storage

create the pefs keychain with aes256 encryption

Bash:
pefs addchain -fZ -a aes256 ~/storage

At the prompt enter you user login password and then confirm

Enter parent key passphrase:
Reenter parent key passphrase:

list the ~/storage directory to make sure the ~/storage/.pefs.db file is created

Bash:
ls -a ~/storage

mount the ~/storage directory

Bash:
pefs mount ~/storage ~/storage

pefs add aes256 key

Bash:
pefs addkey -c -a aes256 ~/storage

Enter the same password as you used to create the keychain

create a file with some text to test the encryption

Bash:
echo 'testing' > ~/storage/test.txt

check the contents of the file and it should be unencrypted

Bash:
less ~/storage/test.txt

unmount the pefs directory


unmount the ~/storage directory and the file will become encrypted

Bash:
pefs umount ~/storage

list the storage directory and the filename will now be encrypted

Bash:
ls -al ~/storage

check the contents of the file and it should be encrypted
the filename will be changed from test.txt to an encrypted string

Bash:
less ~/storage/.CHkOvB7RVpxPAwD3X8AgG0hltd_sQV59

remount the pefs ~/storage directory

remount the pefs ~/storage directory

Bash:
pefs mount ~/storage ~/storage

re add the pefs key note you dont have to add the keychain,
as you have already created the keychain you just have to re add the pefs key

Bash:
pefs addkey -c -a aes256 ~/storage

you will be prompted to enter your password, which is your user login password

Enter passphrase:

list the contents of the ~/storage directory

Bash:
ls -al ~/storage

check the contents of the file and it should be unencrypted

Bash:
less ~/storage/test.txt

pefs showchains for directory show the key added to the keychain

Bash:
pefs showchains -f ~/storage

this should show the key is encrypted with aes256 encyption
 
Update: Encrypted home directory using PEFS.

This works for local login and remote login. If the remote connection drops for whatever reason, the home directory gets locked again. Unfortunately the setup still lacks the ability to handle local and remote login at the the same time. So if you are already logged in remotely and log in locally as well, the home directory will be locked after the local logout. To unlock the home directory again, the following will do the trick:

Code:
pefs addkey -c $HOME

It is also mandatory to know, that if you like to scp files to your home directory it is necessary to login first using ssh, so that your home directory is unlocked.

Bash shell has been used here, and I didn't try the setup with a different shell, but my guess would be it works in a similar fashion.



The following additional files are mandatory, and it helps to create them first, so they are in position, if needed:

File: /etc/pam.d/pam_session.sh
Permission: chmod a+x /etc/pam.d/pam_session.sh
Code:
#!/bin/sh

log_file=/var/log/log.pam_session
pefs=/usr/local/sbin/pefs

if [ ! -f /usr/home/$PAM_USER/.pefs.db ] ; then
        echo "`date` PAM $PAM_USER: pefs support not enabled!" >> $log_file
        exit 0
fi

SESSION_CNT=`who | grep $PAM_USER | wc -l | grep -E -o [0-9]+`
case "$PAM_SM_FUNC" in
        pam_sm_close_session)
                echo "$PAM_USER active sessions: $SESSION_CNT" >> $log_file
                if [ $SESSION_CNT -ge 1 ] ; then
                        #echo "`date` PAM $PAM_USER: still logged in!" >> $log_file
                        exit 0
                fi
                $pefs flushkeys /usr/home/$PAM_USER
        ;;
esac

File: $HOME/.bash_login
Permission: chmod 0644 $HOME/.bash_login
Comment: The file needs to be moved in position at a later stage, please pay attention below.
Code:
#~/.bash_login

SESSION_CNT=`who | grep $USER | wc -l | grep -E -o [0-9]+`
SESSION_TYPE=`who | grep $USER | grep pts | grep -E -o "\(([0-9]+(\.[0-9]+){3}|localhost)\)$" | tail -1`

if [ -f ~/.pefs.db -a $SESSION_CNT -le 1 -a "$SESSION_TYPE" ] ; then
        if [ "$TERM" != "screen" ] ; then
               echo ""
               echo "Please enter keyword to unlock home directory:"
               /usr/local/sbin/pefs addkey -c `pwd`
        fi
fi

# !! ATTENTION !!
# Following this line all files are still encrypted, if a false keyword has
# been provided.
# !! ATTENTION !!

if [ -f ~/.bashrc ] ; then
        source ~/.bashrc
fi

Edit /etc/pam.d/system to enable PEFS support for local login:
Code:
[..]
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_pefs.so              try_first_pass delkeys
auth            required        pam_unix.so             no_warn try_first_pass nullok

[..]

# session
#session        optional        pam_ssh.so              want_agent
session         optional        /usr/local/lib/pam_pefs.so              delkeys
session         required        pam_lastlog.so          no_fail

[..]

Edit /etc/pam.d/sshd to enable PEFS support for remote login:
Code:
[..]

# session
#session        optional        pam_ssh.so              want_agent
session         optional        pam_exec.so             /etc/pam.d/pam_session.sh
session         required        pam_permit.so

[..]

Finally create a user directory with PEFS support:

Code:
                #01. create user
                adduser jdoe
                adjust home directory to /usr/home/jdoe
                user password needs to be the same as chain and key password

                #02. prepare PEFS user setup
                cd /usr/home
                mv jdoe jdoe.orig
                mkdir jdoe
                chown jdoe:jdoe jdoe
                pefs addchain -Z -f /usr/home/jdoe
                pefs mount /usr/home/jdoe /usr/home/jdoe
                pefs addkey /usr/home/jdoe
                -> password = jdoe password
                mv /usr/home/jdoe/.pefs.db /usr/home/.
                umount /usr/home/jdoe
                mv /usr/home/.pefs.db /usr/home/jdoe/.
                chown jdoe:jdoe /usr/home/jdoe/.pefs.db
             
                # .bash_login needs to be unencrypted in the home
                # directory, so on login in will execute and unlock
                # our home directory
                mv /tmp/.bash_login /usr/home/jdoe/.
                chown jdoe:jdoe /usr/home/jdoe/.bash_login
                pefs mount /usr/home/jdoe /usr/home/jdoe
                pefs addkey -c /usr/home/jdoe
                cp -av /usr/home/jdoe.orig/.[a-z]* /usr/home/jdoe/.
                umount /usr/home/jdoe
                rm -rf /usr/home/jdoe.orig
             
                # Add the following line to /etc/fstab
                /usr/home/jdoe /usr/home/jdoe pefs rw,late 0 0
             
                # Mount your home directory using fstab
                mount /usr/home/jdoe

Reboot your system to verify there are no errors during the boot sequence.

To avoid entering your password twice using SSH remote login, you can enable ssh certificate based authentication.
 
Back
Top