For various security reasons, some users may want (or need) to store the log files produced by running various tools and applications in an encrypted directory, so that the logs are protected at rest if the sensor is lost, stolen or imaged. The following steps guide the reader through creating such a directory with ecryptfs.
- Using SSH (or rSSH), log in to the sensor with the pwnie user account.
- Type sudo su and press Enter, then enter the pwnie password again when prompted to become superuser.
- Next, type mkdir encrypted and press Enter to create the directory under /home/pwnie (the working directory is still /home/pwnie after sudo su; if in doubt, use the absolute path mkdir /home/pwnie/encrypted).
- Next, type mount -t ecryptfs /home/pwnie/encrypted /home/pwnie/encrypted and press Enter to mount the directory over itself with ecryptfs, so that files written through the mount are stored encrypted on disk.
- When prompted to select the key type to use for newly created files, select '2' for passphrase (the numbering varies between ecryptfs-utils versions, so pick whichever entry is labelled passphrase).
- When prompted for a passphrase, type one and press Enter. Accept the defaults for the remaining prompts (cipher, key bytes, plaintext passthrough, filename encryption) and note what you chose: the same passphrase and the same options must be given at every later mount, or files already in the directory will not decrypt.
DO NOT FORGET THE PASSPHRASE! There is no recovery path: the encryption key is derived from it, and without it the contents of the directory are lost.
- Next, type mount and press Enter to list the mount points. You will see output similar to the following; the last line is the encrypted directory.
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=504886,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=405684k,mode=755)
/dev/disk/by-uuid/01063397-e6d7-4180-a029-8bb6bc4eb54b on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=811360k)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
vmware-vmblock on /run/vmblock-fuse type fuse.vmware-vmblock (rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other)
/home/pwnie/encrypted on /home/pwnie/encrypted type ecryptfs (rw,relatime,ecryptfs_sig=3d70754f713de4c0,ecryptfs_cipher=aes,ecryptfs_key_bytes=24,ecryptfs_unlink_sigs)
- From this point forward, all files written to /home/pwnie/encrypted are encrypted on disk as long as the directory is mounted. If the directory is not mounted, the path is just an ordinary directory on the root filesystem and any files written to it are stored in cleartext. The ecryptfs_unlink_sigs option shown in the mount line means the passphrase key is removed from the kernel keyring when the directory is unmounted.
Now let's test the above.
- Type cp /etc/hosts /home/pwnie/encrypted and press Enter to copy the hosts file into the encrypted directory.
- Next, type cat /home/pwnie/encrypted/hosts and press Enter to view the decrypted contents of the hosts file.
You should be able to read the hosts file normally, because the mounted ecryptfs layer decrypts it transparently.
Now let's unmount the encrypted directory and try to view the hosts file again.
- Type umount /home/pwnie/encrypted and press Enter to unmount the directory. (The command is umount, not unmount; it fails with "target is busy" if a shell or process still has a file open there, or if your shell's working directory is inside it.)
- Next, type cat /home/pwnie/encrypted/hosts and press Enter to view the file as it is stored on disk.
You should NOT be able to read the hosts file: what cat prints is the ecryptfs file header followed by ciphertext, which is unintelligible. Note that the file name itself is still readable, because filename encryption was not enabled at mount time.
Be aware that after you unmount /home/pwnie/encrypted, any files written to that path are no longer encrypted. A file is only encrypted if the directory was mounted with ecryptfs before the file was written; anything written while it is unmounted stays in cleartext on disk, and mounting afterwards does not encrypt it retroactively.
Keep in mind the following:
When you want files written to the directory to be encrypted, mount it again, supplying the same passphrase and options as the first time:
mount -t ecryptfs /home/pwnie/encrypted /home/pwnie/encrypted and press Enter.
When you want to stop writing encrypted files, unmount it:
umount /home/pwnie/encrypted and press Enter.
While the directory is mounted, anyone with root (or pwnie) access on the sensor can read the decrypted files through the mount; ecryptfs protects the logs at rest, not against a compromised running system.
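The whole procedure above, wrapped as an added example script that is not part of the original guide or of the sensor's own tooling. It assumes the /home/pwnie/encrypted path used above, a root shell for the mount and umount functions, and the option names documented in mount.ecryptfs(8) (key=passphrase, passphrase_passwd_fd, ecryptfs_cipher, ecryptfs_key_bytes, ecryptfs_passthrough, ecryptfs_enable_filename_crypto, ecryptfs_unlink_sigs); the ENC_DIR, ECRYPTFS_CIPHER and ECRYPTFS_KEY_BYTES variables and all function names are this example's own. What it adds beyond the manual steps is the check the warning above calls for: a log-writing job confirms that the directory is an ecryptfs mount before every write and refuses otherwise, instead of discovering later that a log landed in cleartext.

```shell
#!/bin/sh
# Added example (not part of the original guide): the manual steps above as
# functions, plus the check a log-writing job should make before every write.
# Assumptions: the /home/pwnie/encrypted path used above, a root shell for the
# mount/umount functions, and the option names from mount.ecryptfs(8).
set -u

ENC_DIR="${ENC_DIR:-/home/pwnie/encrypted}"
# Must match what the interactive mount reported (ecryptfs_cipher and
# ecryptfs_key_bytes in the mount output: aes and 24 in the sample above).
ECRYPTFS_CIPHER="${ECRYPTFS_CIPHER:-aes}"
ECRYPTFS_KEY_BYTES="${ECRYPTFS_KEY_BYTES:-24}"

# is_ecryptfs_mounted DIR [MOUNTS]
# Succeed only if DIR is listed as an ecryptfs mount point in MOUNTS
# (default /proc/mounts; the output of `mount` is understood as well).
is_ecryptfs_mounted() {
    awk -v d="$1" '
        # /proc/mounts: "src mountpoint fstype opts dump pass"
        # mount output: "src on mountpoint type fstype (opts)"
        { if ($2 == "on") { mp = $3; fs = $5 } else { mp = $2; fs = $3 } }
        mp == d && fs == "ecryptfs" { found = 1 }
        END { exit found ? 0 : 1 }' "${2:-/proc/mounts}"
}

# encrypted_write DIR NAME [MOUNTS]
# Copy stdin to DIR/NAME, but only while DIR is an ecryptfs mount. Refusing
# is the point: a log written while unmounted would land in cleartext.
# Returns 0 on success, 2 if DIR is not mounted.
encrypted_write() {
    if ! is_ecryptfs_mounted "$1" "${3:-/proc/mounts}"; then
        echo "refusing to write $2: $1 is not an ecryptfs mount" >&2
        return 2
    fi
    cat > "$1/$2"
}

# encrypted_mount DIR
# Mount DIR over itself with ecryptfs without the interactive prompts. The
# passphrase is read from the terminal (or from stdin when piped in from a
# key-management tool) and handed to mount.ecryptfs over a file descriptor,
# never on the command line where `ps` would expose it. Options are pinned
# so every mount uses the same cipher and key size; ecryptfs_unlink_sigs
# drops the key from the kernel keyring at umount. Requires root.
encrypted_mount() {
    dir="$1"
    [ -d "$dir" ] || mkdir -p "$dir"
    chmod 700 "$dir"
    if [ -t 0 ]; then
        printf 'Passphrase for %s: ' "$dir" >&2
        trap 'stty echo; exit 130' INT
        stty -echo
        IFS= read -r pass
        stty echo
        trap - INT
        echo >&2
    else
        IFS= read -r pass
    fi
    printf 'passphrase_passwd=%s\n' "$pass" | mount -t ecryptfs "$dir" "$dir" -o \
        "key=passphrase:passphrase_passwd_fd=0,ecryptfs_cipher=$ECRYPTFS_CIPHER,ecryptfs_key_bytes=$ECRYPTFS_KEY_BYTES,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_unlink_sigs"
    rc=$?
    unset pass
    return $rc
}

# encrypted_umount DIR
# Unmount; fails with "target is busy" while any process holds a file open
# in DIR, so a running log writer must be stopped first.
encrypted_umount() {
    umount "$1"
}

# Command-line entry points; with no argument the script only defines the
# functions, so a log-collection job can source it and call encrypted_write.
case "${1:-}" in
    mount)  encrypted_mount "$ENC_DIR" ;;
    umount) encrypted_umount "$ENC_DIR" ;;
    write)  encrypted_write "$ENC_DIR" "${2:?usage: $0 write NAME < data}" ;;
    status) if is_ecryptfs_mounted "$ENC_DIR"; then echo "$ENC_DIR: ecryptfs mounted"
            else echo "$ENC_DIR: NOT mounted (writes would be cleartext)"; exit 1; fi ;;
    *)      ;;
esac
```

Usage on the sensor as root: `sh enc-logs.sh mount` (enter the passphrase once), then `some-tool | sh enc-logs.sh write scan.log`, and `sh enc-logs.sh umount` when done. The write path checks /proc/mounts rather than trusting that the mount "should" still be there, so a reboot or an earlier umount turns into an error instead of a cleartext log.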
© 2023 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.