For various security reasons, some users may desire (or need) to store the log files created as a result of running various tools and applications in an encrypted directory. The following steps will guide the reader through the process of creating an encrypted directory for this purpose.

  1. Using SSH (or rSSH), login to the sensor with the pwnie user account.
  2. Type sudo su and press Enter, then retype the password to become superuser.
  3. Next, type mkdir encrypted and press Enter (from within /home/pwnie/) to create the directory /home/pwnie/encrypted.
  4. Next, type mount -t ecryptfs /home/pwnie/encrypted /home/pwnie/encrypted and press Enter to mount and encrypt the directory using ecryptfs.
  5. When prompted to select the key type to use for newly created files, select '2' for passphrase.
  6. When prompted to provide a passphrase, type in a passphrase and press Enter.

    Important

    DO NOT FORGET THE PASSPHRASE!


  7. Next, type mount and press Enter to view the mount points. As an example, you will see output similar to the following; the last line (type ecryptfs) represents the encrypted directory.

    root@pwnix-000c292a9942:/home/pwnie# mount
    sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
    proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
    udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=504886,mode=755)
    devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
    tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=405684k,mode=755)
    /dev/disk/by-uuid/01063397-e6d7-4180-a029-8bb6bc4eb54b on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
    tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
    tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=811360k)
    fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
    vmware-vmblock on /run/vmblock-fuse type fuse.vmware-vmblock (rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other)
    /home/pwnie/encrypted on /home/pwnie/encrypted type ecryptfs (rw,relatime,ecryptfs_sig=3d70754f713de4c0,ecryptfs_cipher=aes,ecryptfs_key_bytes=24,ecryptfs_unlink_sigs)

  8. From this point forward, all files written to the /home/pwnie/encrypted directory will be encrypted as long as the directory is mounted. If the directory is not mounted, any files written to this directory will NOT be encrypted.

    Now let's test the above...

  9. Type cp /etc/hosts /home/pwnie/encrypted and press Enter to copy the hosts file to the encrypted directory.
  10. Next, type cat /home/pwnie/encrypted/hosts and press Enter to view the decrypted contents of the hosts file.

    It is expected you will be able to view the contents of the hosts file.

    Now let's unmount the encrypted directory and attempt to view the contents of the hosts file.

  11. Type umount /home/pwnie/encrypted and press Enter to unmount the directory.
  12. Next, type cat /home/pwnie/encrypted/hosts and press Enter to view the encrypted contents of the hosts file.


It is expected you will NOT be able to view the contents of the hosts file. In fact, it will be gibberish, which is a technical word for "unintelligible content".

Be aware that after the /home/pwnie/encrypted directory has been unmounted, any and all files written to this directory are no longer encrypted, and they remain unencrypted on disk even after the directory is mounted again. Files are only encrypted when written to the directory while it is mounted with ecryptfs.

Keep in mind the following:

When you want to enable the writing of files to be encrypted:
Type mount -t ecryptfs /home/pwnie/encrypted /home/pwnie/encrypted and press Enter.

When you want to disable the writing of files to be encrypted:
Type umount /home/pwnie/encrypted and press Enter.