mzpqnxow · October 24, 2025 10:21 · leephillips · Mar 25, 2021 · mzpqnxow · Mar 26, 2021
diff --git a/build-ecryptfs-debian-buster.sh b/build-ecryptfs-debian-buster.sh
 #!/bin/bash
 set -e
 #
 # As of 11/24/2019, Debian still can't get it together with ecryptfs-utils so there
 # is no longer an ecryptfs-utils in the apt repositories, removing the ability for
 # a user to use ecryptfs at all, unless they build from source and manually configure
 # the system
 #
 # Before using this, please see the status of the bugreport:
 #
 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765854
 #
 # Basically, Debian removed the apt package until this bug can be fixed. The problem
 # was that private ecryptfs mounts were not being unmounted on logout, almost completely
 # voiding the value of the functionality :<
 # 
 # If the bug is not yet fixed, you can use this script/guide to get ecryptfs per-user
 # home directory encryption working
 #
 # This is probably a bit broader than necessary, but many of these are requirements to
 # build ecryptfs-utils. Others, such as rsync and lsof are included as they are required
 # for ecryptfs-migrate-home at runtime
 DEPS="gpgv2 intltool keyutils libgpgme-dev libkeyutils-dev libnss3-dev libpam-dev \
      libpam-pkcs11 libpkcs11-helper1-dev libtspi-dev python2-dev python3-dev \
      simple-tpm-pk11 rsync lsof build-essential"
 # You can use /opt/ecryptfs or something if you don't want it in your root
 # Using something other than /usr may cause issues due to assumptions made in this script!
 PREFIX=/usr
 apt-get update
 echo -n 'Press enter to install dependencies via apt-get ...'
 apt-get install $DEPS
 cd /usr/src
 echo 'WARN: The source package is downloaded from the distribution site, but no signature check is performed!'
 echo -n 'Press enter to download version 111 of ecryptfs-utils from the distribution site ...'
 read x
 # Change the link to a different version if desired, but other versions are untested
 # This is the latest version as of 2019-11-24 ...
 wget https://launchpad.net/ecryptfs/trunk/111/+download/ecryptfs-utils_111.orig.tar.gz
 # You should check the signature here, probably
 tar -xvzf ecryptfs-utils_111.orig.tar.gz
 cd ecryptfs-utils-111
 echo 'NOTE: if the following step fails, you may need to apt-get some additional dependencies'
 echo -n 'Press enter to configure, build and install ecryptfs-utils from source ...'
 read x
 ./configure LIBS='-lkeyutils -lnss3 -lnssutil3' --prefix=/usr KEYUTILS_LIBS='-lnss3 -lnssutil3' NSS_CFLAGS='-I/usr/include/nss -I/usr/include/nspr'
 make -j && make install
 cd
 echo 'The ecryptfs-utils are now installed on your system, but there is more to do'
 echo 'Step 1 - fix pam so that mounting is automated'
 echo -n '  Add auth required pam_ecryptfs unwrap to pam common-auth? Enter to continue... '
 read x
 echo 'auth    required        pam_ecryptfs.so unwrap' >> /etc/pam.d/common-auth
 echo -n '  Add auth optional pam_ecryptfs unwrap to /etc/pam.d/common-session? Enter to continue... '
 read x
 echo 'session optional        pam_ecryptfs.so unwrap' >> /etc/pam.d/common-session
 echo 'Done fixing PAM. If you want configuration/migration of users to use ecryptfs to work, it is necessary'
 echo 'to add the setuid bit to /usr/sbin/mount.ecryptfs_private'
 echo 'Step 2 - fix permissions on mount.ecryptfs_private so setreuid succeeds at runtime'
 echo -n '  Use chmod to set setuid bit on mount.ecryptfs_private? Enter to continue ... '
 read x
 chmod u+s /usr/sbin/mount.ecryptfs_private
 echo 'Done. Consider the following manual steps for increased security:'
 echo '  1. Create a group called "ecryptfs" using "groupadd ecryptfs"'
 echo '  2. Place "trusted" users who should be allowed to user ecryptfs in that group by editing /etc/group'
 echo '  3. Use "chmod 4750 && chgrp /usr/sbin/mount.ecryptfs_private ecryptfs" to protect the mount app'
 echo
 echo 'Installation and configuration complete!'
 echo 'Try using ecryptfs-migrate-home to migrate a user to an encrypted home directory' 
 echo 'Make sure you test to ensure things are working, this is not official documentation!'
	#!/bin/bash
	set -e
	#
	# As of 11/24/2019, Debian still can't get it together with ecryptfs-utils so there
	# is no longer an ecryptfs-utils in the apt repositories, removing the ability for
	# a user to use ecryptfs at all, unless they build from source and manually configure
	# the system
	#
	# Before using this, please see the status of the bugreport:
	#
	# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765854
	#
	# Basically, Debian removed the apt package until this bug can be fixed. The problem
	# was that private ecryptfs mounts were not being unmounted on logout, almost completely
	# voiding the value of the functionality :<
	#
	# If the bug is not yet fixed, you can use this script/guide to get ecryptfs per-user
	# home directory encryption working
	#
	# This is probably a bit broader than necessary, but many of these are requirements to
	# build ecryptfs-utils. Others, such as rsync and lsof are included as they are required
	# for ecryptfs-migrate-home at runtime
	DEPS="gpgv2 intltool keyutils libgpgme-dev libkeyutils-dev libnss3-dev libpam-dev \
	libpam-pkcs11 libpkcs11-helper1-dev libtspi-dev python2-dev python3-dev \
	simple-tpm-pk11 rsync lsof build-essential"
	# You can use /opt/ecryptfs or something if you don't want it in your root
	# Using something other than /usr may cause issues due to assumptions made in this script!
	PREFIX=/usr
	apt-get update
	echo -n 'Press enter to install dependencies via apt-get ...'
	apt-get install $DEPS
	cd /usr/src
	echo 'WARN: The source package is downloaded from the distribution site, but no signature check is performed!'
	echo -n 'Press enter to download version 111 of ecryptfs-utils from the distribution site ...'
	read x
	# Change the link to a different version if desired, but other versions are untested
	# This is the latest version as of 2019-11-24 ...
	wget https://launchpad.net/ecryptfs/trunk/111/+download/ecryptfs-utils_111.orig.tar.gz
	# You should check the signature here, probably
	tar -xvzf ecryptfs-utils_111.orig.tar.gz
	cd ecryptfs-utils-111
	echo 'NOTE: if the following step fails, you may need to apt-get some additional dependencies'
	echo -n 'Press enter to configure, build and install ecryptfs-utils from source ...'
	read x
	./configure LIBS='-lkeyutils -lnss3 -lnssutil3' --prefix=/usr KEYUTILS_LIBS='-lnss3 -lnssutil3' NSS_CFLAGS='-I/usr/include/nss -I/usr/include/nspr'
	make -j && make install
	cd
	echo 'The ecryptfs-utils are now installed on your system, but there is more to do'
	echo 'Step 1 - fix pam so that mounting is automated'
	echo -n ' Add auth required pam_ecryptfs unwrap to pam common-auth? Enter to continue... '
	read x
	echo 'auth required pam_ecryptfs.so unwrap' >> /etc/pam.d/common-auth
	echo -n ' Add auth optional pam_ecryptfs unwrap to /etc/pam.d/common-session? Enter to continue... '
	read x
	echo 'session optional pam_ecryptfs.so unwrap' >> /etc/pam.d/common-session
	echo 'Done fixing PAM. If you want configuration/migration of users to use ecryptfs to work, it is necessary'
	echo 'to add the setuid bit to /usr/sbin/mount.ecryptfs_private'
	echo 'Step 2 - fix permissions on mount.ecryptfs_private so setreuid succeeds at runtime'
	echo -n ' Use chmod to set setuid bit on mount.ecryptfs_private? Enter to continue ... '
	read x
	chmod u+s /usr/sbin/mount.ecryptfs_private
	echo 'Done. Consider the following manual steps for increased security:'
	echo ' 1. Create a group called "ecryptfs" using "groupadd ecryptfs"'
	echo ' 2. Place "trusted" users who should be allowed to user ecryptfs in that group by editing /etc/group'
	echo ' 3. Use "chmod 4750 && chgrp /usr/sbin/mount.ecryptfs_private ecryptfs" to protect the mount app'
	echo
	echo 'Installation and configuration complete!'
	echo 'Try using ecryptfs-migrate-home to migrate a user to an encrypted home directory'
	echo 'Make sure you test to ensure things are working, this is not official documentation!'
No results found