Securely automount encrypted drive at user login

When I wrote this answer a few years ago, this was the best way of implementing the solution. I'd now suggest that you look at the next answer using mount.ecryptfs_private instead.

I was also looking for a way to automatically mount a second eCryptfs volume. The following collection of scripts and configuration modifications will securely and automatically mount your volume on login, either to the GUI or the CLI.

There is a better solution that's in the process of being created (though I think it is not quite ready for automatic mounting on user login, so this script will have a limited shelf life):

ecryptfs on too-small harddrive - how to add links into the encryption?

The security of the scripts depends on your home directory being encrypted with eCryptfs, so that the script and the files with the password to unwrap your passphrase are encrypted. If you leave your computer unlocked with a root shell open after login, it will be possible to access the passwords; however, use of sudo NOPASSWD allows secure mounting of the partition without requiring password entry or leaving the passphrase in a file readable by the user.

One known deficiency of these scripts is that your second volume will not be unmounted on logout; as such, it is not particularly suitable for multi-user systems.

My solution is implemented in several parts: two shell scripts, one that performs the actual mounting and another that serves as a wrapper for it.

This is the wrapper script that checks whether the directory is already mounted; if it isn't, it calls the mounting script using sudo:

/home/johnf/scripts/automount_ecryptfs:

#!/bin/bash

MOUNT_POINT=/home/johnf/slow

# Only call the (root-owned) mounting script, via the NOPASSWD sudo rule,
# when the mount point is not already listed in the kernel's mount table
# (a substring match: any /proc/mounts line containing the path counts).
if ! grep -q "$MOUNT_POINT" /proc/mounts; then
  sudo /home/johnf/scripts/mount_other_ecryptfs
fi

This script calls /home/johnf/scripts/mount_other_ecryptfs, which is as follows.

Note that this script assumes that you have file name encryption enabled; if you don't, it will be necessary to either modify the script to handle detection (look at ecryptfs-recover-private) or remove the ecryptfs_fnek_sig mount option.

The following is the /home/johnf/scripts/mount_other_ecryptfs script:

#!/bin/bash

ENCRYPTED_VOLUME=/vol0/.ecryptfs/johnf/.Private
MOUNT_POINT=/home/johnf/slow
PASSFILE=/home/johnf/scripts/ecryptfs_passphrase
# Password that unwraps the wrapped-passphrase file; this script is root-only
# (see the permissions below) so the user cannot read it.
MOUNT_PASSWORD=secret_passphrase
# Private.sig holds the passphrase signature on line 1 and the file name
# encryption (fnek) signature on line 2.
ECRYPTFS_SIG=$(head -n 1 "${ENCRYPTED_VOLUME}/../.ecryptfs/Private.sig")
ECRYPTFS_FNEK_SIG=$(tail -n 1 "${ENCRYPTED_VOLUME}/../.ecryptfs/Private.sig")

# Unwrap the passphrase into the kernel keyring, then mount using the signatures.
printf "%s" "$MOUNT_PASSWORD" | ecryptfs-insert-wrapped-passphrase-into-keyring "${ENCRYPTED_VOLUME}/../.ecryptfs/wrapped-passphrase"
mount -t ecryptfs -o "key=passphrase:passfile=${PASSFILE},ecryptfs_sig=${ECRYPTFS_SIG},ecryptfs_fnek_sig=${ECRYPTFS_FNEK_SIG},ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n" "${ENCRYPTED_VOLUME}" "${MOUNT_POINT}"

You will also need to create a file with your password in it; this file will be used by the eCryptfs mount command:

/home/johnf/scripts/ecryptfs_passphrase:

passwd=secret_passphrase

You need to modify the permissions on several files:

chmod +x /home/johnf/scripts/automount_ecryptfs
sudo chown root:root /home/johnf/scripts/mount_other_ecryptfs /home/johnf/scripts/ecryptfs_passphrase
sudo chmod a=x /home/johnf/scripts/mount_other_ecryptfs
sudo chmod 400 /home/johnf/scripts/ecryptfs_passphrase

Before creating the scripts, you need to create a sudoers configuration that permits the execution of the mounting script using sudo without entering your sudo password.

Add the following to /etc/sudoers (or a file in /etc/sudoers.d). You will want to replace johnf with your username. It's necessary to use an absolute path to the mounting script.

johnf   ALL = NOPASSWD: /home/johnf/scripts/mount_other_ecryptfs

The final step is to call the automount_ecryptfs script on login.

On Ubuntu Unity (and probably GNOME) use the Startup Applications applet to create a new startup program that calls /home/johnf/scripts/automount_ecryptfs.

To automatically mount the second eCryptfs volume on login to a bash shell, you will want to modify your ~/.bashrc file. Add the following:

/home/johnf/scripts/automount_ecryptfs

With this configuration in place you should now automatically mount your second eCryptfs volume.


Building on @johnf's answer but using mount.ecryptfs_private instead:

  • encrypted /home/bob/ (e.g. on an SSD), using Ubuntu's normal encrypted home dir magic.
  • encrypted /media/hdd/bob_extra/ (e.g. on a HDD), to be mounted to /home/bob/extra. This should automount on login, just like the home dir does.
  • use the same keys/credentials for both.

create it

mkdir /media/hdd/bob_extra
cp /home/bob/.ecryptfs/Private.sig /home/bob/.ecryptfs/extra.sig
echo "/media/hdd/bob_extra /home/bob/extra ecryptfs none 0 0" > /home/bob/.ecryptfs/extra.conf

test it

mount.ecryptfs_private extra

Running mount, you should see:

...
/media/hdd/bob_extra on /home/bob/extra type ecryptfs (ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=12345678abcdef,ecryptfs_fnek_sig=abcdef12345678)

to unmount:

sudo umount /media/hdd/bob_extra

setup automount

Create /home/bob/bin/automount_ecryptfs.extra, which will mount it if it hasn't been mounted already.

#!/bin/bash

MOUNT_POINT=/home/bob/extra

# Mount only when the mount point is not already listed in the kernel's
# mount table (a substring match: any /proc/mounts line containing the path counts).
if ! grep -q "$MOUNT_POINT" /proc/mounts; then
  mount.ecryptfs_private extra
fi

Make it executable (chmod +x), then add it to /home/bob/.bashrc:

...
/home/bob/bin/automount_ecryptfs.extra

Then add it to Gnome's Startup Applications as well.
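
Both wrapper scripts above test /proc/mounts with a plain grep, which matches any line containing the path. What follows is an added example, not code from either answer: a field-exact check that also handles the kernel's octal escapes in mount paths and refuses to continue if something other than ecryptfs is already mounted there. The function names and the MOUNTS_TABLE variable are my own, introduced so the check can be exercised against a constructed mounts table instead of the live /proc/mounts.

```bash
#!/bin/bash
# Added example, not code from either answer: a field-exact replacement for
# the `grep -q $MOUNT_POINT /proc/mounts` test. A substring grep also matches
# /home/bob/extra2 or /home/bob/extra/sub and would then silently skip the mount.

# Encode a path as the kernel prints it in /proc/mounts: backslash, space and
# tab become \134, \040 and \011 (backslash first so the others are not redone).
mounts_escape() {
  local p=$1
  p=${p//\\/\\134}
  p=${p// /\\040}
  p=${p//$'\t'/\\011}
  printf '%s' "$p"
}

# mounted_fstype MOUNT_POINT [MOUNTS_FILE]: print the filesystem type mounted
# exactly at MOUNT_POINT (field 2 of the table) or return 1 if there is none.
# MOUNTS_FILE (or $MOUNTS_TABLE) defaults to /proc/mounts; it exists for tests.
mounted_fstype() {
  local want mounts="${2:-${MOUNTS_TABLE:-/proc/mounts}}" dev mnt fstype rest found=
  want=$(mounts_escape "$1")
  while read -r dev mnt fstype rest; do
    [ "$mnt" = "$want" ] && found=$fstype   # later lines win (top-most mount)
  done < "$mounts"
  [ -n "$found" ] && printf '%s\n' "$found"
}

# automount_ecryptfs MOUNT_POINT MOUNT_CMD...: run MOUNT_CMD only when nothing is
# mounted at MOUNT_POINT; refuse a foreign mount, fail unless ecryptfs ends up there.
automount_ecryptfs() {
  local mp=$1 fstype; shift
  if fstype=$(mounted_fstype "$mp"); then
    [ "$fstype" = ecryptfs ] && return 0
    echo "refusing: $mp holds a $fstype mount, not ecryptfs" >&2
    return 2
  fi
  "$@" || return 1
  [ "$(mounted_fstype "$mp")" = ecryptfs ]
}

# Constructed sample mounts table (written to the file named by $1); the
# ecryptfs line mirrors the "mount" output shown in the second answer.
write_sample_mounts() {
  cat > "$1" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/media/hdd/bob_extra /home/bob/extra ecryptfs rw,ecryptfs_sig=12345678abcdef,ecryptfs_fnek_sig=abcdef12345678 0 0
/dev/sdb1 /home/bob/extra2 ext4 rw 0 0
/dev/sdb2 /home/bob/old\040extra ext4 rw 0 0
EOF
}
```

In a real wrapper the call would be `automount_ecryptfs /home/bob/extra mount.ecryptfs_private extra` (or, for the first answer, `automount_ecryptfs /home/johnf/slow sudo /home/johnf/scripts/mount_other_ecryptfs`), and a non-zero exit means the volume is not mounted and should not be written to.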


You no longer need the solutions above.

Prerequisites:

  • an Ubuntu 14.04 LTS install
  • an encrypted home directory (see https://help.ubuntu.com/community/EncryptedHome)
  • a desire to automatically mount a secondary encrypted drive when you log in.

Note: this method is less secure than mounting an encrypted drive manually. If someone has physical access to your computer, you are careless with your root password, or your computer has multiple users/guest accounts, this method is not secure; the secondary drive stays mounted when you log out but do not shut down the system, so its contents are visible to other users.

Part 1: Encrypt the secondary drive.

  1. In the Unity dash type "disks" and hit enter.
  2. Below "Devices" click on the hard drive you want to encrypt.
  3. Below "Volumes" click on the cog/more actions button.
  4. Click "Format Volume". For type, choose "Encrypted, compatible with Linux systems." Name your drive and give it a strong pass phrase.
  5. Click "Format".

Part 2: Automatically mount the HDD on system start-up.

  1. Keep the "Disks" application open, and click on the cog.
  2. Click "Edit Encryption Options."
  3. "Automatic Encryption Options" will be turned on, and the menu below greyed out. Turn automatic encryption options off.
  4. Enter the pass phrase from when you formatted the disk. Click "Ok".

You now have an encrypted hard drive that will automatically mount when your computer boots.