Since I started dabbling in Cryptocurrency I've been feeling a bit paranoid about protecting my wallet information and keys. Fortunately there are already tools that are dead easy to use.
The standard tool for linux is called eCryptfs and let me tell you how awesome and convenient it is!
## eCryptfs
eCryptfs is a cryptographic overlay filesystem for Linux. It's a great tool to encrypt some private data like cryptocurrency wallet keys, private pictures — anything really.
It allows you to mount a password-protected, encrypted filesystem on top of your usual unencrypted filesystem:

```text
dex@~/.private $ ls
Access-Your-Private-Data.desktop README.txt
$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [xxxxxx] into the user session keyring
INFO: Your private directory has been mounted.
INFO: To see this change in your current shell:
cd /home/dex/.private
dex@~/.private $ cd .
dex@~/.private $ ls
myetherwallet btc
```
Pretty damn cool - simple and secure!
## Setup
eCryptfs setup is dead easy!
Since Linux version 3.18 the eCryptfs overlay filesystem has been included in the core kernel. Simply enable it with:

```sh
modprobe ecryptfs
```
Then we need some tools to easily mount, unmount and set up our filesystem: ecryptfs-utils has everything we need and is available in every Linux package manager:

```sh
sudo apt install ecryptfs-utils # Ubuntu
sudo pacman -S ecryptfs-utils # Arch
```

etc. etc.
Once you have it installed you'll find a bunch of ecryptfs utilities in your user-space path; just type `ecryptfs-` in your terminal and press tab to see the goodies:

```text
[dex@nanosaurus ~]$ ecryptfs-<tab>
ecryptfs-add-passphrase
ecryptfs-find
ecryptfs-insert-wrapped-passphrase-into-keyring
ecryptfs-manager
...
```
Finally, to initialise an ecryptfs setup we need to run:

```sh
ecryptfs-setup-private --nopwcheck --noautomount
```
We use the `--nopwcheck` and `--noautomount` flags here for extra security:

- `--nopwcheck` allows us to use a different password from our user's login password.
- `--noautomount` disables automatic mounting of the encrypted directory at login, which is not a great idea anyway and wouldn't work if our encryption password is different from our user's one.
This command will ask you for a login password and a mount password. For the login password use your own password; for the mount password leave it empty, as ecryptfs will create one for you using your login password as a seed. Afterwards the system will be initialised and the `~/Private` and `~/.ecryptfs` directories will be created.

Note: you want to back up your encrypted mount password, which is located in `~/.ecryptfs/wrapped-passphrase`. Remember that the mount password is generated from your login password, so the passphrase file is completely useless without your login password - put a copy of this file somewhere you will never lose it!
## Usage
`~/Private` is your ecryptfs-encrypted directory from now on. To use it you must mount it with the `ecryptfs-mount-private` command, and once you're done using it run `ecryptfs-umount-private` to make it inaccessible once again:

```text
dex@~/Private $ ls
Access-Your-Private-Data.desktop README.txt
$ ecryptfs-mount-private
dex@~/Private $ cd .
dex@~/Private $ ls
myetherwallet btc diary emberassing_hobbies
```

That's it! Now you have a safe directory on your computer where you can store sensitive data. Even if someone gets access to your user's home directory they'll still need your ecryptfs password to get anything out of it.
## Customizing
`~/Private` is a pretty terrible name. It's CamelCase and I'd very much prefer it to be hidden. We can change it to `~/.private` very easily though:

```sh
mv ~/Private ~/.private
echo /home/dex/.private > ~/.ecryptfs/Private.mnt
```
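One footgun with the Usage and Customizing steps above: if the private directory is not mounted, it is just an ordinary directory holding the placeholder README, so copying a wallet into it writes plaintext to disk. The script below (an added example, not from the original post) reads the mount point from `~/.ecryptfs/Private.mnt`, checks `/proc/mounts` for a live `ecryptfs` entry at that path, and refuses to copy otherwise; the `ECRYPTFS_DIR` and `MOUNTS_FILE` overrides are my own additions so the check can be exercised against constructed files.

```shell
#!/bin/sh
# Added example: only copy a file into the eCryptfs private directory when it
# is actually mounted, so sensitive data never lands in plaintext on the
# unmounted mount point. Paths are assumptions matching the post's layout and
# can be overridden for testing.

ECRYPTFS_DIR="${ECRYPTFS_DIR:-$HOME/.ecryptfs}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Print the configured private mount point, i.e. the first line of Private.mnt.
private_mnt() {
    mnt_file="$1/Private.mnt"
    [ -r "$mnt_file" ] || return 1
    head -n 1 "$mnt_file"
}

# Return 0 if $1 appears in $2 (a /proc/mounts-style file) as an ecryptfs mount.
# /proc/mounts fields: device mountpoint fstype options dump pass
# (the kernel escapes spaces in paths as \040, so keep the mount point simple).
is_ecryptfs_mounted() {
    target="$1"
    mounts="$2"
    awk -v mp="$target" '$2 == mp && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$mounts"
}

# Copy $1 into the private directory only when it is a live ecryptfs mount.
safe_copy() {
    src="$1"
    mnt="$(private_mnt "$ECRYPTFS_DIR")" || {
        echo "no Private.mnt found in $ECRYPTFS_DIR" >&2
        return 2
    }
    if ! is_ecryptfs_mounted "$mnt" "$MOUNTS_FILE"; then
        echo "refusing: $mnt is not mounted as ecryptfs (run ecryptfs-mount-private first)" >&2
        return 1
    fi
    cp -- "$src" "$mnt/"
}
```

Usage: `safe_copy ~/Downloads/wallet.dat`; a non-zero exit with the "refusing" message means the directory is still locked.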
## General Security tips

### The Three Rule
If it doesn't exist in __three__ places it doesn't exist at all.
Fortunately an ecryptfs directory acts like a normal directory, so you can easily back it up to a USB stick, cloud storage or even email. Really, just put that shit everywhere: as long as you keep your login and mount passwords safe, no one will be able to access your stuff.
We've all heard magical stories about people losing usb sticks with their bitcoin wallets. Well if you had your wallet encrypted and in three different places that would have never happened!
### Long Passwords Triumph
I don't think I can top the explanation in this xkcd comic, so I'll just leave you with it and say: just use a simple a-z password that is at least 13 characters long.
## Further Reading
If you want to dig deeper I suggest the Arch wiki article or simply `man ecryptfs`! Additionally, the top questions on stackoverflow also make for some interesting reading.