# pefs encrypted directory



## NapoleonWils0n (Aug 16, 2018)

Create an encrypted directory using pefs

*pefs install*


```
sudo pkg install pefs-kmod
```

*pefs load kernel module*

Once installed, we next need to load the pefs kernel module:


```
sudo kldload pefs
```

check the pefs kernel module is loaded with kldstat


```
kldstat
```

If we want to keep this module loaded across reboots, add it to /boot/loader.conf:


```
sudo vim /boot/loader.conf
```

then add the following line to /boot/load.conf


```
pefs_load="YES"
```

*pefs encrypted directory*

create an encrypted directory
create a directory in your home directory which we will encrypt with pefs, in this demo the name of the directory is storage


```
mkdir -p ~/storage
```

change permissions to make it readable by only our user


```
chmod 700 ~/storage
```

create the pefs keychain with aes256 encryption


```
pefs addchain -fZ -a aes256 ~/storage
```

At the prompt enter you user login password and then confirm

Enter parent key passphrase:
Reenter parent key passphrase:

list the ~/storage directory to make sure the ~/storage/.pefs.db file is created


```
ls -a ~/storage
```

mount the ~/storage directory


```
pefs mount ~/storage ~/storage
```

pefs add aes256 key


```
pefs addkey -c -a aes256 ~/storage
```

Enter the same password as you used to create the keychain

create a file with some text to test the encryption


```
echo 'testing' > ~/storage/test.txt
```

check the contents of the file and it should be unencrypted


```
less ~/storage/test.txt
```

*unmount the pefs directory*

unmount the ~/storage directory and the file will become encrypted


```
pefs umount ~/storage
```

list the storage directory and the filename will now be encrypted


```
ls -al ~/storage
```

check the contents of the file and it should be encrypted
the filename will be changed from test.txt to an encrypted string


```
less ~/storage/.CHkOvB7RVpxPAwD3X8AgG0hltd_sQV59
```

*remount the pefs ~/storage directory*

remount the pefs ~/storage directory


```
pefs mount ~/storage ~/storage
```

re add the pefs key note you dont have to add the keychain, 
as you have already created the keychain you just have to re add the pefs key


```
pefs addkey -c -a aes256 ~/storage
```

you will be prompted to enter your password, which is your user login password

Enter passphrase:

list the contents of the ~/storage directory


```
ls -al ~/storage
```

check the contents of the file and it should be unencrypted


```
less ~/storage/test.txt
```

pefs showchains for directory show the key added to the keychain


```
pefs showchains -f ~/storage
```

this should show the key is encrypted with aes256 encyption


----------



## tanis (Dec 28, 2019)

Update: Encrypted home directory using PEFS.

This works for local login and remote login. If the remote connection drops for whatever reason, the home directory gets locked again. Unfortunately the setup still lacks the ability to handle local *and* remote login at the the same time. So if you are already logged in remotely and log in locally as well, the home directory will be locked after the local logout. To unlock the home directory again, the following will do the trick:


```
pefs addkey -c $HOME
```

It is also mandatory to know, that if you like to scp files to your home directory it is necessary to login first using ssh, so that your home directory is unlocked.

Bash shell has been used here, and I didn't try the setup with a different shell, but my guess would be it works in a similar fashion.



The following additional files are mandatory, and it helps to create them first, so they are in position, if needed:

File: /etc/pam.d/pam_session.sh
Permission: chmod a+x /etc/pam.d/pam_session.sh

```
#!/bin/sh

log_file=/var/log/log.pam_session
pefs=/usr/local/sbin/pefs

if [ ! -f /usr/home/$PAM_USER/.pefs.db ] ; then
        echo "`date` PAM $PAM_USER: pefs support not enabled!" >> $log_file
        exit 0
fi

SESSION_CNT=`who | grep $PAM_USER | wc -l | grep -E -o [0-9]+`
case "$PAM_SM_FUNC" in
        pam_sm_close_session)
                echo "$PAM_USER active sessions: $SESSION_CNT" >> $log_file
                if [ $SESSION_CNT -ge 1 ] ; then
                        #echo "`date` PAM $PAM_USER: still logged in!" >> $log_file
                        exit 0
                fi
                $pefs flushkeys /usr/home/$PAM_USER
        ;;
esac
```

File: $HOME/.bash_login
Permission: chmod 0644 $HOME/.bash_login
Comment: The file needs to be moved in position at a later stage, please pay attention below.

```
#~/.bash_login

SESSION_CNT=`who | grep $USER | wc -l | grep -E -o [0-9]+`
SESSION_TYPE=`who | grep $USER | grep pts | grep -E -o "\(([0-9]+(\.[0-9]+){3}|localhost)\)$" | tail -1`

if [ -f ~/.pefs.db -a $SESSION_CNT -le 1 -a "$SESSION_TYPE" ] ; then
        if [ "$TERM" != "screen" ] ; then
               echo ""
               echo "Please enter keyword to unlock home directory:"
               /usr/local/sbin/pefs addkey -c `pwd`
        fi
fi

# !! ATTENTION !!
# Following this line all files are still encrypted, if a false keyword has
# been provided.
# !! ATTENTION !!

if [ -f ~/.bashrc ] ; then
        source ~/.bashrc
fi
```

Edit /etc/pam.d/system to enable PEFS support for local login:

```
[..]
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_pefs.so              try_first_pass delkeys
auth            required        pam_unix.so             no_warn try_first_pass nullok

[..]

# session
#session        optional        pam_ssh.so              want_agent
session         optional        /usr/local/lib/pam_pefs.so              delkeys
session         required        pam_lastlog.so          no_fail

[..]
```

Edit /etc/pam.d/sshd to enable PEFS support for remote login:

```
[..]

# session
#session        optional        pam_ssh.so              want_agent
session         optional        pam_exec.so             /etc/pam.d/pam_session.sh
session         required        pam_permit.so

[..]
```

Finally create a user directory with PEFS support:


```
#01. create user
                adduser jdoe
                adjust home directory to /usr/home/jdoe
                user password needs to be the same as chain and key password

                #02. prepare PEFS user setup
                cd /usr/home
                mv jdoe jdoe.orig
                mkdir jdoe
                chown jdoe:jdoe jdoe
                pefs addchain -Z -f /usr/home/jdoe
                pefs mount /usr/home/jdoe /usr/home/jdoe
                pefs addkey /usr/home/jdoe
                -> password = jdoe password
                mv /usr/home/jdoe/.pefs.db /usr/home/.
                umount /usr/home/jdoe
                mv /usr/home/.pefs.db /usr/home/jdoe/.
                chown jdoe:jdoe /usr/home/jdoe/.pefs.db
             
                # .bash_login needs to be unencrypted in the home
                # directory, so on login in will execute and unlock
                # our home directory
                mv /tmp/.bash_login /usr/home/jdoe/.
                chown jdoe:jdoe /usr/home/jdoe/.bash_login
                pefs mount /usr/home/jdoe /usr/home/jdoe
                pefs addkey -c /usr/home/jdoe
                cp -av /usr/home/jdoe.orig/.[a-z]* /usr/home/jdoe/.
                umount /usr/home/jdoe
                rm -rf /usr/home/jdoe.orig
             
                # Add the following line to /etc/fstab
                /usr/home/jdoe /usr/home/jdoe pefs rw,late 0 0
             
                # Mount your home directory using fstab
                mount /usr/home/jdoe
```

Reboot your system to verify there are no errors during the boot sequence.

To avoid entering your password twice using SSH remote login, you can enable ssh certificate based authentication.


----------

