Anyone used e4crypt on OpenWRT

Hello,

I've used e4crypt on Ubuntu no problem, but can't seem to get it working on OpenWRT 22.03.5

Has anyone used it?

Steps were:

Unmount partition:
umount /dev/nvme0n1p2

Check it:
e2fsck -Df /dev/nvme0n1p2

List features to check:
tune2fs -l /dev/nvme0n1p2

Convert to 64bit (if not already):
resize2fs -b /dev/nvme0n1p2

Enable checksums support (if not already): 
tune2fs -O metadata_csum /dev/nvme0n1p2

Enable fast commits (if not already):
tune2fs -O fast_commit /dev/nvme0n1p2

Enable encryption (if not already):
tune2fs -O encrypt /dev/nvme0n1p2

Then create the salt and add a key using that salt

head -c 16 /dev/random | xxd -p > ~/.salt

e4crypt add_key -S 0x`cat ~/.salt`

Enter passphrase (echo disabled): 
Added key with descriptor [b41016c2dce1a9fa]

root@Router:~# keyctl show
Session Keyring
 179505062 --alswrv      0 65534  keyring: _uid_ses.0
 330372125 --alswrv      0 65534   \_ keyring: _uid.0
 780929598 --alsw-v      0     0   \_ logon: ext4:b41016c2dce1a9fa

Then create encrypted directory:

e4crypt set_policy b41016c2dce1a9fa /srv/vm/enc/
Error [Not supported] setting policy.
The key descriptor [b41016c2dce1a9fa] may not match the existing encryption context for directory [/srv/vm/enc/].

Odd.

So what's already there?

e4crypt get_policy /srv/vm/enc/
Error getting policy for /srv/vm/enc/: Not supported

An error.

Am I missing a kmod or ??

FS_ENCRYPTION is globally disabled for OpenWrt, it cannot be added by a kernel module (bool).
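
Added example, not part of the original thread: a preflight check that separates the kernel-side cause named in the reply above from a missing on-disk `encrypt` flag, before `e4crypt set_policy` is attempted. It assumes ext4 advertises kernel encryption support as the file `/sys/fs/ext4/features/encryption`; the function names, the `FEATURES_DIR` override and the sample line are inventions of this example.

```shell
#!/bin/sh
# Added example: preflight for ext4 native encryption.
# FEATURES_DIR and all function names are assumptions of this example.
FEATURES_DIR="${FEATURES_DIR:-/sys/fs/ext4/features}"

# Constructed sample of the relevant `tune2fs -l` line (not from the thread).
SAMPLE_FEATURES='Filesystem features:      has_journal extent 64bit metadata_csum encrypt fast_commit'

# Kernel side: ext4 lists "encryption" here only when the running kernel
# was built with CONFIG_FS_ENCRYPTION.
kernel_has_ext4_encryption() {
    [ -e "$FEATURES_DIR/encryption" ]
}

# On-disk side: read `tune2fs -l` output on stdin and look for the exact
# word "encrypt" on the "Filesystem features:" line.
fs_has_encrypt_flag() {
    awk -F: '/^Filesystem features:/ {
                 n = split($2, f, " ")
                 for (i = 1; i <= n; i++) if (f[i] == "encrypt") found = 1
             }
             END { exit !found }'
}

# Prints one verdict: kernel-unsupported, fs-flag-missing or ready.
ext4_crypt_preflight() {
    report=$(cat)   # consume all of stdin so the upstream pipe never breaks
    if ! kernel_has_ext4_encryption; then
        echo kernel-unsupported   # set_policy/get_policy cannot work on this kernel
    elif ! printf '%s\n' "$report" | fs_has_encrypt_flag; then
        echo fs-flag-missing      # tune2fs -O encrypt has not been applied
    else
        echo ready
    fi
}

# Usage on a real system:
#   tune2fs -l /dev/nvme0n1p2 | ext4_crypt_preflight
```

Running the kernel check first avoids changing on-disk feature flags for a kernel that cannot use them.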

Oh, ok.

I use more generally gocryptfs, so might try and get a package of that going.
Assuming using fuse is ok.

Somebody looks to have done one already / can be borrowed:

Will give it a go.

fuse should be fine (e.g. things like ntfs-3g are already supported), golang might pose more of a hurdle (limited arch support, not that commonly used on OpenWrt, relatively huge footprint).

Just to confirm that I did get gocryptfs onto OpenWRT 22.03.5 by compiling using the SDK and a modified version of the Makefile linked earlier.

But my skills are limited and although the binary built, the final packaging errored.
So I cheated and just SCP'd the binary onto the router.

But hey, at least it works :)

In case anyone is interested, the modified Makefile is:

#
# Copyright (C) 2010-2016 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

include $(TOPDIR)/rules.mk

PKG_NAME:=gocryptfs
PKG_VERSION:=2.3.2
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/rfjakob/$(PKG_NAME)/archive/v$(PKG_VERSION)
PKG_HASH:=199505728ad5216d7df7b937948c37e0b5405db9fecf7ddf605bd0dcf7f17287

PKG_MAINTAINER:=Nobody <nobody@noone.com>
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE

PKG_BUILD_DEPENDS:=golang/host
PKG_BUILD_PARALLEL:=1
PKG_USE_MIPS16:=0

GO_PKG:=github.com/rfjakob/gocryptfs/v2
GO_PKG_BUILD_PKG:=github.com/rfjakob/gocryptfs/v2

GO_PKG_LDFLAGS_X:= \
	main.GitVersion=$(PKG_VERSION) \
	main.BuildDate=$(SOURCE_DATE_EPOCH) \
	main.GitVersionFuse="[unknown]"

include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/nls.mk
include ../../../packages-openwrt-22.03/lang/golang/golang-package.mk


define Build/Compile
		# Needed so gocryptfs can see what version it's dealing with:
		echo $(PKG_VERSION) > $(PKG_BUILD_DIR)/VERSION
		# Build without OpenSSL (fewer deps and speedtests show it's faster without):
		$(PKG_BUILD_DIR)/build-without-openssl.bash
endef

define Package/gocryptfs
  SECTION:=utils
  CATEGORY:=Utilities
  TITLE:=An encrypted overlay filesystem written in Go
  URL:=https://nuetzlich.net/gocryptfs/
  DEPENDS:=$(GO_ARCH_DEPENDS) +libfuse +fuse-utils +kmod-fuse
endef

define Package/gocryptfs/description
  An encrypted overlay filesystem written in Go
endef

define Package/gocryptfs/install
	$(call GoPackage/Package/Install/Bin,$(1))
endef

$(eval $(call GoBinPackage,gocryptfs))
$(eval $(call BuildPackage,gocryptfs))

EDIT: It doesn't produce an installable package, but the binary is there and works.
I'll post another topic on it perhaps and try and get some help to finish the job properly.
