One of my favorite things about Qubes-OS is that I can test administrator changes to a Qube and if it fails or I mess it up, I can throw it all away and start over again fairly painlessly. I have made Qubes to test Perl environments, Python environments, linuxbrew, Go, Rust, etc.
Today’s adventure was with “eCryptfs”. I have two old Linux boxes that have been with me forever, and I have really been worried about the data stored in them. I try to keep them up to date, but they do have old debris scattered in /bin, /usr/bin, etc. I should rebuild them from scratch on new hardware, and that’s my intention, but this is going to take a good solid weekend of my time. For now, I just want to sort of protect the home directories with eCryptfs. I also don’t want to mess up what I have.
So on my Qubes machine, I cloned the debian-9 template to debian-9-ecryptfs. In a dom0 terminal:
$ qvm-clone debian-9 debian-9-ecryptfs
I want a new template, since I will add the eCryptfs packages and I don’t want to pollute the stock debian-9 template.
Then I start a new terminal in the debian-9-ecryptfs template and apt-get “eCryptfs” based on a couple of tutorials I have been reading. These tutorials are:
https://www.howtoforge.com/tutorial/how-to-encrypt-directories-with-ecryptfs-on-ubuntu-16-04/
https://wiki.debian.org/TransparentEncryptionForHomeFolder
http://tombuntu.com/index.php/2008/08/07/create-an-encrypted-private-directory-with-ecryptfs/
To install eCryptfs in the template:
# apt-get install ecryptfs-utils
Now I shut down the template and create a new Qube based on the new template using the Qube Manager GUI. I let it default to my-new-qube.
Then I start “my-new-qube” and start playing with the tutorials, creating multiple different encrypted directories, mounting and unmounting them until I think I have decent practice. Then I throw away “my-new-qube”.
To me, this is perfect: I can learn about eCryptfs without risking my old Debian machine or my Qubes-OS machine.
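The whole workflow above can also be driven from a dom0 terminal. The script below is an added example, not the author's own: it uses the qube names from the post, replaces the Qube Manager GUI step with qvm-create, and assumes a red label and a dry-run default so the commands can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example: throwaway eCryptfs test qube, driven from dom0.
# Qube names are the ones used in the post; the "red" label and the
# dry-run default are assumptions of this example.
SRC=debian-9
TPL=debian-9-ecryptfs
QUBE=my-new-qube

# Print each command; execute it only when DRY_RUN=0.
step() {
    echo "+ $*"
    [ "${DRY_RUN:-1}" = 1 ] || "$@"
}

# Clone the stock template, add eCryptfs to the clone only, then
# create a test qube from the clone and confirm it sees the package.
build() {
    step qvm-clone "$SRC" "$TPL" &&
    step qvm-run -a -u root -p "$TPL" 'apt-get -y install ecryptfs-utils' &&
    step qvm-shutdown --wait "$TPL" &&
    step qvm-create --template "$TPL" --label red "$QUBE" &&
    step qvm-run -a -p "$QUBE" 'dpkg -s ecryptfs-utils'
}

# Throw the test qube away; the cloned template stays for the next round.
discard() {
    step qvm-shutdown --wait "$QUBE" &&
    step qvm-remove "$QUBE"
}

# Usage: DRY_RUN=0 sh ecryptfs-lab.sh build|discard
case "${1:-}" in
    build)   build ;;
    discard) discard ;;
esac
```

Because the package is installed in the cloned template rather than in the test qube, every new qube created from debian-9-ecryptfs starts with eCryptfs available, and the stock debian-9 template is never modified.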