Userland EcryptFS library written in PHP
https://github.com/iqb/ecryptfs
- Host: GitHub
- URL: https://github.com/iqb/ecryptfs
- Owner: iqb
- License: lgpl-3.0
- Created: 2017-10-20T01:55:40.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2020-04-03T12:40:08.000Z (about 6 years ago)
- Last Synced: 2024-04-19T14:43:51.352Z (about 2 years ago)
- Topics: crypto, ecryptfs, php
- Language: PHP
- Size: 115 KB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
Userland EcryptFS library written in PHP
========================================
[EcryptFS](http://ecryptfs.org/) is a Linux file system that allows you to encrypt your files (and file names).
It is part of the Linux kernel and is used e.g. by Ubuntu to encrypt users' home directories.
EcryptFS uses two (possibly different) keys for encryption:
- the FNEK (File Name Encryption Key) for encrypting/decrypting file names
- the FEKEK (File Encryption Key Encryption Key) for encrypting/decrypting the file-specific random key (FEK) with which the file contents are encrypted
By default, these two keys are derived from a passphrase.
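As an added illustration of that default derivation (this is not code from the iqb/ecryptfs library or this README), the following is an independent PHP reimplementation of the passphrase-to-key step as ecryptfs-utils performs it: the two salts, the SHA-512 iteration count and the signature format are recalled from libecryptfs and are assumptions to be confirmed against a host with ecryptfs-utils installed.

```php
<?php
declare(strict_types=1);
// Added illustration, not code from iqb/ecryptfs. Constants are recalled from
// ecryptfs-utils (libecryptfs) and are assumptions; confirm the signatures on a host with ecryptfs-utils.
const ECRYPTFS_DEFAULT_SALT_HEX = '0011223344556677';      // FEKEK salt
const ECRYPTFS_DEFAULT_SALT_FNEK_HEX = '9988776655443322'; // FNEK salt
const ECRYPTFS_DEFAULT_NUM_HASH_ITERATIONS = 65536;
const ECRYPTFS_SIG_SIZE = 8; // bytes; shown as 16 hex characters

/**
 * Derive a 64-byte key from a passphrase and an 8-byte salt.
 * Round 1 hashes salt || passphrase; every further round rehashes the digest.
 * The loop starts at 2 as in libecryptfs, i.e. 65535 SHA-512 calls in total (assumed).
 * AES-128 uses the first 16 bytes of the result, AES-256 the first 32.
 */
function ecryptfsDeriveKey(string $passphrase, string $saltHex): string
{
    $salt = \hex2bin($saltHex);
    if ($salt === false || \strlen($salt) !== 8) {
        throw new \InvalidArgumentException('salt must be 8 bytes (16 hex characters)');
    }
    $key = \hash('sha512', $salt . $passphrase, true);
    for ($i = 2; $i < ECRYPTFS_DEFAULT_NUM_HASH_ITERATIONS; $i++) {
        $key = \hash('sha512', $key, true);
    }
    return $key;
}

/** Key signature: first 8 bytes of SHA-512(key), hex-encoded. File headers and
 *  the kernel keyring refer to the key by this id. */
function ecryptfsKeySignature(string $key): string
{
    return \bin2hex(\substr(\hash('sha512', $key, true), 0, ECRYPTFS_SIG_SIZE));
}

/** Both keys described above for one passphrase, keyed by their role. */
function ecryptfsKeysFromPassphrase(string $passphrase): array
{
    $fekek = ecryptfsDeriveKey($passphrase, ECRYPTFS_DEFAULT_SALT_HEX);
    $fnek  = ecryptfsDeriveKey($passphrase, ECRYPTFS_DEFAULT_SALT_FNEK_HEX);
    return [
        'fekek' => ['key' => $fekek, 'sig' => ecryptfsKeySignature($fekek)],
        'fnek'  => ['key' => $fnek,  'sig' => ecryptfsKeySignature($fnek)],
    ];
}

// The README's passphrase `test`; the two signatures differ because the salts do.
foreach (ecryptfsKeysFromPassphrase('test') as $role => $k) {
    \printf("%-5s sig=%s aes128=%s\n", $role, $k['sig'], \bin2hex(\substr($k['key'], 0, 16)));
}
```

On a host with ecryptfs-utils, `ecryptfs-add-passphrase --fnek` prints both signatures for the same passphrase, which is the quickest way to check this output.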
Encrypting/Decrypting file names
--------------------------------
Encrypted file names start with the prefix `ECRYPTFS_FNEK_ENCRYPTED.` followed by the encrypted original file name.
E.g. `ECRYPTFS_FNEK_ENCRYPTED.FWayVrRYlN446EY.WUc7GBFqG9GB6qF3eRmJZ7NYS7ANeS4Gfi9c34ZDTU--` decrypts to `loremipsum.txt` if you use the passphrase `test`.
The code for encrypting and decrypting file names looks like this:
```php
<?php
require __DIR__ . '/vendor/autoload.php'; // Composer autoloader (assumed)

$passphrase = 'test';

// stream context options are keyed by the wrapper name ('ecryptfs')
$context = \stream_context_create([
    'ecryptfs' => [
        'passphrase' => $passphrase,
    ]
]);
// alternatively we could use constants to avoid typos:
$context = \stream_context_create([
    \Iqb\Ecryptfs\StreamWrapper::STREAM_NAME => [
        \Iqb\Ecryptfs\StreamWrapper::CONTEXT_PASSPHRASE => $passphrase,
    ]
]);
// This will print some lorem ipsum text
echo \file_get_contents('ecryptfs://' . __DIR__ . '/tests/data/encrypted/ECRYPTFS_FNEK_ENCRYPTED.FWayVrRYlN446EY.WUc7GBFqG9GB6qF3eRmJZ7NYS7ANeS4Gfi9c34ZDTU--', false, $context), PHP_EOL;
```
Everything after `ecryptfs://`, together with the stream context, is passed to `fopen()`, so you can access encrypted files through all stream wrappers available in PHP.
If you don't have a file but an open resource (e.g. a file opened via HTTP by Guzzle), you can pass the resource via the stream context:
```php
<?php
require __DIR__ . '/vendor/autoload.php'; // Composer autoloader (assumed)

$passphrase = 'test';
// any readable stream resource works, e.g. a file opened via HTTP by Guzzle;
// here the repository's test file is opened with fopen()
$stream_resource = \fopen(__DIR__ . '/tests/data/encrypted/ECRYPTFS_FNEK_ENCRYPTED.FWayVrRYlN446EY.WUc7GBFqG9GB6qF3eRmJZ7NYS7ANeS4Gfi9c34ZDTU--', 'rb');

$context = \stream_context_create([
    \Iqb\Ecryptfs\StreamWrapper::STREAM_NAME => [
        \Iqb\Ecryptfs\StreamWrapper::CONTEXT_PASSPHRASE => $passphrase,
        \Iqb\Ecryptfs\StreamWrapper::CONTEXT_STREAM => $stream_resource,
    ]
]);
// This will print some lorem ipsum text
// Everything after the 'ecryptfs://' is ignored
echo \file_get_contents('ecryptfs://', false, $context), PHP_EOL;
```
Limitations
-----------
- Seeking in the decrypted file content is not supported yet
- Encrypting files is not possible yet
- Currently only AES (with 128 and 256 bit keys) is fully supported
- AES with 192 bits only works for file names (due to limitations in the original EcryptFS kernel implementation)
- If the randomly generated file encryption key (FEK) is available for decryption with multiple FEKEKs (as is theoretically possible in the EcryptFS file header but not used AFAIK), only the first packet is tried. If that packet was encrypted with a different FEKEK, decryption will fail.
Compatibility
-------------
To test compatibility with your specific version of EcryptFS, just run the test suite with PHPUnit.
The IntegrationTest class creates real EcryptFS mounts and writes files to them to verify the functionality.
This requires that the EcryptFS utilities package (e.g. ecryptfs-utils in Debian/Ubuntu) is installed and that the tests
are run as root or via passwordless sudo.
The library is developed on Debian Stretch with kernel 4.9 but is at least compatible with the EcryptFS versions in Debian Jessie; the CI tests run on Ubuntu AFAIK.
The EcryptFS on-disk format seems pretty stable, so the chance of incompatibilities with future kernel versions is quite slim.