User:Delimiter/Encrypted Home

From ConShell

Rough guide to encrypting a home folder so that its contents are protected at rest, e.g. if the laptop is lost or stolen. This was implemented on my laptop running Ubuntu Feisty on Sep 18, 2007.

Must read: http://www.linuxjournal.com/article/6481

This is good too: http://blog.gnist.org/article.php?story=EncryptedSwapAndHomeUbuntu

Before you begin - BACKUP YOUR DATA. You have been warned.

Quick aside: here's how I did that. First, plug in my USB thumb drive, which automounts as /media/KINGSTON.

cat >/home/mdf/salvage-set <<EOF
mdf/.bash_aliases
mdf/.bashrc
mdf/.config
mdf/.dia
mdf/.gconf
mdf/.gconfd
mdf/.gnome2
mdf/.gnupg
mdf/.gtimer
mdf/.keepass
mdf/.keepassx
mdf/.openoffice.org2
mdf/.ssh
mdf/.wine
EOF
cd /home
# -T reads the names as given, without shell globbing, so the glob for the
# non-dot files goes on the command line where the shell expands it;
# -h stores the targets of symlinks rather than the links themselves
tar -cjhf /media/KINGSTON/bitpusher/salvage/mdf-vostro-home.tbz2 -T mdf/salvage-set mdf/*


Create the user if necessary (e.g. aesuser). adduser makes a normal home directory from /etc/skel; it is replaced by the encrypted container below.

sudo adduser aesuser
Adding user `aesuser' ...
Adding new group `aesuser' (1001) ...
Adding new user `aesuser' (1001) with group `aesuser' ...
Creating home directory `/home/aesuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
...

Create an encrypted container to swap in for the home directory. This creates a 512MB image; size it to fit the data you backed up. One caveat before you start: cryptoloop is the older of the two kernel mechanisms for this, and the kernel's own help text for it warns that it is not safe for journalled filesystems such as ext3 and points at the device-mapper crypto target (dm-crypt, driven by cryptsetup) instead. It is what losetup -e and mount -o encryption= drive, which is why this guide relies on it.

sudo dd if=/dev/urandom of=/home/aesuser.img bs=1M count=512
(this can take a while; prefilling with random data means unused space is indistinguishable from ciphertext)
sudo chmod 600 /home/aesuser.img
(the image is ciphertext under a key derived from your login password, so don't leave it world-readable for other users to copy and attack offline)
sudo modprobe cryptoloop
sudo losetup -e aes /dev/loop0 /home/aesuser.img
(use the same password as for aesuser! pam_mount hands your login password to mount, so the two must be identical)
sudo mkfs -t ext3 /dev/loop0
sudo mkdir /mnt/loop0
sudo mount -o loop,encryption=aes,keybits=256 /home/aesuser.img /mnt/loop0
(same password again, and exactly the encryption options you will put in the pam_mount line below: a key-size mismatch then shows up here as a failed mount rather than at your next login)

Copy (rsync) your data into the encrypted container, then make the top of the container private. Its root directory becomes /home/aesuser once mounted, and rsync -a copies the mode of the old home directory (755 on a default Ubuntu install) onto it, which is what lets other users browse it later.

sudo rsync -av /home/aesuser/ /mnt/loop0/
sudo chmod 700 /mnt/loop0

Cleanup

sudo umount /mnt/loop0
sudo losetup -d /dev/loop0
sudo mv /home/aesuser /home/aesuser.notused (or delete it; until you do, a plaintext copy of everything is still on disk)

Set up pam_mount to automount the encrypted home on login. See http://pam-mount.sourceforge.net/

sudo aptitude install libpam-mount

Stick this line in /etc/security/pam_mount.conf. The fields are: user, filesystem type, server, volume, mount point, mount options, key cipher, key file. The two trailing dashes mean there is no separate key file, so the login password itself is the passphrase; keybits must match the key size the filesystem was created with.

volume aesuser  auto - /home/aesuser.img /home/aesuser loop,user,exec,encryption=aes,keybits=256 - -

Add this line to /etc/pam.d/common-auth, after the pam_unix.so line, so that try_first_pass picks up the password pam_unix has already collected instead of prompting a second time

auth       required   pam_mount.so try_first_pass

Add this line to /etc/pam.d/common-session, again after the pam_unix.so line

session    required   pam_mount.so try_first_pass

Add this line to /etc/modules so the module is loaded at boot, before anyone logs in

cryptoloop

Reboot and try logging in as aesuser.
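Before rebooting it is worth checking the pieces above mechanically, because a mistake in the PAM files only shows up as a home directory that will not mount at the next login. The script below is an added example, not code from the original page or from pam_mount: every path is a parameter, so it can be run against the live files or against copies, and the file name pam_mount_check.sh, the error messages and the choice of what to check are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: a pre-flight check for the
# pam_mount setup described above, so that a mistake is caught before you log
# out and find the home directory will not mount. Every path is a parameter,
# so the functions can be run against the live files (as root) or against
# copies. The checks and messages are this example's own choices.

# 0 if pam_mount.so appears in a PAM file on a later uncommented line than
# pam_unix.so. Order matters: try_first_pass only reuses a password that an
# earlier module (pam_unix) has already collected; placed first, pam_mount
# would prompt on its own and you would be asked twice.
pam_mount_after_unix() {
    awk '
        /^[[:space:]]*#/ { next }
        /pam_unix\.so/  && !u { u = NR }
        /pam_mount\.so/ && !m { m = NR }
        END { exit !(u && m && m > u) }
    ' "$1"
}

# 0 if the old-style pam_mount.conf "volume" line for the user has all nine
# tokens (volume user fstype server volume mountpoint options cipher keyfile),
# names the expected image and mount point, asks for encryption, and carries
# keybits=<bits>, which must match what was used when the filesystem was made.
volume_line_ok() {
    conf=$1; user=$2; img=$3; mnt=$4; bits=$5
    awk -v u="$user" -v img="$img" -v mnt="$mnt" -v bits="$bits" '
        /^[[:space:]]*#/ { next }
        $1 == "volume" && $2 == u {
            found = 1
            if (NF != 9) bad = 1
            if ($5 != img || $6 != mnt) bad = 1
            if ($7 !~ /(^|,)encryption=/) bad = 1
            if ($7 !~ ("(^|,)keybits=" bits "(,|$)")) bad = 1
        }
        END { exit !(found && !bad) }
    ' "$conf"
}

# 0 if /etc/modules (or a copy) names cryptoloop on an uncommented line, so
# the module is loaded at boot rather than only after the manual modprobe.
modules_has_cryptoloop() {
    grep -q '^[[:space:]]*cryptoloop[[:space:]]*$' "$1"
}

# 0 if the container file is readable by its owner only. The image is
# ciphertext under a key derived from the login password, so a world-readable
# copy hands every local user an offline password-guessing target.
image_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Run all checks; prints one line per failure and returns 1 if any failed.
run_checks() {
    auth=$1; sess=$2; conf=$3; mods=$4; img=$5; user=$6; mnt=$7; bits=$8
    rc=0
    pam_mount_after_unix "$auth" || { echo "$auth: pam_mount.so missing or not after pam_unix.so"; rc=1; }
    pam_mount_after_unix "$sess" || { echo "$sess: pam_mount.so missing or not after pam_unix.so"; rc=1; }
    volume_line_ok "$conf" "$user" "$img" "$mnt" "$bits" || { echo "$conf: volume line for $user missing or inconsistent"; rc=1; }
    modules_has_cryptoloop "$mods" || { echo "$mods: cryptoloop not listed"; rc=1; }
    image_private "$img" || { echo "$img: readable by group or others; chmod 600 it"; rc=1; }
    return $rc
}

# Live run against the files this guide edits:
#   sudo sh pam_mount_check.sh --live
if [ "${1:-}" = "--live" ]; then
    run_checks /etc/pam.d/common-auth /etc/pam.d/common-session \
        /etc/security/pam_mount.conf /etc/modules \
        /home/aesuser.img aesuser /home/aesuser 256
fi
```

The permission check is the one most people skip: dd run under sudo leaves the image owned by root with the default 644 mode, and a readable container is a readable ciphertext, so any other local account can copy it off and guess the login password at leisure.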

Problems

Problem 1 - the container is not unmounted at logout. This could be due to multiple sessions as per the common-auth settings (pam). Investigating a fix.

Problem 2 - when the user is logged in, data in the container is accessible to other users. Partial work-around: chmod -R go-rwx /home/aesuser. See also http://tech.canterburyschool.org/tech/UbuntuWorkstations, which indicates that adding dmask=0700 to the pam_mount options should provide the fix. No - I tried on dapper and this option is unrecognized. (dmask is a mount option for filesystems that have no Unix permission bits of their own, such as vfat and smbfs, which is why ext3 rejects it. On ext3 the permission bits live inside the container, so a one-time chmod 700 of the mounted home directory is enough to keep other users out, and it persists across remounts; the recursive chmod is not needed for that.)

Sanity check. With the container unmounted, nothing readable should show up; the short runs of printable bytes below are what random data looks like to strings, not leaked content.

mdf-laptop:/# strings /home/aesuser.img | head -20
y-;.$;
jU      1
\\_M
IVt^_
JfC:^
]*Ye
~<w\
q9r|
g~Vk
gu$%I"/
`U0/;
R5g>
u8H1)
,p+A=[)Ns
"'`d
QI`))Q
c5+hF
M;8m'
Ci"J
>dN
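Eyeballing strings output is a weak test: random bytes always produce a few short printable runs, and a page of junk does not prove that no plaintext structure leaked. The script below is an added example, not part of the original page: it measures the byte entropy of the start of the image and greps the whole image for markers that an unencrypted ext3 home would contain in the clear (lost+found is created by mkfs itself). The file name container_check.sh, the marker list and the 7.9 bits/byte threshold are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original page: a slightly stronger sanity check
# than eyeballing `strings`. Short runs of printable bytes are exactly what
# random data looks like, so their presence proves nothing; the questions
# worth asking are whether any recognisable filesystem structure leaks and
# whether the byte distribution is close to uniform. Paths are parameters and
# the thresholds and marker list are this example's own choices.

# Shannon entropy, in bits per byte, of the first <bytes> bytes of a file
# (default 4 MiB, which covers the ext3 superblock and root directory).
# 8.000 is a perfectly uniform distribution; ciphertext and the urandom
# prefill both sit above 7.99, ordinary files and zeroed space far lower.
byte_entropy() {
    head -c "${2:-4194304}" "$1" | od -An -v -tu1 | awk '
        { for (i = 1; i <= NF; i++) { c[$i]++; n++ } }
        END {
            h = 0
            for (b in c) { p = c[b] / n; h -= p * log(p) / log(2) }
            printf "%.3f\n", h
        }'
}

# Number of times a marker that an unencrypted ext3 home would contain in the
# clear shows up anywhere in the image. lost+found is created by mkfs itself,
# so it is present even if the home directory is otherwise empty.
plaintext_markers() {
    grep -a -o -e 'lost+found' -e '\.bashrc' "$1" | wc -l | tr -d ' '
}

# Verdict for one container file: 0 if no markers leak and the entropy is
# above 7.9 bits/byte, 1 otherwise. Run it with the container unmounted.
check_container() {
    hits=$(plaintext_markers "$1")
    ent=$(byte_entropy "$1")
    echo "$1: markers=$hits entropy=$ent"
    [ "$hits" -eq 0 ] && awk -v e="$ent" 'BEGIN { exit !(e > 7.9) }'
}

# Usage:  sh container_check.sh /home/aesuser.img
if [ -n "${1:-}" ]; then
    check_container "$1"
fi
```

The entropy figure is only sampled from the start of the image, which is where the superblock and root directory of an unencrypted filesystem would sit; the marker grep scans the whole file because directory entries and dotfiles can land anywhere.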