Encrypted home on Ubuntu using dmcrypt
Install cryptsetup and dmsetup:
# apt-get install cryptsetup dmsetup
Install pam_mount:
# apt-get install libpam-mount
Configure PAM to use pam_mount for authentication and session management. The PAM authentication step captures the user's log-on password; the PAM session step uses it to set up the dm-crypt device and mount it at log on, and unmounts and removes the device at log off.
# echo "@include common-pammount" >> /etc/pam.d/common-auth
# echo "@include common-pammount" >> /etc/pam.d/common-session
Set up some variables to make the rest of the steps a little easier and more generic:
# USER=solana
# KEYSIZE=128
# DEVICE=/dev/whatever
The meaning of the previous variables is:
- USER defines the username.
- KEYSIZE defines the AES keysize used to encrypt the data. Valid keysizes are 128, 192 and 256.
- DEVICE defines the device that will hold the encrypted volume. This can be a standard partition, an LVM volume, an NBD, etc. It must be a separate, empty volume rather than the existing /home: the mkfs.ext3 step below destroys whatever the device contains, and the user's existing files have to be copied into the mounted volume afterwards.
Generate a random AES key, encrypt it with the user's log-on password and store it in a file outside the encrypted volume (pam_mount needs it before the home directory is mounted):
# dd if=/dev/urandom bs=1c count=$((${KEYSIZE}/8)) | openssl enc -aes-${KEYSIZE}-ecb > /home/${USER}.key
When prompted for the passphrase, enter the user's log-on password. The key file is only as strong as that password, so keep it readable by root alone (pam_mount runs as root, nobody else needs it). It is also tied to the current password: after the user changes it, the key file must be re-encrypted with the new password (decrypt it with the old one, encrypt it again with the new one), or the home directory will no longer mount.
Set up the dm-crypt device. openssl decrypts the key file and cryptsetup reads the key from standard input:
# openssl enc -d -aes-${KEYSIZE}-ecb -in /home/${USER}.key | cryptsetup -c aes -s ${KEYSIZE} create crypt-${USER} ${DEVICE}
When asked for the passphrase, enter the user's log-on password.
Make a new ext3 filesystem on top of the dm-crypt device (this wipes the previous contents of ${DEVICE}):
# mkfs.ext3 /dev/mapper/crypt-${USER}
The fresh filesystem is owned by root, so mount it once and change the owner so the user will be able to write to this volume:
# mkdir /mnt/crypt-${USER}
# mount /dev/mapper/crypt-${USER} /mnt/crypt-${USER}
# chown ${USER} /mnt/crypt-${USER}
# umount /dev/mapper/crypt-${USER}
# rmdir /mnt/crypt-${USER}
Free the dm-crypt device:
# dmsetup remove crypt-${USER}
To test that mount.crypt works, decrypt the key and mount the encrypted volume on the user's home directory (the mount point /home/${USER} must already exist; whatever it contains is hidden while the volume is mounted):
# openssl enc -d -aes-${KEYSIZE}-ecb -in /home/${USER}.key | mount.crypt ${DEVICE} /home/${USER} -o keysize=${KEYSIZE}
Unmount and free the dm-crypt device after the test. mount.crypt names the mapping after the device path with every "/" replaced by "_" (check the actual name with dmsetup ls), and the mapping cannot be removed while the volume is still mounted:
# umount /home/${USER}
# dmsetup remove $(echo ${DEVICE} | tr / _)
Configure pam_mount. The line follows the whitespace-separated pam_mount.conf format: user, filesystem type, server (unused for crypt, hence the dash), volume, mount point, mount options, cipher of the key file and path to the key file:
# echo "volume ${USER} crypt - ${DEVICE} /home/${USER} keysize=${KEYSIZE} aes-${KEYSIZE}-ecb /home/${USER}.key" >> /etc/security/pam_mount.conf
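The whole procedure above, from the variables to the pam_mount.conf line, wrapped into one script with the checks the steps leave implicit. This is an example added here, not code from the original post or from pam_mount: the helper names, the refusal to touch a mounted device or overwrite an existing key file, the 0600 key file, and the mapping-name helper (which assumes mount.crypt names its mapping after the device path with slashes turned into underscores) are mine; the commands themselves are the ones the post runs. The test mount with mount.crypt is left out, since it is optional.

```shell
#!/bin/sh
# setup-encrypted-home.sh (added example, not from the original post):
# runs the post's steps for one user, with the checks the post leaves implicit.
# Usage, as root, on a NEW and EMPTY block device (its contents are destroyed):
#   sh setup-encrypted-home.sh solana /dev/sda5 128
set -eu

# AES key sizes, in bits, that both openssl and cryptsetup accept here.
valid_keysize() {
    case "$1" in
        128|192|256) return 0 ;;
        *) return 1 ;;
    esac
}

# Bytes of key material to draw from /dev/urandom for a key size in bits.
key_bytes() {
    echo $(( $1 / 8 ))
}

# Name mount.crypt gives its device-mapper node: the device path with every '/'
# turned into '_' (assumption about pam_mount's mount.crypt; confirm with dmsetup ls).
mountcrypt_dm_name() {
    printf '%s\n' "$1" | tr '/' '_'
}

# The "volume" line for /etc/security/pam_mount.conf in the whitespace format the
# post uses: user fstype server volume mountpoint options keycipher keyfile.
pam_mount_volume_line() {
    printf 'volume %s crypt - %s /home/%s keysize=%s aes-%s-ecb /home/%s.key\n' \
        "$1" "$2" "$1" "$3" "$3" "$1"
}

# Destructive part. Needs root, an existing user and an unused block device.
setup_encrypted_home() {
    user=$1; device=$2; keysize=$3
    keyfile="/home/$user.key"
    valid_keysize "$keysize" || { echo "keysize must be 128, 192 or 256" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    [ -b "$device" ] || { echo "$device is not a block device" >&2; return 1; }
    # mkfs below wipes the device: refuse if it is currently mounted.
    if grep -qs "^$device " /proc/mounts; then
        echo "$device is mounted; use a new, empty volume" >&2; return 1
    fi
    [ ! -e "$keyfile" ] || { echo "$keyfile exists, refusing to overwrite" >&2; return 1; }

    # Random key, encrypted under the log-on password (openssl prompts on the tty),
    # written mode 0600: pam_mount runs as root, and anyone who can read the file
    # needs only the log-on password to recover the volume key.
    umask 077
    dd if=/dev/urandom bs=1 count="$(key_bytes "$keysize")" 2>/dev/null \
        | openssl enc -aes-"$keysize"-ecb -out "$keyfile"

    # Map the device with the decrypted key, create ext3, hand it to the user, unmap.
    openssl enc -d -aes-"$keysize"-ecb -in "$keyfile" \
        | cryptsetup -c aes -s "$keysize" create "crypt-$user" "$device"
    mkfs.ext3 -q "/dev/mapper/crypt-$user"
    tmp=$(mktemp -d)
    mount "/dev/mapper/crypt-$user" "$tmp"
    chown "$user" "$tmp"    # otherwise the home stays owned by root and GDM refuses the login
    umount "$tmp"
    rmdir "$tmp"
    dmsetup remove "crypt-$user"

    pam_mount_volume_line "$user" "$device" "$keysize" >> /etc/security/pam_mount.conf
}

# Only act when invoked with the three arguments; sourcing or running bare is a no-op.
if [ "$#" -eq 3 ]; then
    setup_encrypted_home "$@"
fi
```

The pure helpers (key size check, key length, mapping name, pam_mount.conf line) can be sourced and inspected on any machine; only setup_encrypted_home touches the system, and it refuses to run unless every precondition holds.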
pam_mount is quite cool, I enjoyed this how-to. :)
The only observation I want to make about it is about the home directory’s ownership. After creating the filesystem on the encrypted device the home directory still has “root” as owner; it has to be changed to ${USER} so you can write on your own directory (GDM will even refuse to log in without write permissions… Luckily plain old console login worked and I fixed up the lil mess).
blasnoff said this on October 26th, 2006 at 01:09
You are right, blasnoff.
I have updated the post to include specific instructions on how to change the owner so, hopefully, ${USER} will have write permissions.
Thanks
Felipe Alfaro Solana said this on October 26th, 2006 at 02:48
I want to install this program so that my computer is in good condition
vetancourt said this on December 7th, 2006 at 00:49
# echo "@include common-pammount"
vetancourt said this on December 7th, 2006 at 00:49
??
Felipe Alfaro Solana said this on December 9th, 2006 at 07:10
[...] directions from Felipe Alfaro Solana, I set up an encrypted home directory in Ubuntu 7.04. I only had one problem, that exhibited an [...]
Jay’s Technical Talk › Encrypted home directory under Ubuntu linux 7.04 said this on September 20th, 2007 at 16:00
So, does this encrypt an in-place /home? There’s a dearth of explanatory writing in this article, and I want to know my /home directory will be encrypted, and not destroyed. It definitely is NOT clear from this article whether that’s the case or not. I.e., does $DEVICE need to be a totally new partition/LVM lv/etc.?
ectospasm said this on September 17th, 2008 at 11:28