Encrypted home on Ubuntu using dmcrypt
Published by Felipe Alfaro Solana, September 8th, 2006, in Linux, Security, Ubuntu
Install cryptsetup and dmsetup:
# apt-get install cryptsetup dmsetup
Install pam_mount:
# apt-get install libpam-mount
Configure PAM to use pam_mount for both authentication and session management. The PAM authentication hook captures the user's log on password, while the PAM session hook sets up the dmcrypt device and mounts it during log on, and unmounts and frees the dmcrypt device during log off.
# echo "@include common-pammount" >> /etc/pam.d/common-auth
# echo "@include common-pammount" >> /etc/pam.d/common-session
Set up some variables to make the rest of the steps a little easier and more generic:
# USER=solana
# KEYSIZE=128
# DEVICE=/dev/whatever
The meaning of the previous variables is:
- USER defines the username.
- KEYSIZE defines the AES keysize used to encrypt the data. Valid keysizes are 128, 192 and 256.
- DEVICE defines the device that will hold the encrypted volume. This can be a standard partition, an LVM volume, an NBD, etc.
Generate a random AES encryption key, encrypt it with the user's log on password and store it:
# dd if=/dev/urandom bs=1c count=$((${KEYSIZE}/8)) | openssl enc -aes-${KEYSIZE}-ecb > /home/${USER}.key
When prompted for the passphrase, enter the user’s log on password.
Set up the dmcrypt device:
# openssl enc -d -aes-${KEYSIZE}-ecb -in /home/${USER}.key | cryptsetup -c aes -s ${KEYSIZE} create crypt-${USER} ${DEVICE}
When asked for the passphrase, just enter the user’s log on password.
Make a new ext3 filesystem on top of the dmcrypt device:
# mkfs.ext3 /dev/mapper/crypt-${USER}
Change the owner, so the user will be able to write to this volume:
# mkdir /mnt/crypt-${USER}
# mount /dev/mapper/crypt-${USER} /mnt/crypt-${USER}
# chown ${USER} /mnt/crypt-${USER}
# umount /dev/mapper/crypt-${USER}
# rmdir /mnt/crypt-${USER}
Free the dmcrypt device:
# dmsetup remove crypt-${USER}
To test whether mount.crypt works, mount the encrypted volume with it:
# openssl enc -d -aes-${KEYSIZE}-ecb -in /home/${USER}.key | mount.crypt ${DEVICE} /home/${USER} -o keysize=${KEYSIZE}
Free the dmcrypt device after the test:
# dmsetup remove _dev_mapper_${DEVICE}
Configure pam_mount:
# echo "volume ${USER} crypt - ${DEVICE} /home/${USER} keysize=${KEYSIZE} aes-${KEYSIZE}-ecb /home/${USER}.key" >> /etc/security/pam_mount.conf
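The steps above are easy to get wrong when typed by hand (an invalid KEYSIZE, a DEVICE that is not a block device, or running the key-generation step twice and overwriting a key that the existing volume still needs). The script below is an added example, not code from the original post or from the pam_mount project: it wraps the same commands in functions that validate their inputs first, writes the key file with a restrictive umask, and only appends the PAM include lines when they are not already present. The function names (`valid_keysize`, `key_bytes`, `pam_mount_line`, `ensure_pam_include`, `setup_crypt_home`) are this example's own; the commands inside them are the ones the post uses.

```shell
#!/bin/sh
# Added example: wraps the post's manual steps with input checks.
# Assumes cryptsetup, dmsetup, openssl and pam_mount are installed as
# described in the post, and that setup_crypt_home is run as root.
set -eu

# Return 0 when $1 is one of the AES key sizes the post accepts.
valid_keysize() {
    case "$1" in
        128|192|256) return 0 ;;
        *) return 1 ;;
    esac
}

# Number of random bytes dd must read for a key of $1 bits.
key_bytes() {
    echo $(( $1 / 8 ))
}

# Build the pam_mount.conf line exactly as the post writes it:
# volume USER fstype server(-) DEVICE mountpoint options cipher keyfile
pam_mount_line() {
    user=$1; keysize=$2; device=$3
    printf 'volume %s crypt - %s /home/%s keysize=%s aes-%s-ecb /home/%s.key\n' \
        "$user" "$device" "$user" "$keysize" "$keysize" "$user"
}

# Append "@include common-pammount" to a PAM file only if it is not there
# yet, so re-running the setup does not stack duplicate include lines.
ensure_pam_include() {
    file=$1
    grep -qx '@include common-pammount' "$file" 2>/dev/null \
        || echo '@include common-pammount' >> "$file"
}

# Run the post's steps for USER KEYSIZE DEVICE. Refuses to proceed when the
# key size is invalid, the device is not a block device, the user does not
# exist, or a key file already exists (overwriting it would make any data
# already on the volume unreadable).
setup_crypt_home() {
    user=$1; keysize=$2; device=$3
    valid_keysize "$keysize" || { echo "keysize must be 128, 192 or 256" >&2; return 2; }
    [ -b "$device" ] || { echo "$device is not a block device" >&2; return 2; }
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 2; }
    [ ! -e "/home/$user.key" ] || { echo "/home/$user.key exists, refusing to overwrite" >&2; return 2; }

    ensure_pam_include /etc/pam.d/common-auth
    ensure_pam_include /etc/pam.d/common-session

    umask 077   # the encrypted key file must not be readable by other users
    # openssl enc prompts on the terminal for the user's log on password
    dd if=/dev/urandom bs=1 count="$(key_bytes "$keysize")" 2>/dev/null \
        | openssl enc -aes-"$keysize"-ecb > "/home/$user.key"
    openssl enc -d -aes-"$keysize"-ecb -in "/home/$user.key" \
        | cryptsetup -c aes -s "$keysize" create "crypt-$user" "$device"
    mkfs.ext3 "/dev/mapper/crypt-$user"

    # give the new filesystem's root directory to the user, then release it
    mnt=$(mktemp -d)
    mount "/dev/mapper/crypt-$user" "$mnt"
    chown "$user" "$mnt"
    umount "$mnt"
    rmdir "$mnt"
    dmsetup remove "crypt-$user"

    pam_mount_line "$user" "$keysize" "$device" >> /etc/security/pam_mount.conf
}

# Usage, as root, with the post's example values:
#   setup_crypt_home solana 128 /dev/whatever
```

The checks are deliberately placed before any command that writes to the device or to /home, so a typo in DEVICE fails with a message instead of formatting the wrong disk, and a second run against the same user stops before touching the key file.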
7 Comments to “Encrypted home on Ubuntu using dmcrypt”
- 1 Pingback on Sep 20th, 2007 at 16:00
pam_mount is quite cool, I enjoyed this how-to.
The only observation I want to make about it is about home directory’s ownership. After creating the filesystem on the encrypted device the home directory has still “root” as owner, it has to be changed to ${USER} so you can write on your own directory (GDM will even refuse to log in without writing permissions… Luckily plain old console login worked and I fixed up the lil mess)
You are right, blasnoff.
I have updated the post to include specific instructions on how to change the owner so, hopefully, ${USER} will have write permissions.
Thanks
I want to install this program so that my computer stays in good condition
# echo "@include common-pammount"
??
So, does this encrypt an in-place /home? There’s a dearth of explanatory writing in this article, and I want to know my /home directory will be encrypted, and not destroyed. It definitely is NOT clear from this article whether that’s the case or not. I.e., does $DEVICE need to be a totally new partition/LVM lv/etc.?