Note: In Ubuntu 7.10 and before, module names and pam_mount syntax changed. See the previous version here
Problem solving: Laptop are stolen, sometime, it happens... After watching "Breaking and Entering", I wanted to find a solution to protect my personal data.
The solution I choose is the encryption of my homedir, and to make it as transparent as possible, I’m having my homedir decrypted and mounted at login time.
The following are the different steps I followed for this setup.
The following explains how to set up your Ubuntu system so that it mount your homedir at login time. rest of the time, your homedir sits in a partition, unmounted and encrypted.
In the following, I assume:
The homedir will be encrypted using LUKS
Becoming root at this point will avoid having to precede all commands with sudo. From now on, they all need to be execute by root, so it makes it more convenient. That’s my personal feeling...
$ sudo -i
You may have them already in your system, you may not.
# aptitude install sha256 cryptsetup libpam-mount
Check and/or load the needed modules. The command to load them all on i586:
# modprobe aes_generic # modprobe sha256_generic # modprobe dm_crypt
Note:The partition I use for swap is /dev/sda2. Make the changes in the follwing according to your partition table and devices.
Edit /etc/crypttab and change it to reflect the following.
# <target name> <source device> <key file> <options> swap /dev/sda2 /dev/random swap
Changes need to be made to /etc/fstab to reflect the new swap partition. Change the line for your swap partition to this:
# <file system> <mount point> <type> <options> <dump> <pass> /dev/mapper/swap none swap sw 0 0
Warning: ALL THE DATA ON THIS PARTITION WILL BE LOST
Note:The partition I will use for my homedir is /dev/sda3. Make the changes in the follwing according to your partition table and devices.
Backup all the data that you want to keep from this partition. The following will erase everything from it.
# umount /dev/sda3 # cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=128 luksFormat /dev/sda3
Follow the instructions (uppercase YES) and type your passphrase twice. The passphrase must be identical to your user current password. Alternatively, you can change the user’s password to match the passphrase you just set.
Rememeber that the whole protection is as strong as your password. The encryption of your homdedir will not increase the security of your data if your login password stays simple and easy to guess.
From here, your partition is encrypted and ready for you to use. You need to map the physical device which is encrypted to a logical device decrypted:
# cryptsetup luksOpen /dev/sda3 sda3
The new device can be treated like any other.
# mkfs.ext3 -j /dev/mapper/sda3
Configure /etc/security/pam_mount.conf. This file is an XML file full of comments. Leave them as is and look for the encypted home directory definition section:
<!-- Linux encrypted home directory examples, using dm_crypt:
Outside of any comments (starting with <!– and finishing with –>), I added my line, keeping it very simple:
<volume user="cousin" fstype="crypt" path="/dev/sda3" mountpoint="/home/cousin" />
In both files /etc/pam.d/common-auth and /etc/pam.d/common-session add the following line at the end of the file:
Login as the user and check the partition is mounted properly
As usual you may want or need to change your password. After choosing your new password, there are few additional steps to go through:
First, you need to add the new password in one of the key slot
$ sudo cryptsetup luksAddKey /dev/sda3 Enter any existing LUKS password: key slot 0 unlocked. Enter new password for key slot:
The new password will be added in key slot #1 (assuming this is the 1st change of password. The old password is in key slot #0).
Then you can delete the old passphrase:
$ sudo cryptsetup luksDelKey /dev/sda3 0
This last command is optional, but some details must be kept in mind: