Problem solving: Laptop are stolen, sometime, it happens... After watching "Breaking and Entering", I wanted to find a solution to protect my personal data.
The solution I choose is the encryption of my homedir, and to make it as transparent as possible, I’m having my homedir decrypted and mounted at login time.
The following are the different steps I followed for this setup.
The following explains how to set up your Ubuntu system so that it mount your homedir at login time. rest of the time, your homedir sits in a partition, unmounted and encrypted.
In the following, I assume:
The homedir will be encrypted using LUKS
Becoming root at this point will avoid having to precede all commands with sudo. From now on, they all need to be execute by root, so it makes it more convenient. That’s my personal feeling...
$ sudo -i
You may have them already in your system, you may not.
# aptitude install cryptsetup libpam-mount
Note: sha256 and aes, mentioned in previous versions, should already be present
Check and/or load the needed modules. The command to load them all on i586:
# modprobe aes_generic # modprobe sha256_generic # modprobe dm_crypt
Note:The partition I use for swap is /dev/sda2. Make the changes in the follwing according to your partition table and devices.
Edit /etc/crypttab and change it to reflect the following.
# <target name> <source device> <key file> <options> swap /dev/sda2 /dev/random swap
Changes need to be made to /etc/fstab to reflect the new swap partition. Change the line for your swap partition to this:
# <file system> <mount point> <type> <options> <dump> <pass> /dev/mapper/swap none swap sw 0 0
Warning: ALL THE DATA ON THIS PARTITION WILL BE LOST
Note:The partition I will use for my homedir is /dev/sda3. Make the changes in the follwing according to your partition table and devices.
Backup all the data that you want to keep from this partition. The following will erase everything from it.
# umount /dev/sda3 # cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=128 luksFormat /dev/sda3
Follow the instructions (uppercase YES) and type your passphrase twice. The passphrase must be identical to your user current password. Alternatively, you can change the user’s password to match the passphrase you just set.
Rememeber that the whole protection is as strong as your password. The encryption of your homdedir will not increase the security of your data if your login password stays simple and easy to guess.
From here, your partition is encrypted and ready for you to use. You need to map the physical device which is encrypted to a logical device decrypted:
# cryptsetup luksOpen /dev/sda3 sda3
The new device can be treated like any other.
# mkfs.ext3 -j /dev/mapper/sda3
Configure /etc/security/pam_mount.conf.xml. This file is an XML file. Look for the Volume definitions definition section:
<!-- Volume definitions -->
Right below, add your line similar to the following one:
<volume user="cousin" fstype="crypt" path="/dev/sda3" mountpoint="/home/cousin" />
There is no need to prepare PAM anymore as all the content prepared in previous version of Ubuntu is now included.
In the file /etc/pam.d/common-auth the line comes with the default option “use_first_pass”. This option is not working in my case and result in the partition not being mounted. As I am writting this using the beta of Ubuntu 9.04, I leave it as a comment.
Login as the user and check the partition is mounted properly.
Check the permissions of the files and the mount point. You might have to enforce permissions to your user.
As usual you may want or need to change your password. After choosing your new password, there are few additional steps to go through:
First, you need to add the new password in one of the key slot
$ sudo cryptsetup luksAddKey /dev/sda3 Enter any existing LUKS password: key slot 0 unlocked. Enter new password for key slot:
The new password will be added in key slot #1 (assuming this is the 1st change of password. The old password is in key slot #0).
Then you can delete the old passphrase:
$ sudo cryptsetup luksDelKey /dev/sda3 0
This last command is optional, but some details must be kept in mind: