Encrypted home in Ubuntu 8.10
This article is like a third edition to “Encrypted home in Ubuntu (or Kubuntu… or Debian…)”, although I keep changing the name. It’s the 8.10 edition. Many things changed and I updated the article for those, and the rest should work as well.
Every day we put more and more personal information on our computers, and our computers become lighter, smaller, more mobile. In other words, the importance of the information gets higher and the possibility of being loosed or stolen gets higher as well.
I think that if anyone gets a-hold of the information in my personal computer (s)he’d be able to impersonate me and make my life a mess. That’s why I like keeping all my information encrypted. That is, I have a separate partition for /home and it is encrypted.
The level of security for this scheme is not very high and if you are a real paranoid you should be reading some other tutorials. I am using just a pass-phrase for the encryption so I am susceptible to dictionary attacks, my swap is not encrypted, so some personal information would be available there. But that’s OK. I am not trying to protect from the people with enough sophistication to perform the needed operations to retrieve that information. Those are not many and they have other means.
My goal is to protect from the regular thieve or from loosing it… so I would mourn for some money being lost but I will sleep well at night.
Disclaimer: the information will be encrypted, you’ll be able to access it with a key: a pass-phrase. If you loose it, you won’t be able to access than information again, so, be careful and make backups.
You should install the operating system as you always do with a little detail: create the root partition, the swap partition and the home partition. But don’t assign any filesystem to the home partition, do not make or format it and do not set it as home.
After you did that you should be booting into a fresh system. Be sure not to store any sensitive information now, because it’ll be accessible to anyone. Some thinks to take care, if you use a browser or some instant messaging client, do not make them save the password, if you can avoid typing the passwords at all, that will be better.
Once you got pass that you’ll need two packages: cryptsetup and libpam-mount. You can install them with a command like:
aptitude install cryptsetup libpam-mount
During installation, limpam-mount request to convert the previous configuration. As we don’t really have a previous configuration, I’m not sure what it’s going to convert so I just choose “No” (the default) and let it install a fresh configuration.
The encryption we are going to use works like this. Linux puts a layer around a device and creates a new virtual device. Whatever is written to this new virtual device is written to the real device but encrypted. All this works at a very low level and it is called mapping. There are other kind of mappings (to perform other operations than encrypting… think for example as creating volumes of various partitions so they’d be seen as one).
To create the mapping run:
sudo modprobe dm-crypt
sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sda6
replacing /dev/sda6 with your particular (real) device.
A bit more about that command. cryptsetup is a program to create this encryption mappings. –-verbose is there because I like to see a lot of useless data and feel more geeky. –-verify-passphrase is there to be asked twice for the pass-phrase, so we don’t insert a wrong pass-phrase by accident. luksFormat is the action. luks is a new system that lets us have more than one password, change passwords, add passwords, etc to some encrypted device. Very handy.A complete execution of that command will look like:
sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sda6 WARNING! ======== This will overwrite data on /dev/sda6 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful.
The new partition
This new system, luks, also let us inspect what is in a luks-formatted partition. It works like this:
sudo cryptsetup luksDump /dev/sda6 LUKS header information for /dev/sda6 Version: 1 Cipher name: aes Cipher mode: cbc-essiv:sha256 Hash spec: sha1 Payload offset: 1032 MK bits: 128 MK digest: ff c3 22 a1 d1 fe 5e e4 e3 37 26 a7 8e 93 43 22 fa 83 c5 91 MK salt: 27 59 46 c5 f2 21 5a 93 46 eb 2a cf 80 f1 46 95 b6 05 79 02 55 a4 49 33 87 d1 25 ae 49 74 40 b6 MK iterations: 10 UUID: 819cf83a-7c9b-49b8-9b74-e0d952aa1234 Key Slot 0: ENABLED Iterations: 208350 Salt: be 31 c7 e3 c9 a8 d5 37 09 12 34 e2 4a 3f a3 85 e0 fd bc 1e e4 3a fb d6 70 7c 7f 12 34 1a 6d 8e 43 Key material offset: 8 AF stripes: 4000 Key Slot 1: DISABLED Key Slot 2: DISABLED Key Slot 3: DISABLED Key Slot 4: DISABLED Key Slot 5: DISABLED Key Slot 6: DISABLED Key Slot 7: DISABLED
Lot’s of nice information, don’t you feel super-geek ? You can see there that you have 8 spaces for pass-phrases, you have 8 slots of which you are using one, the 0.
To be able to access the encrypted partition you have to open it… and to do it you’ll need a key of course (your pass-phrase). We’ll see the mappings on /dev/mapper/, which should be empty by now (except for a control file… I wouldn’t name a mapping control, just in case):
ls /dev/mapper/ control
Ok! Now open it:
sudo cryptsetup luksOpen /dev/sda6 home Enter LUKS passphrase: key slot 0 unlocked. Command successful.
Great! We have opened it. The last parameter, “home”, is the name of the mapping. Let’s take a look at the mappings:
ls /dev/mapper/ control home
Good. This device file is like a partition itself. So, we’ll make a file-system in there in the same way you’d make it in sda6 (from now on, don’t do anything with sda6 except opening and other luks operations, your partition is /dev/mapper/home now). In my case I’ve picked ReiserFS, but you can use whatever you want:
sudo mkfs.reiserfs -l home /dev/mapper/home ...lot's of geeky output... ReiserFS is successfully created on /dev/mapper/home.
and we are done. We can mount it:
sudo mount /dev/mapper/home /media
copy the current data (the home of a user and a couple of files):
sudo cp -a /home/* /media/ cp: ne povas trovi stato-informon pri '/home/pupeno/.gvfs': Permeso rifuzita
If you don’t speak the international language, that mean: “cp: cannot stat `/home/pupeno/.gvfs': Permission denied”. Everything seems to be OK anyway. Un-mount it:
sudo umount /media/
and close it:
sudo cryptsetup luksClose home
There are various ways to open and mount the encrypted file-system but after trying many different ones, this is the best one from my point of view. I like that it is not intrusive: when you log in, your user password will be used to open the file-system and it’ll be mounted automatically. Of course, then, the password of your user should match the pass-phrase in at least one of the slots of the encrypted device.
You need to modify /etc/pam.d/common-auth adding, at the end:
And /etc/pam.d/common-session to add that same line.
In /etc/security/pam_mount.conf.xml, around line 107 you have a list of “Linux encrypted home directory examples”, since what we are going to do is related to that it makes sense to put these lines after that comment (around line 183):
Of course replace “pupeno” with your username and “/dev/sda6″ with your device. And that is the line that will make the magical mount happen.
Now just try it. It is very simple, log out, log in again and that’s it. You should have you newly super-encrypted home partition mounted. To check it out issue a mount command and among a huge amount of cryptic information you should see:
/dev/mapper/_dev_sda6 on /home type reiserfs (rw)
You can also list the files on /dev/mapper to find the _dev_sda6 mapping.
And that’s it, it wasn’t so hard, was it ?
More users, more pass-phrases
If there are more users add more lines to /etc/security/pam_mount.conf.xml, I haven’t tested it but it should work. Also just add more pass-phrases to the device using cryptsetup in this way:
sudo cryptsetup luksAddKey /dev/sda6
It’ll ask you for a current pass-phrase as well. This is also useful if you are changing pass-phrases, while you work on remembering the new one, don’t delete the old one, so if you forget the new one you should still be able to access your information with the old one. After you are confident of the new one, you can delete the old one with:
sudo cryptsetup luksDelKey /dev/sda6 0
where “0” is the slot where you have your old pass-phrase (hint: use luksDump). And here I want to remind you that if you lost the password you won’t be able to access the information. There’s no password recovery here: it is gone, forever, as scrambled, processed and destroyed as the dinner of Tuesday of the last week. Be very careful and always make backups.