Pablo's blog

A bit of this, a bit of that and a lot about computers

Encrypted home in Ubuntu 8.10

This article is like a third edition to “Encrypted home in Ubuntu (or Kubuntu… or Debian…)”, although I keep changing the name. It’s the 8.10 edition. Many things changed and I updated the article for those, and the rest should work as well.

Motivation

Every day we put more and more personal information on our computers, and our computers become lighter, smaller, more mobile. In other words, the importance of the information gets higher and the possibility of being loosed or stolen gets higher as well.

I think that if anyone gets a-hold of the information in my personal computer (s)he’d be able to impersonate me and make my life a mess. That’s why I like keeping all my information encrypted. That is, I have a separate partition for /home and it is encrypted.

The level of security for this scheme is not very high and if you are a real paranoid you should be reading some other tutorials. I am using just a pass-phrase for the encryption so I am susceptible to dictionary attacks, my swap is not encrypted, so some personal information would be available there. But that’s OK. I am not trying to protect from the people with enough sophistication to perform the needed operations to retrieve that information. Those are not many and they have other means.

My goal is to protect from the regular thieve or from loosing it… so I would mourn for some money being lost but I will sleep well at night.

Disclaimer: the information will be encrypted, you’ll be able to access it with a key: a pass-phrase. If you loose it, you won’t be able to access than information again, so, be careful and make backups.

Installation

You should install the operating system as you always do with a little detail: create the root partition, the swap partition and the home partition. But don’t assign any filesystem to the home partition, do not make or format it and do not set it as home.

After you did that you should be booting into a fresh system. Be sure not to store any sensitive information now, because it’ll be accessible to anyone. Some thinks to take care, if you use a browser or some instant messaging client, do not make them save the password, if you can avoid typing the passwords at all, that will be better.

Once you got pass that you’ll need two packages: cryptsetup and libpam-mount. You can install them with a command like:

aptitude install cryptsetup libpam-mount

During installation, limpam-mount request to convert the previous configuration. As we don’t really have a previous configuration, I’m not sure what it’s going to convert so I just choose “No” (the default) and let it install a fresh configuration.

Partitioning

The encryption we are going to use works like this. Linux puts a layer around a device and creates a new virtual device. Whatever is written to this new virtual device is written to the real device but encrypted. All this works at a very low level and it is called mapping. There are other kind of mappings (to perform other operations than encrypting… think for example as creating volumes of various partitions so they’d be seen as one).

To create the mapping run:

sudo modprobe dm-crypt
sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sda6

replacing /dev/sda6 with your particular (real) device.

A bit more about that command. cryptsetup is a program to create this encryption mappings. –-verbose is there because I like to see a lot of useless data and feel more geeky. –-verify-passphrase is there to be asked twice for the pass-phrase, so we don’t insert a wrong pass-phrase by accident. luksFormat is the action. luks is a new system that lets us have more than one password, change passwords, add passwords, etc to some encrypted device. Very handy.A complete execution of that command will look like:

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sda6

WARNING!
========
This will overwrite data on /dev/sda6 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

The new partition

This new system, luks, also let us inspect what is in a luks-formatted partition. It works like this:

sudo cryptsetup luksDump /dev/sda6
LUKS header information for /dev/sda6

Version:       	1
Cipher name:   	aes
Cipher mode:   	cbc-essiv:sha256
Hash spec:     	sha1
Payload offset:	1032
MK bits:       	128
MK digest:     	ff c3 22 a1 d1 fe 5e e4 e3 37 26 a7 8e 93 43 22 fa 83 c5 91
MK salt:       	27 59 46 c5 f2 21 5a 93 46 eb 2a cf 80 f1 46 95
               	b6 05 79 02 55 a4 49 33 87 d1 25 ae 49 74 40 b6
MK iterations: 	10
UUID:          	819cf83a-7c9b-49b8-9b74-e0d952aa1234

Key Slot 0: ENABLED
	Iterations:         	208350
	Salt:               	be 31 c7 e3 c9 a8 d5 37 09 12 34 e2 4a 3f a3 85
	                      	e0 fd bc 1e e4 3a fb d6 70 7c 7f 12 34 1a 6d 8e 43
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Lot’s of nice information, don’t you feel super-geek ? You can see there that you have 8 spaces for pass-phrases, you have 8 slots of which you are using one, the 0.

To be able to access the encrypted partition you have to open it… and to do it you’ll need a key of course (your pass-phrase). We’ll see the mappings on /dev/mapper/, which should be empty by now (except for a control file… I wouldn’t name a mapping control, just in case):

ls /dev/mapper/
control

Ok! Now open it:

sudo cryptsetup luksOpen /dev/sda6 home
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

Great! We have opened it. The last parameter, “home”, is the name of the mapping. Let’s take a look at the mappings:

ls /dev/mapper/
control  home

Good. This device file is like a partition itself. So, we’ll make a file-system in there in the same way you’d make it in sda6 (from now on, don’t do anything with sda6 except opening and other luks operations, your partition is /dev/mapper/home now). In my case I’ve picked ReiserFS, but you can use whatever you want:

sudo mkfs.reiserfs -l home /dev/mapper/home
...lot's of geeky output...
ReiserFS is successfully created on /dev/mapper/home.

and we are done. We can mount it:

sudo mount /dev/mapper/home /media

copy the current data (the home of a user and a couple of files):

sudo cp -a /home/* /media/
cp: ne povas trovi stato-informon pri '/home/pupeno/.gvfs': Permeso rifuzita

If you don’t speak the international language, that mean: “cp: cannot stat `/home/pupeno/.gvfs': Permission denied”. Everything seems to be OK anyway. Un-mount it:

sudo umount /media/

and close it:

sudo cryptsetup luksClose home

Automagically mounting

There are various ways to open and mount the encrypted file-system but after trying many different ones, this is the best one from my point of view. I like that it is not intrusive: when you log in, your user password will be used to open the file-system and it’ll be mounted automatically. Of course, then, the password of your user should match the pass-phrase in at least one of the slots of the encrypted device.

You need to modify /etc/pam.d/common-auth adding, at the end:

@include common-pammount

And /etc/pam.d/common-session to add that same line.

In /etc/security/pam_mount.conf.xml, around line 107 you have a list of “Linux encrypted home directory examples”, since what we are going to do is related to that it makes sense to put these lines after that comment (around line 183):


Of course replace “pupeno” with your username and “/dev/sda6″ with your device. And that is the line that will make the magical mount happen.

Now just try it. It is very simple, log out, log in again and that’s it. You should have you newly super-encrypted home partition mounted. To check it out issue a mount command and among a huge amount of cryptic information you should see:

/dev/mapper/_dev_sda6 on /home type reiserfs (rw)

You can also list the files on /dev/mapper to find the _dev_sda6 mapping.

And that’s it, it wasn’t so hard, was it ?

More users, more pass-phrases

If there are more users add more lines to /etc/security/pam_mount.conf.xml, I haven’t tested it but it should work. Also just add more pass-phrases to the device using cryptsetup in this way:

sudo cryptsetup luksAddKey /dev/sda6

It’ll ask you for a current pass-phrase as well. This is also useful if you are changing pass-phrases, while you work on remembering the new one, don’t delete the old one, so if you forget the new one you should still be able to access your information with the old one. After you are confident of the new one, you can delete the old one with:

sudo cryptsetup luksDelKey /dev/sda6 0

where “0” is the slot where you have your old pass-phrase (hint: use luksDump). And here I want to remind you that if you lost the password you won’t be able to access the information. There’s no password recovery here: it is gone, forever, as scrambled, processed and destroyed as the dinner of Tuesday of the last week. Be very careful and always make backups.

About these ads

Single Post Navigation

5 thoughts on “Encrypted home in Ubuntu 8.10

  1. hi,

    i would like to follow your guide exactly, but I have already set up a separate partition and set it as /home.

    can I revert this somehow to follow your guide step-by-step?

    thanks for your geeky input.

    • lapa,

      What you need to do is create a /home2, copy everything from /home into /home2 in the same way I explain how to do it at the end of the tutorial, unmount /home and remove it from /etc/fstab. Move /home2 to /home. Reboot to be sure that everything is working as expected. And then you can follow this tutorial. If you don’t have enough space in / to have everything from /home in /home2, then you’ll need external storage to do the move.

      If you are using Ubuntu 9.04 or latter, I think they already have some nice encryption system for your whole home, so you may want to look into that before you even start with my tutorial. It’s quite possible my tutorial is obsoleted and deprecated.

  2. Victor on said:

    Hi, Pablo!
    Thank you for the post! Everything works great on Jaunty. But recently I installed Karmic Koala, followed the same procedure (except for creating the disk – I used the existing one), and – ups – can’t even log in, log in window says: “error initiating conversation with authentication system – general failure”. Remarkably, I can mount this volume manually in Koala. Do you have any idea what’s wrong? If you use Karmic and LUKS, can you share your experience? Thanks in advance.

  3. Pablo,
    Great tutorial, however I would not use this method on Ubuntu 9.10 until it can be investigated further. I can no longer log in from putty or at the machine. My guess is that the problem lies in automatically mounting the drive at login.

    • JD: Yes, upgrading when doing this was always a delicate process. There was a change of format from ini-like to xml of the config file in an upgrade. And besides, Ubuntu 9.10 now supports encrypting /home on the special installation option, everyone should use that instead and consider this tutorial obsolete.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 377 other followers

%d bloggers like this: