Motivation

Every day we put more and more personal information on our computers, and our computers become lighter, smaller, more mobile. In other words, the importance of the information gets higher and the possibility of being loosed or stolen gets higher as well.

I think that if anyone gets a-hold of the information in my personal computer (s)he’d be able to impersonate me and make my life a mess. That’s why I like keeping all my information encrypted. That is, I have a separate partition for /home and it is encrypted.

The level of security for this scheme is not very high and if you are a real paranoid you should be reading some other tutorials. I am using just a pass-phrase for the encryption so I am susceptible to dictionary attacks, my swap is not encrypted, so some personal information would be available there. But that’s OK. I am not trying to protect from the people with enough sophistication to perform the needed operations to retrieve that information. Those are not many and they have other means.

My goal is to protect from the regular thieve or from loosing it… so I would mourn for some money being lost but I will sleep well at night.

Disclaimer: the information will be encrypted, you’ll be able to access it with a key: a pass-phrase. If you loose it, you won’t be able to access than information again, so, be careful and make backups.

Installation

You should install the operating system as you always do with a little detail: create the root partition, the swap partition and the home partition. But don’t assign any filesystem to the home partition, do not make or format it and do not set it as home.

After you did that you should be booting into a fresh system. Be sure not to store any sensitive information now, because it’ll be accessible to anyone. Some thinks to take care, if you use a browser or some instant messaging client, do not make them save the password, if you can avoid typing the passwords at all, that will be better.

Once you got pass that you’ll need two packages: cryptsetup and libpam-mount. You can install them with a command like:

aptitude install cryptsetup libpam-mount

During installation, limpam-mount request to convert the previous configuration. As we don’t really have a previous configuration, I’m not sure what it’s going to convert so I just choose “No” (the default) and let it install a fresh configuration.

Partitioning

The encryption we are going to use works like this. Linux puts a layer around a device and creates a new virtual device. Whatever is written to this new virtual device is written to the real device but encrypted. All this works at a very low level and it is called mapping. There are other kind of mappings (to perform other operations than encrypting… think for example as creating volumes of various partitions so they’d be seen as one).

To create the mapping run:

sudo modprobe dm-crypt

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sda6

replacing /dev/sda6 with your particular (real) device.

A bit more about that command. cryptsetup is a program to create this encryption mappings. –-verbose is there because I like to see a lot of useless data and feel more geeky. –-verify-passphrase is there to be asked twice for the pass-phrase, so we don’t insert a wrong pass-phrase by accident. luksFormat is the action. luks is a new system that lets us have more than one password, change passwords, add passwords, etc to some encrypted device. Very handy.A complete execution of that command will look like:

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sda6

WARNING!
========
This will overwrite data on /dev/sda6 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

The new partition

This new system, luks, also let us inspect what is in a luks-formatted partition. It works like this:

sudo cryptsetup luksDump /dev/sda6
LUKS header information for /dev/sda6

Version:       	1
Cipher name:   	aes
Cipher mode:   	cbc-essiv:sha256
Hash spec:     	sha1
Payload offset:	1032
MK bits:       	128
MK digest:     	ff c3 22 a1 d1 fe 5e e4 e3 37 26 a7 8e 93 43 22 fa 83 c5 91
MK salt:       	27 59 46 c5 f2 21 5a 93 46 eb 2a cf 80 f1 46 95
               	b6 05 79 02 55 a4 49 33 87 d1 25 ae 49 74 40 b6
MK iterations: 	10
UUID:          	819cf83a-7c9b-49b8-9b74-e0d952aa1234

Key Slot 0: ENABLED
	Iterations:         	208350
	Salt:               	be 31 c7 e3 c9 a8 d5 37 09 12 34 e2 4a 3f a3 85
	                      	e0 fd bc 1e e4 3a fb d6 70 7c 7f 12 34 1a 6d 8e 43
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Lot’s of nice information, don’t you feel super-geek ? You can see there that you have 8 spaces for pass-phrases, you have 8 slots of which you are using one, the 0.

To be able to access the encrypted partition you have to open it… and to do it you’ll need a key of course (your pass-phrase). We’ll see the mappings on /dev/mapper/, which should be empty by now (except for a control file… I wouldn’t name a mapping control, just in case):

ls /dev/mapper/
control

Ok! Now open it:

sudo cryptsetup luksOpen /dev/sda6 home
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

Great! We have opened it. The last parameter, “home”, is the name of the mapping. Let’s take a look at the mappings:

ls /dev/mapper/
control  home

Good. This device file is like a partition itself. So, we’ll make a file-system in there in the same way you’d make it in sda6 (from now on, don’t do anything with sda6 except opening and other luks operations, your partition is /dev/mapper/home now). In my case I’ve picked ReiserFS, but you can use whatever you want:

sudo mkfs.reiserfs -l home /dev/mapper/home
...lot's of geeky output...
ReiserFS is successfully created on /dev/mapper/home.

and we are done. We can mount it:

sudo mount /dev/mapper/home /media

copy the current data (the home of a user and a couple of files):

sudo cp -a /home/* /media/
cp: ne povas trovi stato-informon pri '/home/pupeno/.gvfs': Permeso rifuzita

If you don’t speak the international language, that mean: “cp: cannot stat `/home/pupeno/.gvfs’: Permission denied”. Everything seems to be OK anyway. Un-mount it:

sudo umount /media/

and close it:

sudo cryptsetup luksClose home

Automagically mounting

There are various ways to open and mount the encrypted file-system but after trying many different ones, this is the best one from my point of view. I like that it is not intrusive: when you log in, your user password will be used to open the file-system and it’ll be mounted automatically. Of course, then, the password of your user should match the pass-phrase in at least one of the slots of the encrypted device.

You need to modify /etc/pam.d/common-auth adding, at the end:

@include common-pammount

And /etc/pam.d/common-session to add that same line.

In /etc/security/pam_mount.conf.xml, around line 107 you have a list of “Linux encrypted home directory examples”, since what we are going to do is related to that it makes sense to put these lines after that comment (around line 183):

Of course replace “pupeno” with your username and “/dev/sda6″ with your device. And that is the line that will make the magical mount happen.

Now just try it. It is very simple, log out, log in again and that’s it. You should have you newly super-encrypted home partition mounted. To check it out issue a mount command and among a huge amount of cryptic information you should see:

/dev/mapper/_dev_sda6 on /home type reiserfs (rw)

You can also list the files on /dev/mapper to find the _dev_sda6 mapping.

And that’s it, it wasn’t so hard, was it ?

More users, more pass-phrases

If there are more users add more lines to /etc/security/pam_mount.conf.xml, I haven’t tested it but it should work. Also just add more pass-phrases to the device using cryptsetup in this way:

sudo cryptsetup luksAddKey /dev/sda6

It’ll ask you for a current pass-phrase as well. This is also useful if you are changing pass-phrases, while you work on remembering the new one, don’t delete the old one, so if you forget the new one you should still be able to access your information with the old one. After you are confident of the new one, you can delete the old one with:

sudo cryptsetup luksDelKey /dev/sda6 0

where “0″ is the slot where you have your old pass-phrase (hint: use luksDump). And here I want to remind you that if you lost the password you won’t be able to access the information. There’s no password recovery here: it is gone, forever, as scrambled, processed and destroyed as the dinner of Tuesday of the last week. Be very careful and always make backups.

Motivation

As we put more and more personal information on our computers or computers become lighter, small, more mobile. In other words, the importance of the information gets higher and the possibility of being loosed or stolen gets higher as well.

I think that if anyone gets a-hold of the information in my notebook (s)he’d be able to impersonate me and make my life a mess. That’s why I like keeping all my information encrypted. That is, I have a separate partition for /home and it is encrypted.

The level of security is not high and if you are a real paranoid you should be reading some other tutorials. I am using just a pass-phrase for the encryption so I am susceptible to dictionary attacks, my swap is not encrypted, so some personal information would be available there. But that’s Ok. I am not trying to protect from the people with enough sophistication to perform the needed operations to retrieve that information. And if the thing becomes really nasty I bet people can find other ways to access my information. My goal is to protect from the regular thieve or from loosing it… so I will mourn for some dollars being lost but I will sleep well at night.

Disclaimer: the information will be encrypted, you’ll be able to access it with a key: a pass-phrase. If you loose it, you won’t be able to access than information again, so, be careful.

Installation

You should install the operating system as you always do with a little detail: create the root partition, the swap partition but not the home partition. Leave some space for the home partition, we’ll create it latter.

After you did that you should be booting into a fresh system. Be sure not to store any sensitive information now, because it’ll be open to attacks. Some thinks to take care, if you use a browser or some instant messaging client, do not make them save the password, if you can avoid typing the passwords at all, that will be better.

Once you got pass that you’ll need two packages (in Ubuntu and Kubuntu, exactly this, in Debian probably too, in others you’ll have to figure it out; actually, this applies to all the document so I won’t repeat it again): cryptsetup and libpam-mount. You can install them with a command like:

aptitude install cryptsetup libpam-mount

Partitioning

Create the partition that will be your home partition. Do it in whatever way you prefer, I’ve personally use cfdisk a lot, but you can also use fdisk or any other partitioning tool. After that to ensure that the partition table is written and read by Linux reboot. Avoiding rebooting might not cause any problem or it may cause weird problems with error messages that are hard to understand and that made me loose an hour or so. So, be safe and reboot.

The encryption we are going to use works like this. Linux puts a layer around a device and creates a new virtual device. Whatever is written to this new virtual device is written to the real device but encrypted. All this works at a very low level and it is called mapping. There are other kind of mappings (to perform other operations than encrypting… think for example as creating volumes of various partitions so they’d be seen as one).

To create the mapping run:

cryptsetup --verbose --verify-passphrase luksFormat /dev/sda3

replacing /dev/sda3 with your particular (real) device. In my case sda1 is root and sda2 is swap. One important piece of advice here would be putting random information on /dev/sda3 so it is harder to guess what’s in there. I haven’t done it because I was working over some other encrypted partition which was created over random data… enough randomness for me. If you are working in a new or blank this putting the random data might be important. Using your favorite search-engine you can find how to do it in 30 seconds.

A bit more about that command. cryptsetup is a program to create this encryption mappings. –verbose is because we like to see a lot of useless data and feel more geeky. –verify-passphrase is to be asked twice for the pass-phrase, so we don’t insert a wrong pass-phrase by accident. luksFormat is the action. luks is a new system that lets us have more than one password, change passwords, add passwords, etc to some encrypted device. Very handy.

Update: I’ve recently installed Kubuntu in a MacBook Pro and I’ve had to modprobe aes (and possible modprobe dm-crypt too) before being able to run the following command line succesfuly, otherwise I’ve got this message:

Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda5 contains at least 133 sectors.
Failed to write to key storage.
Command failed.

A complete execution of that command will look like:

WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
root@pulab:~#

The new partition

This new system, luks, also let us inspect what is in a luks-formatted partition. It works like this:

root@pulab:~# cryptsetup luksDump /dev/sda3
LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
MK digest:      65 d9 47 47 f0 74 5c ad ae 79 03 6c c9 11 4d 56 b2 11 78 90
MK salt:        19 d7 3b c6 04 2d ee e1 77 c0 4b f1 ac e1 3a 21
                ce 02 10 9a c5 f7 5a b7 fd f5 d4 96 96 6d 79 0d
MK iterations:  10
UUID:           bf5ca0c3-a68f-4544-8840-ba2p2af98918

Key Slot 0: ENABLED
        Iterations:             70156
        Salt:                   08 e1 75 0e d1 1b 92 d1 f1 5f bd 50 9c ec a0 a2
                                b9 ea f8 da 1a 62 5d 4b 15 f3 4c a3 f3 49 12 83
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Lot’s of nice information, don’t you feel super-geek ? You can see there that you have 8 spaces for pass-phrases, you have 8 slots of which you are using one, the 0.

To be able to access the encrypted partition you have to open it… and to do it you’ll need a key of course (your pass-phrase). We’ll see the mappings on /dev/mapper/, which should be empty by now (except for a control file… I wouldn’t name a mapping control, just in case):

root@pulab:~# ls /dev/mapper/
control

Ok! Now open it:

root@pulab:~# cryptsetup luksOpen /dev/sda3 home
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

Great! We have opened it. The last parameter, “home”, is the name of the mapping. Let’s take a look at the mappings:

root@pulab:~# ls /dev/mapper/
control  home

Good. This device file is like a partition itself. So, we’ll make a file-system in there in the same way you’d make it in sda3 (from now on, don’t do anything with sda3 except opening and other luks operations, your partition is /dev/mapper/home now). In my case I’ve picked reiserfs, but you can use whatever you want:

root@pulab:~# mkfs.reiserfs -l home /dev/mapper/home
.
lot's of geeky output
.
root@pulab:~#

and we are done. We can mount it:

root@pulab:~# mount /dev/mapper/home /media/

copy the current data (the home of a user and a couple of files):

root@pulab:~# cp -a /home/* /media/

un-mount it:

root@pulab:~# umount /media/

and close it:

cryptsetup luksClose home

Automagically mounting

There are various ways to open and mount the encrypted file-system but after trying many different ones, this is the best one from my point of view. I like that it is not intrusive: when you log in, your user password will be used to open the file-system and it’ll be mounted automatically. Of course then the password of your user should match the pass-phrase in some of the slots of the encrypted device.

You need to modify /etc/pam.d/common-auth adding, at the end:

@include common-pammount

And /etc/pam.d/common-session to add that same line:

@include common-pammount

In /etc/security/pam_mount.conf, around line 174 you have a list of “Linux encrypted home directory examples”, since what we are going to do is related to that it makes sense to put this line:

volume pupeno crypt - /dev/sda3 /home cipher=aes - -

there changing “pupeno” with your username and “/dev/sda3″ with your device. And that is the line that will make the magical mount happen.

Now just try it. It is very simple, log out, log in again and that’s it. You should have you newly super-encrypted home partition mounted. To check it out issue a mount command and among a huge amount of cryptic information you should see:

/dev/mapper/_dev_sda3 on /home type reiserfs (rw)

You can also list the files on /dev/mapper to find the _dev_sda3 mapping.

And that’s it, it wasn’t so hard, was it ?

More users, more pass-phrases

If there are more users add more lines to /etc/security/pam_mount.conf, I haven’t tested it but it should work. Also just add more passphrases to the device using cryptsetup in this way:

cryptsetup luksAddKey /dev/sda3

It’ll ask you for a current pass-phrase as well. This is also useful if you are changing pass-phrases, while you work on remembering the new one, don’t delete the old one, so if you forget the new one you should still be able to access your information with the old one. After you are confident of the new one, you can delete the old one with:

cryptsetup luksDelKey /dev/sda3 0

where “0″ is the slot where you have your old pass-phrase (hint: use luksDump). And here I want to remind you that if you lost the password you won’t be able to access the information. There’s no password recovery here: it is gone, forever, as scrambled, processed and destroyed as the dinner of Tuesday of the last week. Be very careful and always make backups.

Comments on the original blog

michuk Says:

Two more articles describing the same:
* http://polishlinux.org/howtos/truecrypt-howto/
* http://polishlinux.org/howtos/encrypted-home-partition-in-linux/

June 11th, 2007 at 5:47

Motivation

As we put more and more personal information on our computers or computers become lighter, small, more mobile. In other words, the importance of the information gets higher and the possibility of being loosed or stolen gets higher as well.

I think that if anyone gets a-hold of the information in my notebook (s)he’d be able to impersonate me and make my life a mess. That’s why I like keeping all my information encrypted. That is, I have a separate partition for /home and it is encrypted.

The level of security is not high and if you are a real paranoid you should be reading some other tutorials. I am using just a pass-phrase for the encryption so I am susceptible to dictionary attacks, my swap is not encrypted, so some personal information would be available there. But that’s Ok. I am not trying to protect from the people with enough sophistication to perform the needed operations to retrieve that information. And if the thing becomes really nasty I bet people can find other ways to access my information. My goal is to protect from the regular thieve or from loosing it… so I will mourn for some dollars being lost but I will sleep well at night.

Disclaimer: the information will be encrypted, you’ll be able to access it with a key: a pass-phrase. If you loose it, you won’t be able to access than information again, so, be careful.

Installation

You should install the operating system as you always do with a little detail: create the root partition, the swap partition but not the home partition. Leave some space for the home partition, we’ll create it latter.

After you did that you should be booting into a fresh system. Be sure not to store any sensitive information now, because it’ll be open to attacks. Some thinks to take care, if you use a browser or some instant messaging client, do not make them save the password, if you can avoid typing the passwords at all, that will be better.

Once you got pass that you’ll need two packages (in Ubuntu and Kubuntu, exactly this, in Debian probably too, in others you’ll have to figure it out; actually, this applies to all the document so I won’t repeat it again): cryptsetup and libpam-mount. You can install them with a command like:

aptitude install cryptsetup libpam-mount

Partitioning

Create the partition that will be your home partition. Do it in whatever way you prefer, I’ve personally use cfdisk a lot, but you can also use fdisk or any other partitioning tool. After that to ensure that the partition table is written and read by Linux reboot. Avoiding rebooting might not cause any problem or it may cause weird problems with error messages that are hard to understand and that made me loose an hour or so. So, be safe and reboot.

The encryption we are going to use works like this. Linux puts a layer around a device and creates a new virtual device. Whatever is written to this new virtual device is written to the real device but encrypted. All this works at a very low level and it is called mapping. There are other kind of mappings (to perform other operations than encrypting… think for example as creating volumes of various partitions so they’d be seen as one).

To create the mapping run:

cryptsetup --verbose --verify-passphrase luksFormat /dev/hda3

replacing /dev/hda with your particular (real) device. In my case hda1 is root and hda2 is swap. One important piece of advice here would be putting random information on /dev/hda3 so it is harder to guess what’s in there. I haven’t done it because I was working over some other encrypted partition which was created over random data… enough randomness for me. If you are working in a new or blank this putting the random data might be important. Using your favorite search-engine you can find how to do it in 30 seconds.

A bit more about that command. cryptsetup is a program to create this encryption mappings. –verbose is because we like to see a lot of useless data and feel more geeky. –verify-passphrase is to be asked twice for the pass-phrase, so we don’t insert a wrong pass-phrase by accident. luksFormat is the action. luks is a new system that lets us have more than one password, change passwords, add passwords, etc to some encrypted device. Very handy.

A complete execution of that command will look like:

WARNING!
========
This will overwrite data on /dev/hda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
root@pulab:~#

The new partition

This new system, luks, also let us inspect what is in a luks-formatted partition. It works like this:

root@pulab:~# cryptsetup luksDump /dev/hda3
LUKS header information for /dev/hda3

Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 1032
MK bits: 128
MK digest: 65 d9 47 47 f0 74 5c ad ae 79 03 6c c9 11 4d 56 b2 11 78 90
MK salt: 19 d7 3b c6 04 2d ee e1 77 c0 4b f1 ac e1 3a 21
ce 02 10 9a c5 f7 5a b7 fd f5 d4 96 96 6d 79 0d
MK iterations: 10
UUID: bf5ca0c3-a68f-4544-8840-ba2p2af98918

Key Slot 0: ENABLED
Iterations: 70156
Salt: 08 e1 75 0e d1 1b 92 d1 f1 5f bd 50 9c ec a0 a2
b9 ea f8 da 1a 62 5d 4b 15 f3 4c a3 f3 49 12 83
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Lot’s of nice information, don’t you feel super-geek ? You can see there that you have 8 spaces for pass-phrases, you have 8 slots of which you are using one, the 0.

To be able to access the encrypted partition you have to open it… and to do it you’ll need a key of course (your pass-phrase). We’ll see the mappings on /dev/mapper/, which should be empty by now (except for a control file… I wouldn’t name a mapping control, just in case):

root@pulab:~# ls /dev/mapper/
control

Ok! Now open it:

root@pulab:~# cryptsetup luksOpen /dev/hda3 home
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

Great! We have opened it. The last parameter, “home”, is the name of the mapping. Let’s take a look at the mappings:

root@pulab:~# ls /dev/mapper/
control home

Good. This device file is like a partition itself. So, we’ll make a file-system in there in the same way you’d make it in hda3 (from now on, don’t do anything with hda3 except opening and other luks operations, your partition is /dev/mapper/home now). In my case I’ve picked reiserfs, but you can use whatever you want:

root@pulab:~# mkfs.reiserfs -l home /dev/mapper/home
.
lot's of geeky output
.
root@pulab:~#

and we are done. We can mount it:

root@pulab:~# mount /dev/mapper/home /media/

copy the current data (the home of a user and a couple of files):

root@pulab:~# cp -a /home/* /media/

un-mount it:

root@pulab:~# umount /media/

and close it:

cryptsetup luksClose home

Automagically mounting

There are various ways to open and mount the encrypted file-system but after trying many different ones, this is the best one from my point of view. I like that it is not intrusive: when you log in, your user password will be used to open the file-system and it’ll be mounted automatically. Of course then the password of your user should match the pass-phrase in some of the slots of the encrypted device.

You need to modify /etc/pam.d/common-auth adding, at the end:

@include common-pammount

And /etc/pam.d/common-session to add that same line:

@include common-pammount

In /etc/security/pam_mount.conf, around line 174 you have a list of “Linux encrypted home directory examples”, since what we are going to do is related to that it makes sense to put this line:

volume pupeno crypt - /dev/hda3 /home cipher=aes - -

there changing “pupeno” with your username and “/dev/hda3″ with your device. And that is the line that will make the magical mount happen.

Now just try it. It is very simple, log out, log in again and that’s it. You should have you newly super-encrypted home partition mounted. To check it out issue a mount command and among a huge amount of cryptic information you should see:

/dev/mapper/_dev_hda3 on /home type reiserfs (rw)

You can also list the files on /dev/mapper to find the _dev_hda3 mapping.

And that’s it, it wasn’t so hard, was it ?

More users, more passphrases

If there are more users add more lines to /etc/security/pam_mount.conf, I haven’t tested it but it should work. Also just add more passphrases to the device using cryptsetup in this way:

cryptsetup luksAddKey /dev/hda3

It’ll ask you for a current pass-phrase as well. This is also useful if you are changing pass-phrases, while you work on remembering the new one, don’t delete the old one, so if you forget the new one you should still be able to access your information with the old one. After you are confident of the new one, you can delete the old one with:

cryptsetup luksDelKey /dev/hda3 0

where “0″ is the slot where you have your old pass-phrase (hint: use luksDump). And here I want to remind you that if you lost the password you won’t be able to access the information. There’s no password recovery here: it is gone, forever, as scrambled, processed and destroyed as the dinner of Tuesday of the last week. Be very careful and always make backups.

Comments in the original blog

1. michuk Says:
   Two more articles describing the same:
   * http://polishlinux.org/howtos/truecrypt-howto/
   * http://polishlinux.org/howtos/encrypted-home-partition-in-linux/

June 11th, 2007 at 5:47 e