Encrypted home in Ubuntu (or Kubuntu… or Debian…)

The explanations you’ll find here have been tested with Ubuntu 6.10 (Edgy Eft) and Kubuntu 6.10 (Edgy Eft), they should work without any problem in other members of the Ubuntu family and with minimal changes in other Debian-based distributions like Debian itself or Mepis. In other distributions it might require even more changes.

Motivation

As we put more and more personal information on our computers or computers become lighter, small, more mobile. In other words, the importance of the information gets higher and the possibility of being loosed or stolen gets higher as well.

I think that if anyone gets a-hold of the information in my notebook (s)he’d be able to impersonate me and make my life a mess. That’s why I like keeping all my information encrypted. That is, I have a separate partition for /home and it is encrypted.

The level of security is not high and if you are a real paranoid you should be reading some other tutorials. I am using just a pass-phrase for the encryption so I am susceptible to dictionary attacks, my swap is not encrypted, so some personal information would be available there. But that’s Ok. I am not trying to protect from the people with enough sophistication to perform the needed operations to retrieve that information. And if the thing becomes really nasty I bet people can find other ways to access my information. My goal is to protect from the regular thieve or from loosing it… so I will mourn for some dollars being lost but I will sleep well at night.

Disclaimer: the information will be encrypted, you’ll be able to access it with a key: a pass-phrase. If you loose it, you won’t be able to access than information again, so, be careful.

Installation

You should install the operating system as you always do with a little detail: create the root partition, the swap partition but not the home partition. Leave some space for the home partition, we’ll create it latter.

After you did that you should be booting into a fresh system. Be sure not to store any sensitive information now, because it’ll be open to attacks. Some thinks to take care, if you use a browser or some instant messaging client, do not make them save the password, if you can avoid typing the passwords at all, that will be better.

Once you got pass that you’ll need two packages (in Ubuntu and Kubuntu, exactly this, in Debian probably too, in others you’ll have to figure it out; actually, this applies to all the document so I won’t repeat it again): cryptsetup and libpam-mount. You can install them with a command like:

aptitude install cryptsetup libpam-mount

Partitioning

Create the partition that will be your home partition. Do it in whatever way you prefer, I’ve personally use cfdisk a lot, but you can also use fdisk or any other partitioning tool. After that to ensure that the partition table is written and read by Linux reboot. Avoiding rebooting might not cause any problem or it may cause weird problems with error messages that are hard to understand and that made me loose an hour or so. So, be safe and reboot.

The encryption we are going to use works like this. Linux puts a layer around a device and creates a new virtual device. Whatever is written to this new virtual device is written to the real device but encrypted. All this works at a very low level and it is called mapping. There are other kind of mappings (to perform other operations than encrypting… think for example as creating volumes of various partitions so they’d be seen as one).

To create the mapping run:

cryptsetup --verbose --verify-passphrase luksFormat /dev/hda3

replacing /dev/hda with your particular (real) device. In my case hda1 is root and hda2 is swap. One important piece of advice here would be putting random information on /dev/hda3 so it is harder to guess what’s in there. I haven’t done it because I was working over some other encrypted partition which was created over random data… enough randomness for me. If you are working in a new or blank this putting the random data might be important. Using your favorite search-engine you can find how to do it in 30 seconds.

A bit more about that command. cryptsetup is a program to create this encryption mappings. –verbose is because we like to see a lot of useless data and feel more geeky. –verify-passphrase is to be asked twice for the pass-phrase, so we don’t insert a wrong pass-phrase by accident. luksFormat is the action. luks is a new system that lets us have more than one password, change passwords, add passwords, etc to some encrypted device. Very handy.

A complete execution of that command will look like:

WARNING!
========
This will overwrite data on /dev/hda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
root@pulab:~#

The new partition

This new system, luks, also let us inspect what is in a luks-formatted partition. It works like this:

root@pulab:~# cryptsetup luksDump /dev/hda3
LUKS header information for /dev/hda3

Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 1032
MK bits: 128
MK digest: 65 d9 47 47 f0 74 5c ad ae 79 03 6c c9 11 4d 56 b2 11 78 90
MK salt: 19 d7 3b c6 04 2d ee e1 77 c0 4b f1 ac e1 3a 21
ce 02 10 9a c5 f7 5a b7 fd f5 d4 96 96 6d 79 0d
MK iterations: 10
UUID: bf5ca0c3-a68f-4544-8840-ba2p2af98918

Key Slot 0: ENABLED
Iterations: 70156
Salt: 08 e1 75 0e d1 1b 92 d1 f1 5f bd 50 9c ec a0 a2
b9 ea f8 da 1a 62 5d 4b 15 f3 4c a3 f3 49 12 83
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Lot’s of nice information, don’t you feel super-geek ? You can see there that you have 8 spaces for pass-phrases, you have 8 slots of which you are using one, the 0.

To be able to access the encrypted partition you have to open it… and to do it you’ll need a key of course (your pass-phrase). We’ll see the mappings on /dev/mapper/, which should be empty by now (except for a control file… I wouldn’t name a mapping control, just in case):

root@pulab:~# ls /dev/mapper/
control

Ok! Now open it:

root@pulab:~# cryptsetup luksOpen /dev/hda3 home
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

Great! We have opened it. The last parameter, “home”, is the name of the mapping. Let’s take a look at the mappings:

root@pulab:~# ls /dev/mapper/
control home

Good. This device file is like a partition itself. So, we’ll make a file-system in there in the same way you’d make it in hda3 (from now on, don’t do anything with hda3 except opening and other luks operations, your partition is /dev/mapper/home now). In my case I’ve picked reiserfs, but you can use whatever you want:

root@pulab:~# mkfs.reiserfs -l home /dev/mapper/home
.
lot's of geeky output
.
root@pulab:~#

and we are done. We can mount it:

root@pulab:~# mount /dev/mapper/home /media/

copy the current data (the home of a user and a couple of files):

root@pulab:~# cp -a /home/* /media/

un-mount it:

root@pulab:~# umount /media/

and close it:

cryptsetup luksClose home

Automagically mounting

There are various ways to open and mount the encrypted file-system but after trying many different ones, this is the best one from my point of view. I like that it is not intrusive: when you log in, your user password will be used to open the file-system and it’ll be mounted automatically. Of course then the password of your user should match the pass-phrase in some of the slots of the encrypted device.

You need to modify /etc/pam.d/common-auth adding, at the end:

@include common-pammount

And /etc/pam.d/common-session to add that same line:

@include common-pammount

In /etc/security/pam_mount.conf, around line 174 you have a list of “Linux encrypted home directory examples”, since what we are going to do is related to that it makes sense to put this line:

volume pupeno crypt - /dev/hda3 /home cipher=aes - -

there changing “pupeno” with your username and “/dev/hda3” with your device. And that is the line that will make the magical mount happen.

Now just try it. It is very simple, log out, log in again and that’s it. You should have you newly super-encrypted home partition mounted. To check it out issue a mount command and among a huge amount of cryptic information you should see:

/dev/mapper/_dev_hda3 on /home type reiserfs (rw)

You can also list the files on /dev/mapper to find the _dev_hda3 mapping.

And that’s it, it wasn’t so hard, was it ?

More users, more passphrases

If there are more users add more lines to /etc/security/pam_mount.conf, I haven’t tested it but it should work. Also just add more passphrases to the device using cryptsetup in this way:

cryptsetup luksAddKey /dev/hda3

It’ll ask you for a current pass-phrase as well. This is also useful if you are changing pass-phrases, while you work on remembering the new one, don’t delete the old one, so if you forget the new one you should still be able to access your information with the old one. After you are confident of the new one, you can delete the old one with:

cryptsetup luksDelKey /dev/hda3 0

where “0” is the slot where you have your old pass-phrase (hint: use luksDump). And here I want to remind you that if you lost the password you won’t be able to access the information. There’s no password recovery here: it is gone, forever, as scrambled, processed and destroyed as the dinner of Tuesday of the last week. Be very careful and always make backups.

Comments in the original blog

  1. michuk Says:
    Two more articles describing the same:
    * http://polishlinux.org/howtos/truecrypt-howto/
    * http://polishlinux.org/howtos/encrypted-home-partition-in-linux/

June 11th, 2007 at 5:47 e

  • Andrew Says:

    In Ubuntu 8.04, instead of editing /etc/security/pam_mount.conf you need to edit /etc/security/pam_mount.conf.xml and add something like

    Make sure to add the line to /etc/crypttab:
    cryptohome /dev/devicename noauto luks

    You wrote:
    And /etc/pam.d/common-session to add that same line:

    48c77b0112e4613

    this number should be
    @include common-pammount

    as written above.

    September 10th, 2008 at 8:50 e

    Document Actions
  • Advertisements

    Leave a Reply

    Fill in your details below or click an icon to log in:

    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out / Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out / Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out / Change )

    Google+ photo

    You are commenting using your Google+ account. Log Out / Change )

    Connecting to %s