There are several reasons for having an encrypted home partition. Usually everyone should have one, if only because disks do go bad, and when you replace a failed disk you don’t want to leave private data behind on it.

With that in mind, there are several options, depending on your operating system and security requirements. In this howto I’ll be concentrating on pam_mount with a LUKS-encrypted partition, so it is probably limited to Linux: PAM works on many Unix systems, but LUKS may not be available.

But before beginning, you have to choose between security and speed. By that, I mean choosing an encryption algorithm and a chaining mode. For the most security, I recommend aes-xts-plain, with essiv:sha256 for IV calculation. For speed, though, on my netbook I use blowfish-ecb-plain. Blowfish is slightly faster than AES and not much less secure, but the ECB chaining mode, while the fastest, is a very insecure method. So choose wisely. Personally, my data isn’t that important, and if cryptanalysts are interested in it, there are better methods of getting the data: http://xkcd.com/538/

Now that you have chosen the algorithm, it’s time to encrypt your swap partition. That’s right, never forget the swap partition, where sensitive data may be swapped out to:

echo 'swap /dev/sdaX /dev/urandom swap,cipher=blowfish-ecb-plain' >> /etc/crypttab
echo '/dev/mapper/swap    swap    swap    defaults    0 0' >> /etc/fstab

Correct the swap device name and replace the existing swap entry in /etc/fstab, then reboot.

Make a backup of your current home folder, or start from a clean state. Choose the partition you want your home to reside on, and format it as a LUKS device. First, however, you should zero the first few megabytes, so that the detection code doesn’t mistake it for another filesystem:

dd if=/dev/zero of=/dev/sdaY bs=16M count=1

Take care to erase the correct device! And if it contained sensitive data, remove the count=1 and let it zero the full partition. Next, format it as LUKS. I’ll be using the less secure algorithm. When asked for a passphrase, enter your user’s login password; pam_mount will pass that same password on to unlock the volume at login.

cryptsetup luksFormat /dev/sdaY --cipher blowfish-ecb-plain --key-size 128
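Since the zeroing and luksFormat steps above are irreversible, here is a small guard script that refuses to run them on a device that is currently mounted, in use as swap, or listed in fstab. It is an added example, not part of the original post. The MOUNTS, SWAPS and FSTAB variables are my own convention so the checks can be pointed at copies of the system files; by default they read the live ones.

```shell
#!/bin/sh
# Added example: guard the destructive dd + luksFormat steps.
# MOUNTS/SWAPS/FSTAB (assumed names) default to the live system files.
: "${MOUNTS:=/proc/mounts}" "${SWAPS:=/proc/swaps}" "${FSTAB:=/etc/fstab}"

# device_in_use DEV -> returns 0 if DEV is mounted, an active swap, or in fstab
device_in_use() {
    dev="$1"
    # mounted filesystem? (first column of /proc/mounts is the device)
    awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }' "$MOUNTS" && return 0
    # active swap? (skip the header line of /proc/swaps)
    awk -v d="$dev" 'NR > 1 && $1 == d { found = 1 } END { exit !found }' "$SWAPS" && return 0
    # referenced in fstab? (ignore comments and blank lines)
    awk -v d="$dev" '!/^[[:space:]]*(#|$)/ && $1 == d { found = 1 } END { exit !found }' "$FSTAB" && return 0
    return 1
}

# wipe_and_format DEV CIPHER KEYSIZE -> zero the start of DEV and luksFormat it,
# exactly as in the howto, but only after device_in_use says it is free
wipe_and_format() {
    dev="$1"; cipher="$2"; keysize="$3"
    if device_in_use "$dev"; then
        echo "refusing: $dev is mounted, swapped on, or listed in $FSTAB" >&2
        return 1
    fi
    dd if=/dev/zero of="$dev" bs=16M count=1 &&
    cryptsetup luksFormat "$dev" --cipher "$cipher" --key-size "$keysize"
}

# Usage (as root): wipe_and_format /dev/sdaY blowfish-ecb-plain 128
```

The check compares the device name literally, so pass the same spelling that appears in /proc/mounts and /etc/fstab (a symlink such as /dev/disk/by-uuid/… would not be caught).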

OK, you now have a device formatted for encryption. Next step: activate it, and format a real filesystem on top:

cryptsetup luksOpen /dev/sdaY enc

This will create the device: /dev/mapper/enc

For filesystem, choose what you will. I use ext4:

mkfs.ext4 /dev/mapper/enc

Then mount it, and restore your original data. Or start from scratch:

mount /dev/mapper/enc /mnt
cp -a /etc/skel/.[[:alnum:]]* /mnt/
chown -R user: /mnt

Your home is ready! Unmount it; from now on the job of mounting and unmounting will be done by pam_mount:

umount /mnt
cryptsetup luksClose enc

The preliminaries are done. You have your home on an encrypted device. Now, to configure pam_mount to mount and unmount it automatically.

Make sure you have pam_mount installed on your system. The package is called pam_mount in Fedora and libpam-mount in Debian/Ubuntu. The configuration file is /etc/security/pam_mount.conf.xml; read it, and disable any restriction that gets in your way. Add a line for your user:

<volume user="luciano" path="/dev/sdaY" mountpoint="~" options="" />

Note the empty options attribute; otherwise some default options may get in your way. Try it either way. If you didn’t zero the device and it gets detected as something other than a LUKS device, add fstype="crypt_LUKS" to the line. You can see what it is detected as with:

# blkid /dev/sdaY
/dev/sdaY: UUID=".." SEC_TYPE="ext2" TYPE="ext3"

If it doesn’t say LUKS, then you must add the fstype definition.

pam_mount is now set up. Next, configure PAM to use it. There are some particularities for pam_mount, especially because GDM may try to start daemons as your user before your home is mounted. Create a configuration file that will be included by other PAM-aware services, defining pam_mount:

echo '
auth	optional	pam_mount.so
session	optional	pam_mount.so
' >> /etc/pam.d/system-mount

Now, depending on your current PAM configuration, you may get away with doing the following steps only in /etc/pam.d/system-auth or another generic file included by the services’ definitions. That was not the case for me on Fedora 11, and do make sure all services include the generic file first.
In my case, I changed these files:

  • /etc/pam.d/sshd
  • /etc/pam.d/login
  • /etc/pam.d/gdm-password

Now, add the following line as the first auth entry, or immediately after the SELinux permit or close entry (pam_sepermit.so / pam_selinux.so) if the service has one:

auth        include       system-mount

Also add the session line, again placed after the SELinux entry if there is one:

session     include       system-mount

Now try logging in as the user on a console, or via ssh. You should see the password prompt as: pam_mount password:
If it works, then try a graphical login. Console is easier; a graphical login may get dbus or keyring programs running before pam_mount is run, but having the system-mount lines as the first ones prevents that.
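Because the ordering of the system-mount lines is what keeps dbus and keyring daemons from starting before the home is mounted, it is worth checking it mechanically after editing several files. The script below is an added example, not part of the original post: for each PAM service file it verifies that "include system-mount" is the first auth entry and the first session entry, allowing only SELinux entries (pam_sepermit.so or pam_selinux.so, my assumption for what the "permit or close" lines look like on Fedora) ahead of it.

```shell
#!/bin/sh
# Added example: verify the system-mount include is first in each PAM service file.

# pam_order_ok FILE TYPE   (TYPE is "auth" or "session")
# returns 0 if the first TYPE entry, ignoring SELinux entries, is "include system-mount"
pam_order_ok() {
    awk -v type="$2" '
        /^[[:space:]]*(#|$)/ { next }                # skip comments and blank lines
        $1 != type           { next }                # other entry types are irrelevant
        $2 == "include" && $3 == "system-mount" { found = 1; exit }
        /pam_se(linux|permit)\.so/ { next }          # SELinux lines may come first
        { exit }                                     # any other entry comes first: wrong order
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_services FILE... -> 0 if every file passes for both auth and session,
# otherwise reports each offending file/type on stderr and returns 1
check_services() {
    status=0
    for f in "$@"; do
        for t in auth session; do
            if ! pam_order_ok "$f" "$t"; then
                echo "$f: $t include system-mount is missing or not first" >&2
                status=1
            fi
        done
    done
    return $status
}

# Usage, with the files changed in the howto:
#   check_services /etc/pam.d/sshd /etc/pam.d/login /etc/pam.d/gdm-password
```

The check is deliberately strict: a file in which system-mount is included only via a generic file such as system-auth is reported as wrong, which is exactly the situation that bit the Fedora 11 setup above.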