Automatic encryption of home directories using TrueCrypt

Having your private data on a laptop is dangerous, since it might be stolen. The only way to protect your data is to encrypt it. This post describes how to encrypt the home directory of your users on GNU Linux with the help of TrueCrypt and PAM. For convenience, the login password is used as the encryption key.

Update: There is a more current version of this post dealing with TrueCrypt 6.2 and Ubuntu 9.04: Automatic encryption of home directories using TrueCrypt 6.2 and pam_exec.

Using the method described below is no silver bullet and has some issues:

  • Your user passwords may be weak.
  • If your computer gets stolen while turned on, the password may be easier to recover than you might think (see here).
  • Changing the password requires logging in as root.
  • Some programs (e.g. qmail) rely on an accessible home directory.
  • The home stays mounted after logout until the next reboot.

Prerequisites

  • GNU Linux (I used Debian etch)
  • TrueCrypt (I used 4.3a)
  • pam_mount.so (for Debian install the package libpam-mount)

Setup

We will create one file for each user to hold his encrypted home directory. To keep them we create a directory:

mkdir /home/private

And now for each user we have to create an encrypted file in /home/private. We start with the user bart:

root@mybox:~# truecrypt --create /home/private/bart.tc
Volume type:
1) Normal
2) Hidden
Select [1]: 1

Filesystem:
1) FAT
2) None
Select [1]: 2

Enter volume size (bytes - size/sizeK/sizeM/sizeG): 1G

Hash algorithm:
1) RIPEMD-160
2) SHA-1
3) Whirlpool
Select [1]: 1

Encryption algorithm:
1) AES
2) Blowfish
3) CAST5
4) Serpent
5) Triple DES
6) Twofish
7) AES-Twofish
8) AES-Twofish-Serpent
9) Serpent-AES
10) Serpent-Twofish-AES
11) Twofish-Serpent
Select [1]: 1

Then we assign the same password as the login password to bart:

root@mybox:~# passwd bart
Enter new UNIX password:
Retype new UNIX password:

Next, we need to format the encrypted partition and move the old home directory into it:

root@mybox:~# truecrypt --device-number 1 /home/private/bart.tc
Enter password for '/home/private/bart.tc':
root@mybox:~# mkfs.ext2 /dev/mapper/truecrypt1
root@mybox:~# mount /dev/mapper/truecrypt1 /mnt/
root@mybox:~# shopt -s dotglob #make dotfiles visible
root@mybox:~# mv /home/bart/* /mnt/
root@mybox:~# chown bart.users /mnt/
root@mybox:~# umount /mnt
root@mybox:~# truecrypt -d /dev/mapper/truecrypt1

Now we have to configure pam_mount. In '/etc/security/pam_mount.conf.xml' we add the line:

<volume fstype="truecrypt" path="/home/private/%(USER).tc" mountpoint="/home/%(USER)/" />

And to the file '/etc/pam.d/common-auth' we add the line:

auth    optional        pam_mount.so try_first_pass

so it looks like

# /etc/pam.d/common-auth
auth    required        pam_unix.so nullok_secure
auth    optional        pam_mount.so try_first_pass

and to '/etc/pam.d/common-session' we add the line

session optional        pam_mount.so

so it looks like

# /etc/pam.d/common-session
session required        pam_unix.so
session optional        pam_mount.so

Now bart can log in and use the encrypted home.
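Before letting users log in, it is worth verifying that the three edits above really are in place and in the right order: pam_mount.so must come after pam_unix.so in common-auth, otherwise try_first_pass has no password to reuse and the home will silently not mount. The script below is an added example, not code from the original post or from the pam_mount project. It assumes the file locations used above, builds a constructed sample tree so the checks can be exercised offline, and adds one hardening check the post does not state (the container file should not be readable by other local users); the 600-mode expectation and the GNU `stat -c` call are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the
# pam_mount + TrueCrypt home-directory setup described above.

# Check one PAM service file: a pam_unix.so entry of the given type must
# exist, a pam_mount.so entry must follow it, and the pam_mount.so line
# must contain OPTION if one is given.
# Usage: check_pam_file FILE TYPE OPTION   -> 0 on success, 1 otherwise
check_pam_file() {
    pamfile=$1; svc=$2; opt=$3
    [ -r "$pamfile" ] || { echo "missing: $pamfile"; return 1; }
    unix_line=$(grep -n "^$svc[[:space:]].*pam_unix\.so" "$pamfile" | head -n1 | cut -d: -f1)
    mount_line=$(grep -n "^$svc[[:space:]].*pam_mount\.so" "$pamfile" | head -n1 | cut -d: -f1)
    [ -n "$unix_line" ] || { echo "$pamfile: no $svc pam_unix.so entry"; return 1; }
    [ -n "$mount_line" ] || { echo "$pamfile: no $svc pam_mount.so entry"; return 1; }
    [ "$mount_line" -gt "$unix_line" ] || { echo "$pamfile: pam_mount.so must follow pam_unix.so"; return 1; }
    if [ -n "$opt" ]; then
        sed -n "${mount_line}p" "$pamfile" | grep -q "$opt" \
            || { echo "$pamfile: pam_mount.so line lacks $opt"; return 1; }
    fi
    return 0
}

# Check that pam_mount.conf.xml carries the per-user truecrypt volume line
# exactly as the post specifies (path and mountpoint built from %(USER)).
check_volume_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "missing: $conf"; return 1; }
    grep -q '<volume[^>]*fstype="truecrypt"[^>]*path="/home/private/%(USER)\.tc"[^>]*mountpoint="/home/%(USER)/"' "$conf" \
        || { echo "$conf: no truecrypt volume entry for %(USER)"; return 1; }
}

# Check that the user's container exists and, as an assumed hardening step
# not stated in the post, that group/others cannot read it (a readable
# container can be copied by other local users for offline password
# guessing). stat -c is GNU coreutils.
check_container() {
    ctr=$1
    [ -f "$ctr" ] || { echo "missing container: $ctr"; return 1; }
    mode=$(stat -c %a "$ctr")
    case "$mode" in
        *00) return 0 ;;
        *) echo "$ctr: mode $mode is readable by group/others (expect 600)"; return 1 ;;
    esac
}

# Run every check for one user. PREFIX (2nd arg, default "") lets the checks
# be pointed at a staging tree instead of the real root filesystem.
check_setup() {
    user=$1; prefix=${2:-}
    rc=0
    check_pam_file "$prefix/etc/pam.d/common-auth" auth try_first_pass || rc=1
    check_pam_file "$prefix/etc/pam.d/common-session" session "" || rc=1
    check_volume_conf "$prefix/etc/security/pam_mount.conf.xml" || rc=1
    check_container "$prefix/home/private/$user.tc" || rc=1
    return $rc
}

# Constructed sample tree mirroring the files the post edits (sample data,
# not taken from a real system), used to exercise the checks offline.
# The .tc file is an empty stand-in for a real TrueCrypt container.
make_sample_tree() {
    d=$1
    mkdir -p "$d/etc/pam.d" "$d/etc/security" "$d/home/private"
    printf '# /etc/pam.d/common-auth\nauth\trequired\tpam_unix.so nullok_secure\nauth\toptional\tpam_mount.so try_first_pass\n' \
        > "$d/etc/pam.d/common-auth"
    printf '# /etc/pam.d/common-session\nsession\trequired\tpam_unix.so\nsession\toptional\tpam_mount.so\n' \
        > "$d/etc/pam.d/common-session"
    printf '<pam_mount>\n<volume fstype="truecrypt" path="/home/private/%%(USER).tc" mountpoint="/home/%%(USER)/" />\n</pam_mount>\n' \
        > "$d/etc/security/pam_mount.conf.xml"
    : > "$d/home/private/bart.tc"
    chmod 600 "$d/home/private/bart.tc"
}

# Usage on a real box (as root): sh thisscript.sh --check bart
if [ "${1:-}" = "--check" ]; then
    check_setup "${2:-bart}" && echo "pam_mount setup for ${2:-bart} looks complete"
fi
```

Run it with `--check bart` on the machine itself; every failed check prints the offending file and the reason, so a missing try_first_pass or a swapped line order is spotted before the first login rather than after a confusing unmounted home.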
