This post describes how to encrypt the home directories of your users on GNU/Linux with the help of TrueCrypt and PAM, using the login password as the encryption key.
I wrote about Automatic encryption of home directories using TrueCrypt before. This time we'll use TrueCrypt 6.0a, which differs a bit from the 4.3a used last time, and Ubuntu 8.04 Hardy Heron instead of Debian Etch. For convenience this post is self-contained (i.e. I copy the parts that are unchanged from the old one).
Update: there is a more current version of this post dealing with TrueCrypt 6.2 and Ubuntu 9.04: Automatic encryption of home directories using TrueCrypt 6.2 and pam_exec.
Using the method described below is no silver bullet and has some issues:
- The encryption key is only as strong as the user's login password, which may be weak.
- If your computer gets stolen while turned on, the password may be easier to recover than you might think (see here).
- Changing the password requires logging in as root, because the login password and the volume password have to be changed together.
- Some programs (e.g. qmail) rely on a home directory that is accessible even while the user is not logged in.
- The home may stay mounted after logout until the next reboot.
Prerequisites
- GNU Linux (Ubuntu 8.04 Hardy Heron)
- TrueCrypt (I used 6.0a)
- pam_mount.so (for Ubuntu install the package libpam-mount)
Setup
We will create one container file per user to hold that user's encrypted home directory. To keep them we create a directory owned by root (the container files only need to be readable by root, since pam_mount mounts them from the PAM stack; anyone who can copy a container can brute-force its password offline):
mkdir /home/private
For each user we have to create an encrypted container file in /home/private. We start with the user bart (if you leave out `--text` you get the graphical user interface instead of the prompts below). We choose "None" as filesystem because TrueCrypt would only offer FAT; we format the volume with ext2 ourselves afterwards. Answering "y" to the short-password warning is exactly the first weakness listed above:
```
root@mybox:~# truecrypt --text --create /home/private/bart.tc
Volume type:
 1) Normal
 2) Hidden
Select [1]: 1
Enter volume size (bytes - size/sizeK/sizeM/sizeG): 1G
Encryption algorithm:
 1) AES
 2) Serpent
 3) Twofish
 4) AES-Twofish
 5) AES-Twofish-Serpent
 6) Serpent-AES
 7) Serpent-Twofish-AES
 8) Twofish-Serpent
Select [1]: 1
Hash algorithm:
 1) RIPEMD-160
 2) SHA-512
 3) Whirlpool
Select [1]: 1
Filesystem:
 1) FAT
 2) None
Select [1]: 2
Enter password: *************
WARNING: Short passwords are easy to crack using brute force techniques!
We recommend choosing a password consisting of more than 20 characters.
Are you sure you want to use a short password? (y=Yes/n=No) [No]: y
Re-enter password: *************
Enter keyfile path [none]:
Please type at least 320 randomly chosen characters and then press Enter:
dsglregmm;adsf;dsafdsasasadfdsafdsagfdsadsafdsafdsafadsfdsahfarweqasddsaglfdsakg;lrewqk;lggkqqqqqewrgsadgdsag....
Done: 100.000%  Speed: 18.0 MB/s  Left: 0 s
The TrueCrypt volume has been successfully created.
```
Then we assign the same password as the login password to bart:
```
root@mybox:~# passwd bart
Enter new UNIX password:
Retype new UNIX password:
```
Next, we need to map the volume, format it and move the old home directory into it. Note that `mv` only unlinks the old files; their plaintext blocks stay on disk until overwritten, so wipe them if that matters to you:
```
root@mybox:~# truecrypt --text --filesystem=none /home/private/bart.tc
Enter password for /home/private/bart.tc: *************
Enter keyfile [none]:
Protect hidden volume? (y=Yes/n=No) [No]:
root@mybox:~# truecrypt --text -l
1: /home/private/bart.tc /dev/mapper/truecrypt1 -
root@mybox:~# mkfs.ext2 /dev/mapper/truecrypt1
root@mybox:~# mount /dev/mapper/truecrypt1 /mnt/
root@mybox:~# shopt -s dotglob   # make dotfiles visible to the glob below
root@mybox:~# mv /home/bart/* /mnt/
root@mybox:~# chown bart:users /mnt/   # use bart's primary group ("bart" on a default Ubuntu install)
root@mybox:~# umount /mnt
root@mybox:~# truecrypt -d /dev/mapper/truecrypt1
```
The now empty /home/bart stays in place as the mount point.
Now we have to configure pam_mount.
In ‘/etc/security/pam_mount.conf.xml’ edit the line
<truecryptmount>truecrypt %(VOLUME) %(MNTPT)</truecryptmount>
into
<truecryptmount>truecrypt-nl --text --protect-hidden=no --keyfiles="" %(VOLUME) %(MNTPT)</truecryptmount>
and add the line (pam_mount substitutes the name of the user who is logging in for %(USER), so one entry serves all users):
<volume fstype="truecrypt" path="/home/private/%(USER).tc" mountpoint="/home/%(USER)/" />
Note that we use truecrypt-nl instead of truecrypt. This is a shell script that we have to put into '/usr/bin/' and make executable:
```
#!/bin/sh
# This is /usr/bin/truecrypt-nl: append a newline to the password that
# pam_mount pipes in on stdin, then hand everything to the real truecrypt.
(cat; echo) | truecrypt "$@"
```
It works around a bug in either libpam-mount (version 0.32-4) or truecrypt: libpam-mount sends the password to truecrypt on stdin without a trailing newline, so truecrypt never sees a complete line and does not recognize the password. The script simply appends the newline, and then things work fine.
To the file '/etc/pam.d/common-auth' we add the line:
auth optional pam_mount.so try_first_pass
after the pam_unix.so line, so that try_first_pass can reuse the password pam_unix has already collected instead of prompting again. The file then looks like:
```
# /etc/pam.d/common-auth
auth requisite pam_unix.so nullok_secure
auth optional pam_smbpass.so migrate missingok
auth optional pam_mount.so try_first_pass
```
and to '/etc/pam.d/common-session' we add the line
session optional pam_mount.so
so it looks like
```
# /etc/pam.d/common-session
session required pam_unix.so
session optional pam_mount.so
```
Now bart can log in and gets his encrypted home mounted on /home/bart. Since both pam_mount lines are "optional", a failed mount (wrong wrapper path, missing container, wrong password in the container) does not deny the login; bart then simply lands in the empty mount point. So verify after the first login, e.g. with `truecrypt --text -l`, that the volume really is mounted.
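As a check a practitioner would want after completing the steps above, here is a small shell script that verifies the pieces fit together for one user: the container exists and is readable only by root, the mount point exists, the truecrypt-nl wrapper is in place and executable, pam_mount.conf.xml calls the wrapper and maps /home/private/%(USER).tc, and pam_mount.so sits in common-auth after pam_unix.so (so try_first_pass can reuse the password) and in common-session. This is an added example, not part of the original post nor of pam_mount or TrueCrypt; the script name, the ROOT variable (which points the checks at a staging tree instead of the live system) and the message texts are my own.

```shell
#!/bin/sh
# check_home_crypt.sh -- sanity-check the TrueCrypt + pam_mount home setup
# for one user. Added example, not from the original post. Run as root:
#   sh check_home_crypt.sh bart
# ROOT (hypothetical, for testing) prefixes every path so the checks can be
# run against a staging tree; leave it unset for the live system.
ROOT="${ROOT:-}"

check_user_setup() {
    user="$1"
    rc=0
    vol="$ROOT/home/private/$user.tc"
    conf="$ROOT/etc/security/pam_mount.conf.xml"
    auth="$ROOT/etc/pam.d/common-auth"
    sess="$ROOT/etc/pam.d/common-session"

    # 1. The container must exist. Anyone who can read it can mount a copy
    #    and brute-force the password offline, so group/other bits must be clear.
    if [ ! -f "$vol" ]; then
        echo "MISSING: $vol"; rc=1
    elif [ "$(ls -ld "$vol" | cut -c5-10)" != "------" ]; then
        echo "WEAK PERMS: $vol is readable by group/other (want mode 600)"; rc=1
    fi

    # 2. The mount point is the (now empty) old home directory.
    if [ ! -d "$ROOT/home/$user" ]; then
        echo "MISSING: mount point /home/$user"; rc=1
    fi

    # 3. pam_mount calls the newline wrapper, so it must exist and be executable.
    if [ ! -x "$ROOT/usr/bin/truecrypt-nl" ]; then
        echo "MISSING: /usr/bin/truecrypt-nl (or not executable)"; rc=1
    fi

    # 4. pam_mount.conf.xml must use the wrapper and map /home/private/%(USER).tc.
    if ! grep -q '<truecryptmount>truecrypt-nl ' "$conf" 2>/dev/null; then
        echo "CONF: <truecryptmount> in $conf does not call truecrypt-nl"; rc=1
    fi
    if ! grep -q 'path="/home/private/%(USER).tc"' "$conf" 2>/dev/null; then
        echo "CONF: no <volume> entry for /home/private/%(USER).tc in $conf"; rc=1
    fi

    # 5. pam_mount.so must be in the auth stack *after* pam_unix.so: with
    #    try_first_pass it reuses the password pam_unix collected; placed
    #    before pam_unix it would have to prompt a second time.
    if ! awk '/^auth/ && /pam_unix\.so/  {u=NR}
              /^auth/ && /pam_mount\.so/ {m=NR}
              END {exit !(u && m && u < m)}' "$auth" 2>/dev/null; then
        echo "PAM: pam_mount.so must follow pam_unix.so in $auth"; rc=1
    fi

    # 6. The session stack does the actual mount.
    if ! grep -q '^session.*pam_mount\.so' "$sess" 2>/dev/null; then
        echo "PAM: pam_mount.so missing from $sess"; rc=1
    fi

    [ $rc -eq 0 ] && echo "OK: encrypted home setup for $user looks consistent"
    return $rc
}

if [ $# -gt 0 ]; then
    check_user_setup "$1"
    exit $?
fi
```

The script exits non-zero and prints one line per problem, so it can be run from a cron job or right after creating a new user's container; it deliberately does not try to mount anything, so it is safe to run while users are logged in.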
Bibliography
- Homepage of pam_mount
- A good description of PAM (in German)
- A similar howto for LUKS and Gentoo