Automatic encryption of home directories using TrueCrypt 6.0a

This post describes how to encrypt the home directory of your users on GNU Linux with the help of TrueCrypt and PAM using the login-password as encryption key.
I wrote about Automatic encryption of home directories using TrueCrypt before. This time we'll use TrueCrypt 6.0a which is a bit different from 4.3a used last time. Futhermore we'll use Ubuntu 8.04 Hardy Heron instead of Debian Etch. For convenience this post will be selfcontained (ie. I copy redundant parts from the old one).

Update: There is a more current version of this post dealing with TrueCrypt 6.2 and Ubuntu 9.04:Automatic encryption of home directories using TrueCrypt 6.2 and pam_exec.

Using the method described below is no silver bullet and has some issues:

  • Your user passwords may be weak.
  • If your computer gets stolen while turned on, the passwort may be easier to recover than you might think (see here).
  • Changing the password requires to log in as root.
  • Some programs (e.g. qmail) rely on an accessible home directory.
  • The home may stay mounted after logout until the next reboot.



We will create one file for each user to hold his encrypted home directory. To keep them we create a directory:

mkdir /home/private

For each user we have to create an encrypted file in /home/private. We start with the user bart (if you leave out the --text you'll get a graphical user interface).

root@mybox:~# truecrypt --create /home/private/
Volume type:
1) Normal
2) Hidden
Select [1]: 1

Enter volume size (bytes - size/sizeK/sizeM/sizeG): 1G

Encryption algorithm:
 1) AES
 2) Serpent
 3) Twofish
 4) AES-Twofish
 5) AES-Twofish-Serpent
 6) Serpent-AES
 7) Serpent-Twofish-AES
 8 ) Twofish-Serpent
Select [1]: 1

Hash algorithm:
 1) RIPEMD-160
 2) SHA-512
 3) Whirlpool
Select [1]: 1

 1) FAT
 2) None
Select [1]: 2

Enter password: *************
WARNING: Short passwords are easy to crack using brute force techniques!

We recommend choosing a password consisting of more than 20 characters. Are you sure you want to use a short password? (y=Yes/n=No) [No]: y

Re-enter password:*************

Enter keyfile path [none]:

Please type at least 320 randomly chosen characters and then press Enter:

Done: 100.000%  Speed: 18.0 MB/s  Left: 0 s

The TrueCrypt volume has been successfully created.

Then we assign the same password as the login password to bart:

root@mybox:~# passwd bart
Enter new UNIX password:
Retype new UNIX password:

Next, we need to format the encrypted partition and move the old home directory into it:

root@mybox:~# truecrypt --text --filesystem=none /home/private/
Enter password for /home/hgerlach/ *************
Enter keyfile [none]:
Protect hidden volume? (y=Yes/n=No) [No]:

root@mybox:~#  truecrypt --text -l
1: /home/private/ /dev/mapper/truecrypt1 -

root@mybox:~# mkfs.ext2 /dev/mapper/truecrypt1
root@mybox:~# mount /dev/mapper/truecrypt1 /mnt/
root@mybox:~# shopt -s dotglob #make dotfiles visible
root@mybox:~# mv /home/bart/* /mnt/
root@mybox:~# chown bart.users /mnt/
root@mybox:~# umount /mnt
root@mybox:~# truecrypt -d /dev/mapper/truecrypt1

Now we have to configure mount_pam.
In '/etc/security/pam_mount.conf.xml' edit the line
<truecryptmount>truecrypt %(VOLUME) %(MNTPT)</truecryptmount>
<truecryptmount>truecrypt-nl --text --protect-hidden=no --keyfiles="" %(VOLUME) %(MNTPT)</truecryptmount>
and add the line:
<volume fstype="truecrypt" path="/home/private/%(USER).tc" mountpoint="/home/%(USER)/" />
Note that we use truecrypt-nl instead of truecrypt. This is a shellscript, that we have to put into '/usr/bin/':

# This is /usr/bin/truecrpyt-nl; append a newline to the password.
(cat; echo)| truecrypt $*

It is a workaround for some bug in either libpam-mount (version 0.32-4) or truecrypt. Libpam-mount sends the password to truecypt without newline. Then truecrypt does not recognize the password. The script above just inserts a newline after the password and makes things work fine.

To the file '/etc/pam.d/common-auth' we add the line:
auth optional try_first_pass
so it looks like

# /etc/pam.d/common-auth
auth    requisite nullok_secure
auth    optional migrate missingok
auth    optional try_first_pass

and to '/etc/pam.d/common-session' we add the line
session optional
so it looks like

# /etc/pam.d/common-session
session required
session optional

Now bart can login and use the encrypted home.