Automatic encryption of home directories using TrueCrypt 6.0a
This post describes how to encrypt the home directory of your users on GNU Linux with the help of TrueCrypt and PAM using the login-password as encryption key.
I wrote about Automatic encryption of home directories using TrueCrypt before. This time we'll use TrueCrypt 6.0a which is a bit different from 4.3a used last time. Futhermore we'll use Ubuntu 8.04 Hardy Heron instead of Debian Etch. For convenience this post will be selfcontained (ie. I copy redundant parts from the old one).
Update: There is a more current version of this post dealing with TrueCrypt 6.2 and Ubuntu 9.04:Automatic encryption of home directories using TrueCrypt 6.2 and pam_exec.
Using the method described below is no silver bullet and has some issues:
- Your user passwords may be weak.
- If your computer gets stolen while turned on, the passwort may be easier to recover than you might think (see here).
- Changing the password requires to log in as root.
- Some programs (e.g. qmail) rely on an accessible home directory.
- The home may stay mounted after logout until the next reboot.
- GNU Linux (Ubuntu 8.04 Hardy Heron)
- TrueCrypt (I used 6.0a)
- pam_mount.so (for Ubuntu install the package libpam-mount)
We will create one file for each user to hold his encrypted home directory. To keep them we create a directory:
For each user we have to create an encrypted file in /home/private. We start with the user bart (if you leave out the
--text you'll get a graphical user interface).
root@mybox:~# truecrypt --create /home/private/bart.tc Volume type: 1) Normal 2) Hidden Select : 1 Enter volume size (bytes - size/sizeK/sizeM/sizeG): 1G Encryption algorithm: 1) AES 2) Serpent 3) Twofish 4) AES-Twofish 5) AES-Twofish-Serpent 6) Serpent-AES 7) Serpent-Twofish-AES 8 ) Twofish-Serpent Select : 1 Hash algorithm: 1) RIPEMD-160 2) SHA-512 3) Whirlpool Select : 1 Filesystem: 1) FAT 2) None Select : 2 Enter password: ************* WARNING: Short passwords are easy to crack using brute force techniques! We recommend choosing a password consisting of more than 20 characters. Are you sure you want to use a short password? (y=Yes/n=No) [No]: y Re-enter password:************* Enter keyfile path [none]: Please type at least 320 randomly chosen characters and then press Enter: dsglregmm;adsf;dsafdsasasadfdsafdsagfdsadsafdsafdsafadsfdsahfarweqasddsaglfdsakg;lrewqk;lggkqqqqqewrgsadgdsag.... Done: 100.000% Speed: 18.0 MB/s Left: 0 s The TrueCrypt volume has been successfully created.
Then we assign the same password as the login password to bart:
root@mybox:~# passwd bart Enter new UNIX password: Retype new UNIX password:
Next, we need to format the encrypted partition and move the old home directory into it:
root@mybox:~# truecrypt --text --filesystem=none /home/private/bart.tc Enter password for /home/hgerlach/newcrypt.tc: ************* Enter keyfile [none]: Protect hidden volume? (y=Yes/n=No) [No]: root@mybox:~# truecrypt --text -l 1: /home/private/bart.tc /dev/mapper/truecrypt1 - root@mybox:~# mkfs.ext2 /dev/mapper/truecrypt1 root@mybox:~# mount /dev/mapper/truecrypt1 /mnt/ root@mybox:~# shopt -s dotglob #make dotfiles visible root@mybox:~# mv /home/bart/* /mnt/ root@mybox:~# chown bart.users /mnt/ root@mybox:~# umount /mnt root@mybox:~# truecrypt -d /dev/mapper/truecrypt1
Now we have to configure mount_pam.
In '/etc/security/pam_mount.conf.xml' edit the line
<truecryptmount>truecrypt %(VOLUME) %(MNTPT)</truecryptmount>
<truecryptmount>truecrypt-nl --text --protect-hidden=no --keyfiles="" %(VOLUME) %(MNTPT)</truecryptmount>
and add the line:
<volume fstype="truecrypt" path="/home/private/%(USER).tc" mountpoint="/home/%(USER)/" />
Note that we use
truecrypt-nl instead of
truecrypt. This is a shellscript, that we have to put into '/usr/bin/':
#!/bin/sh # This is /usr/bin/truecrpyt-nl; append a newline to the password. (cat; echo)| truecrypt $*
It is a workaround for some bug in either libpam-mount (version 0.32-4) or truecrypt. Libpam-mount sends the password to truecypt without newline. Then truecrypt does not recognize the password. The script above just inserts a newline after the password and makes things work fine.
To the file '/etc/pam.d/common-auth' we add the line:
auth optional pam_mount.so try_first_pass
so it looks like
# /etc/pam.d/common-auth auth requisite pam_unix.so nullok_secure auth optional pam_smbpass.so migrate missingok auth optional pam_mount.so try_first_pass
and to '/etc/pam.d/common-session' we add the line
session optional pam_mount.so
so it looks like
# /etc/pam.d/common-session session required pam_unix.so session optional pam_mount.so
Now bart can login and use the encrypted home.