Automatic encryption of home directories using TrueCrypt 6.0a

This post describes how to encrypt the home directory of your users on GNU/Linux with the help of TrueCrypt and PAM, using the login password as the encryption key.
I wrote about Automatic encryption of home directories using TrueCrypt before. This time we'll use TrueCrypt 6.0a, which is a bit different from the 4.3a used last time. Furthermore we'll use Ubuntu 8.04 Hardy Heron instead of Debian Etch. For convenience this post is self-contained (i.e. I copy the redundant parts from the old one).

Update: There is a more current version of this post dealing with TrueCrypt 6.2 and Ubuntu 9.04: Automatic encryption of home directories using TrueCrypt 6.2 and pam_exec.

Using the method described below is no silver bullet and has some issues:

  • Your user passwords may be weak.
  • If your computer gets stolen while turned on, the password may be easier to recover than you might think (see here).
  • Changing the password requires logging in as root.
  • Some programs (e.g. qmail) rely on an accessible home directory.
  • The home may stay mounted after logout until the next reboot.

Prerequisites

Setup

We will create one file for each user to hold his encrypted home directory. To keep them we create a directory:

mkdir /home/private

For each user we have to create an encrypted file in /home/private. We start with the user bart (if you leave out the --text you'll get a graphical user interface).

root@mybox:~# truecrypt --create /home/private/bart.tc
Volume type:
1) Normal
2) Hidden
Select [1]: 1

Enter volume size (bytes - size/sizeK/sizeM/sizeG): 1G

Encryption algorithm:
 1) AES
 2) Serpent
 3) Twofish
 4) AES-Twofish
 5) AES-Twofish-Serpent
 6) Serpent-AES
 7) Serpent-Twofish-AES
 8) Twofish-Serpent
Select [1]: 1

Hash algorithm:
 1) RIPEMD-160
 2) SHA-512
 3) Whirlpool
Select [1]: 1

Filesystem:
 1) FAT
 2) None
Select [1]: 2

Enter password: *************
WARNING: Short passwords are easy to crack using brute force techniques!

We recommend choosing a password consisting of more than 20 characters. Are you sure you want to use a short password? (y=Yes/n=No) [No]: y

Re-enter password:*************

Enter keyfile path [none]:

Please type at least 320 randomly chosen characters and then press Enter:
dsglregmm;adsf;dsafdsasasadfdsafdsagfdsadsafdsafdsafadsfdsahfarweqasddsaglfdsakg;lrewqk;lggkqqqqqewrgsadgdsag....

Done: 100.000%  Speed: 18.0 MB/s  Left: 0 s

The TrueCrypt volume has been successfully created.

Then we assign the same password as the login password to bart:

root@mybox:~# passwd bart
Enter new UNIX password:
Retype new UNIX password:

Next, we need to mount the encrypted volume, create a filesystem on it and move the old home directory into it:

root@mybox:~# truecrypt --text --filesystem=none /home/private/bart.tc
Enter password for /home/hgerlach/newcrypt.tc: *************
Enter keyfile [none]:
Protect hidden volume? (y=Yes/n=No) [No]:

root@mybox:~# truecrypt --text -l
1: /home/private/bart.tc /dev/mapper/truecrypt1 -

root@mybox:~# mkfs.ext2 /dev/mapper/truecrypt1
root@mybox:~# mount /dev/mapper/truecrypt1 /mnt/
root@mybox:~# shopt -s dotglob #make dotfiles visible
root@mybox:~# mv /home/bart/* /mnt/
root@mybox:~# chown bart.users /mnt/
root@mybox:~# umount /mnt
root@mybox:~# truecrypt -d /dev/mapper/truecrypt1

Now we have to configure pam_mount.
In '/etc/security/pam_mount.conf.xml' change the line
<truecryptmount>truecrypt %(VOLUME) %(MNTPT)</truecryptmount>
to
<truecryptmount>truecrypt-nl --text --protect-hidden=no --keyfiles="" %(VOLUME) %(MNTPT)</truecryptmount>
and add the line:
<volume fstype="truecrypt" path="/home/private/%(USER).tc" mountpoint="/home/%(USER)/" />
Note that we use truecrypt-nl instead of truecrypt. This is a shell script that we have to put in '/usr/bin/':

#!/bin/sh
# This is /usr/bin/truecrypt-nl: append a newline to the password read on stdin,
# then pass all arguments through to truecrypt unchanged.
(cat; echo) | truecrypt "$@"

It is a workaround for a bug in either libpam-mount (version 0.32-4) or truecrypt: libpam-mount sends the password to truecrypt without a trailing newline, and truecrypt then does not recognize the password. The script above just appends a newline to the password and makes things work.

To the file '/etc/pam.d/common-auth' we add the line:
auth optional pam_mount.so try_first_pass
so it looks like

# /etc/pam.d/common-auth
auth    requisite       pam_unix.so nullok_secure
auth    optional        pam_smbpass.so migrate missingok
auth    optional        pam_mount.so try_first_pass

and to '/etc/pam.d/common-session' we add the line
session optional pam_mount.so
so it looks like

# /etc/pam.d/common-session
session required        pam_unix.so
session optional        pam_mount.so

Now bart can log in and use the encrypted home.
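To check that a box actually has the pieces above wired together (the non-interactive truecryptmount command, a per-user volume entry, pam_mount after pam_unix in common-auth with try_first_pass, and pam_mount in common-session), here is an added audit script. It is not part of the original post; the embedded config samples are constructed to mirror the post, and it also accepts the bracketed control syntax that Joe reports for Ubuntu 8.10 in the comments.

```python
# Added example (not the post's code): audit a pam_mount + TrueCrypt home setup; samples are constructed.
import re
import xml.etree.ElementTree as ET
SAMPLE_PAM_MOUNT_XML = """<pam_mount>
  <truecryptmount>truecrypt-nl --text --protect-hidden=no --keyfiles="" %(VOLUME) %(MNTPT)</truecryptmount>
  <volume fstype="truecrypt" path="/home/private/%(USER).tc" mountpoint="/home/%(USER)/" />
</pam_mount>"""
SAMPLE_COMMON_AUTH = """# /etc/pam.d/common-auth
auth    requisite       pam_unix.so nullok_secure
auth    optional        pam_mount.so try_first_pass"""
SAMPLE_COMMON_SESSION = """# /etc/pam.d/common-session
session required        pam_unix.so
session optional        pam_mount.so"""

def pam_modules(text, facility):
    """Return [(module, [args])] for one facility (auth/session), in stack order."""
    mods = []
    for line in text.splitlines():
        # the control field may be bracketed, e.g. [success=1 default=ignore] on 8.10
        m = re.match(r"\s*(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m and m.group(1) == facility:
            mods.append((m.group(3), m.group(4).split()))
    return mods

def check_setup(pam_mount_xml, common_auth, common_session):
    """Return a list of problems; an empty list means the setup matches the post's recipe."""
    problems = []
    root = ET.fromstring(pam_mount_xml)
    cmd = root.findtext("truecryptmount") or ""
    if "--text" not in cmd or "--protect-hidden=no" not in cmd:
        problems.append("truecryptmount must be non-interactive (--text --protect-hidden=no)")
    vols = [v for v in root.findall("volume") if v.get("fstype") == "truecrypt"]
    if not vols:
        problems.append('no <volume fstype="truecrypt"> entry')
    for v in vols:
        if "%(USER)" not in v.get("path", "") or "%(USER)" not in v.get("mountpoint", ""):
            problems.append("volume path and mountpoint must be per-user via %(USER)")
    auth = pam_modules(common_auth, "auth")
    names = [m for m, _ in auth]
    if "pam_mount.so" not in names:
        problems.append("common-auth lacks pam_mount.so")
    else:
        i = names.index("pam_mount.so")
        if "pam_unix.so" not in names[:i]:
            problems.append("pam_mount.so must follow pam_unix.so in common-auth")
        if not {"try_first_pass", "use_first_pass"} & set(auth[i][1]):
            problems.append("pam_mount.so needs try_first_pass to reuse the login password")
    if "pam_mount.so" not in [m for m, _ in pam_modules(common_session, "session")]:
        problems.append("common-session lacks pam_mount.so, so nothing gets mounted")
    return problems
```

On a real system, read the three files from /etc/security/pam_mount.conf.xml, /etc/pam.d/common-auth and /etc/pam.d/common-session and pass their contents to check_setup().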


18 Comments

  1. Jan says:

    Hi Henryk,
    thanks for this guide! I thought about integrating truecrypt with pam_mount today and your guide saved me tons of time :-)
    One thing: There's a typo in the line: "&;gt;" instead of a simple ">". I know this is just layout stuff…
    Cheers,
    Jan

  2. Henryk says:

    @Jan
    Thank you, I've fixed it.

  3. Sjoerd says:

    Hello Henryk,

    Thanks for your guide. Plain simple explanation and it works great!
    Apparently the volume always stays mounted after logging out, so I'll run a script via crontab to check whether the user is logged in to determine if he/she still needs the mount. If not logged in, then the volume will be dismounted. It's maybe a bit dirty, but for me it works. Maybe there's a better check (like also checking for running processes of the user) and a better way to do the trick, but for now…

    Here's the script I use for it (in case you're interested) :

    ##### START SCRIPT #####

    #!/bin/bash
    # Dismount the TrueCrypt home volume of every user who is no longer logged in.
    # Meant to be run from root's crontab; expects the /home/private/<user>.tc layout.

    for user in $(ls /home | grep -v '^private$')
    do
        echo -n "Checking if user $user is logged in : "
        # -w matches the whole name, so "joe" does not also match "joey"
        if ! w -h | grep -qw "$user"
        then
            echo "NO"
            echo -n "Checking if userdir is mounted : "
            if mount | grep -qw "$user"
            then
                echo "YES"
                echo -n "Dismounting truecrypt volume for user $user : "
                truecrypt -d "/home/private/$user.tc"
                echo "DONE"
            else
                echo "NO"
            fi
        else
            echo "YES"
        fi
    done

    ##### END SCRIPT ######

    Cheers,
    Sjoerd

  4. Sjoerd says:

    hmmm the layout changed a bit, so the script doesn't contain tabs etc… sorry for that :(
    Cheers again,
    Sjoerd

  5. sarger says:

    hello.
    When I enter 3200 characters it then shows this command.
    Enter keyfile path [finish]

    What should I do next?

    thanks

  6. Joe says:

    This is very helpful, and I've been trying to use it to get truecrypt encryption on my home directory on Ubuntu 8.10, but I've been having trouble getting the PAM parts to work. The PAM and pam_mount config files have changed slightly since 8.04 and I'm having trouble figuring out how to correctly modify the changed files. Any chance of your updating this for Ubuntu 8.10?

  7. Henryk says:

    @Joe:
    With Ubuntu Intrepid Ibex (8.10) comes improved (easier to use) encryption.
    See
    https://help.ubuntu.com/community/EncryptedPrivateDirectory

    Ubuntu Jaunty Jackalope (9.04) is supposed to further improve the situation:
    https://wiki.ubuntu.com/EncryptedHomeDirectory

    I'm still using 8.04, so I can not yet comment on the above features nor your problems with truecrypt.

  8. Joe says:

    Hi Henryk — thanks for this info, very interesting! However, your method (using truecrypt to encrypt each user's whole home directory) seems better to me than 8.10's ~/Private directory. I'd rather just have my whole home dir secure and not have to worry about setting up links, making sure everything works and is in the right place all the time, etc.

    I did manage to figure it out and get pam_mount working. Basically, what you said in your post still works on 8.10, it's just that some of the pam files are slightly different. I ended up with:

    /etc/pam.d/common-auth:
    auth [success=1 default=ignore] pam_unix.so nullok_secure
    auth requisite pam_deny.so
    auth required pam_permit.so
    auth optional pam_mount.so try_first_pass

    and /etc/pam.d/common-session:
    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session required pam_unix.so
    session optional pam_ck_connector.so nox11
    session optional pam_mount.so

    Like Sjoerd mentioned, pam_mount doesn't seem to be able to successfully unmount the encrypted file when the user logs out. You get messages like this in the /var/log/auth.log:

    Feb 9 12:59:18 mypc su[27594]: pam_mount(misc.c:348) error setting uid to 0
    Feb 9 12:59:18 mypc su[27359]: pam_mount(pam_mount.c:624) unmount of /home/private/joe.tc failed

    This seems to be because of some problem of ubuntu not having pam_mount set up quite right:

    https://bugs.launchpad.net/ubuntu/+source/libpam-mount/+bug/117736

    So I think I might use Sjoerd's cron script as a workaround to unmount unused home directories until they get that problem fixed.

  9. iupsilon says:

    Nice howto.
    It mounts the volume correctly at login time but I have some problem when I log off.
    I would like the volume to be unmounted, but as the mount is done with root privileges the unmount fails because it doesn't find the mounted volume. I know, just because it tries to unmount it with user privileges but there is no truecrypt volume mounted for the user; in fact root has mounted it and still holds it.

    I've verified it by typing "truecrypt -l" once successfully logged in.
    As root it says that /home/luser/private is mounted and mapped on /media/truecrypt1.
    As luser I see no truecrypt volumes mounted.

    As you can see from log when I log off:
    ————————————————————————-
    pam_mount(mount.c:107)
    pam_mount(mount.c:139) waiting for lsof
    pam_mount(misc.c:285) command: truecrypt [-d] [/home/luser/private]
    pam_mount(misc.c:56) set_myuid: (uid=0, euid=0, gid=1001, egid=1001)
    pam_mount(misc.c:56) set_myuid: (uid=0, euid=0, gid=1001, egid=1001)
    pam_mount(mount.c:104) umount errors:
    pam_mount(mount.c:107) Error: No such volume is mounted.
    pam_mount(mount.c:596) waiting for umount
    pam_mount(pam_mount.c:624) unmount of /home/luser.tc failed
    pam_mount(pam_mount.c:635) pam_mount execution complete
    ————————————————————————-

    Any suggestions?

    Thanks!

    Cheers

  10. jpmcc says:

    Just replaced Ubuntu 8.10 with 9.04 Netbook Remix and this no longer works. Only clue I have is an error message 'unknown pam_mount option "use_first_pass"'. I'll do some digging and see if I can track it down … has anyone else seen this?

    Upgrades :-(

  11. jpmcc says:

    It looks as though the developers of pam_mount have lost patience with the broken scripting interface of Truecrypt and have removed support for it. As a result, pam_mount in Jaunty no longer recognises "truecrypt" as a special fstype (see man pam_mount.conf). This means it does not use the commands in truecrypt %(VOLUME) %(MNTPT), but just tries to use the regular 'mount' command – which fails.

    A horrible workaround is to use one of the other special fstypes, e.g. crypt, with Truecrypt:

    truecrypt-nl --text --protect-hidden=no --keyfiles="" %(VOLUME) %(MNTPT)

    which seems to do the trick.

    John

  12. acid says:

    Can you give some more details on this issue? How to use crypt in order to mount truecrypt volume in Jaunty? Thanks in advance. :-)

  13. jpmcc says:

    acid: pam_mount by default uses the standard 'mount' command to mount disks. However, if the fstype is one of a list of exceptions hard-coded into pam_mount, it will use the matching entry in the xml file instead.

    What appears to have happened is that "truecrypt" has been dropped from the exceptions list.

    The trick is to edit '/etc/security/pam_mount.conf.xml' as per the original instructions above, but use an fstype of "crypt" instead of "truecrypt" ("crypt" is still in the exceptions list):

    truecrypt-nl --text --protect-hidden=no --keyfiles="" %(VOLUME) %(MNTPT)

    A nasty kludge, but it works for me

    John

  14. cnyk says:

    jpmcc: and if you happen to mistype the password, it will go into an endless loop.

  15. berkus says:

    jpmcc: i think html ate your brackets.

  16. Jor says:

    Nice guide.

    However my volume is mounted in a way only accessible by 'sudo'. What can I change to amend this so that the user can access the volume freely?

    Thanks.

  17. Henryk says:

    @Jor

    Did you do this step (see above)?

    root@mybox:~# chown bart.users /mnt/
