Comments on: Automatic encryption of home directories using TrueCrypt 6.0a

By: Little Impact » Blog Archive » Automatic encryption of home directories using TrueCrypt 6.2 and pam_exec

Mon, 14 Sep 2009 21:06:24 +0000

[...] Linux with the help of TrueCrypt and PAM using the login-password as encryption key. I wrote about Automatic encryption of home directories using TrueCrypt before. This time we'll use TrueCrypt 6.2. Futhermore we'll use Ubuntu 9.04 Jaunty [...]

By: Henryk

Henryk — Fri, 24 Jul 2009 20:57:32 +0000

@Jor

Did you do this step (see above)?

root@mybox:~# chown bart.users /mnt/

By: Jor

Jor — Fri, 24 Jul 2009 00:45:41 +0000

Nice guide.

However my volume is mounted in a way only accesible by 'sudo'. What can I change to amend this and that the user can access the volume freely.

Thanks.

By: berkus

berkus — Mon, 22 Jun 2009 13:57:09 +0000

jpmcc: i think html ate your brackets.

By: cnyk

cnyk — Tue, 12 May 2009 02:10:33 +0000

jpmcc: and if you happen to mistype the password, it will go into an endless loop.

By: jpmcc

jpmcc — Mon, 04 May 2009 15:06:53 +0000

acid: pam_mount by default uses the standard 'mount' command to mount disks. However, if the fstype is one of a list of exceptions hard-coded into pam_mmount, it will use the matching entry in the xml file instead.

What appears to have happened is that "truecrypt" has been dropped from the exceptions list.

The trick is to edit ‘/etc/security/pam_mount.conf.xml’ as per the original instructions above, but use an fstype of "crypt" instead of "truecrypt" ("crypt" is still in the exceptions list):

truecrypt-nl –text –protect-hidden=no –keyfiles="" %(VOLUME) %(MNTPT)

A nasty kludge, but it works for me

John

By: acid

acid — Mon, 04 May 2009 04:20:24 +0000

Can you give some more details on this issue? How to use crypt in order to mount truecrypt volume in Jaunty? Thanks in advance. :-)

By: jpmcc

jpmcc — Wed, 29 Apr 2009 20:32:57 +0000

It looks as though the developers of pam_mount have lost patience with the broken scripting interface of Truecrypt and have removed support for it. As a result, pam_mount in Jaunty no longer recognises "truecrypt" as a special fstype (see man pam_mount.conf). This means it does not use the commands in truecrypt %(VOLUME) %(MNTPT), but just tries to use the regular 'mount' command - which fails.

A horrible workround is to use one of the other special fstypes, e.g. crypt, with Truecrypt:

truecrypt-nl –text –protect-hidden=no –keyfiles="" %(VOLUME) %(MNTPT)

which seems to do the trick.

John

By: jpmcc

jpmcc — Sun, 26 Apr 2009 19:20:02 +0000

Just replaced Ubuntu 8.10 with 9.04 Netbook Remix and this no longer works. Only clue I have is an error message 'unknown pam_mount option "use_first_pass"'. I'll do some digging and see if I can track it down … has anyone else seen this?

Upgrades :-(

By: iupsilon

iupsilon — Mon, 16 Feb 2009 16:13:15 +0000

Nice howto.
Il mounts correctly the volume at login time but I have some problem when I logoff.
I would the volume to be unmounted but as the mount is done with root privileges the unmount fails because it doesn't find the mounted volume. I know, just because it tries to unmount it with user privileges but there is no truecrypt volume mounted for the user, in fact root has mounted and still holds it.

I've verified it by typing "truecrypt -l" once successful logged in
As root it says that /home/luser/private is mounted and mapped on /media/truecrypt1
As luser i see no truecrypt volumes mounted.

As you can see from log when I log off:
————————————————————————-
pam_mount(mount.c:107) ♦pam_mount(mount.c:139) waiting for lsof
pam_mount(misc.c:285) command: truecrypt [-d] [/home/luser/private]
pam_mount(misc.c:56) set_myuid: (uid=0, euid=0, gid=1001, egid=1001)
pam_mount(misc.c:56) set_myuid: (uid=0, euid=0, gid=1001, egid=1001)
pam_mount(mount.c:104) umount errors:
pam_mount(mount.c:107) Error: No such volume is mounted.
pam_mount(mount.c:596) waiting for umount
pam_mount(pam_mount.c:624) unmount of /home/luser.tc failed
pam_mount(pam_mount.c:635) pam_mount execution complete
————————————————————————-

Any suggestions?

Thanks!

Cheers