Having your private data on a laptop is dangerous, since it might be stolen. The only way to protect your data is to encrypt it. This post describes how to encrypt the home directory of your users on GNU Linux with the help of TrueCrypt and PAM. For convenience the login-password is used as encryption key.
Update: There is a more current version of this post dealing with TrueCrypt 6.2 and Ubuntu 9.04:Automatic encryption of home directories using TrueCrypt 6.2 and pam_exec.
Using the method described below is no silver bullet and has some issues:
- Your user passwords may be weak.
- If your computer gets stolen while turned on, the passwort may be easier to recover than you might think (see here).
- Changing the password requires to log in as root.
- Some programs (e.g. qmail) rely on an accessible home directory.
- The home stays mounted after logout until the next reboot.
- GNU Linux (I used Debian etch)
- TrueCrypt (I used 4.3a)
- pam_mount.so (for Debian install the package libpam-mount)
We will create one file for each user to hold his encrypted home directory. To keep them we create a directory:
And now for each user we have to create an encrypted file in /home/private. We start with the user bart
root@mybox:~# truecrypt --create /home/private/bart.tc Volume type: 1) Normal 2) Hidden Select : 1 Filesystem: 1) FAT 2) None Select : 2 Enter volume size (bytes - size/sizeK/sizeM/sizeG): 1G Hash algorithm: 1) RIPEMD-160 2) SHA-1 3) Whirlpool Select : 1 Encryption algorithm: 1) AES 2) Blowfish 3) CAST5 4) Serpent 5) Triple DES 6) Twofish 7) AES-Twofish 8) AES-Twofish-Serpent 9) Serpent-AES 10) Serpent-Twofish-AES 11) Twofish-Serpent Select : 1
Then we assign the same password as the login password to bart:
root@mybox:~# passwd bart Enter new UNIX password: Retype new UNIX password:
Next, we need to format the encrypted partition and move the old home directory into it:
root@mybox:~# truecrypt --device-number 1 /home/private/bart.tc Enter password for '/home/private/bart.tc': root@mybox:~# mkfs.ext2 /dev/mapper/truecrypt1 root@mybox:~# mount /dev/mapper/truecrypt1 /mnt/ root@mybox:~# shopt -s dotglob #make dotfiles visible root@mybox:~# mv /home/bart/* /mnt/ root@mybox:~# chown bart.users /mnt/ root@mybox:~# umount /mnt root@mybox:~# truecrypt -d /dev/mapper/truecrypt1
Now we have to configure mount_pam.
In ‘/etc/security/pam_mount.conf.xml’ we add the line:
<volume fstype="truecrypt" path="/home/private/%(USER).tc" mountpoint="/home/%(USER)/" />
And to the files '/etc/pam.d/common-auth' we add the line:
auth optional pam_mount.so try_first_pass
so it looks like
# /etc/pam.d/common-auth auth required pam_unix.so nullok_secure auth optional pam_mount.so try_first_pass
and to '/etc/pam.d/common-session' we add the line
session optional pam_mount.so
so it looks like
# /etc/pam.d/common-session session required pam_unix.so session optional pam_mount.so
Now bart can login and use the encrypted home.