Automatic encryption of home directories using TrueCrypt 6.0a
This post describes how to encrypt the home directory of your users on GNU Linux with the help of TrueCrypt and PAM using the login-password as encryption key.
I wrote about Automatic encryption of home directories using TrueCrypt before. This time we'll use TrueCrypt 6.0a which is a bit different from 4.3a used last time. Futhermore we'll use Ubuntu 8.04 Hardy Heron instead of Debian Etch. For convenience this post will be selfcontained (ie. I copy redundant parts from the old one).
Update: There is a more current version of this post dealing with TrueCrypt 6.2 and Ubuntu 9.04:Automatic encryption of home directories using TrueCrypt 6.2 and pam_exec.
Using the method described below is no silver bullet and has some issues:
- Your user passwords may be weak.
- If your computer gets stolen while turned on, the passwort may be easier to recover than you might think (see here).
- Changing the password requires to log in as root.
- Some programs (e.g. qmail) rely on an accessible home directory.
- The home may stay mounted after logout until the next reboot.
Prequisites
- GNU Linux (Ubuntu 8.04 Hardy Heron)
- TrueCrypt (I used 6.0a)
- pam_mount.so (for Ubuntu install the package libpam-mount)
Setup
We will create one file for each user to hold his encrypted home directory. To keep them we create a directory:
mkdir /home/private
For each user we have to create an encrypted file in /home/private. We start with the user bart (if you leave out the --text you'll get a graphical user interface).
root@mybox:~# truecrypt --create /home/private/bart.tc Volume type: 1) Normal 2) Hidden Select [1]: 1 Enter volume size (bytes - size/sizeK/sizeM/sizeG): 1G Encryption algorithm: 1) AES 2) Serpent 3) Twofish 4) AES-Twofish 5) AES-Twofish-Serpent 6) Serpent-AES 7) Serpent-Twofish-AES 8 ) Twofish-Serpent Select [1]: 1 Hash algorithm: 1) RIPEMD-160 2) SHA-512 3) Whirlpool Select [1]: 1 Filesystem: 1) FAT 2) None Select [1]: 2 Enter password: ************* WARNING: Short passwords are easy to crack using brute force techniques! We recommend choosing a password consisting of more than 20 characters. Are you sure you want to use a short password? (y=Yes/n=No) [No]: y Re-enter password:************* Enter keyfile path [none]: Please type at least 320 randomly chosen characters and then press Enter: dsglregmm;adsf;dsafdsasasadfdsafdsagfdsadsafdsafdsafadsfdsahfarweqasddsaglfdsakg;lrewqk;lggkqqqqqewrgsadgdsag.... Done: 100.000% Speed: 18.0 MB/s Left: 0 s The TrueCrypt volume has been successfully created.
Then we assign the same password as the login password to bart:
root@mybox:~# passwd bart Enter new UNIX password: Retype new UNIX password:
Next, we need to format the encrypted partition and move the old home directory into it:
root@mybox:~# truecrypt --text --filesystem=none /home/private/bart.tc Enter password for /home/hgerlach/newcrypt.tc: ************* Enter keyfile [none]: Protect hidden volume? (y=Yes/n=No) [No]: root@mybox:~# truecrypt --text -l 1: /home/private/bart.tc /dev/mapper/truecrypt1 - root@mybox:~# mkfs.ext2 /dev/mapper/truecrypt1 root@mybox:~# mount /dev/mapper/truecrypt1 /mnt/ root@mybox:~# shopt -s dotglob #make dotfiles visible root@mybox:~# mv /home/bart/* /mnt/ root@mybox:~# chown bart.users /mnt/ root@mybox:~# umount /mnt root@mybox:~# truecrypt -d /dev/mapper/truecrypt1
Now we have to configure mount_pam.
In '/etc/security/pam_mount.conf.xml' edit the line
<truecryptmount>truecrypt %(VOLUME) %(MNTPT)</truecryptmount>
into
<truecryptmount>truecrypt-nl --text --protect-hidden=no --keyfiles="" %(VOLUME) %(MNTPT)</truecryptmount>
and add the line:
<volume fstype="truecrypt" path="/home/private/%(USER).tc" mountpoint="/home/%(USER)/" />
Note that we use truecrypt-nl instead of truecrypt. This is a shellscript, that we have to put into '/usr/bin/':
#!/bin/sh # This is /usr/bin/truecrpyt-nl; append a newline to the password. (cat; echo)| truecrypt $*
It is a workaround for some bug in either libpam-mount (version 0.32-4) or truecrypt. Libpam-mount sends the password to truecypt without newline. Then truecrypt does not recognize the password. The script above just inserts a newline after the password and makes things work fine.
To the file '/etc/pam.d/common-auth' we add the line:
auth optional pam_mount.so try_first_pass
so it looks like
# /etc/pam.d/common-auth auth requisite pam_unix.so nullok_secure auth optional pam_smbpass.so migrate missingok auth optional pam_mount.so try_first_pass
and to '/etc/pam.d/common-session' we add the line
session optional pam_mount.so
so it looks like
# /etc/pam.d/common-session session required pam_unix.so session optional pam_mount.so
Now bart can login and use the encrypted home.
Bibliography
- Homepage of pam_mount
- A good description of pam (in german)
- A similar howto for LUKS and Gentoo
Hi Henryk,
thanks for this guide! I thought about integrating truecrypt with pam_mount today and your guide saved me tons of time :-)
One thing: There's a typo in the line: "&;gt;" instead of a simple ">". I know this is just layout stuff…
Cheers,
Jan
@Jan
Thank you, I've fixed it.
Hello Henryk,
Thanks for your guide. Plain simple explanation and it works great!
Apparently the volume stays always mounted after logging out, so i'll run a script via crontab to check whether the user is logged in to determine if he/she still needs the mount. If not logged in, then the volume will be dismounted. It's maybe a bit dirty, but for me it works. Maybe there's a better check (like also checking for running processes of the user) and a better way to do the trick, but for now…
Here's the script I use for it (in case you're interested) :
##### START SCRIPT #####
#!/bin/bash
for user in `ls /home|grep -v private`
do
echo -n "Checking if user $user is logged in : "
if ! w | grep $user >/dev/null
then
echo "NO"
echo -n "Checking if userdir is mounted : "
if mount|grep $user > /dev/null
then
echo "YES"
echo -n "killing mounted trucrypt volume for user $user : "
truecrypt -d /home/private/$user.tc
echo "DONE"
else echo "NO"
fi
else echo "YES"
fi
done
##### END SCRIPT ######
Cheers,
Sjoerd
hmmm the layout changed a bit, so the script doesn't contain tabs etc… sorry for that :(
Cheers again,
Sjoerd
hello.
when i enter 3200 character it then shows this command.
Enter keyfile path [finish]
what should i next
thanks
This is very helpful, and I've been trying to use it to get truecrypt encryption on my home directory on Ubuntu 8.10, but I've been having trouble getting the PAM parts to work. The PAM and pam_mount config files have changed slightly since 8.04 and I'm having trouble figuring out how to correctly modify the changed files. Any chance of your updating this for Ubuntu 8.10?
@Joe:
With Ubuntu Intrepid Ibex (8.10) comes improved (easier to use) encryption.
See
https://help.ubuntu.com/community/EncryptedPrivateDirectory
Ubuntu Jaunty Jackalope (9.04) is supposed to further improve the situation:
https://wiki.ubuntu.com/EncryptedHomeDirectory
I'm still using 8.04, so I can not yet comment on the above features nor your problems with truecrypt.
Hi Henryk — thanks for this info, very interesting! However, your method (using truecrypt to encrypt each users whole home directory) seems better to me than 8.10's ~/Private directory. I'd rather just have my whole home dir secure and not have to worry about setting up links, making sure everything works and is in the right place all the time, etc.
I did manage to figure it out and get pam_mount working. Basically, what you said in your post still works on 8.10, its just that some of the pam files are slightly different. I ended up with:
/etc/pam.d/common-auth:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so try_first_pass
and /etc/pam.d/common-session:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_ck_connector.so nox11
session optional pam_mount.so
Like Sjoerd mentioned, pam_mount doesn't seem to be able to successfully unmount the encrypted file when the user logs out. You get messages like this in the /var/log/auth.log:
Feb 9 12:59:18 mypc su[27594]: pam_mount(misc.c:348) error setting uid to 0
Feb 9 12:59:18 mypc su[27359]: pam_mount(pam_mount.c:624) unmount of /home/private/joe.tc failed
This seems to be because of some problem of ubuntu not having pam_mount set up quite right:
https://bugs.launchpad.net/ubuntu/+source/libpam-mount/+bug/117736
So I think I might use Sjoerd's cron script as a workaround to unmount unused home directories until they get that problem fixed.
Nice howto.
Il mounts correctly the volume at login time but I have some problem when I logoff.
I would the volume to be unmounted but as the mount is done with root privileges the unmount fails because it doesn't find the mounted volume. I know, just because it tries to unmount it with user privileges but there is no truecrypt volume mounted for the user, in fact root has mounted and still holds it.
I've verified it by typing "truecrypt -l" once successful logged in
As root it says that /home/luser/private is mounted and mapped on /media/truecrypt1
As luser i see no truecrypt volumes mounted.
As you can see from log when I log off:
————————————————————————-
pam_mount(mount.c:107) ♦pam_mount(mount.c:139) waiting for lsof
pam_mount(misc.c:285) command: truecrypt [-d] [/home/luser/private]
pam_mount(misc.c:56) set_myuid: (uid=0, euid=0, gid=1001, egid=1001)
pam_mount(misc.c:56) set_myuid: (uid=0, euid=0, gid=1001, egid=1001)
pam_mount(mount.c:104) umount errors:
pam_mount(mount.c:107) Error: No such volume is mounted.
pam_mount(mount.c:596) waiting for umount
pam_mount(pam_mount.c:624) unmount of /home/luser.tc failed
pam_mount(pam_mount.c:635) pam_mount execution complete
————————————————————————-
Any suggestions?
Thanks!
Cheers
Just replaced Ubuntu 8.10 with 9.04 Netbook Remix and this no longer works. Only clue I have is an error message 'unknown pam_mount option "use_first_pass"'. I'll do some digging and see if I can track it down … has anyone else seen this?
Upgrades :-(
It looks as though the developers of pam_mount have lost patience with the broken scripting interface of Truecrypt and have removed support for it. As a result, pam_mount in Jaunty no longer recognises "truecrypt" as a special fstype (see man pam_mount.conf). This means it does not use the commands in truecrypt %(VOLUME) %(MNTPT), but just tries to use the regular 'mount' command – which fails.
A horrible workround is to use one of the other special fstypes, e.g. crypt, with Truecrypt:
truecrypt-nl –text –protect-hidden=no –keyfiles="" %(VOLUME) %(MNTPT)
which seems to do the trick.
John
Can you give some more details on this issue? How to use crypt in order to mount truecrypt volume in Jaunty? Thanks in advance. :-)
acid: pam_mount by default uses the standard 'mount' command to mount disks. However, if the fstype is one of a list of exceptions hard-coded into pam_mmount, it will use the matching entry in the xml file instead.
What appears to have happened is that "truecrypt" has been dropped from the exceptions list.
The trick is to edit ‘/etc/security/pam_mount.conf.xml’ as per the original instructions above, but use an fstype of "crypt" instead of "truecrypt" ("crypt" is still in the exceptions list):
truecrypt-nl –text –protect-hidden=no –keyfiles="" %(VOLUME) %(MNTPT)
A nasty kludge, but it works for me
John
jpmcc: and if you happen to mistype the password, it will go into an endless loop.
jpmcc: i think html ate your brackets.
Nice guide.
However my volume is mounted in a way only accesible by 'sudo'. What can I change to amend this and that the user can access the volume freely.
Thanks.
@Jor
Did you do this step (see above)?
root@mybox:~# chown bart.users /mnt/
[...] Linux with the help of TrueCrypt and PAM using the login-password as encryption key. I wrote about Automatic encryption of home directories using TrueCrypt before. This time we'll use TrueCrypt 6.2. Futhermore we'll use Ubuntu 9.04 Jaunty [...]