Encryption
dm-crypt / LUKS
Home directory encryption/decryption with LUKS and pam_mount
Requirements
- Installation of libpam-mount (see man 5 pam_mount.conf)
- Encryption password and login password must be identical
- (LightDM)
Steps
- Choose/create a place to store the image files at
- pam_mount configuration
- Creation of image file, crypto container and filesystem
- Mount image and move home contents
- Unmount image and close container
- 1st login with automatic decryption and mount
Create place to store image files at
# mkdir -m 0770 /images
# chown -R root:users /images
Configuration of pam_mount
An example configuration for /etc/security/pam_mount.conf.xml:
<volume user="*" fstype="crypt" path="/images/%(USER)_home" mountpoint="~" options="crypto_name=%(USER)_crypthome,fstype=ext4" />
Creation of image file, crypto container and file system
I tried this first on a distribution of LinuxMint and for some reason it didn't work with newly created user accounts.
What helped to make it work was to create the user accounts and log them in at least once at the GUI.
# su - <USERNAME>
$ truncate -s 80G /images/<USERNAME>_home
$ chmod 0600 /images/<USERNAME>_home
$ cryptsetup luksFormat --type=luks1 /images/<USERNAME>_home
Alternative version of the steps above (everything run as root):
<code bash>
# truncate -s 80G /images/<USERNAME>_home
# chown <USERNAME>:<USERNAME> /images/<USERNAME>_home
# chmod 0600 /images/<USERNAME>_home
# su -c "cryptsetup luksFormat --type=luks1 /images/<USERNAME>_home" <USERNAME>
</code>
--type=luks1 is only needed if you want users to be able to change the password of their own crypto containers.
Now as root we open the crypto-container and create a file system:
$ exit
# cryptsetup luksOpen /images/<USERNAME>_home <USERNAME>_crypthome
# mkfs.ext4 /dev/mapper/<USERNAME>_crypthome
Mount image and move home contents to the new file system
After mounting we change the ownership of all files there. As it's a fresh ext4 file system, there should be nothing but the lost+found folder, if anything. Afterwards we move all contents of the user's home directory (including dotfiles, hence dotglob) to the new file system:
# mount /dev/mapper/<USERNAME>_crypthome /mnt
# chown -R <USERNAME>:<USERNAME> /mnt/*
# (shopt -s dotglob; mv /home/<USERNAME>/* /mnt/)
# ls -a /mnt
# umount /mnt
# cryptsetup luksClose <USERNAME>_crypthome
That's it - now log in as that user. You should notice that the login process needs a bit more time than before.
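The whole home-image procedure above as one script, together with a check that a finished image is in the state pam_mount expects (present, mode 0600, owned by the user, carrying a LUKS header). This is an added example, not code from the wiki page; it assumes images live under /images as on the page (IMAGE_DIR overrides that, e.g. for testing), homes under /home, and that cryptsetup, mkfs.ext4 and GNU stat, find and mv are available. provision_encrypted_home has to run as root and still prompts interactively for the LUKS passphrase, exactly like the manual steps.

```shell
#!/bin/sh
# Added example (not from the original wiki page): the pam_mount home-image
# procedure as one script, plus a check that a finished image looks the way
# pam_mount expects. Assumptions: images under /images (IMAGE_DIR overrides),
# homes under /home, cryptsetup/mkfs.ext4 and GNU stat/find/mv available.

IMAGE_DIR="${IMAGE_DIR:-/images}"

# Return 0 if the file $1 starts with the LUKS on-disk magic "LUKS\xba\xbe",
# which both LUKS1 and LUKS2 headers carry. od keeps this plain POSIX sh.
is_luks_image() {
    [ -r "$1" ] || return 1
    magic=$(od -A n -t x1 -N 6 "$1" | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Verify a user's image: present, mode 0600, owned by the user, LUKS header.
# One finding per line; the return value is the number of problems found.
check_home_image() {
    user="$1"
    img="$IMAGE_DIR/${user}_home"
    problems=0
    if [ ! -f "$img" ]; then
        echo "MISSING: $img"
        return 1
    fi
    mode=$(stat -c %a "$img")
    owner=$(stat -c %U "$img")
    [ "$mode" = "600" ] || { echo "MODE: $img is $mode, expected 600"; problems=$((problems + 1)); }
    [ "$owner" = "$user" ] || { echo "OWNER: $img owned by $owner, expected $user"; problems=$((problems + 1)); }
    is_luks_image "$img" || { echo "HEADER: $img has no LUKS header"; problems=$((problems + 1)); }
    return "$problems"
}

# Create image, container and filesystem for USER (size defaults to 80G as on
# the page), then move the existing home into it. Refuses to overwrite.
provision_encrypted_home() {
    user="$1"
    size="${2:-80G}"
    img="$IMAGE_DIR/${user}_home"
    name="${user}_crypthome"
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ ! -e "$img" ] || { echo "$img already exists, refusing to overwrite" >&2; return 1; }
    truncate -s "$size" "$img"
    chown "$user:$user" "$img"
    chmod 0600 "$img"
    # luks1 so the user can later change the passphrase of a container they own
    su -c "cryptsetup luksFormat --type=luks1 '$img'" "$user" || return 1
    cryptsetup luksOpen "$img" "$name" || return 1
    mkfs.ext4 -q "/dev/mapper/$name"
    mount "/dev/mapper/$name" /mnt
    chown "$user:$user" /mnt
    # move everything including dotfiles (POSIX sh has no dotglob, so use find)
    find "/home/$user" -mindepth 1 -maxdepth 1 -exec mv -t /mnt/ {} +
    umount /mnt
    cryptsetup luksClose "$name"
    check_home_image "$user"
}
```

Run `check_home_image <USERNAME>` after the manual steps as well: a wrong mode or owner on the image is the usual reason the first login hangs or drops the user into an empty home.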
See also: https://askubuntu.com/questions/1020390/how-do-i-auto-mount-luks-partition
Simple drive encryption with passphrases (no keyfiles)
In this example I'm going to encrypt a USB stick that has the device name sdc in my current system.
First I created a new partition with fdisk. I started fdisk with
# fdisk /dev/sdc
then I pressed o to create a new DOS partition table, followed by n to create a new partition. I created one partition on the whole drive and pressed w to write the changes to the disk and exit fdisk. Now we have the partition sdc1 and create a LUKS container on it:
# cryptsetup luksFormat /dev/sdc1
It will ask if you really want to continue; you have to type 'YES' in capital letters, and afterwards you have to type in the passphrase you want to use for decryption twice. When it has finished you can open the LUKS container with:
# cryptsetup luksOpen /dev/sdc1 cryptstick
where cryptstick is just a temporary name for now. Your device will appear with this name below /dev/mapper, and now you can write a filesystem on the new device. I chose ext2 for mine:
# mkfs.ext2 /dev/mapper/cryptstick
And now it is possible to mount it somewhere and store data on it:
# mount /dev/mapper/cryptstick /mnt
... ... ..
# umount /mnt
After you've unmounted the stick you also have to close the LUKS container again:
# cryptsetup luksClose cryptstick
That's it. Used this way, you can also open your encrypted stick with several graphical file managers provided by desktop environments; had it been encrypted with keyfiles, this would no longer be possible.
Simple disk encryption and automatic decryption (and mount) at boot time with unencrypted keyfiles
In this example I'll cover how to encrypt a device with dm-crypt in LUKS mode using a key-file that is stored as a plain-text file on the encrypted root, and how to decrypt it automatically at boot time using crypttab (man 5 crypttab). In this section I use /dev/sdb as the example device to work with.
First we have to create a partition on the device - I use the whole device in this example, so just one partition will be created
# gdisk /dev/sdb
n
"First sector...." <enter>
"Last sector...." <enter>
"Partition type linux...." <enter>
w
q
Now we create a key-file
# dd if=/dev/random of=/etc/sdb-key bs=512 count=4 iflag=fullblock
# chmod 0600 /etc/sdb-key
Now we have the partition /dev/sdb1 and a key-file, so we create a LUKS container and open it as cryptdisk to create an ext4 filesystem on it:
# cryptsetup luksFormat /dev/sdb1 /etc/sdb-key
# cryptsetup luksOpen /dev/sdb1 cryptdisk --key-file /etc/sdb-key
# mkfs.ext4 /dev/mapper/cryptdisk
# cryptsetup luksClose cryptdisk
To let the system decrypt the device at boot time I use /etc/crypttab with the following entry
cryptdisk /dev/sdb1 /etc/sdb-key
and of course I want the system to mount it automatically at boot time - so I insert the following entry into /etc/fstab
/dev/mapper/cryptdisk /media/storage ext4 defaults 0 1
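A check for the crypttab/fstab pairing set up above, as an added example that is not part of the original page. For every crypttab mapping that uses a key-file it verifies that the key is a regular file with mode 0600 (or 0400) owned by root, and that fstab mounts the opened mapping /dev/mapper/<name> rather than the raw LUKS partition, which has no mountable filesystem and would fail at boot. Assumptions: the crypttab and fstab paths are parameters (defaulting to /etc/crypttab and /etc/fstab), KEY_OWNER is a hypothetical override of the expected owner so the check can run against copies as a non-root user, and GNU stat and awk are available.

```shell
#!/bin/sh
# Added example (not from the original page): audits crypttab(5) key-files and
# the matching fstab(5) entries. Assumptions: file paths as parameters,
# KEY_OWNER defaults to root and is overridable for testing, GNU stat/awk.

KEY_OWNER="${KEY_OWNER:-root}"

# check_keyfile PATH: print findings, return the number of problems.
check_keyfile() {
    key="$1"
    n=0
    if [ ! -f "$key" ]; then
        echo "KEY: $key is not a regular file"
        return 1
    fi
    mode=$(stat -c %a "$key")
    owner=$(stat -c %U "$key")
    case "$mode" in
        600|400) ;;
        *) echo "KEY: $key has mode $mode, expected 600"; n=$((n + 1)) ;;
    esac
    [ "$owner" = "$KEY_OWNER" ] || { echo "KEY: $key is owned by $owner, expected $KEY_OWNER"; n=$((n + 1)); }
    return "$n"
}

# fstab_has DEVICE FSTAB: true if some non-comment fstab line mounts DEVICE.
fstab_has() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "$2"
}

# check_crypttab_fstab [CRYPTTAB] [FSTAB]: return the number of problems found.
check_crypttab_fstab() {
    crypttab="${1:-/etc/crypttab}"
    fstab="${2:-/etc/fstab}"
    total=0
    # crypttab(5) fields: name  device  key-file  [options]
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        # no key-file ("none", "-" or empty) means a passphrase prompt at boot;
        # there is nothing on disk to audit for such an entry
        case "$key" in
            ''|none|-) ;;
            *) check_keyfile "$key" || total=$((total + $?)) ;;
        esac
        if fstab_has "$dev" "$fstab"; then
            echo "FSTAB: $dev is the raw LUKS device, mount /dev/mapper/$name instead"
            total=$((total + 1))
        fi
        if ! fstab_has "/dev/mapper/$name" "$fstab"; then
            echo "FSTAB: no entry mounts /dev/mapper/$name"
            total=$((total + 1))
        fi
    done < "$crypttab"
    return "$total"
}
```

Running `check_crypttab_fstab` with no arguments audits the live /etc/crypttab and /etc/fstab; a non-zero return is the number of findings printed, so it can be dropped into a cron job or a post-install check.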