
Encryption

dm-crypt / LUKS

Home directory encryption/decryption with LUKS and pam_mount

Requirements

  • Installation of libpam-mount (man 5 pam_mount.conf)
  • The encryption passphrase and the login password must be identical
  • (LightDM)
In my case with LightDM this works out of the box. I don't have experience with other display managers - that's why I put LightDM in parentheses in the requirements list.

Steps

  1. Choose/create a place to store the image files at
  2. pam_mount configuration
  3. Creation of image file, crypto container and filesystem
  4. Mount image and move home contents
  5. Unmount image and close container
  6. 1st login with automatic decryption and mount

Create place to store image files at

mkdir -m 0770 /images
chown -R root:users /images

Configuration of pam_mount

An example volume entry for /etc/security/pam_mount.conf.xml (it goes inside the file's <pam_mount> element):

<volume
    user="*"
    fstype="crypt"
    path="/images/%(USER)_home"
    mountpoint="~"
    options="crypto_name=%(USER)_crypthome,fstype=ext4"
/>

Creation of image file, crypto container and file system

I tried this first on Linux Mint and for some reason it didn't work with newly created user accounts.
What made it work was to create the user accounts and log them in at least once at the GUI.

# su - <USERNAME>
$ truncate -s 80G /images/<USERNAME>_home
$ chmod 0600 /images/<USERNAME>_home
$ cryptsetup luksFormat --type=luks1 /images/<USERNAME>_home

An alternative version of the steps above, done entirely as root:

# truncate -s 80G /images/<USERNAME>_home
# chown <USERNAME>:<USERNAME> /images/<USERNAME>_home
# chmod 0600 /images/<USERNAME>_home
# su -c "cryptsetup luksFormat --type=luks1 /images/<USERNAME>_home" <USERNAME>

--type=luks1 is only needed if you want users to be able to change the passphrase of their own crypto containers.

Now as root we open the crypto-container and create a file system:

$ exit
# cryptsetup luksOpen /images/<USERNAME>_home <USERNAME>_crypthome
# mkfs.ext4 /dev/mapper/<USERNAME>_crypthome

Mount image and move home contents to the new file system

After mounting we change the ownership of the new file system to the user, including its root directory, which will become the user's home (as it's a fresh ext4 file system, there should be nothing in it but the lost+found folder). Afterwards we move all the contents of the user's home directory to the new file system:

# mount /dev/mapper/<USERNAME>_crypthome /mnt
# chown -R <USERNAME>:<USERNAME> /mnt
# (shopt -s dotglob; mv /home/<USERNAME>/* /mnt/)
# ls -a /mnt
# umount /mnt
# cryptsetup luksClose <USERNAME>_crypthome

That's it - now log in as that user. You should notice that the login process needs a bit more time than before.

https://askubuntu.com/questions/1020390/how-do-i-auto-mount-luks-partition
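The following script is an added example, not code from the wiki page: it performs steps 3 to 5 of the procedure above for one user in a single run, with the checks I would want before touching someone's home. It assumes the /images directory, the pam_mount volume entry and the <USER>_home / <USER>_crypthome naming from this page, GNU coreutils and findutils, util-linux mountpoint and procps pgrep, and it has to run as root. The function names (image_path, mapper_name, valid_username, preflight, create_crypthome) are my own. Unlike the manual steps it refuses to continue when the image already exists or the user is still logged in, and it changes the owner of the file system root as well, since that directory becomes ~ after login.

```shell
#!/bin/sh
# Example helper (not from the wiki page): steps 3-5 of the procedure above
# for one user in a single run. Assumes /images, the pam_mount volume entry
# and the <USER>_home / <USER>_crypthome naming from the page, GNU coreutils
# and findutils, util-linux mountpoint, procps pgrep and root privileges.
set -eu

IMAGE_DIR=/images

image_path()  { printf '%s/%s_home\n' "$IMAGE_DIR" "$1"; }
mapper_name() { printf '%s_crypthome\n' "$1"; }

# Accept only a plain local account name (Debian's default useradd pattern):
# the name is spliced into a path, a device-mapper name and a su command line.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Refuse to continue if a step would destroy data or lock the user out.
preflight() {  # $1 = user, $2 = image file
    [ "$(id -u)" -eq 0 ]          || { echo "run as root" >&2; return 1; }
    valid_username "$1"           || { echo "bad user name: $1" >&2; return 1; }
    getent passwd "$1" >/dev/null || { echo "no such user: $1" >&2; return 1; }
    [ ! -e "$2" ]                 || { echo "$2 exists, refusing to overwrite it" >&2; return 1; }
    # while the user is logged in pam_mount has the home mounted and processes hold it
    ! mountpoint -q "/home/$1"    || { echo "/home/$1 is a mountpoint; log the user out first" >&2; return 1; }
    ! pgrep -u "$1" >/dev/null    || { echo "$1 still has running processes" >&2; return 1; }
}

create_crypthome() {  # $1 = user, $2 = image size, e.g. 80G
    user=$1
    size=$2
    img=$(image_path "$user")
    map=$(mapper_name "$user")
    preflight "$user" "$img"

    # sparse image owned by the user; --type=luks1 as on the page, so the user
    # can later change the passphrase with cryptsetup luksChangeKey
    truncate -s "$size" "$img"
    chown "$user:$user" "$img"
    chmod 0600 "$img"
    su -c "cryptsetup luksFormat --type=luks1 '$img'" "$user"

    cryptsetup luksOpen "$img" "$map"
    mkfs.ext4 -q "/dev/mapper/$map"
    mnt=$(mktemp -d)
    mount "/dev/mapper/$map" "$mnt"
    # the file system root becomes ~ after login, so it must belong to the user too
    chown -R "$user:$user" "$mnt"
    # move everything, dotfiles included (POSIX sh has no dotglob)
    find "/home/$user" -mindepth 1 -maxdepth 1 -exec mv -t "$mnt/" {} +
    umount "$mnt"
    rmdir "$mnt"
    cryptsetup luksClose "$map"
    echo "$img ready; log in as $user and pam_mount will open and mount it"
}

if [ $# -eq 2 ]; then
    create_crypthome "$@"
fi
```

Usage: create_crypthome.sh <USERNAME> 80G, run as root while the user is logged out; luksFormat still asks the user for the passphrase interactively, which must equal the login password for pam_mount to open the container.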

Simple drive encryption with passphrases (no keyfiles)

In this example I'm going to encrypt a USB stick that has the device name sdc on my current system. First I created a new partition with fdisk. I started fdisk with

# fdisk /dev/sdc

then pressed o to create a new DOS partition table, followed by n to create a new partition.
I created one partition spanning the whole drive and pressed w to write the changes to the disk and exit fdisk. Now we have the partition sdc1 and create a LUKS container on it:

# cryptsetup luksFormat /dev/sdc1

It will ask if you really want to continue and you have to type in 'YES' in capital letters; afterwards you have to type the passphrase you want to use for decryption twice. When it has finished you can open the LUKS container with:

# cryptsetup luksOpen /dev/sdc1 cryptstick

where cryptstick is just a temporary name for now. The device will appear under this name below /dev/mapper, and now you can write a file system to the new device. I chose ext2 for mine:

# mkfs.ext2 /dev/mapper/cryptstick

And now it is possible to mount it somewhere and store data on it:

# mount /dev/mapper/cryptstick /mnt
...
...
..
# umount /mnt

After you've unmounted the stick you also have to close the LUKS container again:

# cryptsetup luksClose cryptstick

That's it. Used this way, you can also open your encrypted stick with several graphical file managers provided by desktop environments; if it were encrypted with a keyfile this would no longer be possible.

Simple disk encryption and automatic decryption (and mount) at boot time with unencrypted keyfiles

In this example I'll cover how to encrypt a device with dm-crypt in LUKS mode using a key-file that is stored as a plain-text file on the encrypted root file system, and how to decrypt it automatically at boot time using crypttab(5). In this section I use /dev/sdb as the example device to work with.

First we have to create a partition on the device. I use the whole device in this example, so just one partition is created:

# gdisk /dev/sdb
n
"First sector...." <enter>
"Last sector...." <enter>
"Partition type linux...." <enter>
w
q

Now we create a key-file and make sure only root can read it:

# dd if=/dev/random of=/etc/sdb-key bs=512 count=4 iflag=fullblock
# chmod 0600 /etc/sdb-key

Now we have the partition /dev/sdb1 and a key-file, so we create a LUKS container and open it as cryptdisk to create an ext4 file system on it:

# cryptsetup luksFormat /dev/sdb1 /etc/sdb-key
# cryptsetup luksOpen /dev/sdb1 cryptdisk --key-file /etc/sdb-key
# mkfs.ext4 /dev/mapper/cryptdisk
# cryptsetup luksClose cryptdisk

To let the system decrypt the device at boot time I use /etc/crypttab with the following entry:

cryptdisk /dev/sdb1 /etc/sdb-key

and of course I want the system to mount it automatically at boot time, so I insert the following entry into /etc/fstab. Note that the mapped device /dev/mapper/cryptdisk is mounted, not the raw partition /dev/sdb1, which only holds the LUKS container:

/dev/mapper/cryptdisk    /media/storage   ext4   defaults    0 1
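A small check for this setup, added here as an example and not part of the wiki page: given a crypttab and an fstab it reports fstab entries that would mount the raw LUKS partition instead of its /dev/mapper/<name> device, and crypttab key-files that are missing, readable by others, or not owned by the expected uid. It assumes GNU awk and stat on Linux; the function names (find_raw_luks_mounts, keyfile_ok, check_crypttab_keyfiles, demo) and the sample files that demo writes to a temporary directory are constructed for the example.

```shell
#!/bin/sh
# Example check (not from the wiki page) for a crypttab/fstab/key-file setup
# like the one above. Assumes GNU awk/stat on Linux; the function names and
# the sample files written by demo are constructed for this example.

# Print fstab lines whose device is the source partition of a crypttab entry,
# i.e. that would mount the raw LUKS container instead of /dev/mapper/<name>.
find_raw_luks_mounts() {  # $1 = crypttab, $2 = fstab
    awk '
        NR == FNR { if ($0 !~ /^[[:space:]]*(#|$)/ && NF >= 2) raw[$2] = $1; next }
        /^[[:space:]]*(#|$)/ { next }
        ($1 in raw) { print "fstab line " FNR ": " $1 " is the LUKS device of " raw[$1] "; mount /dev/mapper/" raw[$1] " instead" }
    ' "$1" "$2"
}

# Succeed only if $1 is a regular file with mode 0600 or 0400 owned by uid $2
# (default 0): a plain-text key-file is only as protected as its permissions.
keyfile_ok() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        600|400) ;;
        *) return 1 ;;
    esac
    [ "$(stat -c '%u' "$1")" = "${2:-0}" ]
}

# Report every crypttab entry whose key-file fails keyfile_ok.
check_crypttab_keyfiles() {  # $1 = crypttab, $2 = expected owner uid (default 0)
    awk '!/^[[:space:]]*(#|$)/ && NF >= 3 && $3 != "none" && $3 != "-" { print $1, $3 }' "$1" |
    while read -r name key; do
        keyfile_ok "$key" "${2:-0}" ||
            echo "crypttab $name: key-file $key is missing, not mode 0600, or not owned by uid ${2:-0}"
    done
}

# Self-contained run on constructed files: the crypttab entry from the page,
# an fstab that mounts the raw partition by mistake, and a key-file that was
# left world-readable. Both mistakes are reported, the /dev/mapper entry is not.
demo() {
    dir=$(mktemp -d)
    printf 'cryptdisk /dev/sdb1 %s/sdb-key\n' "$dir" > "$dir/crypttab"
    printf '/dev/sdb1 /media/storage ext4 defaults 0 1\n' > "$dir/fstab"
    printf '/dev/mapper/other /data ext4 defaults 0 2\n' >> "$dir/fstab"
    head -c 2048 /dev/urandom > "$dir/sdb-key"
    chmod 0644 "$dir/sdb-key"
    find_raw_luks_mounts "$dir/crypttab" "$dir/fstab"
    check_crypttab_keyfiles "$dir/crypttab" "$(id -u)"
    rm -rf "$dir"
}
```

On a real system you would call find_raw_luks_mounts /etc/crypttab /etc/fstab and check_crypttab_keyfiles /etc/crypttab as root (the default expected owner is uid 0); demo only exists so the check can be run without touching the real files.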

pub/tech/linux/encryption.txt · Last modified: 2023/03/04 07:53