This article is like a second edition to Encrypted home in Ubuntu (or Kubuntu… or Debian…). Important changes include that I have tested it for Ubuntu 7.04 Feisty Fawn and it works, but the devices are sd instead of hd due to all hard disk being viewed as SCSI (I am not sure why). Also I corrected some text layout problems of the previous article and I am no longer targeting Debian. Since Debian 4.0 Etch encrypting the whole file system (but /boot) is trivial because it is supported on the install, so you are not likely going to need this. Also, it seems more and more Ubuntu is taking a different direction than Debian so we may start to find big differences and I am not going to test this on Debian.
As we put more and more personal information on our computers or computers become lighter, small, more mobile. In other words, the importance of the information gets higher and the possibility of being loosed or stolen gets higher as well.
I think that if anyone gets a-hold of the information in my notebook (s)he’d be able to impersonate me and make my life a mess. That’s why I like keeping all my information encrypted. That is, I have a separate partition for /home and it is encrypted.
The level of security is not high and if you are a real paranoid you should be reading some other tutorials. I am using just a pass-phrase for the encryption so I am susceptible to dictionary attacks, my swap is not encrypted, so some personal information would be available there. But that’s Ok. I am not trying to protect from the people with enough sophistication to perform the needed operations to retrieve that information. And if the thing becomes really nasty I bet people can find other ways to access my information. My goal is to protect from the regular thieve or from loosing it… so I will mourn for some dollars being lost but I will sleep well at night.
Disclaimer: the information will be encrypted, you’ll be able to access it with a key: a pass-phrase. If you loose it, you won’t be able to access than information again, so, be careful.
You should install the operating system as you always do with a little detail: create the root partition, the swap partition but not the home partition. Leave some space for the home partition, we’ll create it latter.
After you did that you should be booting into a fresh system. Be sure not to store any sensitive information now, because it’ll be open to attacks. Some thinks to take care, if you use a browser or some instant messaging client, do not make them save the password, if you can avoid typing the passwords at all, that will be better.
Once you got pass that you’ll need two packages (in Ubuntu and Kubuntu, exactly this, in Debian probably too, in others you’ll have to figure it out; actually, this applies to all the document so I won’t repeat it again): cryptsetup and libpam-mount. You can install them with a command like:
aptitude install cryptsetup libpam-mount
Create the partition that will be your home partition. Do it in whatever way you prefer, I’ve personally use cfdisk a lot, but you can also use fdisk or any other partitioning tool. After that to ensure that the partition table is written and read by Linux reboot. Avoiding rebooting might not cause any problem or it may cause weird problems with error messages that are hard to understand and that made me loose an hour or so. So, be safe and reboot.
The encryption we are going to use works like this. Linux puts a layer around a device and creates a new virtual device. Whatever is written to this new virtual device is written to the real device but encrypted. All this works at a very low level and it is called mapping. There are other kind of mappings (to perform other operations than encrypting… think for example as creating volumes of various partitions so they’d be seen as one).
To create the mapping run:
cryptsetup --verbose --verify-passphrase luksFormat /dev/sda3
replacing /dev/sda3 with your particular (real) device. In my case sda1 is root and sda2 is swap. One important piece of advice here would be putting random information on /dev/sda3 so it is harder to guess what’s in there. I haven’t done it because I was working over some other encrypted partition which was created over random data… enough randomness for me. If you are working in a new or blank this putting the random data might be important. Using your favorite search-engine you can find how to do it in 30 seconds.
A bit more about that command. cryptsetup is a program to create this encryption mappings. –verbose is because we like to see a lot of useless data and feel more geeky. –verify-passphrase is to be asked twice for the pass-phrase, so we don’t insert a wrong pass-phrase by accident. luksFormat is the action. luks is a new system that lets us have more than one password, change passwords, add passwords, etc to some encrypted device. Very handy.
Update: I’ve recently installed Kubuntu in a MacBook Pro and I’ve had to modprobe aes (and possible modprobe dm-crypt too) before being able to run the following command line succesfuly, otherwise I’ve got this message:
Failed to setup dm-crypt key mapping. Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda5 contains at least 133 sectors. Failed to write to key storage. Command failed.
A complete execution of that command will look like:
WARNING! ======== This will overwrite data on /dev/sda3 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful. root@pulab:~#
The new partition
This new system, luks, also let us inspect what is in a luks-formatted partition. It works like this:
root@pulab:~# cryptsetup luksDump /dev/sda3 LUKS header information for /dev/sda3 Version: 1 Cipher name: aes Cipher mode: cbc-essiv:sha256 Hash spec: sha1 Payload offset: 1032 MK bits: 128 MK digest: 65 d9 47 47 f0 74 5c ad ae 79 03 6c c9 11 4d 56 b2 11 78 90 MK salt: 19 d7 3b c6 04 2d ee e1 77 c0 4b f1 ac e1 3a 21 ce 02 10 9a c5 f7 5a b7 fd f5 d4 96 96 6d 79 0d MK iterations: 10 UUID: bf5ca0c3-a68f-4544-8840-ba2p2af98918 Key Slot 0: ENABLED Iterations: 70156 Salt: 08 e1 75 0e d1 1b 92 d1 f1 5f bd 50 9c ec a0 a2 b9 ea f8 da 1a 62 5d 4b 15 f3 4c a3 f3 49 12 83 Key material offset: 8 AF stripes: 4000 Key Slot 1: DISABLED Key Slot 2: DISABLED Key Slot 3: DISABLED Key Slot 4: DISABLED Key Slot 5: DISABLED Key Slot 6: DISABLED Key Slot 7: DISABLED
Lot’s of nice information, don’t you feel super-geek ? You can see there that you have 8 spaces for pass-phrases, you have 8 slots of which you are using one, the 0.
To be able to access the encrypted partition you have to open it… and to do it you’ll need a key of course (your pass-phrase). We’ll see the mappings on /dev/mapper/, which should be empty by now (except for a control file… I wouldn’t name a mapping control, just in case):
root@pulab:~# ls /dev/mapper/ control
Ok! Now open it:
root@pulab:~# cryptsetup luksOpen /dev/sda3 home Enter LUKS passphrase: key slot 0 unlocked. Command successful.
Great! We have opened it. The last parameter, “home”, is the name of the mapping. Let’s take a look at the mappings:
root@pulab:~# ls /dev/mapper/ control home
Good. This device file is like a partition itself. So, we’ll make a file-system in there in the same way you’d make it in sda3 (from now on, don’t do anything with sda3 except opening and other luks operations, your partition is /dev/mapper/home now). In my case I’ve picked reiserfs, but you can use whatever you want:
root@pulab:~# mkfs.reiserfs -l home /dev/mapper/home . lot's of geeky output . root@pulab:~#
and we are done. We can mount it:
root@pulab:~# mount /dev/mapper/home /media/
copy the current data (the home of a user and a couple of files):
root@pulab:~# cp -a /home/* /media/
root@pulab:~# umount /media/
and close it:
cryptsetup luksClose home
There are various ways to open and mount the encrypted file-system but after trying many different ones, this is the best one from my point of view. I like that it is not intrusive: when you log in, your user password will be used to open the file-system and it’ll be mounted automatically. Of course then the password of your user should match the pass-phrase in some of the slots of the encrypted device.
You need to modify /etc/pam.d/common-auth adding, at the end:
And /etc/pam.d/common-session to add that same line:
In /etc/security/pam_mount.conf, around line 174 you have a list of “Linux encrypted home directory examples”, since what we are going to do is related to that it makes sense to put this line:
volume pupeno crypt - /dev/sda3 /home cipher=aes - -
there changing “pupeno” with your username and “/dev/sda3” with your device. And that is the line that will make the magical mount happen.
Now just try it. It is very simple, log out, log in again and that’s it. You should have you newly super-encrypted home partition mounted. To check it out issue a mount command and among a huge amount of cryptic information you should see:
/dev/mapper/_dev_sda3 on /home type reiserfs (rw)
You can also list the files on /dev/mapper to find the _dev_sda3 mapping.
And that’s it, it wasn’t so hard, was it ?
More users, more pass-phrases
If there are more users add more lines to /etc/security/pam_mount.conf, I haven’t tested it but it should work. Also just add more passphrases to the device using cryptsetup in this way:
cryptsetup luksAddKey /dev/sda3
It’ll ask you for a current pass-phrase as well. This is also useful if you are changing pass-phrases, while you work on remembering the new one, don’t delete the old one, so if you forget the new one you should still be able to access your information with the old one. After you are confident of the new one, you can delete the old one with:
cryptsetup luksDelKey /dev/sda3 0
where “0” is the slot where you have your old pass-phrase (hint: use luksDump). And here I want to remind you that if you lost the password you won’t be able to access the information. There’s no password recovery here: it is gone, forever, as scrambled, processed and destroyed as the dinner of Tuesday of the last week. Be very careful and always make backups.
Comments on the original blog
Two more articles describing the same: