Encrypt home directory with ecryptfs

From Gentoo-en
Jump to: navigation, search

About

Warning: Kernels from 2.6.39 to 3.1 on introduced a kernel bug with ecryptfs. Avoid using these kernels
Ecryptfs Kernel Bug

This will help you to create an ecryptfs encrypted home directory, the whole home, for <user>. The whole directory will be encrypted, not just ~/Private. Encrypted files will be stored in /home/.ecryptfs/<user>/.Private, which will be automounted on login over /home/<user>. Some configuration files will reside in the unencrypted /home/<user> and will become invisible after the mount of ecryptfs. This is by design and comes with no disadvantages.

Emerge the needed packages

We will need sys-auth/pam_mount and sys-fs/ecryptfs-utils. Also make sure that you have configured your kernel for use with ecryptfs.

emerge pam_mount ecryptfs-utils

Initial mount and encryption of the home directory

Create a directory for the encrypted files

mkdir /home/.ecryptfs/<user>/.Private

Initial mount

mount -t ecryptfs /home/.ecryptfs/<user>/.Private /home/<user>

Make sure to use passphrase mode. The passphrase can be different from your unix login password. It will later be wrapped in /home/<user>/.ecryptfs/wrapped-passphrase with the unix login password. Save the options for later use

mount |grep ecryptfs > /root/ecryptfs_mount_options

Unmount

umount /home/<user>

Prepare the users unencrypted home directory for automount on login

Copy the sig-cache into the users home directory

cp -r /root/.ecryptfs /home/<user>

Wrap the passphrase into a file. This will ask you for a passphrase, the one you told ecryptfs to encrypt your files, and your unix login password, for wrapping the passphrase with.

ecryptfs-wrap-passphrase /home/<user>/.ecryptfs/wrapped-passphrase

pam_ecryptfs.so flag

This will tell pam_ecryptfs to unwrap the passphrase with the unix login password on login. It does not really any auto-mount stuff, because we will later configure pam_ecryptfs withtout the session management. pam_mount will take care of the mount and umount.

touch /home/<user>/.ecryptfs/auto-mount

Give the user what (s)he needs :)

chown <user> /home/<user>/.ecryptfs

System file configuration

pam.d/system-auth

Add pam_ecryptfs and pam_mount to system-auth. pam_ecryptfs.so goes into the auth and password stack. pam_mount.so into auth and session. Make sure to add the unwrap parameter for pam_ecryptfs.so in auth.

File: /etc/pam.d/system-auth
[...]
auth		required	pam_unix.so [...]
auth		optional	pam_ecryptfs.so unwrap
auth		optional	pam_permit.so
auth		optional	pam_mount.so

[...]

password	required	pam_unix.so [...]
password	optional	pam_ecryptfs.so

[...]
session		required	pam_unix.so
[...]
session		optional	pam_mount.so

security/pam_mount.conf.xml

Allow a per user pam_mount.conf and the according mount options.

File: /etc/security/pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">

<pam_mount>

<debug enable="0" />

<luserconf name=".pam_mount.conf.xml" />

<mntoptions allow="verbosity,users,noauto,rw,exec,nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,ecryptfs_key_bytes,ecryptfs_cipher,ecryptfs_fnek_sig,ecryptfs_unlink_sigs,ecryptfs_sig" />

<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>

<logout wait="0" hup="0" term="0" kill="0" />

<lclmount>/bin/mount -i %(VOLUME) "%(before=\"-o\" OPTIONS)"</lclmount>

</pam_mount>

~/.pam_mount.conf.xml

File: /home/<user>/.pam_mount.conf.xml
<pam_mount>
<!-- <volume noroot="1" fstype="ecryptfs" path="/home/.ecryptfs/<user>/.Private" mountpoint="/home/<user>"/> -->
<volume noroot="1" fstype="ecryptfs" path="/home/.ecryptfs/<user>/.Private/"/>
</pam_mount>

Encrypting swap

Since your encryption key is saved in memory and is therefore a candidate for swaping, it's important to encrypt the swap space too. Fortunately, that's pretty simple with gentoo. Just edit /etc/conf.d/dmcrypt and comment out the swap section:

File: /etc/conf.d/dmcrypt
swap=crypt-swap-sdb5
source='/dev/sdb5'

Don't forget to update /etc/fstab:

File: /etc/fstab
/dev/mapper/crypt-swap-sdb5		none		swap		sw	0 0

Then add dmcrypt to the boot runlevel:

rc-update add dmcrypt boot

Gentoo's dmcrypt init.d script will encrypt your swap partition with an random key, which is always stored in memory.