Encrypt home directory with ecryptfs
- 1 About
- 2 Emerge the needed packages
- 3 Initial mount and encryption of the home directory
- 4 Prepare the user's unencrypted home directory for automount on login
- 5 System file configuration
- 6 Encrypting swap
About

Ecryptfs Kernel Bug

This guide sets up an ecryptfs-encrypted home directory for <user>: the whole home, not just ~/Private. The encrypted files are stored in /home/.ecryptfs/<user>/.Private, which is mounted over /home/<user> automatically on login. A few configuration files (the wrapped passphrase, the signature cache and the per-user pam_mount configuration) stay in the unencrypted /home/<user> and are hidden while the ecryptfs mount is in place. This is by design: they contain no user data. Note that the wrapped passphrase is protected only by the unix login password it is wrapped with, so that password should be chosen accordingly.
Emerge the needed packages
Initial mount and encryption of the home directory
Create a directory for the encrypted files
Mount the encrypted directory over the home directory with mount -t ecryptfs and make sure to use passphrase mode (key=passphrase). The passphrase may differ from the unix login password; it is later wrapped with the login password into /home/<user>/.ecryptfs/wrapped-passphrase. Note the options mount.ecryptfs reports (cipher, key size, key signature), because pam_mount must use the same ones later. If the home directory already holds data, move it aside before mounting, since the mount hides everything underneath; then copy it into the mounted view and remove the plaintext copy.
Prepare the user's unencrypted home directory for automount on login
Copy the signature cache (~/.ecryptfs/sig-cache.txt, written for root by the initial mount) into the user's /home/<user>/.ecryptfs directory.
Wrap the passphrase into a file with ecryptfs-wrap-passphrase. It asks for two things: the passphrase you gave ecryptfs to encrypt your files with, and the unix login password to wrap it with.
This tells pam_ecryptfs to unwrap the passphrase with the unix login password at login. It does not mount anything by itself: pam_ecryptfs is configured below without its session handling, and pam_mount takes care of mounting and unmounting.
Give the user what (s)he needs: make <user> the owner of the unencrypted /home/<user> (including .ecryptfs) and of /home/.ecryptfs/<user>.
System file configuration
Add pam_ecryptfs and pam_mount to /etc/pam.d/system-auth. pam_ecryptfs.so goes into the auth and password stacks, pam_mount.so into the auth and session stacks, in each case after pam_unix.so so the modules can pick up the password already entered. Add the unwrap parameter to pam_ecryptfs.so in the auth stack; the password entry keeps the wrapped passphrase in sync when the login password changes.
In /etc/security/pam_mount.conf.xml, enable the per-user configuration file (luserconf) and whitelist the ecryptfs mount options it uses (mntoptions allow); options not on the allow list are rejected.
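The steps of sections 2 to 5 as one script. This is an added example, not the wiki's own commands: the user name alice, AES with a 16-byte key (the default mount.ecryptfs proposes), no filename encryption and the Gentoo package names sys-fs/ecryptfs-utils and sys-auth/pam_mount are assumptions; the configuration that pam_ecryptfs and pam_mount need is generated from one place so the key signature and mount options cannot drift apart.

```shell
#!/bin/sh
# Added example (not the wiki's own commands): ecryptfs home setup for one user.
# Assumptions: user "alice", AES/16-byte key, no filename encryption,
# Gentoo packages sys-fs/ecryptfs-utils and sys-auth/pam_mount.
set -eu

# Lower (encrypted) directory for a user: /home/.ecryptfs/<user>/.Private
private_dir() { printf '/home/.ecryptfs/%s/.Private' "$1"; }

# Options pam_mount hands to mount.ecryptfs. The key is found in the kernel
# keyring by its signature (pam_ecryptfs put it there after unwrapping), so no
# passphrase is asked at mount time; ecryptfs_unlink_sigs drops the key on umount.
ecryptfs_mount_options() {
    printf 'ecryptfs_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_unlink_sigs' "$1"
}

# Per-user /home/<user>/.pam_mount.conf.xml. It lives in the plaintext home and
# is hidden once the ecryptfs mount sits on top; pam_mount reads it before mounting.
pam_mount_user_conf() {
    cat <<EOF
<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
  <volume user="$1" fstype="ecryptfs" path="$(private_dir "$1")"
          mountpoint="/home/$1" options="$(ecryptfs_mount_options "$2")" />
</pam_mount>
EOF
}

# Lines to add to /etc/pam.d/system-auth, each directly after the pam_unix.so
# line of the same stack. 'unwrap' only in auth; the password entry rewraps
# the passphrase when the login password changes.
system_auth_additions() {
    cat <<'EOF'
auth        optional    pam_ecryptfs.so unwrap
auth        optional    pam_mount.so
password    optional    pam_ecryptfs.so
session     optional    pam_mount.so
EOF
}

# Additions to /etc/security/pam_mount.conf.xml: per-user file plus the
# whitelist of ecryptfs options it may use (anything else is rejected).
pam_mount_system_additions() {
    cat <<'EOF'
<luserconf name=".pam_mount.conf.xml" />
<mntoptions allow="ecryptfs_sig,ecryptfs_cipher,ecryptfs_key_bytes,ecryptfs_passthrough,ecryptfs_unlink_sigs" />
EOF
}

# One-time interactive part, run as root:  sh ecryptfs-home.sh setup alice
# Move existing data out of /home/<user> first: the mount hides what is underneath.
setup_home() {
    user="$1"; lower="$(private_dir "$user")"; upper="/home/$user"
    emerge --ask sys-fs/ecryptfs-utils sys-auth/pam_mount
    mkdir -p "$lower" "$upper/.ecryptfs"
    # Initial mount in passphrase mode. mount.ecryptfs prompts for the passphrase
    # (may differ from the login password) and prints the options it used.
    mount -t ecryptfs "$lower" "$upper" \
        -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n
    # copy the user's data into "$upper" here, then:
    umount "$upper"
    # mount.ecryptfs recorded the key signature in root's sig cache; the user gets a copy.
    cp /root/.ecryptfs/sig-cache.txt "$upper/.ecryptfs/sig-cache.txt"
    sig="$(head -n 1 /root/.ecryptfs/sig-cache.txt)"
    # Wrap the ecryptfs passphrase with the login password (prompts for both).
    ecryptfs-wrap-passphrase "$upper/.ecryptfs/wrapped-passphrase"
    pam_mount_user_conf "$user" "$sig" > "$upper/.pam_mount.conf.xml"
    chown -R "$user:" "$upper" "/home/.ecryptfs/$user"
}

case "${1:-}" in
    setup) setup_home "${2:-alice}" ;;
    show)  system_auth_additions; pam_mount_system_additions; pam_mount_user_conf alice '<sig>' ;;
esac
```

`sh ecryptfs-home.sh show` prints the three configuration fragments for review before anything is touched; `setup` performs the interactive one-time steps. Using `optional` for the PAM entries means a broken ecryptfs setup still lets the user log in (to an unmounted, plaintext home), which is easier to recover from than a hard failure in the auth stack.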
Since the encryption key is held in memory and can therefore be swapped out, the swap space must be encrypted too. Fortunately that is simple on Gentoo: edit /etc/conf.d/dmcrypt and uncomment the swap section, pointing source at your swap partition:
Don't forget to update /etc/fstab:
Then add dmcrypt to the boot runlevel:
Gentoo's dmcrypt init script sets up the swap partition with a random key read from /dev/urandom at each boot and runs mkswap on the mapping; the key exists only in kernel memory and is never written anywhere. A consequence is that suspend-to-disk (hibernation) cannot resume from this swap, because the key that encrypted the image is gone after a reboot.
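The swap configuration from this section, together with the check a practitioner wants afterwards: that no active swap remains outside a dm-crypt mapping. This is an added example, not the wiki's own commands; the mapping name crypt-swap and the swap partition /dev/sda2 are assumptions, and the /proc/swaps and dmsetup table samples are constructed.

```shell
#!/bin/sh
# Added example (not the wiki's own commands): encrypted swap on Gentoo plus a
# check that all active swap is on dm-crypt. Assumptions: mapping name
# crypt-swap, swap partition /dev/sda2; sample inputs below are constructed.
set -eu

# Entry for /etc/conf.d/dmcrypt. Without 'options' the dmcrypt init script uses
# a random key from /dev/urandom for swap entries and runs mkswap on the mapping.
dmcrypt_swap_entry() {
    cat <<EOF
swap=$1
source='$2'
EOF
}

# /etc/fstab must reference the mapping, never the raw partition.
fstab_swap_line() { printf '/dev/mapper/%s\tnone\tswap\tsw\t0 0\n' "$1"; }

# Read /proc/swaps on stdin, print every active swap that is NOT a device-mapper
# mapping, i.e. swap that would receive plaintext pages (partitions and files).
unencrypted_swaps() {
    awk 'NR > 1 && $1 !~ /^\/dev\/mapper\// { print $1 }'
}

# /dev/mapper also holds LVM volumes, so confirm the target type of a mapping
# from a 'dmsetup table <name>' line: "start length TYPE ..." must say crypt.
dm_target_type() { printf '%s\n' "$1" | awk '{ print $3 }'; }

# Exit 0 when all active swap is on device-mapper, 1 otherwise.
check_swap_encrypted() {
    bad="$(unencrypted_swaps < "${1:-/proc/swaps}")"
    if [ -n "$bad" ]; then
        printf 'unencrypted swap active: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Apply the configuration, run as root:  sh swap.sh apply crypt-swap /dev/sda2
apply_swap_encryption() {
    name="$1"; dev="$2"
    swapoff "$dev" 2>/dev/null || true
    dmcrypt_swap_entry "$name" "$dev" >> /etc/conf.d/dmcrypt
    # Drop any fstab line still pointing at the raw partition, then add the mapping.
    sed -i "\#^$dev[[:space:]]#d" /etc/fstab
    fstab_swap_line "$name" >> /etc/fstab
    rc-update add dmcrypt boot
}

# Constructed /proc/swaps samples (not captured from a real system).
SAMPLE_GOOD='Filename				Type		Size	Used	Priority
/dev/mapper/crypt-swap                  partition	4194300	0	-2'
SAMPLE_BAD='Filename				Type		Size	Used	Priority
/dev/sda2                               partition	4194300	0	-2
/dev/mapper/crypt-swap                  partition	4194300	0	-3'

case "${1:-}" in
    apply) apply_swap_encryption "${2:-crypt-swap}" "${3:-/dev/sda2}" ;;
    check) check_swap_encrypted /proc/swaps ;;
esac
```

After the first reboot, `sh swap.sh check` should be silent, and `dmsetup table crypt-swap` should show a `crypt` target; a leftover `/dev/sda2` in /proc/swaps means fstab or the init order still brings up the raw partition.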