Encrypted /home partition using LUKS, pam_mount and LVM
In preparation for yet another cross-continent trip I finally decided to encrypt the home partition on my X61s laptop. I had to mess a bit with the pam_mount configuration file to make it work, so I thought I would share my notes. In the following I briefly describe how I use a password-protected key stored on external media (an SD card) to encrypt my home partition. The key is protected with the same password I use for the Xorg login, so whenever you are asked for a password in the examples below, use your normal user password; pam_mount will later decrypt the key with that password at login and hand it to LUKS. Keep in mind that the key file only acts as a second factor if the card is not stored together with the laptop: whoever has both the card and the login password can unlock the volume.
First prepare a key. The key is written without a trailing newline (echo would add one), so that the bytes fed to luksFormat below are unambiguously the same bytes pam_mount later decrypts from the key file and hands to cryptsetup. -md md5 is given explicitly so that OpenSSL's key derivation matches pam_mount's fskeyhash="md5" regardless of the OpenSSL version (1.1.0 and later default to sha256):
KEY=$(LC_ALL=C tr -cd '[:graph:]' < /dev/urandom | head -c 79)
printf '%s' "$KEY" | openssl aes-256-ecb -md md5 > verysekrit.key
Then create an LVM volume for the home directory (substitute home with whatever you want to name the logical volume):
lvcreate -L30G -nhome vg
Then we initialize the volume with our secret key and LUKS. The cipher specification is stored in the LUKS header, so it only has to be given here and not again at luksOpen time. aes-cbc-plain was the cryptsetup default at the time; it is susceptible to watermarking attacks, and the later defaults (aes-cbc-essiv:sha256, then aes-xts-plain64) avoid that, so prefer one of those unless you need the old setting:
openssl aes-256-ecb -d -in verysekrit.key | cryptsetup -v --cipher aes-cbc-plain --key-size 256 luksFormat /dev/vg/home
Now let's test that we can open the encrypted volume, and format it:
openssl aes-256-ecb -d -in verysekrit.key | cryptsetup luksOpen /dev/vg/home myh_crypt
mkfs.ext3 /dev/mapper/myh_crypt
You can now mount it and sync your old home over. Note the trailing slash on the rsync source: /home/username/* would skip dotfiles such as .ssh and .bashrc:
mount /dev/mapper/myh_crypt /mnt/gentoo
rsync -va /home/username/ /mnt/gentoo/
Once everything is synced over we'll close the LUKS volume again:
cryptsetup luksClose myh_crypt
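The key-file and LUKS steps above, collected into checked shell functions. This is an added example and not code from the original post; the names verysekrit.key, /dev/vg/home and myh_crypt come from the post, while the function names, the mktemp mount point and the --test-passphrase check are assumptions of the example. The openssl functions mirror how pam_mount's fskeycipher="aes-256-ecb" fskeyhash="md5" will decrypt the key file, so a round trip through them is a useful check before touching any block device.

```shell
#!/bin/sh
# Added example (not from the original post): the key-file and LUKS steps
# as checked shell functions.  verysekrit.key, /dev/vg/home and myh_crypt
# are the post's names; everything else here is assumed.

set -eu
# No "set -o pipefail": head closes the pipe early and tr exits via SIGPIPE,
# which pipefail would report as a failure.

# 79 printable ASCII bytes, no trailing newline.  "echo $KEY" would append a
# newline, leaving it ambiguous whether that byte is part of the key that
# luksFormat sees versus what pam_mount later decrypts and passes on.
gen_key() {
    LC_ALL=C tr -cd '[:graph:]' < /dev/urandom | head -c 79
}

# Encrypt the key under the login password the way pam_mount will decrypt it
# for fskeycipher="aes-256-ecb" fskeyhash="md5": OpenSSL's legacy salted
# EVP_BytesToKey derivation with MD5.  -md md5 is spelled out because OpenSSL
# 1.1.0 and later default to sha256, which would derive a different key.
encrypt_key() {  # $1 plaintext key, $2 password, $3 output file
    printf '%s' "$1" | openssl enc -aes-256-ecb -md md5 -salt \
        -pass "pass:$2" -out "$3"
}

# Mirror of what pam_mount does with the key file before calling cryptsetup.
decrypt_key() {  # $1 key file, $2 password; plaintext key on stdout
    openssl enc -d -aes-256-ecb -md md5 -pass "pass:$2" -in "$1"
}

# Returns 0 only when the key file decrypts back to the original key.
verify_keyfile() {  # $1 plaintext key, $2 password, $3 key file
    [ "$(decrypt_key "$3" "$2" 2>/dev/null)" = "$1" ]
}

# Root-only part, as in the post: format, open, populate and close the
# volume.  -q skips the interactive "Are you sure" confirmation, which cannot
# be answered while the passphrase arrives on stdin.  The trailing slash on
# the rsync source copies dotfiles too; "/home/username/*" would skip them.
setup_home_volume() {  # $1 key file, $2 password, $3 LV, $4 mapper name, $5 old home
    decrypt_key "$1" "$2" | cryptsetup -q --cipher aes-cbc-plain --key-size 256 luksFormat "$3"
    decrypt_key "$1" "$2" | cryptsetup luksOpen "$3" "$4"
    mkfs.ext3 "/dev/mapper/$4"
    mnt=$(mktemp -d)
    mount "/dev/mapper/$4" "$mnt"
    rsync -a "$5/" "$mnt/"
    umount "$mnt"
    cryptsetup luksClose "$4"
}

# Post-install check: does the decrypted key really unlock the LUKS header?
# --test-passphrase (cryptsetup 1.1 and later) maps nothing, so it is safe to
# run while /home is already mounted.  Needs root.
check_key_unlocks() {  # $1 key file, $2 password, $3 LV
    decrypt_key "$1" "$2" | cryptsetup --test-passphrase luksOpen "$3"
}

# Usage (not executed here):
#   KEY=$(gen_key)
#   encrypt_key "$KEY" "$LOGIN_PASSWORD" /mnt/mmc/verysekrit.key
#   verify_keyfile "$KEY" "$LOGIN_PASSWORD" /mnt/mmc/verysekrit.key && echo "key file ok"
#   setup_home_volume /mnt/mmc/verysekrit.key "$LOGIN_PASSWORD" /dev/vg/home myh_crypt /home/username
#   check_key_unlocks /mnt/mmc/verysekrit.key "$LOGIN_PASSWORD" /dev/vg/home
```

If verify_keyfile succeeds but check_key_unlocks fails after a pam_mount upgrade, the first place to look is the OpenSSL digest default: a key file written without -md md5 by a newer OpenSSL was derived with sha256 and will not match fskeyhash="md5".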
Now unmask and emerge pam_mount:
echo "sys-auth/pam_mount" >> /etc/portage/package.keywords
emerge -v pam_mount
Now configure pam_mount to first mount the SD card (/dev/mmcblk0p1) and then use the key on it to unlock the home partition, by editing /etc/security/pam_mount.conf.xml. The volume elements go inside the <pam_mount> root element; if you store the key somewhere else, the first volume element may be omitted. The path of the second volume is the logical volume created above (/dev/vg/home and /dev/mapper/vg-home are the same device). fskeycipher and fskeyhash must match how the key file was encrypted with openssl above (aes-256-ecb with MD5-based key derivation); otherwise pam_mount derives the wrong key and the luksOpen fails at login:
<volume user="username"
        path="/dev/mmcblk0p1"
        mountpoint="/mnt/mmc"
        fstype="auto" />
<volume user="username"
        path="/dev/mapper/vg-home"
        mountpoint="/home/username"
        fstype="crypt"
        options="data=journal,commit=15"
        cipher="aes-cbc-plain"
        fskeypath="/mnt/mmc/verysekrit.key"
        fskeycipher="aes-256-ecb"
        fskeyhash="md5" />
Then configure PAM to use pam_mount by editing /etc/pam.d/system-auth. Add pam_mount to the auth section like this:
auth required pam_env.so
auth optional pam_mount.so
auth required pam_unix.so try_first_pass likeauth nullok
And to the session section like this:
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
session optional pam_mount.so
@foo, I love XKCD wisdom :) However my primary concern is just randomly losing my laptop. I guess after 9/11 you cannot trust authorities not to just use XKCD wisdom :-(
Editing /etc/security/pam_mount.conf.xml as you stated (that is also the logical way of using the key) doesn't work.
I think it is related to Debian bug report #528366 for libpam-mount.
Cryptsetup works fine with my user.key on line input, so the problem is in pam_mount.
Has anyone experienced this issue or can help? Thanks in advance :-)