Encrypted home partition in Linux with DM_Crypt

[ Wednesday, 2 May 2007, lipiec ]


Have you ever wondered what would have happened if all the important data have been stolen from your mobile PC? For example the information about a confidential project you have been working on for the last 2 years in your company … A horrifying vision, isn’t it? If you don’t want it come true, please consider encrypting your home drive. Here is how to do this in Linux.

Author: Marcin Lipiec

This is what you will need to prepare your Linux computer for encrypting your home drive:

  • DM-Crypt — open-source tool for encryption the whole HDD partition. It encrypts data before writing them on HDD. Available for kernel 2.6.4 and later.
  • LUKS – (Linux Unified Key Setup) — standard HDD encryption system for Linux.
  • cryptsetup — enables simultaneous use of LUKS and DM-Crypt.

Necessary software download

The program you will need is cryptsetup with LUKS handling. In order to install it you may either use your distribution’s repositories or use the general method (compilation from sources).

The distro-specific method is recommended. In Ubuntu you only need to type apt-get install cryptsetup in the terminal windows (or use Synaptic Package Manager to do the same in a graphical interface.

If you prefer the source-based way, just open up a terminal and type wget http://luks.endorphin.org/source/cryptsetup-luks-1.0.4.tar.bz2. The installation proceeds as usual:

./configure
make
make install

Done. If all went right, the installation should be now finished and the encryption software ready to be used.

Key cryptsetup options

Cryptsetup enables you to perform different types of encryption and offers some additional options you may be interested in. Here is a brief overview of them.

root@host:~# cryptsetup OPTIONS action name device - general syntax

OPTIONS:
-c  - here enter a cipher algorithm, the default is AES with 256-bit key
-h - displays help menu 
-y - user verification, you will be prompted twice for the password
-d  - loads password from the file. This option is ignored when you 
use -y switch
-s  - you can enter the key size (in bits)

ACTIONS:
create - creates HDD map
remove - deletes HDD map
reload - reloads HDD map
size - increases or decreases map size
status - displays status

name - map name in /dev/mapper/[device] - [device] is the name of the 
HDD you want to encrypt

Now you know all the basic options, so you can get back to your main job — encrypt the home partition. Cryptsetup is a console program and there is no GUI layer available, so if you don’t like working with command line tools… you will have to give it a second chance :)

Initializing of /home directory

For the purpose of this article, let’s say that the partition which we want to encrypt is /dev/hdc6. Before you will be able to make the encrypted disc partition you have to initialize it first. This is how you do it:

root@host:~# cryptsetup luksFormat /dev/hdc6

WARNING!
=========
This will overwrite data on /dev/hdc6 irrevocably.

Are you sure? (Type uppercase yes): [YES]
Enter LUKS passphrase:

Verify passphrase:
Command successful.

You will be prompted for a password. You need to enter it twice. This password will be used for verification later on, so don’t forget it!

Choosing the encryption algorithm

Then you have to decide which algorithm you will use to encrypt the /home directory. The algorithm you use have to be supported by your kernel version. To check the available algorithms enter:

cat /proc/crypto

If there is no built-in crypto options (algorithms shouldn’t be loaded as modules) configure the kernel before you start the program (crypto options are in the Cryptographic options tab of the kernel configuration).

Next, you type:

root@host:~# cryptsetup -c chosen_algorithm -y luksFormat /dev/hdc6

If you don’t know what algorithm you want just skip -c switch. The default algorithm is AES.

Mapping the drive and creating a filesystem.

The next step is to create the mapping. Type:

root@host:~# cryptsetup luksOpen /dev/hdc6

You will be prompted to enter your password again to verify your identity. If there are no problems, the /home directory map should appear in /dev/mapper.

A good idea is to fill the new drive with random data. This may be a lengthy operation, so only do this when you have a modern computer. Here is an example command to perform this action:

dd if=/dev/urandom of=/dev/mapper/home

Then you should create a filesystem on your virtual directory's copy:

root@host:~# mkfs.ext2 -m 0 /dev/mapper/home

Here I've chosen ext2, but it can be any filesystem e.g. ext3 or reiserFS.

Now copy your current content of /home directory to the mapped drive:

root@host:~# cp -a /home /dev/mapper/home

You are almost done, already :)

Creating additional user passwords

LUKS has a very interesting feature. Namely, not only root can access the encrypted directory, but also the regular users can, which is very helpful when you want to use the encrypted drive as your home partition. To enable a non-root user the access to the directory you have to add some new passwords for those guys. To add those new passwords run cryptsetup with option luksAddKey:

root@host:~# cryptsetup luksAddKey /dev/hdc6
Enter any LUKS passphrase:
Verify passphrase:
key slot 0 unlocked.
Enter new passphrase for key slot:
Verify passphrase:
Command successful.

You will be prompted for your password which you have set at the beginning and then you enter the new password for the chosen user. Passwords can be the same as the user's account password of course. This is handy since it doesn't force users to remember another passphrase, but of course makes the system security a bit weaker because a hacker who knows the user's password can easily see the content of the encrypted partition.

To list all the added keys/passwords type the following:

root@host:~# cryptsetup luksDump /dev/hdc6

To remove a password type:

root@host:~# cryptsetup luksDelKey key_no

Mounting the encrypted drive

Finally you can mount your partition as a separate drive:

root@host:~# mount /dev/mapper/home /mnt/home/

And that's all. From now on your /home partition will be encrypted. But what about mounting after reboot? Well... then you will have to map the /home directory again by typing:

root@host:~# cryptsetup -y luksOpen /dev/hdc6
root@host:~# mount /dev/mapper/home /mnt/home

If this seems annoying, read on :)

Automatic mounting of encrypted drives

As you may suspect, manual mounting can become annoying, especially in case you often reboot or turn off the computer. But there is a way to avoid it. To automate mounting you will need these two programs:

  • PAM -- lets to combine a few crypto technologies, what's why the user isn't bothered by separate implementation of each key encrypted with different algorithm.
  • pam_mount -- this is a special layer for PAM which enables of mounting separate volumes for each user and what is most important -- it handles the crypt as well.

Pam_mount works almost seamlessly because mounting is invisible for the user. Installation of PAM and its plug-in proceeds as usual:

./configure
make
make install

When you have already installed both programs you have to check the content of /etc/security/pam_mount.conf file. I won't show whole the file because there is everything perfectly described inside. You have to add the following line at the end of this file:

volume * crypt - /dev/hdc6/home /mnt/home fstype=ext2,async,nodev,fsck - -

The general syntax looks like this:

volume username filesystem server volume mounting_point mounting_options \\
encryption_algorithm path_to_key

Next, you have to edit /etc/pam.d/pam_mount. Check if there are following lines (if not, add them):

auth required pam_mount.so use_first_pass
session required pam_mount.so use_first_pass

Eventually, open /etc/pam.d/login and right after the line:

@include common-session

Add this one:

@include common-pammount

And here is the (happy) end of the story. The encrypted partition should now be automatically mounted upon login and you should not worry anymore about potential stealth of your data. I strongly advice you to keep and eye on your laptop anyway since the thief may not be aware of the advanced technologies you just installed :)

Conclusion

Configuring the drive encryption in Linux isn't as easy as it should be. That's why if you don't have to do it, better leave it alone. Be aware that if -- during the encryption process -- you are cut off the power supply and you have no UPS, the situation won't be funny. This is because the encryption is being held on the fly. The files are encrypted before being written on HDD, so in such case you may lose the document you currently work on. But the advantages are also huge enough to consider such encryption. When your PC is stolen, the thieves won't have any access to your encrypted data (in this case, the whole user partition). This is just a HOWTO, the decision is yours :)

Bibliography

New AdTaily ads!

Are you a film buff?

film buffs community, movie recommendations and reviews

RSS: Comments

You can follow the comments to this article through a special channel RSS 2.0 .

Related articles: CLI

 more »

Related articles: HOWTOs

 more »

PolishLinux Top Content


Featured links

Its common practice of webmasters when they go for web host, mostly they don't care about the services provided by hosting company. Now many companies providing cheap hosting and provide dedicated server for hosting as well.

Become our fan on Facebook!

PolishLinux.org on Facebook

Follow PolishLinux on Twitter!

Follow polishlinux on Twitter

Google Ads