Install pam_mount:
# apt-get install libpam-mount
Configure Ubuntu to load the loop and cryptoloop kernel modules at boot, or pam_mount will not be able to set up the cryptoloop device. (Cryptoloop has long been deprecated in favour of dm-crypt; this tutorial describes the cryptoloop-based setup.) The cat command below reads the two module names from the terminal; finish the input with Ctrl-D:
# cat >> /etc/modules
loop
cryptoloop
Configure PAM to use pam_mount for both authentication and session management. The authentication step captures the user's login password; the session step uses it to set up the cryptoloop device and mount it at login, and unmounts it again at logout.
# echo "@include common-pammount" >> /etc/pam.d/common-auth
# echo "@include common-pammount" >> /etc/pam.d/common-session
Set up a few shell variables to make the remaining steps shorter and easier to adapt:
# USER=solana
# SIZE=2048
# KEYSIZE=128
The meaning of the previous variables is:
- USER defines the username.
- SIZE defines how much space to allocate for the file-based cryptoloop, as a quantity expressed in MiB.
- KEYSIZE defines the AES keysize used to encrypt the data. Valid keysizes are 128, 192 and 256.
Create the container file and fill it with random data, so that unused blocks cannot be told apart from encrypted data:
# dd if=/dev/urandom of=/home/${USER}.img bs=1M count=${SIZE}
Generate a random AES key, encrypt it with the user's login password and store it in the key file. Because the key file is protected only by that password, anyone who can read it can run an offline guessing attack against the login password; keep its permissions as tight as possible (root-only):
# dd if=/dev/urandom bs=1c count=$((${KEYSIZE}/8)) | openssl enc -aes-${KEYSIZE}-ecb > /home/${USER}.key
When prompted for the passphrase, enter the user's login password.
Load the cryptoloop kernel driver (if it is not already loaded):
# modprobe -q cryptoloop
Find the first free loop device:
# LOOP=$(losetup -f)
Check that ${LOOP} is something like /dev/loop0 before continuing.
Set up the cryptoloop device. The decrypted key is piped into losetup, which reads it from standard input (-p0), so the only thing to type is the passphrase that openssl asks for:
# openssl enc -d -aes-${KEYSIZE}-ecb -in /home/${USER}.key | losetup -e aes -k ${KEYSIZE} -p0 ${LOOP} /home/${USER}.img
When asked for the passphrase, enter the user's login password.
Make a new ext3 filesystem on top of the cryptoloop device:
# mkfs.ext3 ${LOOP}
Detach the cryptoloop device:
# losetup -d ${LOOP}
Configure pam_mount. The fields of the volume line are: user, filesystem type, server (unused for a local volume, hence "-"), volume, mount point, mount options, the cipher that protects the key file, and the path to the key file:
# echo "volume ${USER} auto - /home/${USER}.img /home/${USER} loop,user,exec,encryption=aes,keybits=${KEYSIZE} aes-${KEYSIZE}-ecb /home/${USER}.key" >> /etc/security/pam_mount.conf
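A practical follow-up to the key-file step, as an added example that is not part of the original tutorial: a small POSIX shell library that creates a key file in the same openssl enc format the tutorial uses, unwraps it for inspection, and re-wraps it under a new passphrase, which is what is needed when the user's login password changes (or when the key file is to be protected by a passphrase other than the login password, in which case pam_mount can no longer unlock it automatically at login). Assumptions, none of which come from the page: openssl, dd and od are installed; passphrases are supplied through exported environment variables (openssl's -pass env:NAME) so they do not show up in the process list; and -md md5 is pinned explicitly because openssl enc derived the wrapping key with MD5 by default when the tutorial was written, whereas OpenSSL 1.1.0 and later default to SHA-256, so a file wrapped with the newer default would not unwrap on the older side. The function names make_keyfile, unwrap_key_hex and rewrap_keyfile are this example's own.

```shell
#!/bin/sh
# Added example; not code from the original tutorial. Maintains a pam_mount key
# file in the tutorial's format: the raw AES key wrapped by
# "openssl enc -aes-<bits>-ecb" under a passphrase.
# Assumptions (not from the page): openssl, dd and od are installed; the caller
# exports the passphrase in an environment variable and passes its NAME, so the
# secret is never a command-line argument visible in ps; "-md md5" pins the
# passphrase-to-key derivation openssl enc used by default in the tutorial's era.
set -eu

# make_keyfile BITS PASSVAR OUTFILE
# Write BITS random key bits to OUTFILE, wrapped under the passphrase in $PASSVAR.
make_keyfile() {
    bits=$1; passvar=$2; out=$3
    case "$bits" in
        128|192|256) ;;
        *) echo "bad AES key size: $bits" >&2; return 1 ;;
    esac
    # Subshell keeps the restrictive umask (owner-only file) from leaking to the caller.
    ( umask 077
      dd if=/dev/urandom bs=1 count=$((bits / 8)) 2>/dev/null \
        | openssl enc -aes-"$bits"-ecb -md md5 -pass "env:$passvar" -out "$out" )
}

# unwrap_key_hex BITS KEYFILE PASSVAR
# Print the raw key as lowercase hex: the bytes the tutorial pipes into losetup.
unwrap_key_hex() {
    bits=$1; in=$2; passvar=$3
    openssl enc -d -aes-"$bits"-ecb -md md5 -pass "env:$passvar" -in "$in" 2>/dev/null \
        | od -An -tx1 | tr -d ' \n'
}

# rewrap_keyfile BITS KEYFILE OLDPASSVAR NEWPASSVAR
# Re-wrap KEYFILE under a new passphrase without changing the key itself, e.g.
# after the user's login password changes. Fails without touching KEYFILE if
# the old passphrase is wrong.
rewrap_keyfile() {
    bits=$1; file=$2; oldvar=$3; newvar=$4
    tmp="$file.rewrap.$$"
    # A POSIX pipeline only reports the status of its last command, so the old
    # passphrase is verified in a separate run before anything is written.
    openssl enc -d -aes-"$bits"-ecb -md md5 -pass "env:$oldvar" -in "$file" \
        -out /dev/null 2>/dev/null \
        || { echo "wrong passphrase for $file" >&2; return 1; }
    ( umask 077
      openssl enc -d -aes-"$bits"-ecb -md md5 -pass "env:$oldvar" -in "$file" 2>/dev/null \
        | openssl enc -aes-"$bits"-ecb -md md5 -pass "env:$newvar" -out "$tmp" ) \
        || { rm -f "$tmp"; return 1; }
    # Atomic swap: pam_mount sees either the old or the new wrapped file, never a partial one.
    mv -f "$tmp" "$file"
}
```

Because the key file is plain AES-ECB with PKCS#7 padding and no authentication, a wrong passphrase is noticed only through openssl's padding check, which lets roughly one wrong passphrase in 256 through as a garbage key. A stronger check would need a separate digest of the key kept next to the file, which the tutorial's format does not have.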
Great tutorial! By the way,
# echo “@include common-pammount” >> /etc/pam.d/common-auth
# echo “@include common-pammount” >> /etc/pam.d/common-session
should be:
# echo @include common-pammount >> /etc/pam.d/common-auth
# echo @include common-pammount >> /etc/pam.d/common-session
and:
echo “volume ${USER} auto – /home/${USER}.img /home/${USER} loop,user,exec,encryption=aes,keybits=${KEYSIZE} aes-${KEYSIZE}-ecb /home/${USER}.key” >> /etc/security/pam_mount.conf
should be:
echo volume ${USER} auto – /home/${USER}.img /home/${USER} loop,user,exec,encryption=aes,keybits=${KEYSIZE} aes-${KEYSIZE}-ecb /home/${USER}.key >> /etc/security/pam_mount.conf
Also, there is a bug with Ubuntu and pam_mount:
https://bugs.launchpad.net/ubuntu/+source/libpam-mount/+bug/117736
Without having tried it, would it be possible to encrypt the file system with a password other than the user password? Having the same password stored in two places, /etc/shadow and USER.key, makes it more vulnerable.
Nice tutorial, it was a great help for me. I used it to complement a Linux Magazine tutorial (August 2003: Implementing Encrypted Home Directories by Mike Petullo).
I was just wondering, have you figured out what to do if the user changes their password (which they do every 6-8 months, of course, don't they?).
If you suddenly cannot execute files on your encrypted disk anymore, remove the "user" option from /etc/security/pam_mount.conf.xml in the last few lines. It overrides the exec option, effectively mounting your drive as "noexec". You will receive errors like:
bash: ./executable: Permission denied.
Also, /usr/bin/env will fail to execute Python and other scripts correctly.