Encrypted home on Ubuntu using cryptoloop

Install pam_mount:

# apt-get install libpam-mount

Configure Ubuntu to load the loop and cryptoloop kernel modules during boot or else pam_mount won’t be able to mount the cryptoloop devices:

# cat >> /etc/modules <<EOF
loop
cryptoloop
EOF

Configure PAM to use pam_mount for both authentication and session management. The authentication hook captures the user's login password, while the session hook sets up the cryptoloop device and mounts it at login, and unmounts it again at logout.

# echo "@include common-pammount" >> /etc/pam.d/common-auth
# echo "@include common-pammount" >> /etc/pam.d/common-session

Set up a few variables that make the remaining steps shorter and more generic:

# USER=solana
# SIZE=2048
# KEYSIZE=256

The meaning of the previous variables is:

  • USER defines the username.
  • SIZE defines how much space to allocate for the file-based cryptoloop, in MiB.
  • KEYSIZE defines the AES keysize used to encrypt the data. Valid keysizes are 128, 192 and 256.

Create the loop file and fill it with random data:

# dd if=/dev/urandom of=/home/${USER}.img bs=1M count=${SIZE}

Generate a random AES encryption key, encrypt it with the user's login password and store it:

# dd if=/dev/urandom bs=1c count=$((${KEYSIZE}/8)) | openssl enc -aes-${KEYSIZE}-ecb > /home/${USER}.key

When prompted for the passphrase, enter the user’s log on password.

Load the cryptoloop kernel driver (if it is not already loaded):

# modprobe -q cryptoloop

Find the first available loopback device:

# LOOP=$(losetup -f)

Make sure that ${LOOP} is something like /dev/loop0.

Set up the cryptoloop device:

# openssl enc -d -aes-${KEYSIZE}-ecb -in /home/${USER}.key | losetup -e aes -k ${KEYSIZE} -p0 ${LOOP} /home/${USER}.img

When asked for the passphrase, just enter the user’s log on password.

Make a new ext3 filesystem on top of the cryptoloop device:

# mkfs.ext3 ${LOOP}

Free the cryptoloop device:

# losetup -d ${LOOP}

Configure pam_mount:

# echo "volume ${USER} auto - /home/${USER}.img /home/${USER} loop,user,exec,encryption=aes,keybits=${KEYSIZE} aes-${KEYSIZE}-ecb /home/${USER}.key" >> /etc/security/pam_mount.conf
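The record above is easy to get subtly wrong (a pasted en dash instead of "-", a keybits value that does not match the key-file cipher, mount options that leave the home noexec as reported in the comments below, a world-readable key file). The following audit helper is an added example, not code from the original post or from pam_mount; it parses one classic-format pam_mount.conf volume record and checks the key file, and assumes GNU stat(1).

```shell
#!/bin/sh
# Audit helper for the pam_mount.conf record written above. Added example: not
# code from the original post or from pam_mount. Assumes GNU stat(1).

# check_volume_line RECORD -> prints findings; returns 0 if clean, 1 otherwise
check_volume_line() {
    set -- $1   # split the record on whitespace into positional parameters
    # Classic format: volume USER FSTYPE SERVER PATH MOUNTPOINT OPTIONS KEYCIPHER KEYPATH
    if [ "$#" -ne 9 ] || [ "$1" != volume ]; then
        echo "malformed volume record: $# fields, expected 9"; return 1
    fi
    user=$2 server=$4 opts=$7 cipher=$8 rc=0 bits="" seen_user="" can_exec=yes
    # SERVER must be a plain ASCII hyphen for a local image; an en dash pasted
    # from a web page is not recognised.
    [ "$server" = "-" ] || { echo "$user: server field is '$server', expected '-'"; rc=1; }
    # Walk the mount options in order: mount(8) treats 'user' as implying
    # noexec,nosuid,nodev unless 'exec' comes later on the same line.
    oldifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            user)      seen_user=1; can_exec=no ;;
            noexec)    can_exec=no ;;
            exec)      can_exec=yes ;;
            keybits=*) bits=${o#keybits=} ;;
        esac
    done
    IFS=$oldifs
    [ "$can_exec" = yes ] || { echo "$user: options mount the home noexec"; rc=1; }
    # pam_mount mounts from the root-owned PAM stack, so 'user' adds nothing
    # and only risks the noexec home described in the comments: drop it.
    [ -z "$seen_user" ] || { echo "$user: drop 'user' from the mount options"; rc=1; }
    # keybits= must be a valid AES size and agree with the key-file cipher name.
    case "$bits" in
        128|192|256) ;;
        *) echo "$user: keybits='$bits' is not 128, 192 or 256"; rc=1 ;;
    esac
    case "$cipher" in
        aes-$bits-*) ;;
        *) echo "$user: keybits=$bits does not match key cipher $cipher"; rc=1 ;;
    esac
    return $rc
}

# check_keyfile PATH -> 0 if the encrypted key exists and is mode 0600, else 1
check_keyfile() {
    [ -f "$1" ] || { echo "$1: missing"; return 1; }
    mode=$(stat -c %a "$1")
    [ "$mode" = 600 ] || { echo "$1: mode $mode, expected 600"; return 1; }
}
```

Run it against the live configuration with `check_volume_line "$(grep "^volume ${USER} " /etc/security/pam_mount.conf)"` and `check_keyfile /home/${USER}.key`; a non-zero exit means at least one finding was printed.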


6 thoughts on “Encrypted home on Ubuntu using cryptoloop”

  1. Great Tutorial!! btw

    # echo “@include common-pammount” >> /etc/pam.d/common-auth
    # echo “@include common-pammount” >> /etc/pam.d/common-session

    should be:

    # echo @include common-pammount >> /etc/pam.d/common-auth
    # echo @include common-pammount >> /etc/pam.d/common-session

    echo “volume ${USER} auto – /home/${USER}.img /home/${USER} loop,user,exec,encryption=aes,keybits=${KEYSIZE} aes-${KEYSIZE}-ecb /home/${USER}.key” >> /etc/security/pam_mount.conf

    should be:
    echo volume ${USER} auto – /home/${USER}.img /home/${USER} loop,user,exec,encryption=aes,keybits=${KEYSIZE} aes-${KEYSIZE}-ecb /home/${USER}.key >> /etc/security/pam_mount.conf

    Also there is a bug with ubuntu and pam mount:
    https://bugs.launchpad.net/ubuntu/+source/libpam-mount/+bug/117736

  2. Without having tried, would it be possible to encrypt the file system with another password than the user password? Having the same password stored in two places, /etc/shadow and USER.key makes it more vulnerable.

  3. Nice tutorial, was great help for me. I used it to complement a linuxmagazine tutorial (august 2003 : Implementing Encrypted Home Directories by Mike Petullo).

    I was just wondering, have you figured out what to do if the user changes his password (which he does every 6-8 months, of course, doesn’t he?).

  4. If you suddenly cannot execute files on your encrypted disk anymore, remove the “user” option from /etc/security/pam_mount.conf.xml in the last few lines. It overrides the exec option, effectively mounting your drive as “noexec”. You will receive errors like:
    bash: ./executable: Permission denied.
    also, /usr/bin/env will fail to execute python and other scripts correctly.
