Encrypted home on Ubuntu using dmcrypt

Install crypsetup and dmsetup:

# apt-get install crypsetup dmsetup

Install pam_mount:

# apt-get install libpam-mount

Configure PAM to use pam_mount for authentication and session management. PAM authentication captures the user login password, while PAM session set ups the dmcrypt device and mounts it during log on, and unmounts the dmcrypt device during log off.

# echo “@include common-pammount” >> /etc/pam.d/common-auth
# echo “@include common-pammount” >> /etc/pam.d/common-session

Sets up some variables used to make the rest of the steps a little bit easier and more generic:

# USER=solana
# DEVICE=/dev/whatever

The meaning of the previous variables is:

  • USER defines the username.
  • KEYSIZE defines the AES keysize used to encrypt the data. Valid keysizes are 128, 192 and 256.
  • DEVICE defines the device that will hold the crypted volume. This can be standard partition, a LVM volume, a NBD, etc..

Generate an AES random encryption key, encrypts it with the user log on password and stores it:

# dd if=/dev/urandom bs=1c count=$((${KEYSIZE}/8)) | openssl enc -aes-${KEYSIZE}-ecb > /home/${USER}.key

When prompted for the passphrase, enter the user’s log on password.

Sets up the dmcrypt device:

# openssl enc -d -aes-${KEYSIZE}-ecb -in /home/${USER}.key | cryptsetup -c aes -s ${KEYSIZE} create crypt-${USER} ${DEVICE}

When asked for the passphrase, just enter the user’s log on password.

Make a new ext3 filesystem on top of the cryptoloop device:

# mkfs.ext3 /dev/mapper/crypt-${USER}

Change the owner, so the user will be able to write to this volume:

# mkdir /mnt/crypt-${USER}
# mount /dev/mapper/crypt-${USER} /mnt/crypt-${USER}
# chown ${USER} /mnt/crypt-${USER}
# umount /dev/mapper/crypt-${USER}
# rmdir /mnt/crypt-${USER}

Frees the dmcrypt device:

# dmsetup remove crypt-${USER}

To test whether mount.crypt and mount the encrypted volume:

# openssl enc -d -aes-${KEYSIZE}-ecb -in /home/${USER}.key | mount.crypt ${DEVICE} /home/${USER} -o keysize=${KEYSIZE}

Frees the dmcrypt device after the test:

# dmsetup remove _dev_mapper_${DEVICE}

Configure pam_mount:

# echo “volume ${USER} crypt – ${DEVICE} /home/${USER} keysize=${KEYSIZE} aes-${KEYSIZE}-ecb /home/${USER}.key” >> /etc/security/pam_mount.conf

14 thoughts on “Encrypted home on Ubuntu using dmcrypt

  1. pam_mount is quite cool, I enjoyed this how-to. 🙂
    The only observation I want to make about it is about home directory’s ownership. After creating the filesystem on the encrypted device the home directory has still “root” as owner, it has to be changed to ${USER} so you can write on your own directory (GDM will even refuse to log in without writing permissions… Luckly plain old console login worked and I fixed up the lil mess 😉 )

  2. You are right, blasnoff.

    I have updated the post to include specific instructions on how to change the owner so, hopefully, ${USER} will have write permissions.

    Thanks 🙂

  3. Pingback: Jay’s Technical Talk › Encrypted home directory under Ubuntu linux 7.04

  4. So, does this encrypt an in-place /home? There’s a dearth of explanatory writing in this article, and I want to know my /home directory will be encrypted, and not destroyed. It definitely is NOT clear from this article whether that’s the case or not. I.e., does $DEVICE need to be a totally new partition/LVM lv/etc.?

  5. Is this a JOKE?!?! You have commercials on TV & a Website BUT NO COUPONS!!!!! Along with Crissy- You guys are dumb. Just like Cash for Gold scammers. WE WANT COUPONS!!!!!!

  6. Wonderful work! That is the type of info that should be shared across the net. Disgrace on Google for now not positioning this put up upper! Come on over and consult with my site . Thanks =)

  7. Why does A&M need to leave for BYU and ND to come on board? Adding those 2 to the current mix would make for a fairly strong conference. ND >> Nebraskas, and BYU ~= CU, so I’d think the conference would actually be ahead.

  8. Thank you for the auspicious writeup. It in fact was a
    amusement account it. Look advanced to far added agreeable from you!
    However, how can we communicate?

  9. Write more, thats all I have to say. Literally,
    it seems as though you relied on the video to make your point.
    You clearly know what youre talking about, why throw away
    your intelligence on just posting videos to your
    weblog when you could be giving us something enlightening to read?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s