Install cryptsetup and dmsetup:
# apt-get install cryptsetup dmsetup
Install pam_mount:
# apt-get install libpam-mount
Configure PAM to use pam_mount for authentication and session management. PAM authentication captures the user's login password, while the PAM session sets up the dmcrypt device and mounts it at login, and unmounts the dmcrypt device at logout.
# echo "@include common-pammount" >> /etc/pam.d/common-auth
# echo "@include common-pammount" >> /etc/pam.d/common-session
Set up some variables that make the rest of the steps a little easier and more generic:
# USER=solana
# KEYSIZE=128
# DEVICE=/dev/whatever
The meaning of these variables is:
- USER defines the username.
- KEYSIZE defines the AES keysize used to encrypt the data. Valid keysizes are 128, 192 and 256.
- DEVICE defines the device that will hold the encrypted volume. This can be a standard partition, an LVM volume, an NBD, etc.
Generate a random AES encryption key, encrypt it with the user's login password and store it:
# dd if=/dev/urandom bs=1c count=$((${KEYSIZE}/8)) | openssl enc -aes-${KEYSIZE}-ecb > /home/${USER}.key
When prompted for the passphrase, enter the user's login password.
Set up the dmcrypt device:
# openssl enc -d -aes-${KEYSIZE}-ecb -in /home/${USER}.key | cryptsetup -c aes -s ${KEYSIZE} create crypt-${USER} ${DEVICE}
When asked for the passphrase, again enter the user's login password.
Make a new ext3 filesystem on top of the dmcrypt device:
# mkfs.ext3 /dev/mapper/crypt-${USER}
Change the owner, so the user will be able to write to this volume:
# mkdir /mnt/crypt-${USER}
# mount /dev/mapper/crypt-${USER} /mnt/crypt-${USER}
# chown ${USER} /mnt/crypt-${USER}
# umount /dev/mapper/crypt-${USER}
# rmdir /mnt/crypt-${USER}
Free the dmcrypt device:
# dmsetup remove crypt-${USER}
To test that mount.crypt works, mount the encrypted volume with it:
# openssl enc -d -aes-${KEYSIZE}-ecb -in /home/${USER}.key | mount.crypt ${DEVICE} /home/${USER} -o keysize=${KEYSIZE}
Free the dmcrypt device after the test:
# dmsetup remove _dev_mapper_${DEVICE}
Configure pam_mount:
# echo "volume ${USER} crypt - ${DEVICE} /home/${USER} keysize=${KEYSIZE} aes-${KEYSIZE}-ecb /home/${USER}.key" >> /etc/security/pam_mount.conf
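The whole procedure above, gathered into one script as an added example; this is not code from the original post. The pre-flight checks are mine: the key size must be 128, 192 or 256, the user must exist, DEVICE must be a block device that carries no filesystem signature (mkfs.ext3 creates a new filesystem, so DEVICE has to be a fresh partition or volume rather than the existing /home), and no mapping of the chosen name may already exist. The chown step uses a temporary mountpoint instead of /mnt/crypt-${USER}, and the key file is made mode 600; otherwise the commands are the post's. Everything that touches the device needs root, and openssl prompts for the login password on the terminal exactly as in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: the steps above as one
# script with pre-flight checks.
# Usage (as root): ./encrypted-home.sh --run USER KEYSIZE DEVICE
set -eu

# Only these AES key sizes (in bits) are valid for the cryptsetup call.
valid_keysize() {
    case "$1" in
        128|192|256) return 0 ;;
        *) return 1 ;;
    esac
}

# Bytes of random key material to read for a key size given in bits.
key_bytes() {
    echo $(( $1 / 8 ))
}

# Build the legacy pam_mount.conf line in the post's layout:
# volume <user> <fs> <server> <path> <mountpoint> <options> <fskeycipher> <fskeypath>
# ("-" means no server; the key file lives outside the encrypted volume).
pam_mount_line() {
    printf 'volume %s crypt - %s /home/%s keysize=%s aes-%s-ecb /home/%s.key\n' \
        "$1" "$3" "$1" "$2" "$2" "$1"
}

# True when blkid finds no filesystem/RAID/LUKS signature on the device.
# mkfs.ext3 below would destroy anything already there, so an in-place
# /home is refused: DEVICE must be a fresh partition or volume.
device_is_blank() {
    [ -z "$(blkid -p -o value -s TYPE "$1" 2>/dev/null || true)" ]
}

setup_encrypted_home() {
    user=$1; keysize=$2; device=$3; mapping="crypt-$user"

    valid_keysize "$keysize" || { echo "invalid key size: $keysize (use 128, 192 or 256)" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    [ -b "$device" ] || { echo "not a block device: $device" >&2; return 1; }
    device_is_blank "$device" || { echo "$device already holds data; refusing to overwrite" >&2; return 1; }
    [ ! -e "/dev/mapper/$mapping" ] || { echo "mapping $mapping already exists" >&2; return 1; }

    # Random key, encrypted with the login password that openssl prompts for on the tty.
    dd if=/dev/urandom bs=1 count="$(key_bytes "$keysize")" 2>/dev/null \
        | openssl enc -aes-"$keysize"-ecb -out "/home/$user.key"
    chmod 600 "/home/$user.key"

    # Decrypt the key (same password prompt) and feed it to cryptsetup.
    openssl enc -d -aes-"$keysize"-ecb -in "/home/$user.key" \
        | cryptsetup -c aes -s "$keysize" create "$mapping" "$device"

    # Fresh ext3 filesystem, owned by the user so the login session can write to it.
    mkfs.ext3 -q "/dev/mapper/$mapping"
    mnt=$(mktemp -d)
    mount "/dev/mapper/$mapping" "$mnt"
    chown "$user" "$mnt"
    umount "$mnt"
    rmdir "$mnt"
    dmsetup remove "$mapping"

    # Register the volume with pam_mount.
    pam_mount_line "$user" "$keysize" "$device" >> /etc/security/pam_mount.conf
}

# Only perform the privileged steps when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    setup_encrypted_home "$2" "$3" "$4"
fi
```

The helper functions are separated from the privileged steps so the key-size validation and the generated pam_mount.conf line can be checked without root or a spare device; the whole procedure only runs with `--run`.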
pam_mount is quite cool, I enjoyed this how-to. 🙂
The only observation I want to make about it is about the home directory's ownership. After creating the filesystem on the encrypted device the home directory still has "root" as its owner; it has to be changed to ${USER} so you can write to your own directory (GDM will even refuse to log in without write permissions... Luckily plain old console login worked and I fixed up the lil mess 😉 )
You are right, blasnoff.
I have updated the post to include specific instructions on how to change the owner so, hopefully, ${USER} will have write permissions.
Thanks 🙂
I want to install this program so that my computer stays in good condition
# echo "@include common-pammount"
??
Pingback: Jay’s Technical Talk › Encrypted home directory under Ubuntu linux 7.04
So, does this encrypt an in-place /home? There’s a dearth of explanatory writing in this article, and I want to know my /home directory will be encrypted, and not destroyed. It definitely is NOT clear from this article whether that’s the case or not. I.e., does $DEVICE need to be a totally new partition/LVM lv/etc.?