Transparent Encryption for home folder
From EasyPeasy Wiki
Tested under Ubuntu EEE 8.04.1
Difficulty: medium
required packages:
- encfs
- libpam-encfs
Don't install libpam-encfs from the default Ubuntu repos because it's broken. Add this repo instead by creating /etc/apt/sources.list.d/andreratto.list with the following contents:
deb http://ppa.launchpad.net/andrearatto/ubuntu hardy main
deb-src http://ppa.launchpad.net/andrearatto/ubuntu hardy main
Update the package lists
sudo apt-get update
then install the packages
sudo apt-get install encfs libpam-mount libpam-encfs
The common way of encrypting your system is cryptsetup, but EncFS has a few advantages over it which I think are particularly relevant for the EEEpc:
- You can keep the splash screen and not be prompted for a password during boot.
- You can keep a single partition rather than dividing your encrypted and unencrypted sections.
/etc/security/pam_encfs.conf
The default pam_encfs.conf has a conflicting option that will cause your mounts to fail every time: allow_other is specified in fuse_default, and allow_root is set in the automatic encfs mount line for each user. These two options cannot be specified together! I think fuse_default also cannot be empty, so we fix that by specifying nonempty in the defaults and allow_root explicitly in the automount section:
#Note that I dont support spaces in params
#So if your for example gonna specify idle time use --idle=X not -i X.

#If this is specified program will attempt to drop permissions before running encfs. (will not work with --public for example)
drop_permissions

#This specifies default encfs options
encfs_default --idle=1

#Same for fuse, note that allow_root (or allow_other, or --public in encfs) is needed to run gdm/X.
fuse_default nonempty

#- means match all, put any overrides over it.
#if - is in username it will take source path + "/$USER", and mount to $HOME

#USERNAME SOURCE TARGET PATH ENCFS Options FUSE Options
#user /home/.enc/user /home/user -v,--idle=1,-test,-test2 allow_root
- /home/.encfs - -v allow_root
/etc/fuse.conf
Uncomment or add the following line to /etc/fuse.conf.
user_allow_other
Make sure the user is in the group "fuse" as well, or else they won't be able to use fuse mounts like encfs.
/etc/pam.d
common-auth
pam_encfs needs to be the first module because it doesn't take any "use_first_pass" option.
auth requisite pam_encfs.so
auth requisite pam_unix.so nullok_secure use_first_pass
common-session
Add the following to common-session to automatically unmount the user's encfs directory on logout.
session required pam_unix.so
session required pam_encfs.so
Create encrypted folder
- First: don't reboot until you're sure everything's working!
- To do this, you must log off from your Gnome session (Quit | Log out) and switch to a VT (Ctrl-Alt-F1).
- Create the necessary directories and set permissions (replace "username" with your username):
sudo mv /home/username /home/username.original
sudo mkdir -p /home/.encfs/username /home/username
sudo chown username:username /home/username /home/.encfs/username
- Create encrypted folder (Problems with Permissions? See next section)
encfs -v /home/.encfs/username /home/username
- Accept the default options, or tinker with the encryption settings. I just used the default security rather than paranoid mode because paranoid mode apparently doesn't support hard links.
- SET THE PASSWORD TO BE THE SAME AS YOUR LOGIN PASSWORD (pam_encfs uses the password you type at login to mount the folder, so the automatic mount will fail if they differ).
- Copy your home folder into the encrypted folder:
rsync -a --progress /home/username.original/ /home/username/
Now, if things go wrong here you can be stuck with a system you cannot log in to. You must test it before doing anything else. First, check that you can run "encfs /home/.encfs/username /home/username" as a normal user (not with sudo), as well as "/bin/fusermount -u /home/username". If both work, use Ctrl-Alt-F2 to change to another VT and see if you can log in without any problems (make sure you end up in the encrypted home directory!). You can use Ctrl-Alt-F7 to go back to Gnome and test it there.
If you're extra-paranoid, consider adding another user and testing with that user first (you'll have to manually add them to the admin and fuse groups).
OK, if you're sure it works, you can reboot. If the reboot goes fine, log in and delete your username.original folder.
Permissions
If you get problems with permissions, you might want to check the following:
- Can you read /etc/fuse.conf without sudo? If not, run "sudo chgrp fuse /etc/fuse.conf".
- Can you run fusermount (or /bin/fusermount) as a normal user? Test this before logging off by running encfs to mount your encrypted home directory manually. If not, run "sudo chgrp fuse /bin/fusermount" and "sudo chmod 4750 /bin/fusermount".

