woensdag 14 november 2007

Using encryption on your home folder (Debian; also usable for other distros)


Imagine someone boots your laptop with a bootable CD and just copies all your data.
The attacker can see whatever data on your home folder (most critical data for most users).

So what I wanted was:
- NO extra partitions (most people have all HDD space partitioned; backup of the encrypted image file is easy)
- NO compiling (I want to be able to quickly setup a system for rescue)

Now I read some stuff and cryptsetup seemed the best solution for this.
All is in the debian package manager and setup is really easy ... so let's go!


First install cryptsetup:
apt-get install cryptsetup

In this example we use AES encryption.
You can see the supported encryption types:
cat /proc/crypto

If you don't see AES then you (in Debian) you have to load the module (In other distributions it could be that you have to recompile your kernel):
modprobe aes

Now lets create the image file that will hold the filesystem.
This will create the image "cryptedhome" with a blocksize of 1024 bytes with 20000000 blocks (20GB)
dd if=/dev/urandom of=/home/username.crypto.img bs=1024 count=20000000

Now we need to create a loopback device file. This makes your image file transparent so Linux does see it as if it was a device (/dev/sda , /dev/hda, ...):
losetup /dev/loop0 /home/username.crypto.img

The following will setup encryption for this loopback device, so everything that is written to it, will be encrypted.
-c defines what encryption algorithm has to be used.
-s defines the size of the key
--verify-passphrase will make the program ask 2 times for your password before accepting it.
luksFormat tells cryptsetup what to do (others are: luksAddKey, luksDelKey, luksOpen, luksClose)
cryptsetup -c aes-cbc-essiv:sha256 -s 256 --verify-passphrase luksFormat /dev/loop0

The next step is making a device file that makes the encrypted device accessible.
After that we create a filesystem on it.
cryptsetup luksOpen /dev/loop0 cryptedhome

mkfs.ext3 /dev/mapper/cryptedhome

cryptsetup luksClose /dev/loop0 cryptedhome

Everytime you will want to use the encrypted image, you will need to do the following:
cryptsetup luksOpen /dev/loop0 cryptedhome
mount /dev/mapper/cryptedhome /home/username/

After use just unmount it and use luksClose.
cryptsetup luksOpen /dev/loop0 cryptedhome

Adding/Removing Keys
Adding key:
cryptsetup luksAddKey --verify-passphrase /dev/loop0

Removing key:
cryptsetup luksDelKey --verify-passphrase /dev/loop0

Getting it all automatically done
What we gonna do is for every user that has a ..img file mounting this encrypted filesystem to there home directory.

Install pam_mount. This library makes it possible to mount and unmount devices while authenticating.
apt-get install libpam-mount

Powered by ScribeFire.

2 opmerkingen:

Anoniem zei

I am trying to encrypt my home folder but i am getting following error
-bash:lt: command not found
-bash:username: command not found
dd: opening '/home/': Is a directory
-bash: .img: command not found

deadeyes zei

I updated the content.
Seems like greater than sign was not showing correctly.
Could you try again?