Wednesday 14 November 2007

Using encryption on your home folder (Debian; also usable for other distros)

Introduction

Imagine someone boots your laptop with a bootable CD and just copies all your data.
The attacker can then read all the data in your home folder (the most critical data for most users).

So what I wanted was:
- NO extra partitions (most people have all HDD space partitioned; backup of the encrypted image file is easy)
- NO compiling (I want to be able to quickly setup a system for rescue)

Now I read some stuff and cryptsetup seemed the best solution for this.
Everything is in the Debian package manager and setup is really easy ... so let's go!

Setup

First install cryptsetup:
apt-get install cryptsetup

In this example we use AES encryption.
You can see the supported encryption types:
cat /proc/crypto

If you don't see AES, then (in Debian) you have to load the module (in other distributions you may have to recompile your kernel):
modprobe aes

Now let's create the image file that will hold the filesystem.
This creates the image file /home/username.crypto.img (opened later as "cryptedhome") with a block size of 1024 bytes and 20000000 blocks (20GB), filled with random data:
dd if=/dev/urandom of=/home/username.crypto.img bs=1024 count=20000000

Now we need to create a loopback device. This makes your image file transparent, so Linux sees it as if it were a device (/dev/sda, /dev/hda, ...):
losetup /dev/loop0 /home/username.crypto.img


The following sets up encryption for this loopback device, so everything that is written to it will be encrypted.
-c defines what encryption algorithm has to be used.
-s defines the size of the key
--verify-passphrase will make the program ask 2 times for your password before accepting it.
luksFormat tells cryptsetup what to do (others are: luksAddKey, luksDelKey, luksOpen, luksClose)
cryptsetup -c aes-cbc-essiv:sha256 -s 256 --verify-passphrase luksFormat /dev/loop0


The next step is making a device file that makes the encrypted device accessible.
After that we create a filesystem on it.
cryptsetup luksOpen /dev/loop0 cryptedhome

mkfs.ext3 /dev/mapper/cryptedhome

cryptsetup luksClose cryptedhome



Usage
Every time you want to use the encrypted image, you will need to do the following:
cryptsetup luksOpen /dev/loop0 cryptedhome
mount /dev/mapper/cryptedhome /home/username/

After use, just unmount it and use luksClose:
umount /home/username/
cryptsetup luksClose cryptedhome
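
The open and close sequence from the Usage section as one helper script; this is an added example, not part of the original post. It assumes the image path, mapping name and mount point used above, has to run as root, and attaches the loop device itself because a losetup binding does not survive a reboot; with DRY_RUN=1 it only prints the commands.

```shell
#!/bin/sh
# Added example: open/close helper for the encrypted home image.
# Assumed defaults are the names used in the post; override via environment.
CRYPT_IMG=${CRYPT_IMG:-/home/username.crypto.img}
CRYPT_NAME=${CRYPT_NAME:-cryptedhome}
CRYPT_MNT=${CRYPT_MNT:-/home/username}

dry() { [ "${DRY_RUN:-0}" = 1 ]; }

# Run a command, or only print it when DRY_RUN=1.
run() { if dry; then echo "$*"; else "$@"; fi; }

# Attach the image to the first free loop device and print its name.
attach_loop() {
    if dry; then echo /dev/loopN; else losetup -f --show "$CRYPT_IMG"; fi
}

# Print the loop device currently backed by the image (empty if none).
find_loop() {
    if dry; then echo /dev/loopN
    else losetup -j "$CRYPT_IMG" | cut -d: -f1 | head -n 1; fi
}

crypthome_open() {
    loop=$(attach_loop) || return 1
    # Wrong passphrase or failed mount: undo the earlier steps again.
    run cryptsetup luksOpen "$loop" "$CRYPT_NAME" ||
        { run losetup -d "$loop"; return 1; }
    run mount "/dev/mapper/$CRYPT_NAME" "$CRYPT_MNT" ||
        { run cryptsetup luksClose "$CRYPT_NAME"; run losetup -d "$loop"; return 1; }
}

crypthome_close() {
    loop=$(find_loop)
    # Reverse order of opening; umount fails while files are still in use.
    run umount "$CRYPT_MNT" || return 1
    run cryptsetup luksClose "$CRYPT_NAME" || return 1
    if [ -n "$loop" ]; then run losetup -d "$loop"; fi
}

case "${1:-}" in
    open)  crypthome_open ;;
    close) crypthome_close ;;
esac
```

Called with the argument open or close; without an argument it only defines the functions.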


Adding/Removing Keys
Adding key:
cryptsetup luksAddKey --verify-passphrase /dev/loop0


Removing key:
cryptsetup luksDelKey --verify-passphrase /dev/loop0



Getting it all automatically done
What we are going to do is, for every user that has a ..img file, mount this encrypted filesystem on their home directory.

Install pam_mount. This library makes it possible to mount and unmount devices while authenticating.
apt-get install libpam-mount




Thursday 1 November 2007

PokerTH 0.6 on Debian Lenny AMD64 (testing; x86_64)

I downloaded the installer and tried to run it, but I got the following error:
cd ~/PokerTH-0.6-beta
./pokerth.sh
/home/gvm/PokerTH-0.6-beta/./pokerth: error while loading shared libraries: libmikmod.so.2: cannot open shared object file: No such file or directory

Because of my problem with skype I thought that this is maybe the same problem.
So I copied the script and only changed the first line from:
lib=`skype 2>&1 | awk '{print $7}' | cut -d':' -f1`
to
lib=`./pokerth.sh 2>&1 | awk '{print $7}' | cut -d':' -f1`

For the full script: see my post about Skype

Skype on Debian Lenny AMD64 (testing; x86_64)

First I tried to install through the package manager:
apt-cache search skype

This didn't give any result.

So I went to the skype website and looked for a debian package.
I found one, but it was for i386 architecture so installing it fails.
Still we can force it to install:
dpkg -i --force-architecture skype-debian_1.4.0.118-1_i386.deb

Then I tried to run it but got an error saying that libsigc-2.0.so.0 is missing:
skype: error while loading shared libraries: libsigc-2.0.so.0: cannot open shared object file: No such file or directory

So I thought, I have an unmet dependency, let's install the libsigc package:
sudo apt-get install libsigc++-2.0-0c2a

Now I have the library but still the same error message so it seems that there is another problem.
After some googling I had an explanation why installing the libsigc package did not solve it: skype for i386 architecture needs the 32bit library, not the 64bit library.

Eventually I found a small script that solves these issues:


#!/bin/bash
# Name of the first missing shared library, taken from the loader error message
lib=`skype 2>&1 | awk '{print $7}' | cut -d':' -f1`
echo "lib: $lib"
# Debian package that ships this library
pkg=`dpkg -S $lib | awk '{print $1}' | cut -d':' -f1 | sort -u`
# Download URL of the i386 build of that package
url=`wget -qO- http://packages.debian.org/lenny/$pkg/i386/download | awk '/ftp\.br\.debian\.org/' | cut -d'"' -f2`
file=`echo $url | awk '{n=split($0,a,"/"); print a[n]}'`
# Fetch the .deb only once and keep it in ./deb
mkdir -p deb
if [ ! -f deb/$file ]; then
    wget -q $url
    mv $file deb
fi
# Unpack the .deb and extract only the missing library
ar -x deb/$file
libfile=`tar ztf data.tar.gz | grep ${lib}$`
tar zxf data.tar.gz $libfile
sudo cp -d $libfile /usr/lib32/
# If the library is a symlink, also install the file it points to
if ls -l $libfile | grep -qF ' -> '; then
    lnlib=`readlink $libfile`
    libfile2=`tar ztf data.tar.gz | grep ${lnlib}$`
    tar zxf data.tar.gz $libfile2
    sudo cp -d $libfile2 /usr/lib32/
fi

Source: http://www.debian-administration.org/users/figjam/weblog/1
Note that there is an error in the original script



Now after putting this into a file and making it executable:
chmod +x script

Let's run it:
./script
./script
lib: libQtGui.so.4

Now you will see that each time you run it, another library dependency gets resolved (libQtGui will change).
You have to RUN IT MULTIPLE TIMES (this is in CAPITALS for copy-paste people who don't read).

If skype starts, then all libraries are available. From now on you can use "skype" on the command line or launch it from your favorite desktop environment.

Have fun!
