Encrypt home directory with ecryptfs
About
This will help you create an ecryptfs-encrypted home directory for <user>: the whole home, not just ~/Private. The encrypted files are stored in /home/.ecryptfs/<user>/.Private, which is automounted on login over /home/<user>. Some configuration files reside in the unencrypted /home/<user> and become invisible once ecryptfs is mounted over it. This is by design and comes with no disadvantages.
Emerge the needed packages
We will need sys-auth/pam_mount and sys-fs/ecryptfs-utils. Also make sure that you have configured your kernel for use with ecryptfs.
Initial mount and encryption of the home directory
Create a directory for the encrypted files
Initial mount
Make sure to use passphrase mode. The passphrase can be different from your unix login password; it will later be wrapped with the unix login password and stored in /home/<user>/.ecryptfs/wrapped-passphrase. Save the options for later use.
Unmount
Prepare the user's unencrypted home directory for automount on login
Copy the sig-cache into the user's home directory
Wrap the passphrase into a file. This will ask you for the passphrase you gave ecryptfs to encrypt your files, and for your unix login password, which is used to wrap that passphrase.
pam_ecryptfs.so flag
This tells pam_ecryptfs to unwrap the passphrase with the unix login password on login. It does not do any of the auto-mount work itself, because we will later configure pam_ecryptfs without its session management; pam_mount will take care of the mount and umount.
Give the user what (s)he needs :)
System file configuration
pam.d/system-auth
Add pam_ecryptfs and pam_mount to system-auth. pam_ecryptfs.so goes into the auth and password stack. pam_mount.so into auth and session. Make sure to add the unwrap parameter for pam_ecryptfs.so in auth.
[...]
auth required pam_unix.so
[...]
auth optional pam_ecryptfs.so unwrap
auth optional pam_permit.so
auth optional pam_mount.so
[...]
password required pam_unix.so
[...]
password optional pam_ecryptfs.so
[...]
session required pam_unix.so
[...]
session optional pam_mount.so
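An added self-check, not part of this guide and not a pam_ecryptfs or pam_mount tool: a POSIX shell function (check_system_auth, a name of my own) that reads a PAM stack file and verifies the entries above are present, that pam_ecryptfs.so carries unwrap, and that in auth it comes after pam_unix.so, which has already collected the login password it needs. The sample stacks it writes for its self-test are constructed, not a real /etc/pam.d/system-auth.

```shell
# check_system_auth FILE  -- helper name is ours, not a pam_ecryptfs/pam_mount tool.
# Exits 0 if FILE holds the entries the guide adds to system-auth, else prints
# what is wrong and exits 1. pam_unix.so must precede pam_ecryptfs.so in auth so
# the login password it collected is available for "unwrap".
check_system_auth() {
    awk '
        BEGIN { rc = 0 }
        { sub(/#.*/, ""); if (NF < 3) next }               # skip comments/blanks
        $1 == "auth" && $3 == "pam_unix.so"     { unix_auth = NR }
        $1 == "auth" && $3 == "pam_ecryptfs.so" { ecr_auth = NR
            for (i = 4; i <= NF; i++) if ($i == "unwrap") unwrap = 1 }
        $1 == "auth"     && $3 == "pam_mount.so"    { mount_auth = 1 }
        $1 == "password" && $3 == "pam_ecryptfs.so" { ecr_pass = 1 }
        $1 == "session"  && $3 == "pam_mount.so"    { mount_sess = 1 }
        END {
            if (!ecr_auth) bad("auth: pam_ecryptfs.so missing")
            else {
                if (!unwrap) bad("auth: pam_ecryptfs.so lacks the unwrap flag")
                if (!unix_auth || unix_auth > ecr_auth)
                    bad("auth: pam_unix.so must precede pam_ecryptfs.so")
            }
            if (!mount_auth) bad("auth: pam_mount.so missing")
            if (!ecr_pass)   bad("password: pam_ecryptfs.so missing (no rewrap on passwd)")
            if (!mount_sess) bad("session: pam_mount.so missing")
            exit rc
        }
        function bad(m) { print m; rc = 1 }
    ' "$1"
}
# Constructed sample stacks for a self-test (not a real /etc/pam.d/system-auth).
write_sample() {   # write_sample DEST good|bad
    if [ "$2" = good ]; then cat > "$1" <<'EOF'
auth required pam_unix.so try_first_pass nullok
auth optional pam_ecryptfs.so unwrap
auth optional pam_mount.so
password required pam_unix.so try_first_pass use_authtok sha512 shadow
password optional pam_ecryptfs.so
session required pam_unix.so
session optional pam_mount.so
EOF
    else cat > "$1" <<'EOF'
auth optional pam_ecryptfs.so
auth required pam_unix.so try_first_pass nullok
session required pam_unix.so
EOF
    fi
}
tmp=$(mktemp -d)
write_sample "$tmp/good" good && check_system_auth "$tmp/good" && echo "good stack: ok"
write_sample "$tmp/bad" bad; check_system_auth "$tmp/bad" || echo "bad stack: rejected"
```

Run it against the real file with check_system_auth /etc/pam.d/system-auth once you have edited it.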
security/pam_mount.conf.xml
Allow a per-user pam_mount.conf and the corresponding mount options.
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <debug enable="0" />
  <luserconf name=".pam_mount.conf.xml" />
  <mntoptions allow="verbosity,users,noauto,rw,exec,nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,ecryptfs_key_bytes,ecryptfs_cipher,ecryptfs_fnek_sig,ecryptfs_unlink_sigs,ecryptfs_sig" />
  <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
  <logout wait="0" hup="0" term="0" kill="0" />
  <lclmount>/bin/mount -i %(VOLUME) "%(before=\"-o\" OPTIONS)"</lclmount>
</pam_mount>
~/.pam_mount.conf.xml
<pam_mount>
  <!-- <volume noroot="1" fstype="ecryptfs" path="/home/.ecryptfs/<user>/.Private" mountpoint="/home/<user>"/> -->
  <volume noroot="1" fstype="ecryptfs" path="/home/.ecryptfs/<user>/.Private/"/>
</pam_mount>
Encrypting swap
Since your encryption key is held in memory and is therefore a candidate for swapping, it's important to encrypt the swap space too. Fortunately, that's pretty simple with Gentoo. Just edit /etc/conf.d/dmcrypt and comment out the swap section:
swap=crypt-swap-sdb5
source='/dev/sdb5'
Don't forget to update /etc/fstab:
/dev/mapper/crypt-swap-sdb5 none swap sw 0 0
Then add dmcrypt to the boot runlevel:
Gentoo's dmcrypt init.d script will encrypt your swap partition with a random key, which only ever exists in memory and is never written to disk.