Gentoo Forums
Automatically mount dm-crypt encrypted home with pam_mount
tuxophil (Tux's lil' helper; Joined: 29 Jun 2003; Posts: 80; Location: Diddeleng, Lëtzebuerg)
Posted: Tue Jan 04, 2005 12:52 pm    Post subject: Automatically mount dm-crypt encrypted home with pam_mount

Automatically mount dm-crypt encrypted home with pam_mount

1. Introduction & Goal

I've always wanted to have my personal data stored in a secure way. Using gpg would of course be possible, but cumbersome. Simply encrypting the home partition would have the (slight) disadvantage of having to type an additional passphrase. In this HOWTO I will show you how to solve this problem in an elegant way, that is without requiring an additional password at login.

This is my first HOWTO, so please don't kill me if something's not explained clearly. During the last year I did this whole thing four times, so I should have some experience with it. Nonetheless, I cannot guarantee that every single line is correct. That being said, I don't think there are that many errors in it.

Of course, any feedback is appreciated.

2. Overview

Since I didn't want to repartition I decided to use a file as an encrypted loopback device. In the newer 2.6 kernels cryptoloop is deprecated in favour of dm-crypt. Therefore (and because I don't like to change my setup every few weeks) I'm using the cryptsetup utility to set up device mapper-based encryption (dm-crypt). The problem is of course the automatic mounting.

Fortunately, there is the pam_mount module for PAM. At login the password is acquired by PAM, which then passes it to pam_mount. Thereafter pam_mount uses this password to do the actual mounting. In fact, the login password isn't used directly, since this would make it impossible to change the password at a later time. (The encryption key of the encrypted home cannot be changed.) Therefore a master key, which is used to encrypt the home directory, is created and stored in a secure way on the hard disk. More information on how this works can be found at the pam_mount homepage.

Remark
After doing all the work I noticed that some scripts that come with pam_mount could be useful and automate some of the steps that I will present. However, I didn't test these scripts. But I don't think Gentoo users will object to the manual (and more flexible) way in which the encryption will be set up in this HOWTO.


3. Installing the necessary software

First you'll have to compile your kernel with support for the device-mapper, the crypt target and some cipher modules. Details can be found in many other HOWTOs (e.g. this one), so I'll skip to the setup of pam_mount.

The pam_mount module is not yet in portage. Download the latest .tar.gz (see Bug 24213) containing the ebuild for 0.9.25 and additional files. Unpack it to /usr/local/portage/sys-libs/, activate portage overlay (uncomment the line in /etc/make.conf) and emerge it:
Code:
emerge pam_mount

You'll have to edit your PAM-configuration to use pam_mount. In this example I'll only consider console and KDM logins.
Code:
# /etc/pam.d/login
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
# add the following line:
auth       optional     /lib/security/pam_mount.so use_first_pass

account    required     /lib/security/pam_stack.so service=system-auth

password   required     /lib/security/pam_stack.so service=system-auth

session    required     /lib/security/pam_stack.so service=system-auth
# add the following line:
session    optional     /lib/security/pam_mount.so

Code:
# /etc/pam.d/kde
# replace the next line by the one with pam_stack:
#auth       include      system-auth
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     pam_nologin.so
# add the following line:
auth       optional     /lib/security/pam_mount.so use_first_pass

account    include      system-auth

password   include      system-auth

session    include      system-auth
# add the following line:
session    optional     /lib/security/pam_mount.so

For the dm-crypt part we'll need cryptsetup. Just emerge it.
Code:
emerge cryptsetup

(or, perhaps better, cryptsetup-luks).


4. The encryption

You'll have to modprobe at least one crypto algorithm if you didn't compile them into your kernel. Also put it in your /etc/modules.autoload.d/kernel-2.6:
Code:
modprobe aes
echo aes >> /etc/modules.autoload.d/kernel-2.6


For the rest of this HOWTO the user "frodo" will be used as an example. Let's start by creating a 2 GiB file which will contain the encrypted home directory. (Creating the file will take some time.)
Code:
dd if=/dev/urandom of=/home/frodo_home bs=1M count=2048
# create loopback block device
losetup /dev/loop0 /home/frodo_home


Since we won't have to type the master password it can (and should) be random data. A nice way to create it is the following:
Code:
# quote the character class so the shell cannot glob-expand it
KEY=$(tr -cd '[:graph:]' < /dev/urandom | head -c 79)

This way, all non-graphical ASCII characters are discarded, leaving 94 possible characters. In this example the keyspace corresponds to 512 bits. (512 * log(2) / log(94) = 78.1 digits to base 94)
cryptsetup will hash it to create a 256 bit key that can be used by AES. This method has the advantage that the key is plain ASCII which could be crucial in an emergency situation. Furthermore there won't be any problems with programs which cannot cope with full binary passwords.

In the next step we'll create the block device /dev/mapper/frodo and format it.
Code:
# "$KEY" must be quoted: it may contain *, ? or [ which the shell would expand
echo "$KEY" | cryptsetup create frodo /dev/loop0
mke2fs /dev/mapper/frodo
# remove the mapping:
cryptsetup remove frodo

In the loop-AES README there are warnings against using a journaling filesystem on a loop-AES-encrypted file. I don't know if this also applies to dm-crypt on a loop device. If somebody could inform me about this I'd be very happy.

Now, we'll encrypt the master key and store it on the hard disk. Use your login password!
Code:
echo "$KEY" | openssl aes-256-ecb > /home/frodo.key

To make it possible for the user to change his password later on, we'll have to create a backup file and set the correct permissions:
Code:
touch /home/frodo.key.old
chown frodo /home/frodo.key /home/frodo.key.old
chmod 600 /home/frodo.key /home/frodo.key.old

This is necessary for the password changing script passwdehd to work. More on this later.

Let's create the mount point and set the permissions.
Code:
mkdir /home/frodo2
chown frodo /home/frodo2
chgrp users /home/frodo2
chmod 700 /home/frodo2


Now comes the crucial part: configuring pam_mount. You'll need to edit /etc/security/pam_mount.conf and replace the Gentoo example lines by the following one.
Code:
volume frodo crypt - /home/frodo_home /home/frodo2 loop,cipher=aes aes-256-ecb /home/frodo.key


Theoretically, the automatic mounting should work right now. Close all your sessions as frodo, switch to a VT and relogin as frodo. There should be quite a few informational messages but no errors. (As root you can try to copy some files to /home/frodo2 and delete them again.) If everything works fine, we'll move all the data to the new home directory.


5. Migrating the data

Code:
# In the same VT you're logged in as frodo!
# This ensures that /home/frodo2 is mounted.
su
# Change permissions for mounted filesystem
chown frodo /home/frodo2
chgrp users /home/frodo2
chmod 700 /home/frodo2
cd ~frodo
# copy everything (this will take some time)
tar cpf - . | tar -xpf - -C /home/frodo2
exit   # Exit su
exit   # Logout frodo. This should unmount frodo's new home.

# RELOGIN as root!
# make backup copy of old home
mv /home/frodo /home/frodo3
mv /home/frodo2 /home/frodo

# Change frodo2 to frodo in pam_mount.conf
$EDITOR /etc/security/pam_mount.conf


If you've done everything right, you can now login as frodo and the encrypted file is mounted at /home/frodo and is used as your home directory. As a last step remove the backup:
Code:
rm -rf /home/frodo3

(Warning: for optimal security you should consider overwriting the partition containing ~frodo3 with random data.)


6. Using a partition

Of course, it's also possible to use an encrypted partition with pam_mount. There are only minor modifications which need to be done:
  • Make sure you've got a free partition (for example /dev/hda2) that's big enough.
  • Prepare the partition:
    Code:
    dd if=/dev/urandom of=/dev/hda2 bs=1M

  • Skip the losetup step.
  • Each time /dev/loop0 appears, replace it by the partition, e.g. /dev/hda2.
  • Don't use the loop option in pam_mount.conf:
    Code:
    volume frodo crypt - /dev/hda2 /home/frodo2 cipher=aes aes-256-ecb /home/frodo.key

    and after the migration change it to
    Code:
    volume frodo crypt - /dev/hda2 /home/frodo cipher=aes aes-256-ecb /home/frodo.key



7. Choosing non-default ciphers

If you don't like AES and would prefer some other cipher, e.g. Blowfish, this can be done too. The command
Code:
echo "$KEY" | cryptsetup create frodo /dev/loop0

can be replaced by
Code:
echo "$KEY" | cryptsetup -c blowfish-cbc-essiv:sha256 -h sha1 -s 192 create frodo /dev/loop0

to use Blowfish in ESSIV mode, a 192-bit key size, and SHA1 for hashing the passphrase.
In pam_mount.conf you'd then change the configuration line to
Code:
volume frodo crypt - /home/frodo_home /home/frodo2 loop,cipher=blowfish-cbc-essiv:sha256 aes-256-ecb /home/frodo.key

You could also change the OpenSSL cipher which is used to store the encrypted master key. (For example, you could use bf-cbc instead of aes-256-ecb.)


8. Remarks
  • When changing the login password the master key must be reencrypted. This can be achieved with the script /usr/bin/passwdehd:
    Code:
    # as root:
    passwd frodo
    passwdehd frodo
    # or as frodo:
    passwd
    passwdehd

  • Only after doing all the work described above did I notice that some useful scripts come with pam_mount:
    • mkehd could be used to set up an encrypted home directory
    • mountehd and autoehd to mount an ehd.
    I don't have any experience with them and I leave it to the reader to see if those scripts are useful and work with dm-crypt-based encryption.
  • The method I've presented has maximal flexibility since everything is done manually. For example, contrary to mkehd, the master key in my setup is plain ASCII, which could be useful sometimes.
  • Do not forget your regular backups (you do make backups, right?) since an encrypted filesystem might be a bit more fragile when it comes to crashes or power failure etc.



9. How secure is this?

Disclaimer: Although I'm interested in cryptography, I'm by no means an expert!

The block encryption algorithm itself, which in my case is AES, should be as secure as it can possibly get. The big problem is how to design a secure system around this block cipher. Therefore I'll give you some important information that you should be aware of when using this setup. Since the goal of this setup is to guard against theft (or seizure) of your computer, I won't consider online attacks or (hard- or software) keyloggers and so on.
The details on much of the following can be found on Clemens Fruhwirth's excellent page about Linux hard disk encryption settings.
  • If your login password is weak, you're screwed.
  • Since it's very difficult to reliably delete a file in your system (especially for journaling filesystems, cf. info shred) an old version of your encrypted master key could still be recovered after you've used passwdehd. Linux Unified Key Setup (LUKS) is designed to avoid this vulnerability by always storing the key(s) in a fixed position at the start of the partition. At this point, I don't know if and how it can be used in combination with pam_mount. I'll investigate this later.
  • The "plain" IV generation that is used implicitly by cryptsetup when setting up the mapping is very weak and has some shortcomings. For example, it doesn't prevent watermarking. In other words, a specially crafted file that you're lured into storing on your partition would create patterns that are recognizable when analysing the encrypted partition. (However, this does not imply that your data could be decrypted.)
    A better choice for IV generation has been introduced in Linux 2.6.10: ESSIV. (e.g. use "aes-cbc-essiv:sha256" as cipher when calling cryptsetup. More info on the dm-crypt homepage.)
  • Your home directory is not the only place where user information can be found:
    • Your swap could contain anything that you've worked on and should be encrypted.
    • For complete security it's also necessary to have an encrypted /tmp, or better make it tmpfs. Of course, to be secure this requires that swap is encrypted!
    • It's also necessary to take care of /var (especially /var/tmp and /var/spool).
    • Don't forget that slocate could leak all of your filenames...
To sum up, if your password is reasonably strong, the encrypted data should be quite safe.


10. References

Of course, I used some other howtos to do all of this. What I did was simply combining different methods and implementing it on a Gentoo box. Here are some useful links in no particular order.
dm-crypt homepage
Linux hard disk encryption settings
dm-crypt wiki
Bug 24213: ebuild for pam_mount (new package)
HOWTO: Encrypt a filesystem in a loopback file via dm-crypt
dm-crypt looptutorial
pam_mount homepage
Encrypted home using pam_mount
Quick and painless: dm-crypt encrypted swap
Tip/Trick: using tmpfs for /tmp


11. Changelog

04.01.2005: initial post
04.01.2005: clarifications and additional details when using a partition
04.01.2005: added note about /var/tmp
09.01.2005: added 2 more references (tmpfs, swap)
10.01.2005: minor edit concerning /var, reminder to do backups
12.01.2005: added security information. fixed changelog dates (oops).
14.01.2005: updated instructions for pam_mount-0.9.21
23.01.2005: fixed mount.crypt
18.02.2005: pam_mount-0.9.22
12.03.2005: added note about slocate
26.09.2005: added section about non-default ciphers; general updates
29.09.2005: added "cryptsetup remove" step after mke2fs


Last edited by tuxophil on Wed Oct 19, 2005 3:27 pm; edited 9 times in total
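The watermarking weakness that section 9 describes for cryptsetup's default "plain" IV, worked through as an added example in Python (standard library only). This is not code from the HOWTO or from dm-crypt: the block cipher is a keyed-hash stand-in for AES, and the planted sector contents and the key are constructed for the demonstration.

```python
"""Watermarking under dm-crypt's "plain" IV, and why ESSIV closes it.

ADDED EXAMPLE, not code from the HOWTO or from dm-crypt. dm-crypt runs CBC
over every 512-byte sector. With the "plain" IV generator the IV is the
sector number as a 32-bit little-endian integer, zero-padded to the block
size; with "essiv:sha256" it is that value encrypted under SHA-256(key).
CBC encryption only needs the forward direction of the block cipher, so a
keyed PRF (HMAC-SHA256 truncated to 16 bytes) is used here as a CONSTRUCTED
stand-in for AES. The collision shown below does not depend on the cipher.
"""
import hashlib
import hmac
import struct

BLOCK, SECTOR = 16, 512


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption (deterministic and keyed is all CBC needs)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_plain(key: bytes, sector: int) -> bytes:
    """cryptsetup's default "plain": IV = sector number, independent of the key."""
    return struct.pack("<I", sector).ljust(BLOCK, b"\0")


def iv_essiv(key: bytes, sector: int) -> bytes:
    """"essiv:sha256": IV = E_{SHA256(key)}(sector), unpredictable without the key."""
    return block_encrypt(hashlib.sha256(key).digest(), iv_plain(key, sector))


def encrypt_sector(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, SECTOR, BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def encrypt_volume(key: bytes, sectors: list, iv_fn) -> list:
    return [encrypt_sector(key, iv_fn(key, n), pt) for n, pt in enumerate(sectors)]


def watermark_file(n: int, m: int, marker: bytes = b"WATERMARK-BLOCK!") -> list:
    """Attacker-chosen volume content (constructed): the victim's key is not needed.
    Sectors n and m start with marker XOR IV_n and marker XOR IV_m, so under plain
    IV both first blocks encrypt to E(marker) and the two ciphertexts share a block."""
    pad = b"\0" * (SECTOR - BLOCK)
    sectors = [b"\0" * SECTOR] * (max(n, m) + 1)
    sectors[n] = xor(marker, iv_plain(b"", n)) + pad
    sectors[m] = xor(marker, iv_plain(b"", m)) + pad
    return sectors


def repeated_first_blocks(ciphertext: list) -> list:
    """Ciphertext-only check: (earlier, later) sector pairs whose first blocks are identical."""
    seen, hits = {}, []
    for n, ct in enumerate(ciphertext):
        head = ct[:BLOCK]
        if head in seen:
            hits.append((seen[head], n))
        else:
            seen[head] = n
    return hits


def watermark_visible(key: bytes, iv_fn, n: int = 3, m: int = 7) -> bool:
    """True if an analyst holding only the encrypted image can spot the planted pair."""
    return (n, m) in repeated_first_blocks(encrypt_volume(key, watermark_file(n, m), iv_fn))
```

With any key, `watermark_visible(key, iv_plain)` is True while `watermark_visible(key, iv_essiv)` is False: the planted file is recognisable from the encrypted image alone under "aes-cbc-plain", and not under "aes-cbc-essiv:sha256". Nothing here decrypts anything, which is the distinction the HOWTO draws; the attacker only learns that a particular file is present.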

Archangel1 (Veteran; Joined: 21 Apr 2004; Posts: 1212; Location: Work)
Posted: Tue Jan 11, 2005 5:30 am

Great howto. Worked perfectly for me - exactly what I was looking for.

repugnant (Tux's lil' helper; Joined: 16 Apr 2003; Posts: 86)
Posted: Fri Jan 14, 2005 1:11 am

I only had one problem. On my 64-bit (AMD) machine pam_mount 0.9.20 fails to compile, but 0.9.21 (the latest) works fine.

lost+found (Guru; Joined: 15 Nov 2004; Posts: 509; Location: North~Sea~Coa~s~~t~~~)
Posted: Sat Jan 29, 2005 10:51 am    Post subject: Re: Automatically mount dm-crypt encrypted home with pam_mou

> 8. How secure...
>

In addition you should destroy RAM when finished, by overwriting it using Memtest86, or a specialized tool.

I read somewhere that broiling your RAM is even more secure. ;-)

linux_girl (Apprentice; Joined: 12 Sep 2003; Posts: 287)
Posted: Wed Feb 02, 2005 5:12 am

A nice idea would be to add a clean-up password: if you get busted by the FBI, NSA ... and any government agency that fits the following regexp [A-Z][A-Z][A-Z]

that will loop forever:
Code:
dd if=/dev/urandom of=/dev/WHERE@home


into dm-crypt

Any coder?

linux_girl (Apprentice; Joined: 12 Sep 2003; Posts: 287)
Posted: Wed Feb 02, 2005 5:19 am    Post subject: Re: Automatically mount dm-crypt encrypted home with pam_mou

lost+found wrote:
> 8. How secure...
>

In addition you should destroy RAM when finished, by overwriting it using Memtest86, or a specialized tool.

I read somewhere that broiling your RAM is even more secure. ;-)


How the hell can RAM (a piece of hardware that needs refreshing at its own speed [me: DDR 333] to keep data) still have data after computer shutdown?

I know that crackers run strings /dev/mem > wordlist.txt and pass the text to programs like John the Ripper
for total ownage of the box and friendly hosts

linux_girl (Apprentice; Joined: 12 Sep 2003; Posts: 287)
Posted: Wed Feb 02, 2005 5:21 am

Archangel1 wrote:
Great howto. Worked perfectly for me - exactly what I was looking for.

I wish Sarah Michelle Gellar was my gf

linux_girl (Apprentice; Joined: 12 Sep 2003; Posts: 287)
Posted: Wed Feb 02, 2005 6:35 am

Easier install instructions for noobs here:

Install pam_mount the just-paste-it way:
Code:

mkdir -p /usr/local/portage/sys-libs/
wget http://bugs.gentoo.org/attachment.cgi?id=48486 -O-|tar xzvf - -C/usr/local/portage/sys-libs/
PORTDIR_OVERLAY="/usr/local/portage/"  ACCEPT_KEYWORDS="~x86" emerge pam_mount && etc-update
:lol:

linux_girl (Apprentice; Joined: 12 Sep 2003; Posts: 287)
Posted: Wed Feb 02, 2005 7:51 am

Still a problem: it would be wiser to encrypt /home instead of /home/anUser

because this requires splitting your hard disk or making a static file size for each user, and splitting the disk space between users isn't wise, while /home allows more flexibility: all the users can have all the space that remains on the /home device.

Suppose you have 3 users.
Can we make a BIG BIG key and split it into 3 parts? Mounting the encrypted volume could be done with any of the 3 little keys; since we are on Linux, with file permissions (rwx------) sharing and mounting the same home won't be a big problem. But the problem is user key leakage, where you lose the benefit of a crypto fs.

If you want a bit more privacy, add an encrypted file inside your encrypted home: mount /dev/mapper/WHATEVER ~/mini-sec/ ... blah blah


Be SURE to use the same password :lol: so it appears clear, because aes_crypt(...)=aes_decrypt(...) rofl

lost+found (Guru; Joined: 15 Nov 2004; Posts: 509; Location: North~Sea~Coa~s~~t~~~)
Posted: Wed Feb 02, 2005 9:38 am    Post subject: Re: Automatically mount dm-crypt encrypted home with pam_mou

linux_girl wrote:
How the hell can RAM (a piece of hardware that needs refreshing at its own speed [me: DDR 333] to keep data) still have data after computer shutdown?
That's true in a working state. But I don't know how it can be done; special equipment will be needed. I read somewhere else that gov. specialists are historically 10-20 years ahead of "us". Luckily low/medium security is good enough for most people. :)

tuxophil (Tux's lil' helper; Joined: 29 Jun 2003; Posts: 80; Location: Diddeleng, Lëtzebuerg)
Posted: Wed Feb 02, 2005 10:54 am

linux_girl wrote:
because this requires splitting your hard disk or making a static file size for each user, and splitting the disk space between users isn't wise, while /home allows more flexibility: all the users can have all the space that remains on the /home device.

This is a deliberate choice: when user A is logged in, there's no need (in fact it's a security problem) for user B's home to be mounted too. If the system is hacked while A is logged in, only A's data will be compromised. Furthermore, nothing bad can happen to a filesystem when it's not mounted. Of course, you're free to do it as you like.

BTW, Konqueror has a nice built-in spell checker for text input fields. (Perhaps something similar exists for your browser of choice.)

linux_girl (Apprentice; Joined: 12 Sep 2003; Posts: 287)
Posted: Wed Feb 02, 2005 10:30 pm

tuxophil wrote:
linux_girl wrote:
because this requires splitting your hard disk or making a static file size for each user, and splitting the disk space between users isn't wise, while /home allows more flexibility: all the users can have all the space that remains on the /home device.

This is a deliberate choice: when user A is logged in, there's no need (in fact it's a security problem) for user B's home to be mounted too. If the system is hacked while A is logged in, only A's data will be compromised. Furthermore, nothing bad can happen to a filesystem when it's not mounted. Of course, you're free to do it as you like.

BTW, Konqueror has a nice built-in spell checker for text input fields. (Perhaps something similar exists for your browser of choice.)

Whamo, I was looking for a spell checker for my Firefox but I didn't find any.

LVM2 sounds interesting. However, if you are logged in or you leave the screensaver on, and you get hacked while your nice home is mounted, your files are owned by the hackers, who will then easily find the passwords of other users .....

That means if the FBI are against you, you'd better improve your brain memory to remember the binary content of your porn movies, mp3z ..... so you don't need to store them on your 120GB hard disk :lol: :lol:


+ if you want to set up scripts to mirror or back up your nice 5GB home

that will be a major pain in the ass to tell cron to use the password .... and

Last edited by linux_girl on Sun Feb 27, 2005 1:09 pm; edited 1 time in total

tuxophil (Tux's lil' helper; Joined: 29 Jun 2003; Posts: 80; Location: Diddeleng, Lëtzebuerg)
Posted: Wed Feb 02, 2005 10:48 pm

linux_girl wrote:
Whamo, I was looking for a spell checker for my Firefox but I didn't find any.

What about the first result of this google query? Doesn't it work?

linux_girl (Apprentice; Joined: 12 Sep 2003; Posts: 287)
Posted: Wed Feb 02, 2005 11:13 pm    Post subject: Re: Automatically mount dm-crypt encrypted home with pam_mou

lost+found wrote:
linux_girl wrote:
How the hell can RAM (a piece of hardware that needs refreshing at its own speed [me: DDR 333] to keep data) still have data after computer shutdown?
That's true in a working state. But I don't know how it can be done; special equipment will be needed. I read somewhere else that gov. specialists are historically 10-20 years ahead of "us". Luckily low/medium security is good enough for most people. :)

10-20 years ahead of us? That will cost $$$ to develop, knowing that they can't sell this nice piece of tech, while drugging the hacker to reveal the password or using a cluster to brute force will be a hell of a lot cheaper, isn't it???

qwijibow (n00b; Joined: 27 Dec 2004; Posts: 58)
Posted: Fri Feb 04, 2005 4:22 pm

How can I modify
Code:
volume frodo crypt - /home/frodo_home /home/frodo2 loop,cipher=aes aes-256-ecb /home/frodo.key


to simply mount an encrypted partition using cryptsetup with the login password.

Storing the encryption key of the partition as an encrypted file reduces the strength of the encryption significantly; why have a random key when the random key is encrypted with a non-random login password?

I'm trying to get pam_mount to simply call "mount.crypt /dev/hda3 /home/chris" and pass it the login password.

Thanks.

blujay (n00b; Joined: 19 Mar 2004; Posts: 6)
Posted: Tue Feb 08, 2005 10:26 am

Is there a way to increase the size of a loopback filesystem file after it's been created and used? Say I make one for a user and it gets almost full. Can I increase the size of the loopback image without copying the data into a new, larger loopback image?

tuxophil (Tux's lil' helper; Joined: 29 Jun 2003; Posts: 80; Location: Diddeleng, Lëtzebuerg)
Posted: Tue Feb 08, 2005 2:58 pm

blujay wrote:
Is there a way to increase the size of a loopback filesystem file after it's been created and used?

Well, I've never tried it, but it should be possible. Files, dm-crypt mappings and filesystems are all resizable. The only "difficulty" should be the order of the commands. I didn't test the following commands. Please don't try them on your real home. Use a test file instead. You have been warned. ;)

Here's what I would try. (Of course, frodo should be logged out, the filesystem unmounted and the mapping removed.)
Code:
# Enlarge the file by 500 MiB.
dd if=/dev/urandom bs=1M count=500 >> /home/frodo_home
# Create the loopdevice.
losetup /dev/loop0 /home/frodo_home
# Create the mapping. (cryptsetup uses the whole, i.e. enlarged,
# block device.) Decrypt the key file with the same cipher it was
# encrypted with (aes-256-ecb in the HOWTO above).
openssl aes-256-ecb -d -in /home/frodo.key \
| cryptsetup create frodo /dev/loop0
# resize2fs refuses to grow a filesystem that was not just checked.
e2fsck -f /dev/mapper/frodo
# Resize the filesystem to fill up the device. Example for e2fs.
resize2fs /dev/mapper/frodo
# Clean up.
cryptsetup remove frodo
losetup -d /dev/loop0

Now you should be able to log in as frodo and enjoy your enlarged home.

Please post your results.

BTW, can loop devices be resized? (That is, without removing the loop device first.) I don't think so, but it would allow doing the resizing while the filesystem is mounted: cryptsetup resize can safely be used, and some filesystems (e.g. Reiserfs, XFS) can be resized while they're mounted.
(For dm-crypt over LVM this is possible!)

blujay (n00b; Joined: 19 Mar 2004; Posts: 6)
Posted: Tue Feb 08, 2005 6:13 pm

Thank you very much, tuxophil, for your kind reply. I did some more investigating after my post, and I found a way to do it! Here's what I did (on Debian at the moment):

(after creating the encrypted image file)

1. `umount` it.
2. `cryptsetup remove` it.
3. `losetup -d` it.

4. `dd if=/dev/zero of=/path/to/file ibs=1M obs=1M seek=1024 count=1024` (increases an exactly 1 GB [1024*1024] file by 1 GB, to a total of 2 GB).

5. `losetup` it.
6. `cryptsetup create` it.

7. `e2fsck -f /dev/mapper/whatever` it (if you don't, the next command will tell you to).
8. `resize2fs` (no parameters).

9. `mount` it.

10. That's it!

I tried creating a 1 GB AES-encrypted image with a simple, cryptsetup-prompted password, and filling it with ~180 MB of data. Then I unmounted and un-cryptsetup'ed and un-losetup'ed it. Then I increased the file to 2 GB, then losetup'ed and cryptsetup'ed, then e2fsck'ed and resize2fs'ed and mounted, and all the data was there. I've since added more to it, and it's working perfectly. I'm using the image as a home directory for a user (made the user and his homedir first, then logged out and copied files into the image, deleted homedir, mounted image as homedir).

Your `dd if=/dev/urandom bs=1M count=500 >> /home/frodo_home ` command looks great, and I will have to test it. If it works, it is much better, because it's much less likely that a typo or an early-return-hit would do damage.

I'm looking forward to trying Gentoo on my new hard drive. :)

Thanks again.

blujay (n00b; Joined: 19 Mar 2004; Posts: 6)
Posted: Tue Feb 08, 2005 6:17 pm

Here's another quick question. I'm too tired to Google right now, so if you know, just tell me if it's possible and I'll research how later. :)

Can you set up pam_mount to mount an encrypted loopback image as a user's home directory so that it gets automatically setup and mounted when the user logs in?

tuxophil (Tux's lil' helper; Joined: 29 Jun 2003; Posts: 80; Location: Diddeleng, Lëtzebuerg)
Posted: Wed Feb 09, 2005 12:45 pm

blujay wrote:
Can you set up pam_mount to mount an encrypted loopback image as a user's home directory so that it gets automatically setup and mounted when the user logs in?

Well, considering the fact that this HOWTO's title is "Automatically mount dm-crypt encrypted home with pam_mount", I guess it's possible. ;-)

tuxophil (Tux's lil' helper; Joined: 29 Jun 2003; Posts: 80; Location: Diddeleng, Lëtzebuerg)
Posted: Wed Feb 09, 2005 1:00 pm

qwijibow wrote:
How can I modify
Code:
volume frodo crypt - /home/frodo_home /home/frodo2 loop,cipher=aes aes-256-ecb /home/frodo.key


to simply mount an encrypted partition using cryptsetup with the login password.

Code:
volume frodo crypt - /home/frodo_home /home/frodo2 loop,cipher=aes - -

This should do the job. If the last two parameters aren't specified pam_mount will use the login password.
qwijibow wrote:
Storing the encryption key of the partition as an encrypted file reduces the strength of the encryption significantly; why have a random key when the random key is encrypted with a non-random login password?

You're right that this reduces the security to the strength of the password. The random password just makes sure that in every case the login password is the weakest link. You're free to store the key on a USB key instead of your hard disk. The reason for using a master key is to allow changing the login password (and not that it magically increases security).
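The master-key arrangement tuxophil describes here (a random volume key that the login password only wraps, so that passwd plus passwdehd re-encrypt the wrapper and never touch the volume), as an added example in Python. It is not code from the HOWTO, from pam_mount or from passwdehd: the `openssl aes-256-ecb` step is replaced by a standard-library stand-in (PBKDF2-derived keys, an HMAC-SHA256 keystream and an authentication tag), the two key files are dict entries, and the passwords are made up.

```python
"""Master-key wrapping and password change, the way the HOWTO arranges it.

ADDED EXAMPLE: this is not code from the HOWTO, from pam_mount or from
passwdehd. Stand-ins, all stdlib only:
  * wrap()/unwrap() replace `openssl aes-256-ecb`: PBKDF2 derives an
    encryption key and a MAC key from the login password, an HMAC-SHA256
    counter-mode keystream encrypts the master key, and a tag authenticates
    the result (a demonstration; use a real AEAD in production).
  * change_password() replaces passwdehd; the two key files are dict entries.
"""
import hashlib
import hmac
import math
import secrets

GRAPH = "".join(chr(c) for c in range(33, 127))   # tr's [:graph:]: the 94 printable non-space ASCII chars
ITERATIONS = 100_000


def master_key(nchars: int = 79) -> str:
    """`tr -cd '[:graph:]' < /dev/urandom | head -c 79`, drawn from the CSPRNG."""
    return "".join(secrets.choice(GRAPH) for _ in range(nchars))


def keyspace_bits(nchars: int, alphabet: int = len(GRAPH)) -> float:
    return nchars * math.log2(alphabet)


def chars_for_bits(bits: int, alphabet: int = len(GRAPH)) -> int:
    """The HOWTO's 512 * log(2) / log(94) = 78.1, rounded up to whole characters."""
    return math.ceil(bits / math.log2(alphabet))


def _keys(password: str, salt: bytes) -> tuple:
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]            # (encryption key, MAC key)


def _keystream(enc_key: bytes, salt: bytes, n: int) -> bytes:
    blocks = [hmac.new(enc_key, salt + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def wrap(master: str, password: str) -> bytes:
    """Encrypt the master key under the login password: salt || ciphertext || tag."""
    salt = secrets.token_bytes(16)     # fresh per wrap, so re-wrapping never reuses a keystream
    enc_key, mac_key = _keys(password, salt)
    pt = master.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, salt, len(pt))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def unwrap(blob: bytes, password: str) -> str:
    """Recover the master key, or refuse if the password is wrong or the file was altered."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted key file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, salt, len(ct)))).decode()


def change_password(files: dict, old_pw: str, new_pw: str) -> None:
    """What passwdehd does after passwd: re-encrypt the master key; the volume key never changes."""
    master = unwrap(files["frodo.key"], old_pw)        # fails closed on a wrong old password
    files["frodo.key.old"] = files["frodo.key"]        # the backup the HOWTO prepares with touch + chmod 600
    files["frodo.key"] = wrap(master, new_pw)


def demo() -> bool:
    """The home's key survives a password change, and the .old copy still opens with the old password."""
    key = master_key()
    files = {"frodo.key": wrap(key, "hobbit-pw-1"), "frodo.key.old": b""}
    change_password(files, "hobbit-pw-1", "hobbit-pw-2")
    same_volume_key = unwrap(files["frodo.key"], "hobbit-pw-2") == key
    old_copy_still_opens = unwrap(files["frodo.key.old"], "hobbit-pw-1") == key   # section 9's leftover-key-file point
    return same_volume_key and old_copy_still_opens
```

`demo()` also shows the point section 9 of the HOWTO makes about old key files: frodo.key.old still opens with the old password, so an old password plus a recovered old key file opens the home until that file is really gone. The stand-in deliberately adds what the era's `openssl enc` password mode lacked (an iterated derivation and integrity protection); it is there to make the flow runnable, not as a cipher recommendation, and the security of the whole scheme still rests on the login password, exactly as tuxophil says.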

blujay (n00b; Joined: 19 Mar 2004; Posts: 6)
Posted: Fri Feb 11, 2005 9:07 am

tuxophil wrote:
blujay wrote:
Can you set up pam_mount to mount an encrypted loopback image as a user's home directory so that it gets automatically setup and mounted when the user logs in?

Well, considering the fact that this HOWTO's title is "Automatically mount dm-crypt encrypted home with pam_mount", I guess it's possible. ;-)


Bah, sorry...I got confused and thought this was just for partitions. My bad. :(

blujay (n00b; Joined: 19 Mar 2004; Posts: 6)
Posted: Fri Feb 11, 2005 9:33 am

tuxophil wrote:
Code:
dd if=/dev/urandom bs=1M count=500 >> /home/frodo_home


I just tried this, and it does indeed work fine. It's better in one way, because you don't have to calculate how far to seek with dd. However, if you left off one of the >'s, it'd overwrite the file instead of add on to it. Neither way is typo-proof, but they both work. :)

Thanks for your help.

SilentShadow (n00b; Joined: 25 Oct 2004; Posts: 36; Location: Italia)
Posted: Wed Feb 23, 2005 2:32 pm

Hi tuxophil,

I read your howto and I think I found what I'm looking for, but I want to ask you some questions:

If I gain access to the machine (e.g. with a live CD) and I steal the encrypted file with the home directory of user frodo (/home/frodo_home) and the key file of the user (/home/frodo.key), will I be able to mount the file on another machine?

In any case I'm searching for a solution to encrypt some directories installed on customers' servers (php, apache, postgres); the customer doesn't have console or remote access to the machine but can use a live CD or open the box to steal the information. dm-crypt is a solution but the boot password is a big problem for a server running 24/7.

Thanks in advance for your help

Bye, Dario

tuxophil (Tux's lil' helper; Joined: 29 Jun 2003; Posts: 80; Location: Diddeleng, Lëtzebuerg)
Posted: Wed Feb 23, 2005 2:52 pm

SilentShadow wrote:
If I gain access to the machine (e.g. with a live CD) and I steal the encrypted file with the home directory of user frodo (/home/frodo_home) and the key file of the user (/home/frodo.key), will I be able to mount the file on another machine?

Only if you know the password. The key file (frodo.key) is encrypted with the user's login password. (Using openssl with a cipher of your choice.) This makes automatic mounting by pam_mount possible, since normally the user does provide his login password, but with this method it's only required once.

SilentShadow wrote:
In any case I'm searching for a solution to encrypt some directories installed on customers' servers (php, apache, postgres); the customer doesn't have console or remote access to the machine but can use a live CD or open the box to steal the information. dm-crypt is a solution but the boot password is a big problem for a server running 24/7.

There is no boot password involved so I don't quite understand what you mean. In any case, when the machine is turned off it should be impossible to recover the encrypted data without the password. (Provided swap is encrypted etc.)
When the machine is running you'd have to acquire sufficient permissions to access the home directory.

All times are GMT
Page 1 of 5