View previous topic :: View next topic |
Author |
Message |
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
|
Posted: Tue Jan 04, 2005 12:52 pm Post subject: Automatically mount dm-crypt encrypted home with pam_mount |
|
|
Automatically mount dm-crypt encrypted home with pam_mount
1. Introduction & Goal
I've always wanted to have my personal data stored in a secure way. Using gpg would of course be possible, but cumbersome. Simply encrypting the home partition would have the (slight) disadvantage of having to type an additional passphrase. In this HOWTO I will show you how to solve this problem in an elegant way, that is without requiring an additional password at login.
This is my first HOWTO, so please don't kill me if something's not explained clearly. During the last year I did this whole thing four times, so I should have some experience with it. Nonetheless, I cannot guarantee that every single line is correct. That being said, I don't think there are that many errors in it.
Of course, any feedback is appreciated.
2. Overview
Since I didn't want to repartition I decided to use a file as encrypted loopback device. In the newer 2.6 kernels cryptoloop is deprecated in favour of dm-crypt. Therefore (and because I don't like to change my setup every few weeks) I'm using the cryptsetup utility to setup a device mapper-based encryption (dm-crypt). The problem is of course the automatic mounting.
Fortunately, there is the pam_mount module for PAM. At login the password is acquired by PAM which then sends it to pam_mount. Thereafter pam_mount uses this password to do the actual mounting. In fact, the login password isn't used directly since this would make it impossible to change the password at a later time. (The encryption key of the encrypted home cannot be changed.)
Therefore a master key, which is used to encrypt the home directory, is created and stored in a secure way on the harddisk. More information on how this works can be found at the pam_mount homepage.
Remark
After doing all the work I noticed that some scripts that come with pam_mount could be useful and automate some of the steps that I will present. However I didn't test these scripts. But I don't think Gentoo users will object to the manual (and more flexible) way in which the encryption will be set up in this HOWTO.
3. Installing the necessary software
First you'll have to compile your kernel with support for the device-mapper, the crypt target and some cipher modules. Details can be found in many other HOWTOs (e.g. this one), so I'll skip to the setup of pam_mount.
The pam_mount module is not yet in portage. Download the latest .tar.gz (see Bug 24213) containing the ebuild for 0.9.25 and additional files. Unpack it to /usr/local/portage/sys-libs/, activate portage overlay (uncomment the line in /etc/make.conf) and emerge it:
You'll have to edit your PAM-configuration to use pam_mount. In this example I'll only consider console and KDM logins.
Code: | # /etc/pam.d/login
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
# add the following line:
auth optional /lib/security/pam_mount.so use_first_pass
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
# add the following line:
session optional /lib/security/pam_mount.so |
Code: | # /etc/pam.d/kde
# replace the next line by the one with pam_stack:
#auth include system-auth
auth required /lib/security/pam_stack.so service=system-auth
auth required pam_nologin.so
# add the following line:
auth optional /lib/security/pam_mount.so use_first_pass
account include system-auth
password include system-auth
session include system-auth
# add the following line:
session optional /lib/security/pam_mount.so |
For the dm-crypt part we'll need cryptsetup. Just emerge it.
(or, perhaps better, cryptsetup-luks).
4. The encryption
You'll have to modprobe at least one crypto algorithm if you didn't compile them in your kernel. Put it also in your /etc/modules/autoload.d/kernel-2.6:
Code: | modprobe aes
echo aes >> /etc/modules.autoload.d/kernel-2.6 |
For the rest of this HOWTO the user "frodo" will be used as an example. Let's start by creating a 2 GiB file which will contain the encrypted home directory. (Creating the file will take some time.)
Code: | dd if=/dev/urandom of=/home/frodo_home bs=1M count=2048
# create loopback block device
losetup /dev/loop0 /home/frodo_home |
Since we won't have to type the master password it can (and should) be random data. A nice way to create it is the following:
Code: | KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79` |
This way, all non-graphical ASCII characters are discarded, leaving 94 possibilities left. In this example the keyspace corresponds to 512 bits. (512 * log(2) / log(94) = 78.1 digits to base 94)
cryptsetup will hash it to create a 256 bit key that can be used by AES. This method has the advantage that the key is plain ASCII which could be crucial in an emergency situation. Furthermore there won't be any problems with programs which cannot cope with full binary passwords.
In the next step we'll create the block device /dev/mapper/frodo and format it.
Code: | echo $KEY | cryptsetup create frodo /dev/loop0
mke2fs /dev/mapper/frodo
# remove the mapping:
cryptsetup remove frodo |
In the loop-AES README there are warnings against using a journaling filesystem on a loop-AES-encrypted file. I don't know if this also applies to dm-crypt on a loop device. If somebody could inform me about this I'd be very happy.
Now, we'll encrypt the master key and store it on the hard disk. Use your login password!
Code: | echo $KEY | openssl aes-256-ecb > /home/frodo.key |
To make it possible for the user to change his password later on, we'll have to create a backup file and set the correct permissions:
Code: | touch /home/frodo.key.old
chown frodo /home/frodo.key /home/frodo.key.old
chmod 600 /home/frodo.key /home/frodo.key.old |
This is necessary for the password changing script passwdehd to work. More on this later.
Let's create the mount point and set the permissions.
Code: | mkdir /home/frodo2
chown frodo /home/frodo2
chgrp users /home/frodo2
chmod 700 /home/frodo2 |
Now comes the crucial part: configuring pam_mount. You'll need to edit /etc/security/pam_mount.conf and replace the Gentoo example lines by the following one.
Code: | volume frodo crypt - /home/frodo_home /home/frodo2 loop,cipher=aes aes-256-ecb /home/frodo.key |
Theoretically, the automatic mounting should work right now. Close all your sessions as frodo, switch to a VT and relogin as frodo. There should be quite a few informational messages but no errors. (As root you can try to copy some files to /home/frodo2 and delete them again.) If everything works fine, we'll move all the data to the new home directory.
5. Migrating the data
Code: | # In the same VT you're logged in as frodo!
# This ensures that /home/frodo2 is mounted.
su
# Change permissions for mounted filesystem
chown frodo /home/frodo2
chgrp users /home/frodo2
chmod 700 /home/frodo2
cd ~frodo
# copy everything (this will take some time)
tar cpf - . | tar -xpf - -C /home/frodo2
exit # Exit su
exit # Logout frodo. This should unmount frodo's new home.
RELOGIN as root!
# make backup copy of old home
mv /home/frodo /home/frodo3
mv /home/frodo2 /home/frodo
# Change frodo2 to frodo in pam_mount.conf
$EDITOR /etc/security/pam_mount.conf |
If you've done everything right, you can now login as frodo and the encrypted file is mounted at /home/frodo and is used as your home directory. As a last step remove the backup:
Code: | rm -rf /home/frodo3 |
(Warning: for optimal security you should consider overwriting the partition containing ~frodo3 with random data.)
6. Using a partition
Of course, it's also possible to use an encrypted partition with pam_mount. There are only minor modifications which need to be done:
- Make sure you've got a free partition (for example /dev/hda2) that's big enough.
- Prepare the partition:
Code: | dd if=/dev/urandom of=/dev/hda2 bs=1M |
Skip the losetup step.
Each time /dev/loop0 appears, replace it by the partition, e.g. /dev/hda2.
Don't use the loop option in pam_mount.conf:
Code: | volume frodo crypt - /dev/hda2 /home/frodo2 cipher=aes aes-256-ecb /home/frodo.key |
and after the migration change it to
Code: | volume frodo crypt - /dev/hda2 /home/frodo cipher=aes aes-256-ecb /home/frodo.key |
7. Choosing non-default ciphers
If you don't like AES and would prefer some other cipher, e.g. Blowfish, this can be done too. The command
Code: | echo $KEY | cryptsetup create frodo /dev/loop0 |
can be replaced by
Code: | cryptsetup -c blowfish-cbc-essiv:sha256 -h sha1 -s 192 |
to use Blowfish in ESSIV mode, a 192-bit key size, and SHA1 for hashing the passphrase.
In pam_mount.conf you'd then change the configuration line to
Code: | volume frodo crypt - /home/frodo_home /home/frodo2 loop,cipher=blowfish-cbc-essiv:sha256 aes-256-ecb /home/frodo.key |
You could also change the OpenSSL cipher which is used to store the encrypted master key. (For example, you could use bf-cbc instead of aes-256-ecb.)
8. Remarks
- When changing the login password the master key must be reencrypted. This can be achieved with the script /usr/bin/passwdehd:
Code: | # as root:
passwd frodo
passwdehd frodo
# or as frodo:
passwd
passwdehd |
Only, after doing all the work I described above, I noticed that there came
some useful scripts with pam_mount:
- mkehd could be used to setup an eencrypted home directory
- mountehd and autoehd to mount an ehd.
I don't have any experience with them and I leave it to the reader to see if those scripts are useful and work with dm-crypt-based encryption.
The method I've presented has maximal flexibility since everything is done manually. For example, contrary to mkehd, the master key in my setup is plain ASCII, which could be useful sometimes.
Do not forget your regular backups (you do make backups, right?) since an encrypted filesystem might be a bit more fragile when it comes to crashes or power failure etc.
9. How secure is this?
Disclaimer: Although I'm interested in cryptography, I'm by no means an expert!
The block encryption algorithm itself, which in my case is AES, should be as secure as it can possibly get. The big problem is how to design a secure system around this block cipher. Therefore I'll give you some important information that you should be aware of when using this setup. Since the goal of this setup is to guard against theft (or seizure) of your computer, I won't consider online attacks or (hard- or software) keyloggers and so on.
The details on much of the following can be found on Clemens Fruhwirth's excellent page about Linux hard disk encryption settings.
- If your login password is weak, you're screwed.
- Since it's very difficult to reliably delete a file in your system (especially for journaling filesystems, cf. info shred) an old version of your encrypted master key could still be recovered after you've used passwdehd. Linux Unified Key Setup (LUKS) is designed to avoid this vulnerability by always storing the key(s) in a fixed position at the start of the partition. At this point, I don't know if and how it can be used in combination with pam_mount. I'll investigate this later.
- The "plain" IV generation that is used implicitly by cryptsetup when setting up the mapping is very weak and has some shortcomings. For example, it doesn't prevent watermarking. In other words, a specially crafted file that you're lured into storing on your partition would create patterns that are recognizable when analysing the encrypted partition. (However, this does not imply that your data could be decrypted.)
A better choice for IV generation has been introduced in Linux 2.6.10: ESSIV. (e.g. use "aes-cbc-essiv:sha256" as cipher when calling cryptsetup. More info on the dm-crypt homepage.)
- Your home directory is not the only place where user information can be found:
- Your swap could contain anything that you've worked on and should be encrypted.
- For complete security it's also necessary to have an encrypted /tmp, or better make it tmpfs. Of course, to be secure this requires that swap is encrypted!
- It's also necessary to take care of /var (especially /var/tmp and /var/spool).
- Don't forget that slocate could leak all of your filenames...
To sum up, if your password is reasonably strong, the encrypted data should be quite safe.
10. References
Of course, I used some other howtos to do all of this. What I did was simply combining different methods and implementing it on a Gentoo box. Here are some useful links in no particular order.
dm-crypt homepage
Linux hard disk encryption settings
dm-crypt wiki
Bug 24213: ebuild for pam_mount (new package)
HOWTO: Encrypt a filesystem in a loopback file via dm-crypt
dm-crypt looptutorial
pam_mount homepage
Encrypted home using pam_mount
Quick and painless: dm-crypt encrypted swap
Tip/Trick: using tmpfs for /tmp
11. Changelog
04.01.2005: initial post
04.01.2005: clarifications and additional details when using a partition
04.01.2005: added note about /var/tmp
09.01.2005: added 2 more references (tmpfs, swap)
10.01.2005: minor edit concerning /var, reminder to do backups
12.01.2005: added security information. fixed changelog dates (oops).
14.01.2005: updated instructions for pam_mount-0.9.21
23.01.2005: fixed mount.crypt
18.02.2005: pam_mount-0.9.22
12.03.2005: added note about slocate
26.09.2005: added section about non-default ciphers; general updates
29.09.2005: added "cryptsetup remove" step after mke2fs
Last edited by tuxophil on Wed Oct 19, 2005 3:27 pm; edited 9 times in total |
|
Back to top |
|
|
Archangel1 Veteran
Joined: 21 Apr 2004 Posts: 1212 Location: Work
|
Posted: Tue Jan 11, 2005 5:30 am Post subject: |
|
|
Great howto. Worked perfectly for me - exactly what I was looking for. _________________ What are you, stupid? |
|
Back to top |
|
|
repugnant Tux's lil' helper
Joined: 16 Apr 2003 Posts: 86
|
Posted: Fri Jan 14, 2005 1:11 am Post subject: |
|
|
I only had one problem. On my 64-bit (AMD) machine pam_mount 0.9.20 fails to compile, but 0.9.21 (the latest) works fine. |
|
Back to top |
|
|
lost+found Guru
Joined: 15 Nov 2004 Posts: 509 Location: North~Sea~Coa~s~~t~~~
|
Posted: Sat Jan 29, 2005 10:51 am Post subject: Re: Automatically mount dm-crypt encrypted home with pam_mou |
|
|
> 8. How secure...
>
In addition you should destroy RAM when finished, by overwriting it using Memtest86, or a specialized tool.
I read somewhere that broiling your RAM is even more secure. |
|
Back to top |
|
|
linux_girl Apprentice
Joined: 12 Sep 2003 Posts: 287
|
Posted: Wed Feb 02, 2005 5:12 am Post subject: |
|
|
a nice idea will be to add a clean up password : if get busted by FBI NSA ... and the gov agency that fit the following reg-exp [A-Z][A-Z][A-Z]
that will loop 4 ever:
Code: | dd if=/dev/urandom of=/dev/WHERE@home
|
into dm-crypt
any coder ? _________________ |
|
Back to top |
|
|
linux_girl Apprentice
Joined: 12 Sep 2003 Posts: 287
|
Posted: Wed Feb 02, 2005 5:19 am Post subject: Re: Automatically mount dm-crypt encrypted home with pam_mou |
|
|
lost+found wrote: | > 8. How secure...
>
In addition you should destroy RAM when finished, by overwriting it using Memtest86, or a specialized tool.
I read somewhere that broiling your RAM is even more secure. |
how the hell the ram (a pice of hardware that need refreshing at its own speed [me ddr 333] to keep data can steel have data after computer shutdown ?)
i know that crackers strings /dev/mem >worldlist.txt and pass text to progs like john the ripper
for totale ownage of the box and friendly hosts _________________ |
|
Back to top |
|
|
linux_girl Apprentice
Joined: 12 Sep 2003 Posts: 287
|
Posted: Wed Feb 02, 2005 5:21 am Post subject: |
|
|
Archangel1 wrote: | Great howto. Worked perfectly for me - exactly what I was looking for. |
i wishe sarha mitcheal gelar was my gf _________________ |
|
Back to top |
|
|
linux_girl Apprentice
Joined: 12 Sep 2003 Posts: 287
|
Posted: Wed Feb 02, 2005 6:35 am Post subject: |
|
|
easier install instruction for noobs in here :
install pam_mount the just past it to do it way
Code: |
mkdir -p /usr/local/portage/sys-libs/
wget http://bugs.gentoo.org/attachment.cgi?id=48486 -O-|tar xzvf - -C/usr/local/portage/sys-libs/
PORTDIR_OVERLAY="/usr/local/portage/" ACCEPT_KEYWORDS="~x86" emerge pam_mount && etc-update
| _________________ |
|
Back to top |
|
|
linux_girl Apprentice
Joined: 12 Sep 2003 Posts: 287
|
Posted: Wed Feb 02, 2005 7:51 am Post subject: |
|
|
still a prob : it will be wizer to encrypt the /home instead of /home/anUser
cause this will require to split ur hard disk or make static file size for each user and slipting the disk space btw users isnt wize : while /home allow more flexibility all the users can have all the space that remain on the /home device will .
Supose u have 3 users
can we make a BIG BIG key and plit it into 3 halves. mounting the encrypted can be done with any of the 3 litle keys since we are linux and file perm (rxw------) sharing and mounting the same home wont be a big prob. but the prob is users key leackage where u loose the benefit of a crypto fs
if u wanted a bit more privacy add a crypted file into ur crypted home mount /dev/maper/WHATEVER ~/mini-sec/ ...blalbla
be SURE to use the same password so it appear clear cause aes_crypt(...)=aes_decrypt(...) rolof _________________ |
|
Back to top |
|
|
lost+found Guru
Joined: 15 Nov 2004 Posts: 509 Location: North~Sea~Coa~s~~t~~~
|
Posted: Wed Feb 02, 2005 9:38 am Post subject: Re: Automatically mount dm-crypt encrypted home with pam_mou |
|
|
linux_girl wrote: | how the hell the ram (a pice of hardware that need refreshing at its own speed [me ddr 333] to keep data can steel have data after computer shutdown ?) | That's true in a working state. But I don't know it can be done, special equipment will be needed. I read somewherelse that gov. specialists are historically 10-20 years ahead of "us". Luckily low/medium-security is good enough for most people. |
|
Back to top |
|
|
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
|
Posted: Wed Feb 02, 2005 10:54 am Post subject: |
|
|
linux_girl wrote: | cause this will require to split ur hard disk or make static file size for each user and slipting the disk space btw users isnt wize : while /home allow more flexibility all the users can have all the space that remain on the /home device will . |
This is a deliberate choice: when user A is logged in, there's no need (in fact it's a security problem) for user B's home to be mounted too. If the system is hacked while A is logged in, only A's data will be compromised. Furthermore, nothing bad can happen to a filesystem when it's not mounted. Of course, you're free to do it as you like.
BTW, Konqueror has a nice built-in spell checker for text input fields. (Perhaps something similar exists for your browser of choice.) |
|
Back to top |
|
|
linux_girl Apprentice
Joined: 12 Sep 2003 Posts: 287
|
Posted: Wed Feb 02, 2005 10:30 pm Post subject: |
|
|
tuxophil wrote: | linux_girl wrote: | cause this will require to split ur hard disk or make static file size for each user and slipting the disk space btw users isnt wize : while /home allow more flexibility all the users can have all the space that remain on the /home device will . |
This is a deliberate choice: when user A is logged in, there's no need (in fact it's a security problem) for user B's home to be mounted too. If the system is hacked while A is logged in, only A's data will be compromised. Furthermore, nothing bad can happen to a filesystem when it's not mounted. Of course, you're free to do it as you like.
BTW, Konqueror has a nice built-in spell checker for text input fields. (Perhaps something similar exists for your browser of choice.) |
whamo i was looking for a speel checker for my firefox but i didnt find any.
LVM2 sound interesting . however if u are loged in or u leave the screensaver on . if u get hacked while ur nice home is mounted ur file are owed buy the hackers =that will then easly find passwords of others users .....
that means if FBI are againts u would better improve ur brain memory to remebre the binary content of ur porn movies,mp3z ..... so u dont need to store then on ur 120GB Hard Disk
+ if u want to setup scripts to miror or backu ur nice 5GB home
that will be a major pain in the ass to tells cron to use password .... and _________________
Last edited by linux_girl on Sun Feb 27, 2005 1:09 pm; edited 1 time in total |
|
Back to top |
|
|
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
|
Posted: Wed Feb 02, 2005 10:48 pm Post subject: |
|
|
linux_girl wrote: | whamo i was looking for a speel checker for my firefox but i didnt find any. |
What about the first result of this google query? Doesn't it work? |
|
Back to top |
|
|
linux_girl Apprentice
Joined: 12 Sep 2003 Posts: 287
|
Posted: Wed Feb 02, 2005 11:13 pm Post subject: Re: Automatically mount dm-crypt encrypted home with pam_mou |
|
|
lost+found wrote: | linux_girl wrote: | how the hell the ram (a pice of hardware that need refreshing at its own speed [me ddr 333] to keep data can steel have data after computer shutdown ?) | That's true in a working state. But I don't know it can be done, special equipment will be needed. I read somewherelse that gov. specialists are historically 10-20 years ahead of "us". Luckily low/medium-security is good enough for most people. |
10-20 ahead us that will cost $$$ to develop. knowing that they cant sell this nice teck pice . whil e druging the hacker to reveal the password or using a cluster to brut force will be the hell lot cheaper isnt ??? _________________ |
|
Back to top |
|
|
qwijibow n00b
Joined: 27 Dec 2004 Posts: 58
|
Posted: Fri Feb 04, 2005 4:22 pm Post subject: |
|
|
how can i modify
Code: | volume frodo crypt - /home/frodo_home /home/frodo2 loop,cipher=aes aes-256-ecb /home/frodo.key |
to simply mount an encrypted partiton using cryptsetup with the login password.
storeing the encryption key of the partiton as an encrpyted file reduces the strength of the encrpyion significantly, why have a random key, when the random key is encrypted with a non random login password.
im trying to get pam mount to simply call "mount.crypt /deev/hda3 /home/chris" and passit the login password.
thanks. |
|
Back to top |
|
|
blujay n00b
Joined: 19 Mar 2004 Posts: 6
|
Posted: Tue Feb 08, 2005 10:26 am Post subject: |
|
|
Is there a way to increase the size of a loopback filesystem file after it's been created and used? Say I make one for a user and it gets almost full. Can I increase the size of the loopback image without copying the data into a new, larger loopback image? |
|
Back to top |
|
|
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
|
Posted: Tue Feb 08, 2005 2:58 pm Post subject: |
|
|
blujay wrote: | Is there a way to increase the size of a loopback filesystem file after it's been created and used? |
Well, I've never tried it, but it should be possible. Files, dm-crypt mappings and filesystems are all resizable. The only "difficulty" should be the order of the commands. I didn't test the following commands. Please don't try them on your real home. Use a test file instead. You have been warned.
Here's what I would try. (Of course, frodo should be logged out, the filesystem unmounted and the mapping removed.)
Code: | # Enlarge the file by 500 MiB.
dd if=/dev/urandom bs=1M count=500 >> /home/frodo_home
# Create the loopdevice.
losetup /dev/loop0 /home/frodo_home
# Create the mapping. (cryptsetup uses the whole, i.e. enlarged,
# block device)
openssl aes-256-cbc -d -in /home/frodo.key \
| cryptsetup create frodo /dev/loop0
# Resize the filesystem to fill up the device. Example for e2fs.
resize2fs /dev/mapper/frodo
# Clean up.
cryptsetup remove frodo
losetup -d /dev/loop0 |
Now you should be able to log in as frodo and enjoy your enlarged home.
Please post your results.
BTW can loop devices be resized? (That is, without removing the loop device first.) I don't think so, but it would allow to do the resizing while the filesystem is mounted: cryptsetup resize can safely be used, and some filesystems (e.g. Reiserfs, XFS) can be resized while they're mounted.
(For dm-crypt over LVM this is possible!) |
|
Back to top |
|
|
blujay n00b
Joined: 19 Mar 2004 Posts: 6
|
Posted: Tue Feb 08, 2005 6:13 pm Post subject: |
|
|
Thank you very much, tuxophil, for your kind reply. I did some more investigating after my post, and I found a way to do it! Here's what I did (on Debian at the moment):
(after creating the encrypted image file)
1. `umount` it.
2. `cryptsetup remove` it.
3. `losetup -d` it.
4. `dd if=/dev/zero of=/path/to/file ibs=1M obs=1M seek=1024 count=1024` (increases an exactly 1 GB [1024*1024] file by 1 GB, to a total of 2 GB).
5. `losetup` it.
6. `cryptsetup create` it.
7. `e2fsck -f /dev/mapper/whatever` it (if you don't, the next command will tell you to).
8. `resize2fs` (no parameters).
9. `mount` it.
10. That's it!
I tried creating a 1 GB AES-encrypted image with a simple, cryptsetup-prompted password, and filling it with ~180 MB of data. Then I unmounted and un-cryptsetup'ed and un-losetup'ed it. Then I increased the file to 2 GB, then losetup'ed and cryptsetup'ed, then e2fsck'ed and resize2fs'ed and mounted, and all the data was there. I've since added more to it, and it's working perfectly. I'm using the image as a home directory for a user (made the user and his homedir first, then logged out and copied files into the image, deleted homedir, mounted image as homedir).
Your `dd if=/dev/urandom bs=1M count=500 >> /home/frodo_home ` command looks great, and I will have to test it. If it works, it is much better, because it's much less likely that a typo or an early-return-hit would do damage.
I'm looking forward to trying Gentoo on my new hard drive.
Thanks again. |
|
Back to top |
|
|
blujay n00b
Joined: 19 Mar 2004 Posts: 6
|
Posted: Tue Feb 08, 2005 6:17 pm Post subject: |
|
|
Here's another quick question. I'm too tired to Google right now, so if you know, just tell me if it's possible and I'll research how later.
Can you set up pam_mount to mount an encrypted loopback image as a user's home directory so that it gets automatically setup and mounted when the user logs in? |
|
Back to top |
|
|
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
|
Posted: Wed Feb 09, 2005 12:45 pm Post subject: |
|
|
blujay wrote: | Can you set up pam_mount to mount an encrypted loopback image as a user's home directory so that it gets automatically setup and mounted when the user logs in? |
Well, considering the fact that this HOWTO's title is "Automatically mount dm-crypt encrypted home with pam_mount", I guess it's possible. |
|
Back to top |
|
|
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
|
Posted: Wed Feb 09, 2005 1:00 pm Post subject: |
|
|
qwijibow wrote: | how can i modify
Code: | volume frodo crypt - /home/frodo_home /home/frodo2 loop,cipher=aes aes-256-ecb /home/frodo.key |
to simply mount an encrypted partiton using cryptsetup with the login password. |
Code: | volume frodo crypt - /home/frodo_home /home/frodo2 loop,cipher=aes - - |
This should do the job. If the last two parameters aren't specified pam_mount will use the login password.
qwijibow wrote: | storeing the encryption key of the partiton as an encrpyted file reduces the strength of the encrpyion significantly, why have a random key, when the random key is encrypted with a non random login password. |
You're right that this reduces the security to the strength of the password. The random password just makes sure that in every case the login password is the weakest link. You're free to store the key on a USB key instead of your hard disk. The reason for using a master key is to allow changing the login password (and not that it magically increases security). |
|
Back to top |
|
|
blujay n00b
Joined: 19 Mar 2004 Posts: 6
|
Posted: Fri Feb 11, 2005 9:07 am Post subject: |
|
|
tuxophil wrote: | blujay wrote: | Can you set up pam_mount to mount an encrypted loopback image as a user's home directory so that it gets automatically setup and mounted when the user logs in? |
Well, considering the fact that this HOWTO's title is "Automatically mount dm-crypt encrypted home with pam_mount", I guess it's possible. |
Bah, sorry...I got confused and thought this was just for partitions. My bad. |
|
Back to top |
|
|
blujay n00b
Joined: 19 Mar 2004 Posts: 6
|
Posted: Fri Feb 11, 2005 9:33 am Post subject: |
|
|
tuxophil wrote: | Code: | dd if=/dev/urandom bs=1M count=500 >> /home/frodo_home |
|
I just tried this, and it does indeed work fine. It's better in one way, because you don't have to calculate how far to seek with dd. However, if you left off one of the >'s, it'd overwrite the file instead of add on to it. Neither way is typo-proof, but they both work.
Thanks for your help. |
|
Back to top |
|
|
SilentShadow n00b
Joined: 25 Oct 2004 Posts: 36 Location: Italia
|
Posted: Wed Feb 23, 2005 2:32 pm Post subject: |
|
|
HI tuxophil,
I read your how to and I think I found what I'm looking for, but I want you ask some question:
If I gain access to the machine ( e.s. with a live cd) and I stole the encrypted file with the home page of frodo user (/home/frodo_home) and the key file of the user (/home/frodo.key) I will be able to mount on another machine the file?
In any case I search for a solution to crypt some directory installed on customers server (php apache postgres), the customer don't have console or remote access to the machine but can use live cd or open the box to stole the information. The dm-crypt is a sollution but the boot password is a big problem for a server on 24/7.
thank on advance for your help
Bye DArio |
|
Back to top |
|
|
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
|
Posted: Wed Feb 23, 2005 2:52 pm Post subject: |
|
|
SilentShadow wrote: | If I gain access to the machine ( e.s. with a live cd) and I stole the encrypted file with the home page of frodo user (/home/frodo_home) and the key file of the user (/home/frodo.key) I will be able to mount on another machine the file? |
Only if you know the password. The key file (frodo.key) is encrypted with the user's login password. (Using openssl with a cipher of your choice.) This makes automatic mounting by pam_mount possible, since normally the user does provide his login password, but with this method it's only required once.
SilentShadow wrote: | In any case I search for a solution to crypt some directory installed on customers server (php apache postgres), the customer don't have console or remote access to the machine but can use live cd or open the box to stole the information. The dm-crypt is a sollution but the boot password is a big problem for a server on 24/7. |
There is no boot password involved so I don't quite understand what you mean. In any case, when the machine is turned off it should be impossible to recover the encrypted data without the password. (Provided swap is encrypted etc.)
When the machine is running you'd have to acquire sufficient permissions to access the home directory. |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|