Automatically mount dm-crypt encrypted home with pam_mount

Unofficial documentation for various parts of Gentoo Linux. Note: This is not a support forum.
Post by SilentShadow » Wed Feb 23, 2005 3:28 pm

thanks,

so I need a user log-on to have the file decrypted?

I'll try to explain my problem better.

I'm new at a software house that has a product based on PHP and Postgres.
They never thought about the security of their sources, so now I'm trying to figure out how to protect the code.
The big issue with encrypting a partition or folder is the boot password.
I can't give the password to customers, because with the password they are able to read the code, and I also can't run to the customers every time the machine reboots to type the password at the console.

I think your solution doesn't solve my personal problem, but I have scheduled to try it as soon as possible..... my laptop needs a little bit of security too.

Thanks, Dario

Post by tuxophil » Wed Feb 23, 2005 4:03 pm

SilentShadow wrote: so I need a user log-on to have the file decrypted?
So you want encryption that doesn't need any password, dongle, biometric and so on? Sorry, but that's just impossible. After all, there must be "something" that gives you (i.e. your company) and nobody else access to the data. This doesn't have to be a password, but it should be clear that some kind of authentication is necessary.

In any case, if you're really worried about your data, you'll also have to consider the possibility that your customer boots a LiveCD and modifies the system to log the password. This is far from impossible. The only way to guarantee the security of your data would be to never again mount the partition or to do a complete audit of the machine before mounting.

If you don't trust your customers, don't do business with them. ;)

Post by SilentShadow » Wed Feb 23, 2005 4:34 pm

I think I was looking at the problem from the wrong side: I don't need to encrypt the partition, I probably need to encode and obscure the code.

I found these two links on the net (off topic, but for completeness of the discussion):

http://www.sourceguardian.com/index.html
http://www.zend.com/store/products/zend-encoder.php

thanks Dario

Post by linux_girl » Wed Feb 23, 2005 7:12 pm

hehehe, I found it more useful to encrypt /home:

Code: Select all

# /etc/conf.d/local.start:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/conf.d/local.start,v 1.4 2002/11/18 19:39:22 azarah Exp $

# This is a good place to load any misc.
# programs on startup ( 1>&2 )

# Map /dev/hdb1 as a plain (non-LUKS) dm-crypt device named "home" using AES;
# cryptsetup asks for the passphrase on the console, then the mapping is mounted.
cryptsetup -c aes create home /dev/hdb1
mount /dev/mapper/home /home

Code: Select all

# /etc/conf.d/local.stop:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/conf.d/local.stop,v 1.4 2002/11/18 19:39:22 azarah Exp $

# This is a good place to unload any misc.
# programs you started above.
# For example, if you are using OSS and have
# "/usr/local/bin/soundon" above, put
# "/usr/local/bin/soundoff" here.

# Stop the daemon that keeps files open under /home, then unmount
# the innermost mount first.
/etc/init.d/mldonkey stop
umount /home/john/nfs && echo nfs unmounted
umount /home && echo HOME unmounted

I plan to make a SUID C program that uses system(2), and to modify the xscreensaver source so it unmounts it when I am idle, for more safety when storing ultra-important info.
In any case the RIAA won't be able to decrypt my /home to find /home/p2p/.mldonkey/incoming/*.mp3 and my users' files.

Code: Select all

# /home/john/bin/secmount
#!/bin/bash
# Attach the encrypted container file to a loop device, map it with dm-crypt
# (cryptsetup prompts for the passphrase), mount it, then re-enable exec on it.
su -c '
  /sbin/losetup /dev/loop2 /home/john/secret &&
  /bin/cryptsetup create secret /dev/loop2 &&
  mount /dev/mapper/secret /home/john/nfs &&
  mount -o remount,exec /home/john/nfs
'

Code: Select all

# /home/john/bin/secumount
#!/bin/bash
# Reverse of secmount: unmount, drop the dm-crypt mapping, detach the loop device.
# Each step only runs if the previous one succeeded, so a busy mount is not left half torn down.
su -c '
  umount /home/john/nfs &&
  cryptsetup remove secret &&
  /sbin/losetup -d /dev/loop2
'
Last edited by linux_girl on Fri Dec 15, 2006 3:08 am, edited 1 time in total.

Post by ian! » Fri Mar 04, 2005 1:03 pm

Nice How-To. I had to put some umount-foo into my local.stop so that the loop gets unmounted on shutdown when it was mounted via kdm before.

/etc/conf.d/local.stop:

Code: Select all

/bin/umount /home/<foo> && echo "/home/<foo> unmounted"
/bin/cryptsetup remove /dev/mapper/<bar> && echo "/dev/mapper/<bar> removed"
/sbin/losetup -d /dev/loop<number> && echo "loopdevice removed"

Post by yem » Fri Mar 11, 2005 10:53 am

Great HOWTO! Hopefully pam_mount will make it into portage soon.

A couple of points:

1) Where it says that you can theoretically log in now and try creating/deleting files: it might be worth noting that you need to chown the mount point to the user after it is mounted. It confused me for a few minutes because the mount point changed ownership to root:root when mounted.

2) | (cd /home/frodo2; tar xpf -) could be written more clearly as | tar -xpf - -C /home/frodo2

3) If you use a login manager (guessing most people do, particularly on laptops) you need to add the auth/session lines to /etc/pam.d/{xdm,gdm,kdm}. /etc/pam.d/login is not sufficient.

Did you find anything more about using journalled filesystems on dm-crypted block devices? I have the backing file stored on an ext3 partition, but it's not the same. A quick google didn't turn anything up.

Post by tuxophil » Sat Mar 12, 2005 12:23 am

ian! wrote: Nice How-To.
Thanks! :D
ian! wrote: I had to put some umount-foo into my local.stop so that the loop gets unmounted on shutdown when it was mounted via kdm before.
Yes, I should have added some lines about that problem. In fact there are still some processes left when you leave KDE, but only for a few ms. Adding a one-second sleep to umount.crypt solves this problem. This should be made more elegant.

Post by tuxophil » Sat Mar 12, 2005 12:41 am

yem wrote: 1) Where it says that you can theoretically log in now and try creating/deleting files: it might be worth noting that you need to chown the mount point to the user after it is mounted. It confused me for a few minutes because the mount point changed ownership to root:root when mounted.
I think if you follow the guide this is taken care of ;)
(Have a closer look at the code in section 5.)
yem wrote: 2) | (cd /home/frodo2; tar xpf -) could be written more clearly as | tar -xpf - -C /home/frodo2
Changed.
yem wrote: 3) If you use a login manager (guessing most people do, particularly on laptops) you need to add the auth/session lines to /etc/pam.d/{xdm,gdm,kdm}. /etc/pam.d/login is not sufficient.
After emerging pam_mount you're advised to run etc-update, which should point out the changes in the pam files.
yem wrote: Did you find anything more about using journalled filesystems on dm-crypted block devices? I have the backing file stored on an ext3 partition, but it's not the same. A quick google didn't turn anything up.
I've recently read somewhere (IIRC some remarks by Hans Reiser) that in order to have a completely fail-safe (even unencrypted!) reiserfs partition it's in fact necessary to turn off the drive's write buffering. That sounds quite reasonable, since the HDD's buffering reorders the write operations.
In light of this I think that it would be somewhat unrealistic to have an absolutely fail-safe encrypted partition, but I'm by no means an expert and information seems to be scarce :-/.

Thanks for your feedback!

Post by yem » Sat Mar 12, 2005 8:09 am

tuxophil wrote: I think if you follow the guide this is taken care of ;)
(Have a closer look at the code in section 5.)
I see that, but the instructions to "relogin as frodo, try copying some files" (paraphrasing) won't work without a chown first.
yem wrote: 2) | (cd /home/frodo2; tar xpf -) could be written more clearly as | tar -xpf - -C /home/frodo2
hmm, or even "rsync -arv /home/frodo/ /home/frodo2/" ?
tuxophil wrote: After emerging pam_mount you're advised to run etc-update, which should point out the changes in the pam files.
IIRC it modifies /etc/pam.d/login only, not the [xgk]dm profiles.

It's really a great HOWTO. These are just things that confused me. YMMV :)

Post by tuxophil » Sat Mar 12, 2005 9:15 am

yem wrote:
tuxophil wrote: I think if you follow the guide this is taken care of ;)
(Have a closer look at the code in section 5.)
I see that, but the instructions to "relogin as frodo, try copying some files" (paraphrasing) won't work without a chown first.
Crap! You're right :) I'll fix it later. Thanks.
yem wrote: hmm, or even "rsync -arv /home/frodo/ /home/frodo2/" ?
I just had a look at man rsync; it seems that it should preserve everything (special files, attributes, etc.), but I'm not sure, since ACLs and extended attributes aren't mentioned. Neither are they in man tar, but until somebody can confirm that rsync would work at least as well as tar, I'll stick to using tar.
yem wrote: IIRC it modifies /etc/pam.d/login only, not the [xgk]dm profiles.
Hmm, strange, on the two systems I did this on, kdm was also modified. Hopefully nothing's wrong with the ebuild...

Post by yem » Sat Mar 12, 2005 10:09 am

tuxophil wrote: Hmm, strange, on the two systems I did this on, kdm was also modified. Hopefully nothing's wrong with the ebuild...
Ah, I see what happened. The ebuild includes kde (but not kdm - are they the same thing?) and login. However, I don't use kde, and thus the kde file was created by pam_login. Being a new file, etc-update didn't show any diff on that file.

I would suggest either modifying kde/m, gdm and xdm, OR modifying login only and including an einfo in the ebuild to tell the user that they'll need to modify the file for their chosen *dm appropriately. Something like this:

Code: Select all

--- pam_mount-0.9.22.ebuild     2005-03-12 22:58:46.000000000 +1300
+++ pam_mount-0.9.22-r1.ebuild  2005-03-12 23:06:22.000000000 +1300
@@ -29,7 +29,7 @@
        insopts -m0644
        doins ${FILESDIR}/pam_mount.conf
        insinto /etc/pam.d
-       doins ${FILESDIR}/login ${FILESDIR}/kde
+       doins ${FILESDIR}/login
        # fixed mount.crypt
        #insinto /usr/bin
        #doins ${FILESDIR}/mount.crypt
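Review bot: the `doins` change in this hunk quietly stops shipping `${FILESDIR}/kde`, and nothing in the ebuild says so; a user upgrading from the previous revision is left with an /etc/pam.d/kde that this package no longer maintains. Add a sentence to the postinst message or the ChangeLog, e.g. `einfo "/etc/pam.d/kde is no longer installed by this ebuild; maintain it by hand."`. The three commented-out lines kept as context (`# fixed mount.crypt`, `#insinto /usr/bin`, `#doins ${FILESDIR}/mount.crypt`) are dead code in an ebuild; either drop them or state in the comment which upstream fix they are waiting for.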
@@ -38,3 +38,13 @@
        dosym /usr/bin/mount.crypt /sbin/mount.crypt
        dodoc README TODO AUTHORS ChangeLog FAQ INSTALL NEWS
 }
+
+pkg_postinst() {
+       einfo "This ebuild modifies /etc/pam.d/login to include pam_mount hooks."
+       einfo "If you use a graphical login manager such as xdm, kdm or gdm, you"
+       einfo "will need to add the following lines to the appropriate file"
+       einfo "in /etc/pam.d/:"
+       einfo
+       einfo "auth       optional     /lib/security/pam_mount.so use_first_pass"
+       einfo "session    optional     /lib/security/pam_mount.so"
+}
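Review bot: the `pkg_postinst` message gives the two lines but not where to put them, and placement is what makes them work: the `auth optional ... use_first_pass` line must come after the module that actually prompted for the password (pam_unix in a stock stack), otherwise pam_mount has no password to reuse and the volume never gets mounted, and the `session` line must sit in the session stack of the same service, otherwise nothing unmounts the volume at logout. Say that in the einfo text, e.g. `einfo "Both lines go after the existing pam_unix.so entries of that stack."`. Two smaller points: `/lib/security/pam_mount.so` is hard-coded where a bare `pam_mount.so` would let PAM resolve the module from its own directory, and the message says nothing about the file possibly not existing yet for a given display manager, so the user does not learn that it may have to be created rather than edited.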
(untested!)

Post by thomash » Fri Apr 08, 2005 5:30 pm

Hello everyone.

This looks like a really great guide, and I want to use a partition instead of a file.

I also want the entire /home directory encrypted, and not only the home dir of my regular user (thomas).
I have only two users on my laptop, and it's no problem to use the same password for both, if needed.

Is anyone interested in giving me a step-by-step guide to achieve this? (I'm pretty new to it.)

I get stuck on where to store the key, and I'm not supposed to mkdir /home/home, I assume?
Permissions on various files would also be a problem =)

I appreciate any help!

Thanks.
Thomas Hoff

Post by thomash » Fri Apr 08, 2005 9:22 pm

Before attempting to encrypt all of /home, I thought I should give this tutorial a try (setting up an encrypted home dir for a specific user, from a partition).

This is what I did:

Code: Select all

# Fill the partition with random data first, so unused space cannot be told apart from ciphertext
dd if=/dev/urandom of=/dev/sda4 bs=1M

# 79 random printable characters as the dm-crypt passphrase; the bracket expression is
# quoted so the shell cannot expand it as a glob
KEY=`tr -cd '[:graph:]' < /dev/urandom | head -c 79`

# Plain (non-LUKS) dm-crypt mapping; cryptsetup reads the passphrase from stdin
echo "$KEY" | cryptsetup create bleh /dev/sda4

mke2fs /dev/mapper/bleh

# Store the passphrase encrypted under the login password (openssl prompts for it);
# pam_mount decrypts this file with the same password at login
echo "$KEY" | openssl aes-256-ecb > /home/bleh.key

touch /home/bleh.key.old
chown bleh /home/bleh.key /home/bleh.key.old
chmod 600 /home/bleh.key /home/bleh.key.old

mkdir /home/bleh2
chown bleh /home/bleh2
chgrp users /home/bleh2
chmod 700 /home/bleh2
Then I added this line to my /etc/security/pam_mount.conf:

Code: Select all

volume bleh crypt - /dev/sda4 /home/bleh2 cipher=aes aes-256-ecb /home/bleh.key
Then I exited all sessions as "bleh" and logged in again. The messages I get after login look good. No errors.
But I start in /home/bleh and not /home/bleh2

I did a 'ls /home' and got:
drwx------ 18 bleh users 1448 Apr 8 23:08 bleh
-rw------- 1 bleh root 112 Apr 8 22:52 bleh.key
-rw------- 1 bleh root 0 Apr 8 22:52 bleh.key.old
drwxr-xr-x 3 root root 4096 Apr 8 22:51 bleh2

It changes the owner, group and permission of /home/bleh2 when i login. I verified that it had the proper permissions before login.

Anyone know what the problem is? Can it be because I'm using an external USB HDD? Or am i missing something?

Post by thomash » Sat Apr 09, 2005 9:07 pm

Sorry, ignore my last post.
After the partition is mounted, I su'd and changed the owner, group and permissions of /home/bleh2 (as section 5 tells me to do).
I saw someone else was asking about this too, guess I should've looked more closely =)

I'd still like to see how someone encrypted all of /home though.

Post by thomash » Sat Apr 09, 2005 10:09 pm

Here is what i did to have all of /home encrypted, using a partition (on an external USB HDD):

bleh is my user.

Code: Select all

# Fill the partition with random data first, so unused space cannot be told apart from ciphertext
dd if=/dev/urandom of=/dev/sda4 bs=1M

# 79 random printable characters as the dm-crypt passphrase; the bracket expression is
# quoted so the shell cannot expand it as a glob
KEY=`tr -cd '[:graph:]' < /dev/urandom | head -c 79`

# Plain (non-LUKS) dm-crypt mapping; cryptsetup reads the passphrase from stdin
echo "$KEY" | cryptsetup create bleh /dev/sda4

mke2fs /dev/mapper/bleh

# The key file lives outside /home this time, since /home itself will be the encrypted volume;
# openssl prompts for the login password it is encrypted under
echo "$KEY" | openssl aes-256-ecb > /etc/bleh.key

touch /etc/bleh.key.old
chown bleh /etc/bleh.key /etc/bleh.key.old
chmod 600 /etc/bleh.key /etc/bleh.key.old
Add the following line to /etc/security/pam_mount.conf:

Code: Select all

volume bleh crypt - /dev/sda4 /home cipher=aes aes-256-ecb /etc/bleh.key
Exit all sessions as bleh, login as root and do:

Code: Select all

mv /home /home2
mkdir /home
chown bleh /home
chgrp users /home
chmod 700 /home
Exit root, login as bleh and do:

Code: Select all

su
# Create the user's home dir inside the freshly mounted encrypted /home and hand it over
mkdir /home/bleh
chown bleh /home/bleh
chgrp users /home/bleh
chmod 700 /home/bleh
Exit bleh and relogin. Now you should start in your new home dir in the encrypted /home.
You can now move all your files in /home2/bleh to your new home dir.

I haven't added a second user yet. Not sure how/if it would work. But I'll post more info as soon as I have it.
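As an added example, not part of the thread and not pam_mount's own code, here is a small Python audit for the `volume` lines used in the posts above. The field layout it parses, `volume <user> <fstype> <server> <path> <mountpoint> <options> <fs_key_cipher> <fs_key_path>`, is taken from the lines in this thread and assumed to be complete. It checks the points the posts stumble over: a key file readable by other users, the ECB key cipher, a container file configured without the loop option, and a mount point still owned by root after the first mount. The config and files that `demo()` inspects are constructed in a temporary directory; the user name `bleh` and the path names are the thread's, everything else is assumption.

```python
"""Audit the `volume` lines of a pam_mount.conf (0.9.x text format).

Added example for this thread, not pam_mount's code.  Field order is the one
the lines posted above use (assumed complete):
  volume <user> <fstype> <server> <path> <mountpoint> <options> <fs_key_cipher> <fs_key_path>
"""
import os
import pwd
import shlex
import stat
import tempfile
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Volume:
    user: str
    fstype: str
    server: str
    path: str
    mountpoint: str
    options: str
    fs_key_cipher: str
    fs_key_path: str


def parse_volume_lines(text: str) -> List[Volume]:
    """Return the `volume` entries of a config snippet; comments and other keywords are skipped."""
    volumes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("volume "):
            continue
        fields = shlex.split(line)
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        volumes.append(Volume(*fields[1:]))
    return volumes


def audit_volume(vol: Volume,
                 uid_of: Callable[[str], int] = lambda u: pwd.getpwnam(u).pw_uid) -> List[str]:
    """Return findings for one volume; an empty list means nothing to report."""
    findings = []
    # Key file = volume key wrapped under the login password: any other local user
    # who can read it gets an offline attack on that password.  "-" marks an unused
    # field, as in the server column of the lines above.
    if vol.fs_key_path != "-":
        try:
            st = os.stat(vol.fs_key_path)
        except FileNotFoundError:
            findings.append(f"key file {vol.fs_key_path} is missing")
        else:
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"key file {vol.fs_key_path} is group/world accessible "
                                f"(mode {stat.S_IMODE(st.st_mode):04o}); chmod 600 it")
    # aes-256-ecb is the raw block cipher: no IV, no integrity check, and equal
    # plaintext blocks give equal ciphertext.
    if vol.fs_key_cipher.lower().endswith("-ecb"):
        findings.append(f"fs_key_cipher {vol.fs_key_cipher} is an ECB mode; use a CBC mode")
    # A container file (the .img setups later in the thread) must be attached to a
    # loop device before cryptsetup sees it, which is what the loop option does.
    if os.path.isfile(vol.path) and "loop" not in vol.options.split(","):
        findings.append(f"{vol.path} is a regular file but the options lack 'loop'")
    # After the first mount the mount point is root-owned; logins only work once
    # it has been chowned to the user, the step several posters missed.
    if os.path.isdir(vol.mountpoint):
        owner = os.stat(vol.mountpoint).st_uid
        if owner != uid_of(vol.user):
            findings.append(f"mount point {vol.mountpoint} is owned by uid {owner}; "
                            f"chown it to {vol.user} while it is mounted")
    return findings


def demo(hardened: bool = False) -> List[str]:
    """Audit a constructed config in a temp dir; hardened=True applies the four fixes."""
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "bleh.key")
        with open(key, "wb") as fh:
            fh.write(b"constructed wrapped volume key\n")
        os.chmod(key, 0o600 if hardened else 0o644)
        img = os.path.join(tmp, "bleh.img")  # container file instead of a partition
        open(img, "wb").close()
        mnt = os.path.join(tmp, "home")
        os.mkdir(mnt)
        opts = "loop,cipher=aes" if hardened else "cipher=aes"
        cipher = "aes-256-cbc" if hardened else "aes-256-ecb"
        conf = f"# constructed pam_mount.conf\nvolume bleh crypt - {img} {mnt} {opts} {cipher} {key}\n"
        vol = parse_volume_lines(conf)[0]
        me = os.getuid()  # stands in for user "bleh"; off by one mimics the root-owned mount point
        return audit_volume(vol, uid_of=lambda _user: me if hardened else me + 1)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

On a real system, run it as root: feed the text of /etc/security/pam_mount.conf to `parse_volume_lines` and each entry to `audit_volume` with the default uid lookup, ideally while the volume is mounted so the mount-point ownership check sees the state a login would. `demo()` exists only to show the four findings on constructed input and the empty result once they are fixed.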
little add to this howto


Post by kueka » Sun Apr 10, 2005 10:15 pm

The setup works fine, only one little thing goes wrong.
I have tested the SSH login and it fails with some errors.
After a little search on the web I found the solution:
in /etc/ssh/sshd_config set these parameters:
ChallengeResponseAuthentication no
PasswordAuthentication yes
and SSH login works.

so long

Post by gregory_bleiker » Mon Aug 22, 2005 4:00 pm

Hi All

Thanks for the nice HOWTO. However, I am (unfortunately) not getting it to work completely with SSH. I'm trying to have encrypted directories in a user's home, and the user logs in (exclusively) via SSH.
What I have done so far:
  • Installed a gentoo 2.6 kernel with LVM enabled (as in http://gentoo-wiki.com/SECURITY_Encrypt ... h_DM-Crypt)
  • Followed this howto for setting up a loop device
  • Read through all the /usr/share/docs on pam stuff
  • Put pam_mount.so into /etc/pam.d/sshd as described on http://www.flyn.org/projects/pam_mount/index.html
The problem is that the drive is not unmounted on logout. I have applied the patch from http://bugzilla.mindrot.org/show_bug.cgi?id=926 to OpenSSH and changed /etc/ssh/sshd_config to not use privilege separation, without success...
Mounting the drive is no problem, but I have so far not been able to unmount a drive through pam_mount.
If I have UsePrivilegeSeparation off, the unmount doesn't even get called; if I have it on, it gets called but with the wrong uid, so it can't unmount the drive because it was mounted as root in the auth part of pam.d. (It tells me mount disagrees with fstab, or if I put the mount command into a local ~/.pam_mount.conf, it tells me I'm not root, which I know, but I still think I'm great... ;)


Any thoughts or help is highly appreciated.

Gregi

Post by yem » Wed Aug 24, 2005 9:36 pm

BTW: I just did a catch-up emerge world and pam_mount broke. Turns out cryptsetup links against libdevmapper.so.1.00 exactly, and it had been updated to 1.01. If you get an error about libdevmapper.so.x.xx not found (with debug turned on in /etc/security/pam_mount.conf), then try re-emerging cryptsetup so that it re-links against the current version of the lib.

Post by svf » Thu Oct 06, 2005 10:33 pm

heya...

nice howto.. I'm going to try that tomorrow morning..

but two questions..

is there any other way to do this (mount an encrypted home on login)? because according to the webpage pam_mount is discontinued :( maybe there's some other neat way with the new baselayout ;)

and second.. are there any other howtos on how I can secure some of my /var/spool files? (tmpfs and pgp on shutdown? and risking data loss on crash?)
any other ideas?

nico

Post by tuxophil » Fri Oct 07, 2005 7:44 am

svf wrote: is there any other way to do this (mount an encrypted home on login)? because according to the webpage pam_mount is discontinued :( maybe there's some other neat way with the new baselayout ;)
Unfortunately I don't think there's another way that doesn't require a second passphrase. If you want to enter your passphrase only once, it must be passed by PAM to the mount command. I don't know of any other pam_mount-like program. It's a pity that it's discontinued. But then again, it works just fine. The only thing I may try sometime is to hack LUKS support into it. (But only if it doesn't require too much C code.)
svf wrote:and second.. are there any other howtos how i can secure some of my /var/spool files? (tmpfs and pgp on shutdown? and risking data loss on crash?)
any other ideas?
My setup is as follows: large enough swap, mount a 2GiB maximum tmpfs-filesystem as /tmp. Since tmpfs is handled by the VM, it always resides in RAM or swap. Just encrypt your swap and everything's fine.

/var/tmp is more problematic since these files should be persistent across reboots. Unfortunately the only solution I see is to make a system-wide encrypted partition for /var/tmp. But then you'll have to enter its passphrase at each startup.

Post by svf » Fri Oct 07, 2005 6:56 pm

hi

everything's working fine - thanks again

so the weakest point in the chain is my user password... I think I do have a really strong password but.. how is it stored? what's the algorithm used for /etc/shadow
(blowfish? DES?) does somebody know about that?

Post by tuxophil » Fri Oct 07, 2005 7:36 pm

svf wrote: so the weakest point in the chain is my user password...
Normally yes. But don't forget about the unencrypted parts of your system...
svf wrote: I think I do have a really strong password but.. how is it stored? what's the algorithm used for /etc/shadow (blowfish? DES?) does somebody know about that?
IIRC it's salted MD5. MD5 may not be the strongest hash around, but brute forcing it would still be quite a feat.
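As an added example that is not part of the thread, the following Python shows what "salted MD5" means in practice: it names the crypt(3) scheme from the `$id$` prefix of a shadow hash field and re-implements the `$1$` MD5-crypt construction on hashlib, so the salt, the fixed 1000 rounds and the password check can all be seen. This is the published md5crypt algorithm written from scratch here, not glibc's or Gentoo's code. The entries in `SAMPLE_SHADOW` are constructed; the `$6$` one is a placeholder, not a real hash, and the scheme table covers the prefixes used by Linux crypt implementations rather than only the two named in the question.

```python
"""Name the crypt(3) scheme behind /etc/shadow entries and verify $1$ (MD5-crypt) ones.

Added example for this thread.  The MD5-crypt construction follows the
published md5crypt algorithm (Poul-Henning Kamp's, also implemented in glibc),
re-implemented from scratch on hashlib; it is not glibc's or Gentoo's code.
The shadow lines at the bottom are constructed.
"""
import hashlib
import secrets
from typing import Dict, Iterable, Optional

# Prefixes of the crypt(3) schemes found in shadow files; a 13-character
# field with no "$" is traditional DES crypt.
SCHEMES: Dict[str, str] = {
    "$1$": "MD5-crypt (salted MD5, 1000 rounds)",
    "$2a$": "bcrypt (Blowfish)",
    "$2b$": "bcrypt (Blowfish)",
    "$2y$": "bcrypt (Blowfish)",
    "$5$": "SHA-256-crypt",
    "$6$": "SHA-512-crypt",
    "$y$": "yescrypt",
}
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def scheme_of(hash_field: str) -> str:
    """Name the scheme of one shadow hash field."""
    if hash_field == "" or hash_field[0] in "!*":
        return "no password / locked"
    for prefix, name in SCHEMES.items():
        if hash_field.startswith(prefix):
            return name
    if len(hash_field) == 13 and "$" not in hash_field:
        return "traditional DES crypt (8-char password limit, 12-bit salt)"
    return "unknown"


def _to64(value: int, count: int) -> str:
    """crypt's base64 variant: `count` characters, lowest 6 bits first."""
    return "".join(_ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5crypt(password: bytes, salt: Optional[str] = None) -> str:
    """Return "$1$<salt>$<22 chars>"; salt is at most 8 chars, random if omitted."""
    if salt is None:  # fresh salt, the way passwd(1) would pick one
        salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    salt = salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(password + b"$1$" + sb)
    alt = hashlib.md5(password + sb + password).digest()
    plen = len(password)
    while plen > 0:                      # mix in len(password) bytes of alt
        ctx.update(alt[:min(plen, 16)])
        plen -= 16
    bit = len(password)
    while bit:                           # bit-by-bit step of the reference code
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                # fixed work factor: 1000 MD5 rounds
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return f"$1${salt}${out}{_to64(final[11], 2)}"


def verify(password: bytes, hash_field: str) -> Optional[bool]:
    """True/False for $1$ hashes; None for schemes this script does not implement."""
    if not hash_field.startswith("$1$"):
        return None
    salt = hash_field[3:].split("$", 1)[0]
    return secrets.compare_digest(md5crypt(password, salt), hash_field)


def report(shadow_lines: Iterable[str]) -> Dict[str, str]:
    """Map each user in the given shadow lines to its hashing scheme."""
    result = {}
    for line in shadow_lines:
        user, hash_field = line.split(":")[:2]
        result[user] = scheme_of(hash_field)
    return result


# Constructed entries; only the $1$ one is a real hash (made by md5crypt above).
SAMPLE_SHADOW = [
    "root:" + md5crypt(b"correct horse", "saltsalt") + ":16000:0:99999:7:::",
    "bleh:$6$constructed$notarealhash:16000:0:99999:7:::",
    "nobody:*:16000:0:99999:7:::",
]

if __name__ == "__main__":
    for user, scheme in report(SAMPLE_SHADOW).items():
        print(f"{user:8} {scheme}")
    print("root login check:", verify(b"correct horse", SAMPLE_SHADOW[0].split(":")[1]))
```

The 1000 rounds are the whole work factor of `$1$`, and they are fixed; that is why the later `$5$` and `$6$` schemes, which take a tunable `rounds=` parameter, replaced it as the default on Linux. `verify()` returns None for those so the script never pretends to check a scheme it does not implement.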

Post by Massimo B. » Mon Oct 31, 2005 1:07 pm

Is there a way to do your setup also with the new baselayout and /etc/conf.d/cryptfs ? Encrypting the swap partition that way was terribly easy.

Post by tuxophil » Sun Nov 06, 2005 6:41 pm

paoleela wrote: Is there a way to do your setup also with the new baselayout and /etc/conf.d/cryptfs ?
I don't think so. AFAIK conf.d/cryptfs requires the entry of a (system-level?) passphrase at boot time. To transparently mount a partition when the user logs in you'll have to use pam_mount.
problem unmounting on logout


Post by hippysurfer » Thu Nov 10, 2005 12:28 pm

I have followed the HOWTO (many thanks to its author) but I have a problem with the encrypted filesystem not being unmounted on logout. I am logging in using 'su', so I have set up /etc/pam.d/su to use pam_mount, and the mounting on login works fine. But when I log out I get the following log:

Code: Select all

pam_mount: received order to close things
pam_mount: real and effective user ID are 405 and 405.
pam_mount: user is guest
pam_mount: command: /usr/sbin/pmvarrun [-u] [guest] [-d] [-o] [-1]
pam_mount: could not open count file /var/run/pam_mount/guest
pam_mount: pmvarrun says login count is 0
pam_mount: going to unmount
pam_mount: information for mount:
pam_mount: --------
pam_mount: (defined by globalconf)
pam_mount: user:          guest
pam_mount: server:
pam_mount: volume:        /home/.guest.img
pam_mount: mountpoint:    /home/.guest
pam_mount: options:       loop,cipher=aes
pam_mount: fs_key_cipher: aes-256-ecb
pam_mount: fs_key_path:   /home/.guest.key
pam_mount: use_fstab:   0
pam_mount: --------
pam_mount: command: /usr/sbin/lsof [/home/.guest]
pam_mount: lsof output (should be empty)...
pam_mount: waiting for lsof
pam_mount: command: /usr/bin/umount.crypt [/home/.guest]
pam_mount: umount errors (should be empty):
pam_mount: pam_mount: error setting uid to 0

pam_mount: mlockall failed: Cannot allocate memory

pam_mount: WARNING!!! Possibly insecure memory. Are you root?

pam_mount: Command failed: Invalid argument

pam_mount: umount: /home/.guest is not in the fstab (and you are not root)

pam_mount: umount.crypt: error unmounting /home/.guest

pam_mount: waiting for umount
pam_mount: unmount of /home/.guest.img failed
pam_mount: pam_mount execution complete
For some reason pam_mount can't setuid to root, so the unmount fails.

I can su to root and run umount.crypt /home/.guest and it works fine.

hmm

Regards

Richard