原始出处:
http://polishlinux.org/howtos/encrypted-home-partition-in-linux/
Have you ever wondered what would have happened if all the important data have been stolen from your mobile PC? For example the information about a confidential project you have been working on for the last 2 years in your company … A horrifying vision, isn’t it? If you don’t want it come true, please consider encrypting your home drive. Here is how to do this in Linux.
Author: Marcin Lipiec
This is what you will need to prepare your Linux computer for encrypting your home drive:
[li]DM-Crypt — open-source tool for encryption the whole HDD partition. It encrypts data before writing them on HDD. Available for kernel 2.6.4 and later. [/li][li]LUKS - (Linux Unified Key Setup) — standard HDD encryption system for Linux. [/li][li]cryptsetup — enables simultaneous use of LUKS and DM-Crypt. [/li]
Necessary software download
The program you will need is
cryptsetup with
LUKS handling. In order to install it you may either use your distribution’s repositories or use the general method (compilation from sources).
The distro-specific method is recommended. In Ubuntu you only need to type
apt-get install cryptsetup in the terminal windows (or use Synaptic Package Manager to do the same in a graphical interface.
If you prefer the source-based way, just open up a terminal and type
wget http://luks.endorphin.org/source/cryptsetup-luks-1.0.4.tar.bz2. The installation proceeds as usual:
[pre]./configuremakemake install[/pre]Done. If all went right, the installation should be now finished and the encryption software ready to be used.
Key cryptsetup options
Cryptsetup enables you to perform different types of encryption and offers some additional options you may be interested in. Here is a brief overview of them.
[pre]root@host:~# cryptsetup OPTIONS action name device - general syntaxOPTIONS:-c - here enter a cipher algorithm, the default is AES with 256-bit key-h - displays help menu-y - user verification, you will be prompted twice for the password-d - loads password from the file. This option is ignored when youuse
-y switch-s - you can enter the key size (in bits)ACTIONS:create - creates HDD mapremove - deletes HDD mapreload - reloads HDD mapsize - increases or decreases map sizestatus - displays statusname - map name in
/dev/mapper/[device] - [device] is the name of theHDD you want to encrypt[/pre]Now you know all the basic options, so you can get back to your main job — encrypt the home partition.
Cryptsetup is a console program and there is no GUI layer available, so if you don’t like working with command line tools… you will have to give it a second chance
Initializing of /home directory
For the purpose of this article, let’s say that the partition which we want to encrypt is
/dev/hdc6. Before you will be able to make the encrypted disc partition you have to initialize it first. This is how you do it:
[pre]root@host:~# cryptsetup luksFormat /dev/hdc6WARNING!=========This will overwrite data on /dev/hdc6 irrevocably.Are you sure? (Type uppercase yes): [YES]Enter LUKS passphrase:Verify passphrase:Command successful.[/pre]You will be prompted for a password. You need to enter it twice. This password will be used for verification later on, so don’t forget it!
Choosing the encryption algorithm
Then you have to decide which algorithm you will use to encrypt the
/home directory. The algorithm you use have to be supported by your kernel version. To check the available algorithms enter:
[pre]cat /proc/crypto[/pre]If there is no built-in crypto options (algorithms shouldn’t be loaded as modules) configure the kernel before you start the program (crypto options are in the
Cryptographic options tab of the kernel configuration).
Next, you type:
[pre]root@host:~# cryptsetup -c
chosen_algorithm -y luksFormat /dev/hdc6[/pre]If you don’t know what algorithm you want just skip
-c switch. The default algorithm is
AES.
Mapping the drive and creating a filesystem.
The next step is to create the mapping. Type:
[pre]root@host:~# cryptsetup luksOpen /dev/hdc6[/pre]
You will be prompted to enter your password again to verify your identity. If there are no problems, the
/home directory map should appear in
/dev/mapper.
A good idea is to fill the new drive with random data. This may be a lengthy operation, so only do this when you have a modern computer. Here is an example command to perform this action:
[pre]dd if=/dev/urandom of=/dev/mapper/home[/pre]Then you should create a filesystem on your virtual directory’s copy:
[pre]root@host:~# mkfs.ext2 -m 0 /dev/mapper/home[/pre]Here I’ve chosen
ext2, but it can be any filesystem e.g. ext3 or reiserFS.
Now copy your current content of /home directory to the mapped drive:
[pre]root@host:~# cp -a /home /dev/mapper/home[/pre]
You are almost done, already
Creating additional user passwords
LUKS has a very interesting feature. Namely, not only
root can access the encrypted directory, but also the regular users can, which is very helpful when you want to use the encrypted drive as your home partition. To enable a non-root user the access to the directory you have to add some new passwords for those guys. To add those new passwords run
cryptsetup with option
luksAddKey:
[pre]root@host:~# cryptsetup luksAddKey /dev/hdc6Enter any LUKS passphrase:Verify passphrase:key slot 0 unlocked.Enter new passphrase for key slot:Verify passphrase:Command successful.[/pre]You will be prompted for your password which you have set at the beginning and then you enter the new password for the chosen user. Passwords can be the same as the user’s account password of course. This is handy since it doesn’t force users to remember another passphrase, but of course makes the system security a bit weaker because a hacker who knows the user’s password can easily see the content of the encrypted partition.
To list all the added keys/passwords type the following:
[pre]root@host:~# cryptsetup luksDump /dev/hdc6[/pre]To remove a password type:
[pre]root@host:~# cryptsetup luksDelKey
key_no[/pre]
Mounting the encrypted drive
Finally you can mount your partition as a separate drive:
[pre]root@host:~# mount /dev/mapper/home /mnt/home/[/pre]And that’s all. From now on your
/home partition will be encrypted. But what about mounting after reboot? Well… then you will have to map the
/home directory again by typing:
[pre]root@host:~# cryptsetup -y luksOpen /dev/hdc6root@host:~# mount /dev/mapper/home /mnt/home[/pre]If this seems annoying, read on
Automatic mounting of encrypted drives
As you may suspect, manual mounting can become annoying, especially in case you often reboot or turn off the computer. But there is a way to avoid it. To automate mounting you will need these two programs:
[li]PAM — lets to combine a few crypto technologies, what’s why the user isn’t bothered by separate implementation of each key encrypted with different algorithm. [/li][li]pam_mount — this is a special layer for PAM which enables of mounting separate volumes for each user and what is most important — it handles the crypt as well. [/li]
Pam_mount works almost seamlessly because mounting is invisible for the user. Installation of
PAM and its plug-in proceeds as usual:
[pre]./configuremakemake install[/pre]When you have already installed both programs you have to check the content of
/etc/security/pam_mount.conf file. I won’t show whole the file because there is everything perfectly described inside. You have to add the following line at the end of this file:
[pre]volume * crypt - /dev/hdc6/home /mnt/home fstype=ext2,async,nodev,fsck - -[/pre]The general syntax looks like this:
[pre]
volume username filesystem server volume mounting_point mounting_options \encryption_algorithm path_to_key[/pre]Next, you have to edit
/etc/pam.d/pam_mount. Check if there are following lines (if not, add them):
[pre]auth required pam_mount.so use_first_passsession required pam_mount.so use_first_pass[/pre]Eventually, open
/etc/pam.d/login and right after the line:
[pre]@include common-session[/pre]Add this one:
[pre]@include common-pammount[/pre]And here is the (happy) end of the story. The encrypted partition should now be automatically mounted upon login and you should not worry anymore about potential stealth of your data. I strongly advice you to keep and eye on your laptop anyway since the thief may not be aware of the advanced technologies you just installed
Conclusion
Configuring the drive encryption in Linux isn’t as easy as it should be. That’s why if you don’t have to do it, better leave it alone. Be aware that if — during the encryption process — you are cut off the power supply and you have no UPS, the situation won’t be funny. This is because the encryption is being held on the fly. The files are encrypted before being written on HDD, so in such case you may lose the document you currently work on. But the advantages are also huge enough to consider such encryption. When your PC is stolen, the thieves won’t have any access to your encrypted data (in this case, the whole user partition). This is just a HOWTO, the decision is yours
