Encrypted home and swap partition on Ubuntu 10.10 Maverick with auto logon

I wrote a howto about encrypting your home and swap partition a while ago. One thing was missing in the last howto the login process with pam mount. Please be careful following this howto if you do anything wrong you may erase all of you data. You have been warned!

First install a few packages:

aptitude install cryptsetup libpam-mount

We will start of with the swap partition which is easy. First deactivate your swap partition you may need to remove it from /etc/fstab and reboot if it is in use.:

swapoff /dev/sda7

Then fill your swap with random data from /dev/urandom

dd if=/dev/urandom of=/dev/sda7 bs=1M

Configure encrypted swap in /etc/crypttab and /etc/fstab

cat /etc/crypttab

cryptoswap /dev/sda7 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap

cat /etc/fstab

/dev/mapper/cryptoswap none swap sw 0 0

Okay thats it reboot to test. If you call top from a shell you should see a normal swap partition. Then try and run the follow command you should see something like this:

cryptsetup status cryptoswap
/dev/mapper/cryptoswap is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda7
offset: 0 sectors
size: 8401932 sectors
mode: read/write

Ok your swap partition is done lets move on to /home make sure you have an empty partition for this all data on the partition will be deleted. You’ve been warned

Fill your new home partition with random data.

dd if=/dev/urandom of=/dev/sda8

Initialize the partition and set initial key. Please make sure to use the same password to login and for the encrypted partition. Otherwise you will not be able to unlock your home partition when you login.

cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda8

Create a device mapping

cryptsetup luksOpen /dev/sda8 cryptohome

Now you can create a file system on cryptohome

mkfs.ext4 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/cryptohome

Okay give your new home a test by closing it reopening it and finally the first mount

cryptsetup luksClose cryptohome
cryptsetup luksOpen /dev/sda8 cryptohome
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

mkdir -p /mnt/cryptohome
mount /dev/mapper/cryptohome /mnt/cryptohome
touch /mnt/cryptohome/linux
ls /mnt/cryptohome/
lost+found linux

We can also confirm that it works by issuing the command

cryptsetup status cryptohome
/dev/mapper/cryptohome is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda8
offset: 2056 sectors
size: 20978771 sectors
mode: read/write

Now would be a good time to move your current home data to this partition. And umount the partition:

umount /mnt/cryptohome
cryptsetup luksClose cryptohome

Automatically mount when logging in first edit pam_mount.conf.xml:

vi /etc/security/pam_mount.conf.xml

and add the following:

<volume user="User" fstype="crypt" path="/dev/disk/by-uuid/6d53f51f-7c25-4b3d-aa15-f3594f4f49e1" mountpoint="/home" options="fsck,relatime" />

Make sure to replace User with your user name. And you will also need to change the disk path. You can either add a path like /dev/sda6 or you can add a uuid the ubuntu way.

To find your uuid you use the following command:

blkid /dev/sda8

/dev/sda8: UUID="6d53f51f-7c25-4b3d-aa15-f3594f4f49e1" TYPE="crypto_LUKS"

After you have done that make sure to comment out the entry for your /home partition in /etc/fstab. Pam mount will deal with mounting your /home partition now.

vi /etc/fstab

# /home is on /dev/sda8
#UUID=6d53f51f-7c25-4b3d-aa15-f3594f4f49e1 /home ext4 defaults 0 2

Thats it you should be safe to reboot now. The login process will take slightly longer than before because your home partition gets mounted in the background. The only downside i see with this setup is you can’t use it in a multi-user environment. I am the only user on my laptop so that doesn’t really matter to me.

6 thoughts on “Encrypted home and swap partition on Ubuntu 10.10 Maverick with auto logon

  1. Dallman Ross

    Okay, I went ahead and tried just the cryptswap part. It worked. Didn’t need to install any packages. In /etc/fstab I named the thing “/dev/mapper/cryptswap1” (not just “cryptswap” on the end), because that’s how I saw it in a setup that the Ubuntu installation routine had created.

    Much obliged. I don’t quite grok the multiuser comments. I can switch to a second user, etc.

    I have a couple of questions. Three, actually. Or five. First, how did you choose 256 as the size for the blocks? What is “aes-cbc-essiv” as a cipher? Why is your partition apparently so gargantuan (“riesig”) per your example output above? My 8-GB swap partition shows a much, much smaller result in the output from “status cryptoswap”: 16002 sectors.

    I can’t remember the fourth question. But the 5th is most important of all: what happens if I reorder my hard drive and what is now /dev/sda7[1] changes, but I don’t think about that and reboot? Will my data be toast? I ask because I have all other partitions ID’d by UUID, but I can’t do that with this swap partition (it seems to change at every reboot).

    [1] Mine really is also /dev/sda7, by coincidence.

    Oh, now I remember the fourth question. 🙂 In GParted the encrypted swap partition shows up with an ugly big red exclamation mark, because GParted apparently doesn’t know what it is. And /dev/sda7 is missing from the output of blkid now, replaced with /dev/mapper/cryptoswap at the end. Well, okay, but that all seems kind of irritating to me.

    Thanks again for the cool tips.

    Reply
  2. Dallman Ross

    Hi,

    sehr interessant für mich, dein swap-Eintrag.

    I’ll switch to English now. I’m American but live in Wiesbaden.

    I built a new Maverick yesterday, 64-bit, but did not create a swap file with the installation. Later I added one manually. But in the installation I chose to encrypt $HOME. So now I have an encrypted $HOME but an unprotected swap. If I just do the first part of your tutorial, will it work to get me to an encrypted swap as well? Do I still need to install the packages you mention, or are they likely already there since I have $HOME encrypted?

    Best regards und ein frohes Neues Jahr[,]
    Dallman

    Reply
    1. Simon

      All the packages should be there if you already have an encrypted swap. You may still need libpam_mount if you want to mount the partition on system boot. If you suspend or hibernate your laptop someone could retrieve data from your swap partition if it is not encrypted. So if you just work through the swap bit of the tutorial it should be ok.

      Reply
  3. HacKan

    hey, i tested it, and removing the “user” parameter in the volume line of the pam_mount.conf.xml file does allow multiuser login.
    BUT:
    1- the password for the mount must be the same as for the user session
    2- you can use different passwords for the volume, up to 8 with
    cryptsetup luksAddKey /dev/sdXY
    see here for more info: http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS

    you can also limit groups or a range of uid’s for the mount, see: man pam_mount.conf

    i tested it with 2 users, both with the same password and using only 1 password for the volume. but it should to work… i only have 1 user, so no need for this; but you could update your tutorial.

    reggards,
    hackan

    Reply
  4. HacKan

    Hey dude, great tutorial 😀
    look, you said “The only downside i see with this setup is you can’t use it in a multi-user environment.”, but in this site i found that in the pam_mount.conf.xml line they didn’t specify a user, so it might be possible, that way, to use it in a multiuser env:

    tell me what you think

    reggards,
    HacKan

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *