I wrote a howto about encrypting your home and swap partition a while ago. One thing was missing in the last howto the login process with pam mount. Please be careful following this howto if you do anything wrong you may erase all of you data. You have been warned!
First install a few packages:
aptitude install cryptsetup libpam-mount
We will start of with the swap partition which is easy. First deactivate your swap partition you may need to remove it from /etc/fstab and reboot if it is in use.:
swapoff /dev/sda7
Then fill your swap with random data from /dev/urandom
dd if=/dev/urandom of=/dev/sda7 bs=1M
Configure encrypted swap in /etc/crypttab and /etc/fstab
cat /etc/crypttab
cryptoswap /dev/sda7 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap
cat /etc/fstab
/dev/mapper/cryptoswap none swap sw 0 0
Okay thats it reboot to test. If you call top from a shell you should see a normal swap partition. Then try and run the follow command you should see something like this:
cryptsetup status cryptoswap
/dev/mapper/cryptoswap is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda7
offset: 0 sectors
size: 8401932 sectors
mode: read/write
Ok your swap partition is done lets move on to /home make sure you have an empty partition for this all data on the partition will be deleted. You’ve been warned
Fill your new home partition with random data.
dd if=/dev/urandom of=/dev/sda8
Initialize the partition and set initial key. Please make sure to use the same password to login and for the encrypted partition. Otherwise you will not be able to unlock your home partition when you login.
cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda8
Create a device mapping
cryptsetup luksOpen /dev/sda8 cryptohome
Now you can create a file system on cryptohome
mkfs.ext4 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/cryptohome
Okay give your new home a test by closing it reopening it and finally the first mount
cryptsetup luksClose cryptohome
cryptsetup luksOpen /dev/sda8 cryptohome
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
mkdir -p /mnt/cryptohome
mount /dev/mapper/cryptohome /mnt/cryptohome
touch /mnt/cryptohome/linux
ls /mnt/cryptohome/
lost+found linux
We can also confirm that it works by issuing the command
cryptsetup status cryptohome
/dev/mapper/cryptohome is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda8
offset: 2056 sectors
size: 20978771 sectors
mode: read/write
Now would be a good time to move your current home data to this partition. And umount the partition:
umount /mnt/cryptohome
cryptsetup luksClose cryptohome
Automatically mount when logging in first edit pam_mount.conf.xml:
vi /etc/security/pam_mount.conf.xml
and add the following:
<volume user="User" fstype="crypt" path="/dev/disk/by-uuid/6d53f51f-7c25-4b3d-aa15-f3594f4f49e1" mountpoint="/home" options="fsck,relatime" />
Make sure to replace User with your user name. And you will also need to change the disk path. You can either add a path like /dev/sda6 or you can add a uuid the ubuntu way.
To find your uuid you use the following command:
blkid /dev/sda8
/dev/sda8: UUID="6d53f51f-7c25-4b3d-aa15-f3594f4f49e1" TYPE="crypto_LUKS"
After you have done that make sure to comment out the entry for your /home partition in /etc/fstab. Pam mount will deal with mounting your /home partition now.
vi /etc/fstab
# /home is on /dev/sda8
#UUID=6d53f51f-7c25-4b3d-aa15-f3594f4f49e1 /home ext4 defaults 0 2
Thats it you should be safe to reboot now. The login process will take slightly longer than before because your home partition gets mounted in the background. The only downside i see with this setup is you can’t use it in a multi-user environment. I am the only user on my laptop so that doesn’t really matter to me.
Okay, I went ahead and tried just the cryptswap part. It worked. Didn’t need to install any packages. In /etc/fstab I named the thing “/dev/mapper/cryptswap1” (not just “cryptswap” on the end), because that’s how I saw it in a setup that the Ubuntu installation routine had created.
Much obliged. I don’t quite grok the multiuser comments. I can switch to a second user, etc.
I have a couple of questions. Three, actually. Or five. First, how did you choose 256 as the size for the blocks? What is “aes-cbc-essiv” as a cipher? Why is your partition apparently so gargantuan (“riesig”) per your example output above? My 8-GB swap partition shows a much, much smaller result in the output from “status cryptoswap”: 16002 sectors.
I can’t remember the fourth question. But the 5th is most important of all: what happens if I reorder my hard drive and what is now /dev/sda7[1] changes, but I don’t think about that and reboot? Will my data be toast? I ask because I have all other partitions ID’d by UUID, but I can’t do that with this swap partition (it seems to change at every reboot).
[1] Mine really is also /dev/sda7, by coincidence.
Oh, now I remember the fourth question. 🙂 In GParted the encrypted swap partition shows up with an ugly big red exclamation mark, because GParted apparently doesn’t know what it is. And /dev/sda7 is missing from the output of blkid now, replaced with /dev/mapper/cryptoswap at the end. Well, okay, but that all seems kind of irritating to me.
Thanks again for the cool tips.
Hi,
sehr interessant für mich, dein swap-Eintrag.
I’ll switch to English now. I’m American but live in Wiesbaden.
I built a new Maverick yesterday, 64-bit, but did not create a swap file with the installation. Later I added one manually. But in the installation I chose to encrypt $HOME. So now I have an encrypted $HOME but an unprotected swap. If I just do the first part of your tutorial, will it work to get me to an encrypted swap as well? Do I still need to install the packages you mention, or are they likely already there since I have $HOME encrypted?
Best regards und ein frohes Neues Jahr[,]
Dallman
All the packages should be there if you already have an encrypted swap. You may still need libpam_mount if you want to mount the partition on system boot. If you suspend or hibernate your laptop someone could retrieve data from your swap partition if it is not encrypted. So if you just work through the swap bit of the tutorial it should be ok.
hey, i tested it, and removing the “user” parameter in the volume line of the pam_mount.conf.xml file does allow multiuser login.
BUT:
1- the password for the mount must be the same as for the user session
2- you can use different passwords for the volume, up to 8 with
cryptsetup luksAddKey /dev/sdXY
see here for more info: http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS
you can also limit groups or a range of uid’s for the mount, see: man pam_mount.conf
i tested it with 2 users, both with the same password and using only 1 password for the volume. but it should to work… i only have 1 user, so no need for this; but you could update your tutorial.
reggards,
hackan
well, for some strange reason, the address for the mentioned site disapeared o.O
here it goes: http://ubuntuforums.org/showthread.php?t=483622
Hey dude, great tutorial 😀
look, you said “The only downside i see with this setup is you can’t use it in a multi-user environment.”, but in this site i found that in the pam_mount.conf.xml line they didn’t specify a user, so it might be possible, that way, to use it in a multiuser env:
tell me what you think
reggards,
HacKan