Howto encrypt in Ubuntu the Home Directory and Swap

There are 2 ways to encrypt the Home Directory and Swap.

Option 1 linux native encryption

Prerequisites

Install required packages:
# sudo apt-get install cryptsetup libpam-mount

$ ls -l /dev/mapper/
total 0
crw-rw—- 1 root root 10, 61 2009-05-19 15:39 control

..with support for crypto:

# sudo dmsetup targets | grep crypt
crypt v1.6.0

The device-mapper should be active (if not, reboot):

Good. Now we’re ready.
Find out the partitions of your disk
# sudo fdisk -l

Disk /dev/sda: 8069 MB, 8069677056 bytes
255 heads, 63 sectors/track, 981 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0000cbe0

Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1         632     5076508+  83  Linux
/dev/sda2             633         981     2803342+   5  Extended
/dev/sda5             633         717      682731   82  Linux swap / Solaris
/dev/sda6             718         981     2120548+  83  Linux


Part I: Setting up encrypted swap
Step 1: Disable your current swap partition.
# swapoff /dev/sda5

Step 2: Fill your swap with random data.
# dd if=/dev/urandom of=/dev/sda5 bs=1M
1954+0 records in
1953+0 records out
2048094208 bytes (2.0 GB) copied, 529.177 s, 3.9 MB/s

As you see, this might take some time depending on your swap size. So go grab a coffe.

Step 3: Configure encrypted swap.
Add this to your /etc/crypttab
# vi /etc/cryptab
cryptoswap /dev/sda5 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap

Why /dev/urandom and not /dev/random? The latter blocks until it got enough entropy to continue, urandom don’t. So if you use random instead urandom you might have to wait during boot until enough entropy is collected. (It does help to type your keyboard and move the mouse.) Use /dev/random if you’re really paranoid.

Next, change your swap entry in /etc/fstab to this:
# vi /etc/fstab
/dev/mapper/cryptoswap /tmp swap sw 0 0

For every time we boot, swap will be encrypted with a different encryption key.

Step 4: Test it.
Reboot to test.

We now have an encrypted swap:
# cat /proc/swaps
Filename Type Size Used Priority
/dev/mapper/cryptoswap partition 2000084 0 -1

# cryptsetup status cryptoswap
/dev/mapper/cryptoswap is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda5
offset: 0 sectors
size: 4000185 sectors
mode: read/write

Good. Now we’re safe right?


Part II: Creating and setting up an encrypted home partition

Step 1: Fill your soon-to-be home partition with random data.
# dd if=/dev/urandom of=/dev/sda6
20481+0 records in
20480+0 records out
21474836480 bytes (21 GB) copied, 5554.23 s, 3.9 MB/s
This will take even longer than the swap partition. So go for lunch or something.

Step 2: Initialize the partition and set initial key.
Remember, if you use a weak password, your screwed. If you forget the password, its game over.
# cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda6

WARNING!
========
This will overwrite data on /dev/sda6 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

We use cipher “aes-cbc-essi”, since the default is vulnerable to Watermarking attack.

Step 3: Create a device mapping.
# cryptsetup luksOpen /dev/sda6 cryptohome
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
This will create a device mapping, as can bee see under:
$ ls -l /dev/mapper/
total 0
crw-rw—- 1 root root 10, 61 2009-05-19 15:39 control
brw-rw—- 1 root disk 252, 4 2009-05-19 15:52 cryptohome
brw-rw—- 1 root disk 252, 1 2009-05-19 15:39 cryptoswap


Or, you can use the command dmsetup ls to list the mapped devices:
$ dmsetup ls
cryptoswap (252, 0)
cryptohome (252, 1)

Step 4: Create a filesystem.

We now have an encrypted partition. To use it, we need to create a filesystem on it:
# mkfs.ext4 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/cryptohome
mke2fs 1.41.4 (27-Jan-2009)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
132736 inodes, 529880 blocks
5298 blocks (1.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=545259520
17 block groups
32768 blocks per group, 32768 fragments per group
7808 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912

Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Step 6: Testing!
We start by closing and reopen the encrypted partition before we mount it:
# cryptsetup luksClose cryptohome
# cryptsetup luksOpen /dev/sda6 cryptohome
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
# mkdir -p /mnt/cryptohome
# mount /dev/mapper/cryptohome /mnt/cryptohome
# touch /mnt/cryptohome/testfile
# ls /mnt/cryptohome/
lost+found testfile
We can also confirm that it works by issuing the command:
# cryptsetup status cryptohome
/dev/mapper/cryptohome is active:
cipher:  aes-cbc-essiv:sha256
keysize: 256 bits
device:  /dev/sda6
offset:  2056 sectors
size:    4239041 sectors
mode:    read/write

Now would be a good time to move your current home to this partition.
Finally we umount:
# umount /mnt/cryptohome
# cryptsetup luksClose cryptohome

Step 7: Cryptohome mounted at boot

We want to enable mounting at boot time! Then update /etc/crypttab:
# vi /etc/crypttab
cryptohome /dev/sda6 none luks
And /etc/fstab:
# vi /etc/fstab
/dev/mapper/cryptohome /home/ ext4 relatime,errors=remount-ro 0 2

When you now reboot, the boot process is interrupted asking you for the LUKS password. If you type it correctly, the home partition is mounted. When you now log in, you will have an encrypted home partition ready waiting for you.

Now mount the Home Dir and move over the data

We start by closing and reopen the encrypted partition before we mount it:

# cryptsetup luksOpen /dev/sda6 cryptohome
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
# mount /dev/mapper/cryptohome /mnt/cryptohome

Now its mounted and you can move over the data with Krusader

first
# mkdir /mnt/cryptohome/andreas
# chown andreas:andreas /mnt/cryptohome/andreas

After the move immediadently reboot and after the boot the new hone should be mounted and started.


Congratulation, you now have an encrypted swap and home partition!
A final advice: Take regular backups.

Option 2: Truecrypt

I found the easiest way is using truecrypt. www.truecrypt.org
Prerequisit is that the Home directory is configured as a separate partition.  (ex. /dev/sda6)

  1. Install truecrypt from the Truecrypt website following the instructions there.

  2. If you never worked before with tryecrypt please read the Docs http://www.truecrypt.org/docs/ about truecrypt and howto encrypt a partition.In my case if I check with

    # sudo fidsk -l                         I’ll get the following output of my layout.

    Disk /dev/sda: 8069 MB, 8069677056 bytes
    255 heads, 63 sectors/track, 981 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes
    Disk identifier: 0x0000cbe0
    Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *           1         632     5076508+  83  Linux
    /dev/sda2             633         981     2803342+   5  Extended
    /dev/sda5             633         717      682731   82  Linux swap / Solaris
    /dev/sda6             718         981     2120548+  83  Linux

    so my /home partition is /dev/sda6 and swap is /dev/sda5

  3. I have encrypted my /dev/sda6 and Truecrypt created a /dev/mapper/truecrypt1 device

  4. now I need to add this volume to be started at boot with the gui.

    # sudo gedit /etc/gdm/Init/Default     is the best place for this.

    here I added the following lines in line 2 after #!/bin sh

    mv /home /home2
    #this is to move the home data so it wont disappear and wast space on root. This needs to be removed before the next boot
    truecrypt /dev/sda6 /home
    (or any other mountpoint if you like to test it first. But you need to move the data before you can reboot the system)

    From now on at the boot you will be asked for your encryption password before it mounts the volume.

  5. I suggest before the reboot we now copy your original /home data
    for temporary mount the partition we use:
    # sudo mount /dev/mapper/truecrypt1 /mnt
    # cp /home /mnt
    check the data

    # ls -al /mnt
  6. Now we can reboot the system. After the reboot the system will move the /home to /home2 to be available and ask you before the login for your encryption password.
  7. Now we need to remove the entry for the move and the /home2 if you want to get rid of it.

    # sudo gedit /etc/gdm/Init/Default
    remove:

    mv /home /home2
    #this is to move the home data so it wont disappear and wast space on root. This needs to be removed before the next boot

    save and exit and

    rm -r /home2 if you want to delete the home2

    Thats the encrypted home with truecrypt.


Comments are closed.
%d bloggers like this: