Encrypted home partition for Ubuntu 9.04

Following the directions on Lars’ blog, I set up an encrypted home directory on Ubuntu 9.04 using LUKS.

The following commands were all executed with root permissions. Add “sudo” to the front of the commands if you are not running with root permissions.

apt-get install cryptsetup libpam-mount
cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda7

The partition I used was /dev/sda7, replace that with the partition you created. It will ask you for a password, I suggest using the same password as your login.
Then, to map the encrypted partition to /dev/mapper/cryptohome, do this:

cryptsetup luksOpen /dev/sda7 cryptohome

Then create a (ext3) filesystem. You may substitute a file-system of your choice here, but ext3 is the most widely used, and therefore, tested.

mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/cryptohome
(-m 1 and sparse_super save space, and should be safe as this is not a root filesystem. Note that the O for options is capitalised, and you may NOT have spaces after the commas that separate the options.)

To test that everything is working, unmount it, try to mount it again and make sure you can write a file to the partition and unmount/close it!

cryptsetup luksClose cryptohome
cryptsetup luksOpen /dev/sda7 cryptohome
mkdir -p /mnt/test
sudo mount /dev/mapper/cryptohome /mnt/test
touch /mnt/test/testfile
ls /mnt/test
umount /mnt/test
cryptsetup luksClose cryptohome

To make it mount automatically when you log in:
Make sure you do not have a partition listed for your home directory in /etc/fstab.

Add a line in /etc/crypttab:
cryptohome /dev/sda7 noauto luks

And configure pam_mount in /etc/security/pam_mount.conf.xml to auto-load your encrypted home directory on login:
<volume user="summetj" fstype="crypt" path="/dev/sda7" mountpoint="/home/summetj" />

Note that initially the users home directory will be owned by root, and you will have to chown -R on the home directory to make things stop complaining. Doublecheck that the “testfile” you created earlier is in the users home directory.

If you get an error message that says: pam_mount(pam_mount.c:100): unknown pam_mount option “use_first_pass” you can get rid of it by editing the /etc/pam.d/common-pammount and /etc/pam.d/common-auth files and removing the “use_first_pass” option from both of them.

Leave a Reply

Your email address will not be published. Required fields are marked *