Encrypting /home directory and decrypting on login with pam_mount

Instead of encrypting your entire drive and operating system you can encrypt just the data that matters, /home/

Full disk encryption (FDE) vs. data only /home/ + swap
– FDE cannot survive a remote reboot because it asks for the password before the system is fully running.
– FDE is more secure in the sense that it encrypts any possible user data. Temporary or cached files in /tmp/ or /var/ and swap will be automatically encrypted. Meta data or sensitive file names can be leaked with programs like mlocate or databases stored under /var/.
– Data-only encrypting with pam_mount is seamless, allowing someone to use a single password to simultaneously login and decrypt their data. (Psssst, its two passwords. One for login and one for decrypting. If they match, two birds one stone).

This is a vast subject and I have barely touched on it. Check out some other resources that can help formulate a proper solution for your needs.
Lastly, if you just want simple file/directory encryption (as opposed to file system encryption as laid out here) you might like EncFS.
At the end of the day we all have no excuse for not using encryption so just go ahead and implement something reasonable. And don’t use non-free encryption!

1. Backup /home to external drive
2. Install cryptsetup, libpam-mount
3. Format home partition
4. Open encrypted partition, make a filesystem inside and copy data back
5. Edit /etc/security/pam_mount.conf.xml
6. Remove “/home” from /etc/fstab
7. Change your password to match the crypt password
8. Alternately, encrypt swap

rsync -av /home /backup

apt-get install cryptsetup libpam-mount

umount /home/
cryptsetup luksFormat /dev/sdaX

cryptsetup luksOpen /dev/sdaX home
mkfs.xfs -L home /dev/mapper/home
mount /dev/mapper/home /home/

rsync -av /backup/home/ /home

Backup the default config
cp /etc/security/pam_mount.conf.xml /root/
add the following after “Volume definitions”.
vi /etc/security/pam_mount.conf.xml

<!-- Volume definitions -->
<volume user="jason" fstype="crypt" path="/dev/disk/by-uuid/2a350c84-f047-4d17-a715-ddca5d9c0561" mountpoint="/home" options="noatime,exec,fsck,nodev,nosuid"/>

Use blkid to determine the correct uuid for your path=

Remove /home from /etc/fstab. Comment it out with a little note that pam_mount is handling it.

Change your password to match the crypt password used in step 3.

Alternately, to be more secure you can encrypt swap.
Add the following to /etc/crypttab

sda3_crypt /dev/disk/by-id/ata-ST1000LM014-1EJ164_W7734HLY-part3 /dev/urandom cipher=aes-xts-plain64,size=256,swap

I use a clever program called cryptdisks_[start/stop] to start and stop these crypts. You need to stop your existing, unencrypted swap with swapoff -a
Now start the crypt
cryptdisks_start sda3_crypt
This creates /dev/mapper/sda3_crypt
Now replace your existing /etc/fstab swap line with something like the following:

/dev/mapper/sda3_crypt    none    swap    sw    0    0

swapon -a
this turns on the swap, now its encrypted!

swapon -s

Filename				Type		Size	Used	Priority
/dev/dm-0                              	partition	9769980	0	-1



Leave a Reply

Your email address will not be published. Required fields are marked *