Gentoo Archives: gentoo-security

From: Florian Philipp <lists@××××××××××××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Encrypting a user home folder on a laptop
Date: Sat, 16 Feb 2008 22:09:48
Message-Id: 1203199745.27641.32.camel@NOTE_GENTOO64.PHHEIMNETZ
In Reply to: Re: [gentoo-security] Encrypting a user home folder on a laptop by Naga Toro
On Sat, 2008-02-16 at 21:34 +0100, Naga Toro wrote:
> On Saturday 16 February 2008 10.04.30 Florian Philipp wrote: > [...] > > By the way, I use pam_mount and cryptsetup-luks to mount my encrypted > > home-partition with my login password on the fly. If you want a short > > howto and my configuration, just ask, I can answer again in 10 hours > > (Sat Feb 16 19:00:00 UTC). > > Please do, atleast I'm curious. > > /BR > Naga
Okay, I think I can skip the creation of a cryptsetup-luks partition (or whatever). It should be clear that you need to use your login password. The next step would be to emerge pam_mount. Then edit /etc/security/pam_mount.conf.xml The relevant part to add is: <volume user="dsl" fstype="crypt" path="/dev/vg/home_dsl" mountpoint="/home/dsl" options="async,noatime,exec" /> <volume user="dsl" fstype="reiserfs" path="/dev/mapper/_dev_mapper_vg-home_dsl" mountpoint="/home/dsl" options="defaults,async,noatime,exec" /> above </pam_mount> As you can see, "dsl" is my user name and /dev/vg/home_dsl my encrypted home volume. In case I've missed something in this file, I've attached it gzip-compressed. Then you need to edit /etc/pam.d/system-auth: #%PAM-1.0 auth required pam_env.so auth optional pam_mount.so auth sufficient pam_unix.so likeauth nullok use_first_pass auth required pam_deny.so use_first_pass account required pam_unix.so password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password sufficient pam_unix.so nullok md5 shadow use_authtok password required pam_deny.so session required pam_limits.so session required pam_unix.so session optional pam_mount.so (or something similar) I think the relevant parts are "use_first_pass" and "pam_mount" in "auth" and "session". I don't say that my setup is perfect. It was a huge trial and error phase to get it working. Of course, you need to use pam for it to work but that's the default setting on Gentoo. Please check your USE-flags for pam and your sshd_config for usage of pam. If it doesn't work, try it without XDM/KDM/GDM (I use XDM but all should work). pam should write some debug information. Then search /dev/mapper for something that looks like your home-partition's mapping.

Attachments

File name MIME type
pam_mount.conf.xml.gz application/x-gzip
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-security] Encrypting a user home folder on a laptop Naga Toro <nagatoro@×××××.com>