List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Florian Philipp <lists@...>
Subject: Re: Encrypting a user home folder on a laptop
Date: Sat, 16 Feb 2008 23:09:05 +0100
On Sat, 2008-02-16 at 21:34 +0100, Naga Toro wrote:
> On Saturday 16 February 2008 10.04.30 Florian Philipp wrote:
> [...]
> > By the way, I use pam_mount and cryptsetup-luks to mount my encrypted
> > home-partition with my login password on the fly. If you want a short
> > howto and my configuration, just ask, I can answer again in 10 hours
> > (Sat Feb 16 19:00:00 UTC).
> 
> Please do, at least I'm curious.
> 
> /BR
> Naga

Okay,

I think I can skip the creation of a cryptsetup-luks partition (or
whatever). It should be clear that you need to use your login password.

The next step would be to emerge pam_mount.

Then edit /etc/security/pam_mount.conf.xml

The relevant part to add is:

        <volume
                user="dsl"
                fstype="crypt"
                path="/dev/vg/home_dsl"
                mountpoint="/home/dsl"
                options="async,noatime,exec"
        />
        <volume
                user="dsl"
                fstype="reiserfs"
                path="/dev/mapper/_dev_mapper_vg-home_dsl"
                mountpoint="/home/dsl"
                options="defaults,async,noatime,exec"
        />

above the closing </pam_mount> tag.

As you can see, "dsl" is my user name and /dev/vg/home_dsl my encrypted
home volume. In case I've missed something in this file, I've attached
it gzip-compressed.

Then you need to edit /etc/pam.d/system-auth:

#%PAM-1.0

auth       required     pam_env.so
auth       optional     pam_mount.so
auth       sufficient   pam_unix.so likeauth nullok use_first_pass
auth       required     pam_deny.so use_first_pass

account    required     pam_unix.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_mount.so

(or something similar)

I think the relevant parts are "use_first_pass" and "pam_mount" in
"auth" and "session".

I don't say that my setup is perfect. It was a huge trial and error
phase to get it working.

Of course, you need to use pam for it to work but that's the default
setting on Gentoo. Please check your USE-flags for pam and your
sshd_config for usage of pam.

If it doesn't work, try it without XDM/KDM/GDM (I use XDM but all should
work). pam should write some debug information. Then search /dev/mapper
for something that looks like your home-partition's mapping.

Attachment: pam_mount.conf.xml.gz (GNU Zip compressed data)
Attachment: signature.asc (digitally signed message part)
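An added check, not part of Florian's post and not code from pam_mount itself: a small shell function that reads a file in the /etc/pam.d/system-auth layout shown above and verifies the points he calls out, namely pam_mount.so in the auth stack before pam_unix.so, use_first_pass on the auth pam_unix.so line, and pam_mount.so in the session stack. The two sample stacks it runs against are constructed here, not taken from any real system.

```sh
#!/bin/sh
# Added example (not code from the original post): sanity-check a PAM stack file
# for the pam_mount arrangement described above. Assumes the file uses the
# /etc/pam.d/system-auth layout shown (type control module [options]).
check_pam_mount_stack() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }                  # comments and blanks
        # first pam_mount.so in the auth stack: must precede pam_unix.so
        $1 == "auth" && $3 == "pam_mount.so" { if (!mount_auth) mount_auth = NR }
        $1 == "auth" && $3 == "pam_unix.so" {
            if (!unix_auth) unix_auth = NR
            # use_first_pass stops pam_unix prompting for the password again
            for (i = 4; i <= NF; i++) if ($i == "use_first_pass") ufp = 1
        }
        # the session entry is where the volume is actually mapped and mounted
        $1 == "session" && $3 == "pam_mount.so" { mount_session = NR }
        END {
            ok = 1
            if (!mount_auth) { print "FAIL: no pam_mount.so in the auth stack"; ok = 0 }
            else if (unix_auth && mount_auth > unix_auth) { print "FAIL: pam_mount.so listed after pam_unix.so in auth"; ok = 0 }
            if (!ufp) { print "FAIL: auth pam_unix.so lacks use_first_pass"; ok = 0 }
            if (!mount_session) { print "FAIL: no pam_mount.so in the session stack"; ok = 0 }
            if (ok) print "OK: pam_mount is wired into auth and session as expected"
            exit (ok ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample stacks (not real system files) to exercise the check.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
#%PAM-1.0
auth       required     pam_env.so
auth       optional     pam_mount.so
auth       sufficient   pam_unix.so likeauth nullok use_first_pass
auth       required     pam_deny.so use_first_pass
session    required     pam_unix.so
session    optional     pam_mount.so
EOF
# Broken variant: pam_mount.so after pam_unix.so, no use_first_pass, no session entry.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       optional     pam_mount.so
session    required     pam_unix.so
EOF
check_pam_mount_stack "$GOOD_CONF"
check_pam_mount_stack "$BAD_CONF" || echo "broken stack rejected"
```

Point it at the real /etc/pam.d/system-auth to confirm the ordering before testing the login; a pam_mount.so that sits after pam_unix.so never sees the password and the home volume silently stays unmounted.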
Replies:
Re: Encrypting a user home folder on a laptop
-- Naga Toro
References:
Encrypting a user home folder on a laptop
-- Randy Barlow
Re: Encrypting a user home folder on a laptop
-- Florian Philipp
Re: Encrypting a user home folder on a laptop
-- Naga Toro