Gentoo Archives: gentoo-security

From: Florian Philipp <lists@××××××××××××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Encrypting a user home folder on a laptop
Date: Sat, 16 Feb 2008 22:09:48
Message-Id: 1203199745.27641.32.camel@NOTE_GENTOO64.PHHEIMNETZ
In Reply to: Re: [gentoo-security] Encrypting a user home folder on a laptop by Naga Toro
On Sat, 2008-02-16 at 21:34 +0100, Naga Toro wrote:
> On Saturday 16 February 2008 10.04.30 Florian Philipp wrote: > [...] > > By the way, I use pam_mount and cryptsetup-luks to mount my encrypted > > home-partition with my login password on the fly. If you want a short > > howto and my configuration, just ask, I can answer again in 10 hours > > (Sat Feb 16 19:00:00 UTC). > > Please do, atleast I'm curious. > > /BR > Naga
Okay, I think I can skip the creation of a cryptsetup-luks partition (or whatever). It should be clear that you need to use your login password. The next step would be to emerge pam_mount. Then edit /etc/security/pam_mount.conf.xml The relevant part to add is: <volume user="dsl" fstype="crypt" path="/dev/vg/home_dsl" mountpoint="/home/dsl" options="async,noatime,exec" /> <volume user="dsl" fstype="reiserfs" path="/dev/mapper/_dev_mapper_vg-home_dsl" mountpoint="/home/dsl" options="defaults,async,noatime,exec" /> above </pam_mount> As you can see, "dsl" is my user name and /dev/vg/home_dsl my encrypted home volume. In case I've missed something in this file, I've attached it gzip-compressed. Then you need to edit /etc/pam.d/system-auth: #%PAM-1.0 auth required auth optional auth sufficient likeauth nullok use_first_pass auth required use_first_pass account required password required difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password sufficient nullok md5 shadow use_authtok password required session required session required session optional (or something similar) I think the relevant parts are "use_first_pass" and "pam_mount" in "auth" and "session". I don't say that my setup is perfect. It was a huge trial and error phase to get it working. Of course, you need to use pam for it to work but that's the default setting on Gentoo. Please check your USE-flags for pam and your sshd_config for usage of pam. If it doesn't work, try it without XDM/KDM/GDM (I use XDM but all should work). pam should write some debug information. Then search /dev/mapper for something that looks like your home-partition's mapping.


File name MIME type
pam_mount.conf.xml.gz application/x-gzip
signature.asc application/pgp-signature


Subject Author
Re: [gentoo-security] Encrypting a user home folder on a laptop Naga Toro <nagatoro@×××××.com>