EncryptedHomeFolder

Differences between revisions 2 and 3
Revision 2 as of 2008-04-17 06:32:43
Size: 8160
Editor: 24-117-141-119
Comment: Formatting could still use work.
Revision 3 as of 2008-04-17 16:24:21
Size: 8903
Editor: 24-117-141-119
Comment:
Line 9: Line 9:
 sudo aptitude install libpam-encfs fuse  $ sudo aptitude install libpam-encfs fuse
Line 13: Line 13:
  sudo modprobe fuse
  sudo gedit /etc/modules
 $ sudo modprobe fuse
     $ sudo gedit /etc/modules
Line 23: Line 24:
  sudo gedit /etc/pam.d/common-auth   $ sudo gedit /etc/pam.d/common-auth
Line 30: Line 31:
/ect/security/pam_encfs.conf is the configuration file for the pam_encfs.so we just added to common-auth. Change "allow_other" to "allow_root,nonempty".
 sudo gedit /etc/security/pam_encfs.conf
/ect/security/pam_encfs.conf is the configuration file for the pam_encfs.so we just added to common-auth. Change "nonempty".
  $ sudo gedit /etc/security/pam_encfs.conf
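Review bot: the reworded sentence 'Change "nonempty".' on the new side has lost its object; the old side said what is being replaced, so it should read 'Change "allow_other" to "nonempty"'. Both sides also spell the path /ect/security/pam_encfs.conf; it is /etc/security/pam_encfs.conf, as the gedit command on the following line shows.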
Line 33: Line 34:
 - /home/.enc - -v allow_root,nonempty  - /home/.enc - -v nonempty
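Review bot: dropping allow_root from the mount line only keeps root's access because the fusedefault value (allow_root,nonempty, per the Bug Workaround hunk below) is concatenated with it; worth a sentence here, since the Security Notes still state that root can reach the mount point.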
Line 36: Line 37:
 sudo mkdir /home/.enc  $ sudo mkdir /home/.enc
Line 42: Line 43:
 sudo mv /home/testuser /home/testuser.bak
 sudo mkdir /home/.enc/testuser
 sudo chown testuser:testuser /home/testuser /home/.enc/testuser
 $ sudo mv /home/testuser /home/testuser.bak

 $
sudo mkdir /home/.enc/testuser

 $
sudo chown testuser:testuser /home/testuser /home/.enc/testuser
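Review bot: the chown on the last line targets /home/testuser, which the first line has just renamed to /home/testuser.bak, so it fails with "No such file or directory". Add `$ sudo mkdir /home/testuser` before the chown so the mount point exists and is owned by the user before pam_encfs tries to mount on it.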
Line 47: Line 50:
 sudo useradd testuser fuse  $ sudo useradd testuser fuse
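Review bot: `sudo useradd testuser fuse` does not add an existing user to a group; useradd creates accounts, and it will fail here because testuser already exists. On Debian/Ubuntu the command is `$ sudo adduser testuser fuse` (or `sudo usermod -a -G fuse testuser`).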
Line 50: Line 53:
 su testuser  $ su testuser
Line 55: Line 58:
 encfs /home/.enc/testuser /home/testuser  $ encfs /home/.enc/testuser /home/testuser
Line 58: Line 61:
 passwd  $ passwd
Line 64: Line 67:
 cp -a /home/testuser.bak /home/testuser
 mv /home/testuser/testuser.bak/* /home/testuser
 mv /home/testuser/testuser.bak/.[a-zA-Z0-9]* /home/testuser
 rmdir /home/testuser/testuser.bak
 $ cp -a /home/testuser.bak /home/testuser

 $
mv /home/testuser/testuser.bak/* /home/testuser

 $
mv /home/testuser/testuser.bak/.[a-zA-Z0-9]* /home/testuser

 $
rmdir /home/testuser/testuser.bak
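Review bot: the glob `.[a-zA-Z0-9]*` on the third command leaves behind dot entries whose second character is not alphanumeric (for example `._cache` or `.-rc`), so the `rmdir` on the last line then fails with "Directory not empty". The pair `.[!.]*` and `..?*` matches every dot entry except `.` and `..` themselves.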
Line 88: Line 94:
cd /home
fusermount -u testuser
$ cd /home
$ fusermount -u testuser
Line 91: Line 97:
encfsctl passwd ~/encrypt $ encfsctl passwd ~/encrypt
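Review bot: `encfsctl passwd ~/encrypt` points at a path the tutorial never creates; the encrypted store set up above is /home/.enc/testuser, and `~` is unusable at this point anyway because the previous hunk has just run `fusermount -u testuser`. Suggest `$ encfsctl passwd /home/.enc/testuser`.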
Line 109: Line 115:
==== Bug Workaround ====
In the /etc/security/pam_encfs.conf file there is a variable "fusedefault" which sets the default fuse options. This is set to allow_root,nonempty by default. However, in the example config they set allow_other as a fuse option. One would expect this to override the default option. pam_encfs, however, simply joins the two together. This causes problems since allow_root and allow_other can't be used together. Either remove allow_root from your default and add it or allow_other (or neither) to each mount you want pam to make, or set something innocuous like nonempty as we did in the tutorial above. (Note: You need SOMETHING set as a fuse option or pam_encfs refuses to even attempt to mount.
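Review bot: the parenthesis opened at "(Note: You need SOMETHING set" is never closed, and "add it or allow_other" leaves "it" without a referent (presumably allow_root). Suggest "Either remove allow_root from your default and add allow_root or allow_other (or neither) to each mount you want pam to make ... refuses to even attempt to mount.)".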

Encrypted Home Folder

This HowTo shows how to use encfs and the pam_encfs.so PAM module to automatically mount/unmount an encrypted volume for each user on login. This differs from dmcrypt/luks setups in two major ways:

  1. A separate partition is not needed. The encrypted store shrinks and grows on the fly.
  2. It's possible for attackers to see the number and size of your encrypted files, though they won't know their names or contents.

This trade-off makes it easy for users with encrypted home folders to coexist with users with unencrypted home folders, though it might be somewhat less secure. In this howto, the username is "testuser". You will need to replace this with your own username.

Install the necessary programs. You will need the universe repository enabled.
  • $ sudo aptitude install libpam-encfs fuse

Configure System Wide Settings

Load fuse and add "fuse" to /etc/modules so it loads on startup:

  • $ sudo modprobe fuse
  • $ sudo gedit /etc/modules

Set up the PAM mounting. Insert the line

  • auth sufficient pam_encfs.so

Somewhere before:

  • auth requisite pam_unix.so

and append "use_first_pass" to each auth line that follows pam_encfs.so.

  • $ sudo gedit /etc/pam.d/common-auth

Here's my common-auth as an example:

  • auth sufficient pam_encfs.so
  • auth requisite pam_unix.so nullok_secure use_first_pass
  • auth optional pam_smbpass.so migrate use_first_pass
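As an added example (not from the original HowTo), here is a small shell lint for a common-auth file that checks the two properties this section sets up: pam_encfs.so listed before pam_unix.so, and use_first_pass present on every auth line after it. The two sample files it writes are constructed here; the first mirrors the common-auth shown above, the second contains the two mistakes the check is meant to catch.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: lint a PAM common-auth file for
# the layout the tutorial relies on. Reads the file given as $1, prints each
# problem found, and returns 0 when the layout matches or 1 otherwise.
check_common_auth() {
    file="$1"
    seen_encfs=0     # becomes 1 once the pam_encfs.so line has been read
    seen_unix=0      # becomes 1 once the pam_unix.so line has been read
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        set -- $line                      # fields: type control module [args...]
        [ "$1" = "auth" ] || continue     # only the auth stack matters here
        module="$3"
        case "$module" in
            pam_encfs.so)
                if [ "$seen_unix" -eq 1 ]; then
                    echo "pam_encfs.so must come before pam_unix.so"
                    status=1
                fi
                seen_encfs=1
                ;;
            pam_unix.so)
                seen_unix=1
                ;;
        esac
        # every auth line after pam_encfs.so must reuse the password already
        # entered, otherwise users without an encrypted home are prompted twice
        if [ "$seen_encfs" -eq 1 ] && [ "$module" != "pam_encfs.so" ]; then
            has_first=0
            for arg in "$@"; do
                if [ "$arg" = "use_first_pass" ]; then has_first=1; fi
            done
            if [ "$has_first" -eq 0 ]; then
                echo "missing use_first_pass: $line"
                status=1
            fi
        fi
    done < "$file"
    if [ "$seen_encfs" -eq 0 ]; then
        echo "pam_encfs.so is not in the auth stack"
        status=1
    fi
    return "$status"
}

# Constructed sample 1: the layout from the HowTo (passes)
GOOD_AUTH=$(mktemp)
cat > "$GOOD_AUTH" <<'EOF'
auth sufficient pam_encfs.so
auth requisite pam_unix.so nullok_secure use_first_pass
auth optional pam_smbpass.so migrate use_first_pass
EOF

# Constructed sample 2: pam_encfs.so placed after pam_unix.so, and use_first_pass
# forgotten on pam_smbpass.so (fails with two findings)
BAD_AUTH=$(mktemp)
cat > "$BAD_AUTH" <<'EOF'
auth requisite pam_unix.so nullok_secure
auth sufficient pam_encfs.so
auth optional pam_smbpass.so migrate
EOF

check_common_auth "$GOOD_AUTH" && echo "good sample: ok"
check_common_auth "$BAD_AUTH" || echo "bad sample: problems found (expected)"
```

To check the live file, run `check_common_auth /etc/pam.d/common-auth` after sourcing the script; it only reads the file, so it is safe to run before and after editing.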

/etc/security/pam_encfs.conf is the configuration file for the pam_encfs.so module we just added to common-auth. Change "allow_other" to "nonempty" (see the Bug Workaround below for why).

  • $ sudo gedit /etc/security/pam_encfs.conf

Here's my pam_encfs.conf as an example

  • - /home/.enc - -v nonempty

Make a folder to store encrypted home folders
  • $ sudo mkdir /home/.enc

Set up the users (repeat this for each user you wish to apply this to).

You either need to log in as another user with sudo rights OR log out of Gnome/KDE and hit Ctrl+Alt+F1 to log in at a virtual terminal!! The former is recommended if your home folder is already full of files!

Back up your old home folder and make the directory structure. The mkdir recreates the now-empty /home/testuser as well, since it becomes the mount point and the chown that follows needs it to exist:

  • $ sudo mv /home/testuser /home/testuser.bak
  • $ sudo mkdir /home/testuser /home/.enc/testuser
  • $ sudo chown testuser:testuser /home/testuser /home/.enc/testuser

Add the user to the fuse group:

  • $ sudo adduser testuser fuse

If you logged into another user account, switch to the account you're setting up:

  • $ su testuser

Create the encrypted folder and mount it. I recommend "Expert Mode" with AES, any encryption level, 64bit blocks, block-encoded filenames, and all the rest of the defaults. This provides good security with maximum compatibility and usability. Paranoid mode disables hardlinks and may cause additional trouble for some applications (mutt, pine...). Also, use a good password, such as a passphrase longer than 14 characters.

  • $ encfs /home/.enc/testuser /home/testuser

If you set a more secure password, you need to update your account password or this won't work:

  • $ passwd

DO NOT FORGET YOUR PASSWORD. Seriously, there's no other way to decrypt the data. It might be a good idea to keep an unencrypted backup in a safe location.

Copy your files to the encrypted filesystem (see Tips): we use two move commands. The second one gets your hidden files and folders, which contain all of your program settings (the `.[!.]*` pattern matches every dot entry without matching `.` and `..` themselves). Alternatively, you could use two cp commands to copy.

  • $ cp -a /home/testuser.bak /home/testuser
  • $ mv /home/testuser/testuser.bak/* /home/testuser
  • $ mv /home/testuser/testuser.bak/.[!.]* /home/testuser
  • $ rmdir /home/testuser/testuser.bak
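As an added example (not part of the original HowTo), a shell function that performs the move step above with the dot-entry handling made explicit: a single hand-written dot glob can silently skip names such as `._cache`, after which the final rmdir fails, so this uses the pair `.[!.]*` and `..?*` and then verifies the source is empty. It runs a self-check on a constructed tree in a temporary directory, so it never touches /home; the testuser.bak and testuser names inside that directory are just the sample.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: move everything from the backup
# folder into the freshly mounted encrypted home, dotfiles included. Run it as the
# user who mounted the home, e.g.
#   move_home_contents /home/testuser.bak /home/testuser
move_home_contents() {
    src="$1"; dst="$2"
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "source or destination is not a directory" >&2
        return 1
    fi
    # *        plain names
    # .[!.]*   dot names except . and .. (second character is not a dot)
    # ..?*     names starting with two dots, e.g. ..hidden
    for entry in "$src"/* "$src"/.[!.]* "$src"/..?*; do
        # an unmatched pattern is left as literal text; skip those
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        mv -- "$entry" "$dst"/ || return 1
    done
    # anything left behind means the move is incomplete and rmdir would fail
    [ -z "$(ls -A "$src")" ]
}

# Self-check on a constructed tree: returns 0 when every file, including the
# awkward dotfiles, arrived in the destination and the source is empty.
demo_move() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/testuser.bak/.config" "$work/testuser"
    for f in notes.txt .bashrc ._cache ..hidden .config/app.ini; do
        : > "$work/testuser.bak/$f"
    done
    move_home_contents "$work/testuser.bak" "$work/testuser" || return 1
    for f in notes.txt .bashrc ._cache ..hidden .config/app.ini; do
        if [ ! -e "$work/testuser/$f" ]; then
            echo "missing after move: $f" >&2
            return 1
        fi
    done
    rmdir "$work/testuser.bak" || return 1   # must be empty now, as in the HowTo
    rm -r "$work"
}

demo_move && echo "all entries moved, backup directory empty"
```

Because the destination is the encfs mount, every mv here writes encrypted data into /home/.enc/testuser; the plaintext only disappears from disk once /home/testuser.bak has been emptied and removed.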

That's it! Log out, press Ctrl+Alt+F7 to get back to your graphical environment, and log in!

How it all works: encfs creates an encrypted file/folder inside /home/.enc/testuser for every file/folder you create inside /home/testuser. When the encrypted folder is "mounted", the files are decrypted on the fly and accessible at the mount point (/home/testuser).

With pam_encfs configured as it is, every time a user tries to log in it will attempt to execute "encfs /home/.enc/$USERNAME /home/$USERNAME" using the account password. For users you haven't set up encryption for, this simply fails and everything works as normal. For users you have set up, the empty /home/$USERNAME folder will suddenly provide access to their decrypted files and folders! Yay!

The pam.d/common-auth setting means pam_encfs.so is tried before login completes. The use_first_pass arguments mean the following modules use the first password entered rather than prompting again, even if pam_encfs.so fails. This is necessary so users without encrypted folders aren't prompted twice for their passwords.

Tips

Encrypt your swap partition.

Without an encrypted swap partition, it's possible for unencrypted file parts, passwords, or even the encfs key to be written to your swap partition, where an attacker can read them. The downside of encrypting swap is that hibernate will no longer function. (TODO: explain setting up encrypted swap with dmcrypt/luks)

Change your password

First, change your account password like normal. Then log out of Gnome/KDE and hit Ctrl+Alt+F1 to go to a virtual terminal. (Alternatively, log into any other user account, open a terminal window and issue 'su testuser'.)

You need to unmount your home folder:

  • $ cd /home
  • $ fusermount -u testuser

Then you can change the encfs password. The encrypted store is /home/.enc/testuser; your home folder is unmounted at this point, so paths under ~ are not available:

  • $ encfsctl passwd /home/.enc/testuser

Log out and switch back to GDM:

  • $ exit
  • Ctrl+Alt+F7

Using Nautilus for copying the files

As stated below in the Security Notes, you and the root user are the only accounts that can access your files while they're mounted. We can take advantage of this to make copying the unencrypted files into the encrypted space easier. In my case, I found the 'mv' command copies all files first and *then* deletes them. Unfortunately, I had a 30GB home folder and 10GB of free space, so mv kept running out of space and failing. With the GUI it's a lot easier to be selective about what you're moving and to where.

  1. If necessary, create another account on the system and grant that user sudo privileges (add them to the admin group).
  2. Logout and log into this new account.
  3. Press Alt+F2 to access the Run Application dialog.
  4. Type in 'gksu nautilus' and enter the password for this new account when prompted.
  5. Open a terminal and issue 'su testuser'. This will log you into your main account within the terminal window and mount your home folder. MINIMIZE this window, do not close it. If you close it, pam will unmount your home folder.
  6. In the Nautilus window, browse to /home.
  7. You can right-click on testuser.bak and choose "open in new window". Now you have two windows running with root privileges. You can move/copy files from the old home folder to the new one. Press Ctrl+H to show hidden files so you can get all of your application settings as well.
  8. When everything's copied/moved, you can log into your normal account and delete the temporary user if you had to create one.

Bug Workaround

In the /etc/security/pam_encfs.conf file there is a variable "fusedefault" which sets the default fuse options. This is set to allow_root,nonempty by default. However, in the example config they set allow_other as a fuse option. One would expect this to override the default option. pam_encfs, however, simply joins the two together. This causes problems, since allow_root and allow_other can't be used together. Either remove allow_root from your default and add allow_root or allow_other (or neither) to each mount you want pam to make, or set something innocuous like nonempty, as we did in the tutorial above. (Note: you need SOMETHING set as a fuse option, or pam_encfs refuses to even attempt to mount.)
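As an added example (not from the original HowTo, and not pam_encfs's own code), here is the option merging this section and the pam_encfs.conf line in the tutorial describe, written out in shell so a mount line can be checked against the fusedefault value before it is put into the file. That the two lists are concatenated rather than overridden, that fuse rejects allow_root together with allow_other, and that an empty list makes pam_encfs skip the mount all come from the text above; that the join uses a comma is an assumption made here.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: model how pam_encfs combines the
# fusedefault options with a mount line's own fuse options, and flag the
# allow_root/allow_other clash before it reaches the mount.

# merge_fuse_opts FUSEDEFAULT LINEOPTS -> prints the combined option list
# (comma join is an assumption about pam_encfs's concatenation)
merge_fuse_opts() {
    default="$1"; line="$2"
    if [ -z "$line" ]; then
        printf '%s\n' "$default"
    elif [ -z "$default" ]; then
        printf '%s\n' "$line"
    else
        printf '%s,%s\n' "$default" "$line"
    fi
}

# has_opt OPTS NAME -> 0 when NAME is present as a whole option, 1 otherwise
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# check_fuse_opts OPTS -> 0 when fuse would accept the list, 1 otherwise
check_fuse_opts() {
    opts="$1"
    if [ -z "$opts" ]; then
        echo "no fuse options at all: pam_encfs will not even try to mount"
        return 1
    fi
    if has_opt "$opts" allow_root && has_opt "$opts" allow_other; then
        echo "conflict: allow_root and allow_other cannot be combined ($opts)"
        return 1
    fi
    return 0
}

# check_conf_line FUSEDEFAULT "USER ENCFS_DIR MOUNTPOINT ENCFS_OPTS FUSE_OPTS"
# The mount line has the five fields used in the tutorial, e.g.
#   - /home/.enc - -v nonempty
check_conf_line() {
    default="$1"
    set -- $2                        # split the mount line into its five fields
    merged=$(merge_fuse_opts "$default" "$5")
    echo "merged fuse options: $merged"
    check_fuse_opts "$merged"
}

# The default shipped in pam_encfs.conf according to the Bug Workaround
FUSEDEFAULT="allow_root,nonempty"

# Shipped example line: clashes once joined with the default
check_conf_line "$FUSEDEFAULT" "- /home/.enc - -v allow_other" || echo "(expected failure)"
# Tutorial line: a harmless duplicate of nonempty; allow_root still comes from the default
check_conf_line "$FUSEDEFAULT" "- /home/.enc - -v nonempty"
```

The second call shows why the tutorial's line still grants root access to the mount: allow_root never left the list, it only stopped being written twice.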

Security Notes

Normally encfs only allows access to the user who mounted an encrypted share, irrespective of the filesystem permissions. Because allow_root is in effect (it is part of the fusedefault options, see the Bug Workaround), the root user will be able to access your decrypted mount point as long as your files are mounted. Unfortunately, this is necessary for the PAM module, as the mounting is done by the root user.

Sometimes pam fails to unmount your folder, leaving it open even though you're logged out. As stated, root will have access, but other users won't be able to access the folder. So as long as you're the only user with sudo access, you're fine. Otherwise you should reboot after logout to be sure, or log in as the root user and check with the mount command. Truthfully, if you're this concerned, you should probably be doing something like dmcrypt instead.
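As an added example (not from the original HowTo), a shell check for exactly the case described above: encfs homes that are still mounted although their owner has no login session. It works on the text of `mount` and `who`, passed in as arguments so it also runs on the constructed sample at the bottom; the /home/$USERNAME layout from the tutorial and the Linux "encfs on /home/... type fuse.encfs (...)" line format are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: list encfs mounts under /home
# whose owner is not logged in. On a real machine call it as
#   stale_encfs_mounts "$(mount)" "$(who)"
# stale_encfs_mounts MOUNT_OUTPUT WHO_OUTPUT -> prints one stale mount point per line
stale_encfs_mounts() {
    mount_out="$1"; who_out="$2"
    printf '%s\n' "$mount_out" | while IFS= read -r line; do
        case "$line" in
            "encfs on /home/"*) ;;      # only encfs mounts under /home
            *) continue ;;
        esac
        set -- $line                    # fields: encfs on <mountpoint> type <fstype> (<opts>)
        mnt="$3"
        user="${mnt#/home/}"            # tutorial layout: mount point is /home/$USERNAME
        # `who` prints the login name in the first column; no line means no session
        if ! printf '%s\n' "$who_out" | grep -q "^$user[[:space:]]"; then
            printf '%s\n' "$mnt"
        fi
    done
}

# Constructed sample: two encrypted homes are mounted but only alice is logged in
SAMPLE_MOUNT='/dev/sda1 on / type ext3 (rw,errors=remount-ro)
encfs on /home/alice type fuse.encfs (rw,nosuid,nodev,user=alice)
encfs on /home/testuser type fuse.encfs (rw,nosuid,nodev,user=testuser)
fusectl on /sys/fs/fuse/connections type fusectl (rw)'
SAMPLE_WHO='alice    tty1         2008-04-17 06:32'

stale_encfs_mounts "$SAMPLE_MOUNT" "$SAMPLE_WHO"   # prints /home/testuser
```

A mount point that shows up here is a home whose decrypted view is still reachable by root; `fusermount -u /home/testuser` as root (or the reboot the text suggests) closes it.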

As stated in the Tips, without encrypting the swap partition it is possible for someone to find parts of, or even entire, files from your home folder in the swap partition.

EncryptedHomeFolder (last edited 2010-03-25 01:29:17 by d67-193-169-69)