Encrypted /home partition out of the box

Discuss all artwork and development - Suggestions needed

Moderator: Moderators

Encrypted /home partition out of the box

Postby chickpea » Mon Apr 23, 2007 17:55

Hey Devs:

As I am usually the last to know anything in the linux world, I recently discovered that Debian Etch gives you the option to set up an encrypted /home partition during the installation (using LUKS and dmcrypt).

It might be nice to include this functionality in an upcoming release of SL.

I am caught in an installation battle right now with an interesting program that may also be a candidate for such a setup pam_encfs. This permits mounting of the encrypted layover dir through a pam authentication during login (hence you only need to login once with one password).

Cheers

Chickpea
chickpea
Sagely Hen
 
Posts: 1084
Joined: Fri Jan 05, 2007 15:08
Location: Washington, DC

Postby dave_p_b » Mon Apr 23, 2007 19:54

Hi Chickpea

I think this would be great for laptop users or even if someone broke into your house and stole your harddrive.

How far have you got with it yet?
I've just downloaded it, installed it and copied my pam_encfs.conf to /etc/security
I'm completely stuck now with the following two lines in the readme file that say the following:
modify your pam to load (for example):
auth required pam_encfs.so

and if you want to auto umount on logout:
session required pam_encfs.so


How do I modify my pam to enter these details?

I'm sure this could quite easily be written in to the next SabayonLinux. It could be an (on/off) option for users to add extra security to their personal home directory.

Any help would be appreciated.

Cheers

Dave
dave_p_b
Old Dear Hen
 
Posts: 607
Joined: Fri Dec 15, 2006 1:39
Location: Exeter, UK

Postby chickpea » Tue Apr 24, 2007 17:34

Hey dave:

you will need to

Code: Select all
nano -w /etc/pam.d/system-auth


BTW the developer has an example gentoo system-auth file at the bottom of the README. :D
Although I still haven't been able to get the pam module to work. :(

You will want to add

Code: Select all
auth      required     pam_encfs.so


underneath

Code: Select all
auth  required  pam_unix.so


Here is my system-auth:

Code: Select all
#%PAM-1.0

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_encfs.so
auth       sufficient   /lib/security/pam_encfs.so
auth       sufficient   /lib/security/pam_sha512.so pwdfile /etc/security/pam.sha
auth       required     pam_deny.so

account    required     pam_unix.so

password   required     pam_cracklib.so retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_encfs.so
session    required     pam_limits.so
session    required     pam_unix.so

###########################old pam_auth#####################
#auth       required    pam_env.so
#auth       sufficient  pam_unix.so try_first_pass likeauth nullok
#auth       required    pam_deny.so

#account    required    pam_unix.so

#password   required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
#password   sufficient  pam_unix.so try_first_pass use_authtok nullok md5 shadow
#password   required    pam_deny.so

#session    required    pam_limits.so
#session    required    pam_unix.so
#############################################################


The above doesn't work, because I think pam_unix.so is set to "sufficient", where I think it should be "required". With pam_unix.so as "sufficient" it will log you in without testing the other modules with it as "required" will make pam require it to be passed, but will also require all other modules to be passed. CAUTION, untested, not sure if this will TOTALLY LOCK YOU OUT. I would test it with a test system and test user before applying to your production system.

Good luck.

FWIW I have switched my favorite encyption type now. eCryptfs (which has a similar pam module "pam_ecryptfs.so") is easier to use and was designed by Mike Halcrow at IBM. I have been told by its designer that it should work to encrypt the entire /home partition (even though previously the README said it would not, which has now been updated). It is a lot more lighweight as well on your system resources rather than a FUSE routine which has a lot of overhead.

Cheers
Bryan
chickpea
Sagely Hen
 
Posts: 1084
Joined: Fri Jan 05, 2007 15:08
Location: Washington, DC

Postby dave_p_b » Wed Apr 25, 2007 1:12

Hi Bryan

Every time I change the option from "sufficient" to "required" it doesn't let me login at all. It just declines my password each time so I think I need to keep that line as "sufficient" for now. I'm just testing out ecryptfs as well and it does seem faster then encfs even though it takes up more harddrive space because it's minimum file size is 12.0 kb. Not sure if that can be changed or not.

All the best

Dave
dave_p_b
Old Dear Hen
 
Posts: 607
Joined: Fri Dec 15, 2006 1:39
Location: Exeter, UK

Postby chickpea » Wed Apr 25, 2007 2:33

Dave:

The file size is immutable. All files grow at specific rates. If you read around about ecryptfs it is much faster. I can't seem to find the pam modules pam_ecryptfs.so on my system though. I have no idea how to get it. I may have to download the tarball and build it from source to get it.

I am having trouble getting the keyring to keep/use my testusers password salt. It keeps giving me weird errors.

Yeah I figured that the pam_encfs.so has to be sufficient and not required.

Maybe it needs to be above pam_unix.so? I think that may be a bad idea for some reason. . .:(
chickpea
Sagely Hen
 
Posts: 1084
Joined: Fri Jan 05, 2007 15:08
Location: Washington, DC

Postby dave_p_b » Wed Apr 25, 2007 5:11

Hi

I downloaded the kernel and userspace utils from their website anyway. The kernel driver is stored in /lib/modules/2.6.20-sabayon-r3/kernel/fs/ecryptfs on my system. Have to add "modprobe ecryptfs" manually so it loads on each boot.

I couldn't get the keyring to keep my passwords either. If I type "keyctrl show" it shows it there but If I log out and log back in then it has lost it. The fact that it keeps loosing it makes the command "mount -i /secret" fail each time. Also I noticed that the line you put in /etc/fstab needs to include the word "noauto" else it tries to mount the encrypted partition every time it boots up which is a pain.

In the end I didn't get it to work properly. I followed the README file in what I downloaded but it didn't really make any sense. It says to put the command "mount -i /secret" in to your .bash_profile file but then it can't access that file on logon because it is encrypted.

If you find anyway of getting it to work I would be interested. For the meantime I think I'm going to carry on with encfs/fuse to see if I can get that working with the pam module.

Good luck :)

Dave
dave_p_b
Old Dear Hen
 
Posts: 607
Joined: Fri Dec 15, 2006 1:39
Location: Exeter, UK

Postby chickpea » Wed Apr 25, 2007 18:26

In the end I didn't get it to work properly. I followed the README file in what I downloaded but it didn't really make any sense. It says to put the command "mount -i /secret" in to your .bash_profile file but then it can't access that file on logon because it is encrypted.


Glad I'm not the only one who thought that didn't make any sense. :lol:

Yeah I get precisely the same errors you are getting.

To get a module to autoload each boot you need to add the module to
/etc/modules.d (or something like that). Then it will load each boot automatically.
Weird though cause ecryptfs is built into the kernel already, not as a module. :?

Yeah I have to email Mike Halcrow about this because I keep getting the same errors and I don't seem to be able to make it work. Each time I want to mount with "mount -i /home/testuser" I always have to do a "ecryptfs-manager" and add the user password to the keyring before it will mount.
chickpea
Sagely Hen
 
Posts: 1084
Joined: Fri Jan 05, 2007 15:08
Location: Washington, DC

Postby dave_p_b » Wed Apr 25, 2007 19:54

Hi

I'm fine with autoloading the module. I just put it into /etc/modules.autoload.d/kernel-2.6

Yes, we have exactly the same problem with having to do ecryptfs-manager each time before doing mount -i /secret.

If you email him can you also ask him about the .bash_profile and how it get's to read the contents before the file system is actually mounted. Also, does this .bash_profile need to be set as an executable file? and does SabayonLinux even use the .bash_profile file as it's not there by default?

I guess until we've got those issues sorted then we can't see whether the pam module actually works or not.

Cheers and good luck

Dave

p.s. I think they should put in their readme file that the line in /etc/fstab should have the parameter noauto added to it so that it doesn't try to mount the partition during boot. That was fun figuring that one out ;)
dave_p_b
Old Dear Hen
 
Posts: 607
Joined: Fri Dec 15, 2006 1:39
Location: Exeter, UK

Postby chickpea » Thu Apr 26, 2007 17:42

Yeah, I will email Mike to see what we may be doing wrong, or if that's a bug in the ecryptfs-manager that we are using.

I'll also note that noauto should be added to the README concerning /etc/fstab

Are you saying that without that option it tries to automount the encrypted partition no matter what user you try and log in as? Or that it tries to automount the encrypted partition before your user logsin (hence it will always fail as no user info has been added to the keyring? Not really sure as I never rebooted when I was setting this up, just logging in and out as a different user through Konsole (again cause Im lazy :lol: ).

Hopefully you or I can get the encfs pam module up and running so that at least that could be added to future SL editions :D. We can't let Debian be ahead of us for crying out loud!! :lol:
chickpea
Sagely Hen
 
Posts: 1084
Joined: Fri Jan 05, 2007 15:08
Location: Washington, DC

Postby dave_p_b » Fri Apr 27, 2007 12:14

Hi

Concerning the noauto option in the fstab. When you boot up way before KDM is loaded the bootup sequence tries to mount anything it can in the fstab file. So an entry without noauto will get mounted half way through the boot sequence.

Cheers

Dave
dave_p_b
Old Dear Hen
 
Posts: 607
Joined: Fri Dec 15, 2006 1:39
Location: Exeter, UK

Next

Return to Artwork and Development Suggestions

Who is online

Users browsing this forum: No registered users and 1 guest