Partition Encryption


From Linuxconfig.org

Jump to: navigation, search

Contents

Scenario

In this Linux config we are going to create encrypted partition for user "linuxconfig" and use pam_mount to mount it under /home/linuxconfig directory. For this config we have used Debian Linux, however the very same principle for creating encrypted partitions can be applied also for any other Linux distributions such as SuSe, RedHat, Gentoo, Ubuntu.

Image:luks.png

Prerequisites

First and the most important one is to make sure that on partition on which you are going to encrypt, is empty. If you have some important data there move them NOW to some save place. When creating encrypted partition all data will be removed.

Secondly we need to satisfied software prerequisite so you need to install packages for:

- cryptsetup ( Ubuntu, Debian package: cryptsetup )
- pam_mount ( Ubuntu, Debian package: libpam-mount )

Create Encrypted Partition

This command will create Encrypted partition /dev/sdb1 by formating it with LUKS Encryption:

# cryptsetup luksFormat /dev/sdb1

Image:encrypted_partition1.gif

Open Encrypted partition:

This command will create entry in /dev/mapper for sdb1 partition.

# cryptsetup luksOpen /dev/sdb1 sdb1

Image:encrypted_partition2.gif

Create Filesystem

Now we can create filesystem as on any other partition. The only difference is that we create filesystem via mapper. If you try create filesystem on /dev/sdb1 you will get this error message:

mke2fs 1.40-WIP (14-Nov-2006)
/dev/sdb1 is apparently in use by the system; will not make a filesystem here!

Instead we will use command:

# mkfs.ext3 /dev/mapper/sdb1

Image:encrypted_partition3.gif

Edit pam_mount.conf

Because we want new encrypted partition to be mounted every time user "linuxconfig" log in we need to alter /etc/security/pam_mount.conf file and add this line:

volume linuxconfig crypt - /dev/sdb1 /home/linuxconfig - - -

Image:encrypted_partition4.gif

Configure pam authentication

On Debian or Ubuntu system you will need to edit two files:

/etc/pam.d/common-auth :

auth       optional     pam_mount.so

Image:encrypted_partition5.gif /etc/pam.d/common-session

session    optional     pam_mount.so

Image:encrypted_partition6.gif

Please NOTE:

Some distribution have only one file with both auth and session.

Testing

Lets try login as a "linuxconfig" user, please note that you will be prompted to enter password two times, first time it will be your UNIX password and second time it will be your passphrase for your encrypted partition:

Image:encrypted_partition7.gif


Now we need to confirm that we are using our new encrypted partition:

Image:encrypted_partition8.gif

Other Topics

External links

Personal tools