Home directory encryption++ under openSUSE

While setting up a new laptop I decided it’s finally time to encrypt my $HOME.

I don’t want to encrypt the whole /home partition, because I don’t like to watch the boot process of my computer waiting for the moment it wants to mount it and asks me for the disk encryption password. Then wait some more and enter the user password. I want to use just one password for both and let the login process do the magic for me.

How to set up home directory encryption++ under openSUSE

Actually, getting this set up under openSUSE is as easy as going to YaST -> User management -> Your user -> Edit -> Details and checking the “Use encrypted home directory” checkbox. But I didn’t go this way for three reasons:

I wanted to have my encryption key on a separate device (explanation in the next paragraph)
I wanted to have a strong grip on what is going on under the hood in case of emergency (i.e. system crash recovery)
The automagic GUI simply did not work in my case 😉

My laptop has an MMC reader, so I wanted to use Jaervosz’s idea of having the disk encryption keys in my pocket every time I need to leave the computer unattended. This gives a very good physical keys analogy. It also might be useful in countries where you are required by law to reveal your password to certain services. It’s easily verifiable that you gave the real password by logging in to the machine. But you cannot be expected to reveal the key file content of an MMC that got “damaged” or lost. (Of course it’s crucial to have a backup of the MMC content in some safe place.) I use a small (256MB) and quite fast (Class 4) MicroSD card I had left over from a mobile phone.

Let’s start with the easy bit and encrypt swap first. I’m not so paranoid as to fear data leaking through swap, but this gives a nice checkpoint before putting your crucial $HOME data into a box you may be unable to open later. 😉

Install some packages you will need:

# zypper install cryptsetup cryptconfig pam_mount

Put one line in the /etc/crypttab file:

swap /dev/sda5 /dev/urandom swap,cipher=aes-cbc-essiv:sha256

and replace the swap device entry in your /etc/fstab with /dev/mapper/swap like this:

/dev/mapper/swap swap swap defaults 0 0

Add the boot.crypto script to the boot level:

# chkconfig --add boot.crypto
boot.crypto 0:off 1:off 2:off 3:off 4:off 5:off 6:off B:on

Now reboot. You should have a /dev/mapper/swap encrypted device being used as swap:

# ls /dev/mapper
control swap
# swapon -s
Filename Type Size Used Priority
/dev/mapper/swap partition 10490408 0 -1
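
The same result can be checked statically from the two files edited above, which catches an old plaintext swap line left behind in fstab. This is an added example, not part of the original article; the function name check_swap_encrypted and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check fstab swap entries against crypttab.
# check_swap_encrypted FSTAB CRYPTTAB
# Prints one line per problem and returns non-zero unless every swap entry
# in FSTAB is /dev/mapper/NAME and CRYPTTAB maps NAME with a random key
# source and the "swap" option (as in the crypttab line above).
check_swap_encrypted() {
    fstab=$1
    crypttab=$2
    rc=0
    # fstab fields: device mountpoint fstype options dump pass
    for dev in $(awk '$1 !~ /^#/ && $3 == "swap" { print $1 }' "$fstab"); do
        case $dev in
            /dev/mapper/*) name=${dev#/dev/mapper/} ;;
            *) echo "plaintext swap still in fstab: $dev"; rc=1; continue ;;
        esac
        # crypttab fields: name device keyfile options
        if ! awk -v n="$name" '
            $1 == n && ($3 == "/dev/urandom" || $3 == "/dev/random") &&
                ("," $4 ",") ~ /,swap,/ { ok = 1 }
            END { exit !ok }' "$crypttab"
        then
            echo "no random-key swap mapping for '$name' in crypttab"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the article's crypttab line, and an fstab that still
# carries the old plaintext entry next to the new one.
demo=$(mktemp -d)
echo 'swap /dev/sda5 /dev/urandom swap,cipher=aes-cbc-essiv:sha256' > "$demo/crypttab"
printf '%s\n' '/dev/mapper/swap swap swap defaults 0 0' \
              '/dev/sda5 swap swap defaults 0 0' > "$demo/fstab"
check_swap_encrypted "$demo/fstab" "$demo/crypttab" || echo "fix the files before rebooting"
rm -rf "$demo"
```

On a real system, call it as check_swap_encrypted /etc/fstab /etc/crypttab.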

Congratulations. You may now follow with encrypting your real data.

Setting up a LUKS encrypted loop device, pam_mount configs, etc. may be a bit cumbersome when doing everything by hand. Fortunately there is a tool to ease the pain – enter cryptconfig. It has a lot of tools, of which we need only a few.

First mount the MMC on the /mmc directory:

# mkdir /mmc
# mount /dev/mmcblk0p1 /mmc

Next you need to create an encrypted disk image file with an associated key file. Unfortunately when I wanted to create a properly big image, cryptconfig complained that it won’t fit on my partition so I ended up creating a small one and enlarging it after. (BTW, you may want to use your own username instead of “user” 😉) Use your user password when asked for it.

# cryptconfig create-image --key-file /mmc/user-home.key /home/user.img 20000
# cryptconfig enlarge-image --key-file /mmc/user-home.key /home/user.img 200000

Next add pam_mount to PAM and create its configuration file:

# cryptconfig pm-enable --key-file /mmc/user-home.key user

Next you need to tweak the pam_mount configuration. I don’t want to mount the /mmc content via fstab because that would make my laptop unbootable with the MMC removed. Instead I engage pam_mount to do this for me. Add the following line just before the last line mounting your home in the /etc/security/pam_mount.conf.xml file:

<volume fstype="auto" user="user" path="/dev/mmcblk0p1" mountpoint="/mmc"/>

But having a removable device connected and not present in fstab may cause the Volume Manager to try to mount it under /media. To mitigate this, add the following line to /etc/fstab:

/dev/mmcblk0p1 /mmc auto noauto 0 0

That’s it. You have completed the setup. Now you just need to fix your home directory image content permissions (it’s just an empty filesystem owned by root) and transfer your data.

Kill your current X session by tapping Ctrl-Alt-Backspace twice or reboot again. Log in to your account and you should see your desktop environment complaining it has no access to your home directory. Good – this means your encrypted home directory was mounted properly. Let’s fix it.

Switch to a text mode console (Ctrl-Alt-F1), log in as root and fix your home directory permissions:

# chown -R user:users ~user

Next the tricky part – transferring your data:

# mount -o bind /home /mnt
# rsync -rvaP /mnt/user/ /home/user/
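
Before the cleanup step further down deletes the unencrypted original, the copy can be verified by content. This is an added example, not part of the original article; the function names manifest and verify_copy and the sample directories are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the copy before the plaintext original is deleted.
# manifest DIR: sorted "sha256  ./path" lines for every regular file in DIR,
# dotfiles included. Ownership, modes and symlinks are not compared.
manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort)
}

# verify_copy SRC DST: return 0 only if every file under SRC exists under DST
# with identical content. Extra files in DST are allowed.
verify_copy() {
    src_list=$(mktemp)
    dst_list=$(mktemp)
    manifest "$1" > "$src_list"
    manifest "$2" > "$dst_list"
    # comm -23 keeps lines found only in the source manifest
    missing=$(LC_ALL=C comm -23 "$src_list" "$dst_list")
    rm -f "$src_list" "$dst_list"
    [ -z "$missing" ] && return 0
    printf 'missing or different in copy:\n%s\n' "$missing"
    return 1
}

# Constructed sample: a copy that lost one dotfile.
old=$(mktemp -d)
new=$(mktemp -d)
mkdir "$old/.ssh" "$new/.ssh"
echo report > "$old/notes.txt"
echo report > "$new/notes.txt"
echo key > "$old/.ssh/id"
verify_copy "$old" "$new" || echo "do not delete the original yet"
rm -rf "$old" "$new"
```

With the paths used in this article the call is verify_copy /mnt/user /home/user, run while the bind mount is still in place. Note that rm only unlinks files, so the old plaintext blocks stay on the /home partition until they are overwritten.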

After killing X again, log in and verify that your desktop works correctly. After that you may clean up by removing the /mnt/user content:

# rm -rf /mnt/user/*
# rm -rf /mnt/user/.[a-zA-Z0-9]*
# umount /mnt

Congratulations. You have an encrypted home directory mounted on login, using a “physical key” in the form of a memory card. Reboot. 🙂

P.S. You may want to make some other areas like /tmp inaccessible to anyone getting their hands on your computer. I solved it by mounting /tmp with tmpfs. But that’s something for a different article.