Paranoia at home.

2006/06/02 16:40:00

I carry my laptop around all over the place and on it I store loads of stuff; website logins, passwords, photos etc. None of it really that important but I do worry that if I were to be relieved of my laptop that some idiot could make my life a little more uncomfortable.
I do steal some satisfaction from the fact that I run Linux and your average laptop thief probably would just have to reformat and put XP on before he could use it and in doing so delete all my data anyway.
But today my paranoia got the better of me so I decided to encrypt the whole of my home directory ( Yes in Unix all my personal data is stored in one directory and that is my home directory.) and below I am going to jot down how I did this.

******* MAKE A BACKUP OF YOUR DATA NOW *******************

Step one: Make a backup of you home directory.

Step two: No really copy everything from your home directory even those .rc files to another machine

Step Three: Look there is nothing so soul destroying as realising that you have just lost the contents of your home directory, a simple rsync to a server somewhere is all that is required.

Step Four: Encrypt your home directory using encfs.

Now follows a little more detail on step four.

Note: I use the term $USER and $HOME here, just replace them with your login name and directory.

Take a back of you entire home directory as you will probably end up overwriting it at some point while following my instructions.

I have moved all the common things like videos and music to /home/share and created symbolic links back to my home directory as these do not need to be encrypted.

# mkdir /home/share/
# chown $USER:$USER /home/share
# mv $HOME/Music /home/share
# ln -s /home/share/Music $HOME

Now we need to install some packages to make it all work I am using debain so this is simple.

# apt-get install encfs libpam-encfs

Next we need add encfs to the pam setup you can find more info in /usr/share/doc/libpam-encfs/README.Debian
I normally open up a terminal and login as root and leave that to one side so that I can jump back and correct mistakes if I bugger up pam. The pam system lets you login so if you mess up this config it’s boot disk time!
Basically you should edit the file /etc/pam.d/common-auth to look like this

auth sufficient pam_encfs.so

auth required pam_unix.so nullok_secure use_first_pass

Note: The use_first_pass will stop it prompting you for two passwords, but if you want to you can leave that out and have different passwords for the encryption and login.

Next if you want to make it unmount as you logout then add the following to /etc/pam.d/common-session

session required pam_encfs.so

Now check that you can still login.

Now setup a default so that it will all play nice with gdm.

# echo “user_allow_other” >/etc/fuse.conf

Next edit /etc/pam_encfs.conf and change the the last line to be allow_root rather than allow_other

- /home/.enc - -v allow_root

Next up is to create an new encrypted directory. The default in /etc/pam_encfs.conf sets the raw encrypted partition to be /home/.enc/$USER so I am going to use that.

# encfs /home/,enc/$USER /var/tmp/$USER — -o allow_root

Accept the defaults then enter your usual login password as the encryption password.
This should now have created a new encrypted mount in /var/tmp called $USER and now you want to copy the contents of you home directory into this. I recommend you logout now and do this from the console logged in as root.

# rsync -av $HOME/ /var/tmp/$USER/

When this has finished unmount the encrypted filesystem and move your old home directory out of the way.

# fusermount -u /var/tmp/$USER
# mv $HOME $HOME.orig

Now create a new mount point for your encrypted home directory.

# mkdir $HOME
# chown $USER:$USER $HOME

Clean up

# rm -rf /var/tmp/$USER

And that’s it.

Now login to another console and all should run as usual but now when you logout your home directory will look empty and all your data will be nicely encrypted.

I have only been running this for a couple of hours but it does feel a little slower. I will give it a week to settle in and see how I feel!

Tip: For backups why not just backup /home/.enc then that is also encryped on the backup so that the backup data is all encrypted, not so good for individual restores but should still work with differential backups. (Note: You must be able to get back all the .encfs5 file or the filesystem will not work as far as I know!)

Listen to this podcast Listen to this podcast