# encrypted /home?

## revo

hi!

for *one* user I'd like to have an encrypted /home/.

i would like to be asked for a password at boot, and then be able to work as the user after logging in.

which way do you suggest? shall i create a loop? i read the thread about encrypted /root, but that is not the way i would like to have it, as i do a lot of things like transcoding video, which seems to be very hard-disc intensive and therefore i think it would slow down things a lot if this is done on an encrypted hd.

----------

## vicay

 *revo wrote:*   

> hi!
> 
> for *one* user I'd like to have an encrypted /home/.
> 
> i would like to be asked for a password at boot, and then be able to work as the user after logging in.
> ...

 

Hello,

i think it should be no problem to use a partition or a container file for an encrypted loop device. You can create a little script, which asks for the passphrase and mounts the loop filesystem to /home/user.

This link might be helpful

http://encryptionhowto.sourceforge.net/Encryption-HOWTO.html

best regards

vicay
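The "little script" vicay describes, written out as an added example (it is not vicay's code and not from the Encryption-HOWTO): it prompts for the passphrase with terminal echo off, hands it to the loop-AES `losetup` on file descriptor 0 (the `-p 0` / `--pass-fd` option that comes up later in the thread) so it never appears on a command line, mounts the loop device as the user's home, and can tear everything down again. The container file, mount point, loop device and cipher name are placeholders to adjust; `DRYRUN=1` only prints the commands, which lets you read through what the script would do without root.

```shell
#!/bin/sh
# Added example: mount/unmount a loop-AES container as one user's home.
# All paths and names below are assumed placeholders for this example.
CONTAINER=${CONTAINER:-/opt/crypt-home.img}   # file or partition holding the ciphertext
MOUNTPOINT=${MOUNTPOINT:-/home/user}
LOOPDEV=${LOOPDEV:-/dev/loop7}
CIPHER=${CIPHER:-AES256}                      # cipher name for the loop-AES losetup -e
DRYRUN=${DRYRUN:-0}                           # 1: print the commands instead of running them

# run CMD...: execute the command, or with DRYRUN=1 just print the command
# line, so the script can be exercised without root and without real devices.
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# read_passphrase: prompt on stderr with terminal echo off; result in $PASS.
read_passphrase() {
    printf 'Passphrase for %s: ' "$CONTAINER" >&2
    stty -echo
    IFS= read -r PASS
    stty echo
    echo >&2
}

# mount_home: set up the encrypted loop device and mount it.
# The passphrase is fed to losetup on stdin (-p 0 = read it from fd 0), so it
# is neither on the command line nor visible in the process list.
mount_home() {
    if [ "$DRYRUN" = 1 ]; then
        PASS=dry-run-placeholder
    else
        read_passphrase
    fi
    printf '%s\n' "$PASS" | run losetup -p 0 -e "$CIPHER" "$LOOPDEV" "$CONTAINER" || return 1
    unset PASS
    # nosuid,nodev: a home directory should never supply setuid binaries
    # or device nodes, whoever is able to write into it.
    run mount -o nosuid,nodev "$LOOPDEV" "$MOUNTPOINT"
}

# umount_home: unmount, then detach the loop device so the key leaves the kernel.
umount_home() {
    run umount "$MOUNTPOINT" || return 1
    run losetup -d "$LOOPDEV"
}

case "${1:-}" in
    mount)  mount_home ;;
    umount) umount_home ;;
    "")     ;;   # no argument: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 mount|umount" >&2; exit 2 ;;
esac
```

Run it as root with `mount` at boot (or from a login script) and `umount` before shutdown. The loop-AES losetup refuses passphrases shorter than 20 characters, so choose a real passphrase rather than a password; and since the passphrase unlocks everything, keep it distinct from the login password for the reason vicay gives in the next reply.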

----------

## slyzer

Hi,

do you think that it is possible to combine this decryption using the standard PAM login? So if I login correctly in the console it will automatically decrypt the home-dir.

cu

 slyzer

----------

## vicay

 *slyzer wrote:*   

> Hi,
> 
> do you think that it is possible to combine this decryption using the standard PAM login? So if I login correctly in the console it will automatically decrypt the home-dir.
> 
> cu
> ...

 

Hello,

AFAIK this is not implemented. Working with losetup requires root privilege. You would need a PAM module, which gets the typed password, sets up the crypto loop device and mounts the home directory of the user (or something like this).

OTOH if somebody gets to know the login password of a user he has access to his data too. IMHO that's not a desirable effect.

Best regards

vicay

----------

## Chris W

http://www.kernel.org/pub/linux/libs/pam/modules.html

http://www.flyn.org/#id5426299

pam_mount may be of interest.

----------

## vicay

 *Chris W wrote:*   

> http://www.kernel.org/pub/linux/libs/pam/modules.html
> 
> http://www.flyn.org/#id5426299
> 
> pam_mount may be of interest.

 

Thanks for that one.

I think i will test it, but for my real-world notebook i do it with a second password  :Smile: 

Best regards

vicay

----------

## slyzer

Hi,

sounds good, I will check it the next days.

cu

 slyzer

----------

## chadders

When I boot up I logon as root and run this script.  It asks for passphrase and mounts my /home.  It uses GPG and loop-AES and has keyfile on a floppy that i keep in my pocket so NO ONE can get my /home without both ME and my passphrase:

```sh
#!/bin/sh
mount /dev/fd0 /mnt/floppy
# let gpg find the keyring that lives on the floppy
ln -s /mnt/floppy/.gnupg .gnupg
cd /mnt/floppy
# gpg asks for the passphrase; the decrypted key goes to losetup on fd 0 (-p 0)
gpg --decrypt < keyfile.asc | losetup -p 0 -e AES256 /dev/loop7 /dev/hda3
mount /dev/loop7 /home
cd
# drop the symlink again and release the floppy
rm .gnupg
umount /mnt/floppy
```

Chad   :Very Happy: 

----------

## slyzer

Hi,

for all the paranoid people, like me, that is a great idea! Actually I don't know what to do with my floppy drive, so it gets a bigger meaning  :Smile: 

cu

 slyzer

----------

## revo

this is how i finally managed to set it up in a way i like it:

i enabled cryptoapi, loop and aes in my kernel, set it all up like in the encryption-howto from http://www.linuxsecurity.com/docs/HOWTO/Encryption-HOWTO/Encryption-HOWTO-4.html, and added

```
/opt/revo   /home/revo/privat   ext2   defaults,loop,encryption=aes,keybits=256,user   0 0
```

to my /etc/fstab. i did this because i decided that i'd like to dynamically mount and unmount my encrypted stuff while i am in kde.

that's very easy and elegant.
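A few checks worth running on an fstab entry like revo's, as an added example (not revo's code, not from the HOWTO): the entry must really be a `loop` mount with an `encryption=` option, `user` must be present or only root can mount it, and nothing should override the `nosuid`/`nodev` that `user` implies for a filesystem whose contents the user fully controls. A second check looks at the container file itself: loop-AES provides confidentiality but no integrity, so anyone who can write the ciphertext can silently corrupt or roll back blocks, and the container should therefore not be group- or world-writable. The sample fstab and the paths in it are constructed for the example.

```shell
#!/bin/sh
# Added example: sanity checks for a user-mountable encrypted loop entry.

# sample_fstab prints a constructed /etc/fstab; the last line mirrors the
# entry from the thread (container /opt/revo, mount point /home/revo/privat).
sample_fstab() {
    cat <<'EOF'
/dev/hda1   /boot               ext2   noauto,noatime   1 2
/dev/hda2   /                   ext3   noatime          0 1
/opt/revo   /home/revo/privat   ext2   defaults,loop,encryption=aes,keybits=256,user   0 0
EOF
}

# fstab_options FSTAB MOUNTPOINT: print the option field of the entry for
# MOUNTPOINT, or nothing if there is no such entry (comments are skipped).
fstab_options() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1"
}

# has_option OPTS NAME: true if the comma-separated OPTS contains NAME,
# either as a bare word or as NAME=value.
has_option() {
    case ",$1," in
        *",$2,"*|*",$2="*) return 0 ;;
    esac
    return 1
}

# check_crypt_entry FSTAB MOUNTPOINT: 0 if the entry is an encrypted loop
# mount that an unprivileged user may mount safely; otherwise print the
# reason and return 1.
check_crypt_entry() {
    opts=$(fstab_options "$1" "$2")
    [ -n "$opts" ] || { echo "no fstab entry for $2"; return 1; }
    has_option "$opts" loop       || { echo "$2: not a loop mount"; return 1; }
    has_option "$opts" encryption || { echo "$2: no encryption= option, data would be stored in clear"; return 1; }
    has_option "$opts" user       || { echo "$2: missing 'user', only root can mount it"; return 1; }
    # 'user' makes mount add nosuid,nodev,noexec; an explicit 'suid' or 'dev'
    # would undo that for a filesystem the user can fill with anything.
    ! has_option "$opts" suid     || { echo "$2: 'suid' overrides the implicit nosuid"; return 1; }
    ! has_option "$opts" dev      || { echo "$2: 'dev' overrides the implicit nodev"; return 1; }
    return 0
}

# check_container_perms FILE: 1 if group or others can write the container.
# Position 6 of the ls mode string is group write, position 9 is other write.
check_container_perms() {
    [ -e "$1" ] || { echo "$1: container missing"; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) echo "$1: writable by group or others ($mode)"; return 1 ;;
    esac
    return 0
}
```

Typical use on a real system would be `check_crypt_entry /etc/fstab /home/revo/privat && check_container_perms /opt/revo`; the functions only read, so they are safe to run at any time, and they exit non-zero with a one-line reason when something is off.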

----------

## FishNiX

 *chadders wrote:*   

> When I boot up I logon as root and run this script.  It asks for passphrase and mounts my /home.  It uses GPG and loop-AES and has keyfile on a floppy that i keep in my pocket so NOONE can get my /home without both ME and my passphrase:
> 
> mount /dev/fd0 /mnt/floppy
> 
> ln -s /mnt/floppy/.gnupg .gnupg
> ...

 

How do you have this working?  It seems that I don't need to do the losetup on boot, just a mount will do the trick, but either way, you still need the passphrase for the mount, right?

i'm trying to do something similar so this would be great to know.

thanks!

----------

## mmealman

 *slyzer wrote:*   

> Hi,
> 
> do you think that it is possible to combine this decryption using the standard PAM login? So if I login correctly in the console it will automatically decrypt the home-dir.
> 
> 

 

Bleh, just hack /bin/login to mount the loop device and /home dir if the user isn't root  :Smile: 

----------

## FishNiX

 *FishNiX wrote:*   

>  *chadders wrote:*   When I boot up I logon as root and run this script.  It asks for passphrase and mounts my /home.  It uses GPG and loop-AES and has keyfile on a floppy that i keep in my pocket so NOONE can get my /home without both ME and my passphrase:
> 
> mount /dev/fd0 /mnt/floppy
> 
> ln -s /mnt/floppy/.gnupg .gnupg
> ...

 

i just figured this out... use `--pass-fd 0` in mount  :Wink: 

----------

## fu_fish

 *revo wrote:*   

> hi!
> 
> for *one* user I'd like to have an encrypted /home/.
> 
> i would like to be asked for a password at boot, and then be able to work as the user after logging in.
> ...

 

Take a look at the August 2003 Linux Journal.

----------

