Linux Mint - Free and powerful

Sunday, 2 January 2011

Mirror: Encrypted home and swap partition on Ubuntu 10.10 Maverick with auto logon

How utterly annoying. This weekend I decided to go back to two-form-factor encryption and looked for my favorite tutorial at mazeoflies, only to find the site has been pulled and there are NO MIRRORS. I had to go and look for alternatives, as this process is quite tricky. I found something at MKnowles but that is broken as well! Doh!!!

So, here is an unmolested mirror (no changes apart from this text) backup of the gentoo-blog entry that I currently use to encrypt my home partition and swap. I am doing a scratch install today, so this tutorial is critical for me. Courtesy of Simon, and kudos to Simon of course.

I wish more folks would do mirrors, as sites get pulled at a moment's notice. I know this, as I had a very important site with thousands of hits a day that I just pulled when I left for Malaysia, so I guess I also frustrated others. Sorry.

If in doubt, go directly to the URL below.


Encrypted home and swap partition on Ubuntu 10.10 Maverick with auto logon

Simon | September 6, 2010
I wrote a howto about encrypting your home and swap partition a while ago. One thing was missing from the last howto: the login process with pam_mount. Please be careful following this howto; if you do anything wrong you may erase all of your data. You have been warned!
First install a few packages:
apt-get install cryptsetup libpam-mount
We will start off with the swap partition, which is easy. First deactivate your swap partition; you may need to remove it from /etc/fstab and reboot if it is in use:
swapoff /dev/sda7
Then fill your swap with random data from /dev/urandom:
dd if=/dev/urandom of=/dev/sda7 bs=1M
Configure encrypted swap in /etc/crypttab and /etc/fstab:
cat /etc/crypttab
cryptoswap /dev/sda7 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap
cat /etc/fstab
/dev/mapper/cryptoswap none swap sw 0 0
Okay, that's it; reboot to test. If you call top from a shell you should see a normal swap partition. Then run the following command; you should see something like this:
cryptsetup status cryptoswap
/dev/mapper/cryptoswap is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda7
offset: 0 sectors
size: 8401932 sectors
mode: read/write
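The swap setup above has two properties worth checking before you trust it: the mapping must take its key from /dev/urandom (a fresh key on every boot), and /etc/fstab must swap only on the mapper device, never on the raw partition as well. The following shell functions are an added example, not part of Simon's howto; they are pure text processing over constructed copies of the howto's crypttab, fstab and cryptsetup status output, so they run offline, and the check_swap_config wrapper applies the same checks to the real files.

```shell
#!/bin/sh
# Added example (not part of Simon's howto): sanity checks for the
# encrypted-swap setup above. The checks are pure text processing, so the
# constructed samples below run anywhere; on the real machine run as root:
#   check_swap_config /etc/crypttab /etc/fstab cryptoswap

# Return 0 if the crypttab text in $1 maps $2 with a key drawn from
# /dev/urandom and the "swap" option set. A fixed key file here would make
# the "throw-away key per boot" property of encrypted swap disappear.
crypttab_swap_ok() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        $1 == name && $3 == "/dev/urandom" && $4 ~ /(^|,)swap(,|$)/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Return 0 if every active swap line in the fstab text in $1 points at
# /dev/mapper/$2, i.e. the raw partition is no longer swapped on directly.
fstab_swap_ok() {
    printf '%s\n' "$1" | awk -v dev="/dev/mapper/$2" '
        /^[[:space:]]*#/ { next }
        $3 == "swap" { if ($1 == dev) ok = 1; else bad = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }'
}

# Print the key size reported in "cryptsetup status" output passed as $1.
status_keysize() {
    printf '%s\n' "$1" | awk '$1 == "keysize:" { print $2 }'
}

# Convenience wrapper for the real files: $1 crypttab, $2 fstab, $3 mapper name.
check_swap_config() {
    crypttab_swap_ok "$(cat "$1")" "$3" && fstab_swap_ok "$(cat "$2")" "$3"
}

# Constructed samples mirroring the howto's configuration (the root UUID is a placeholder).
SAMPLE_CRYPTTAB='cryptoswap /dev/sda7 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap'
SAMPLE_FSTAB='UUID=0000-root-placeholder / ext4 errors=remount-ro 0 1
/dev/mapper/cryptoswap none swap sw 0 0'
# A common mistake: the old raw swap line was left in place next to the new one.
BAD_FSTAB='/dev/sda7 none swap sw 0 0
/dev/mapper/cryptoswap none swap sw 0 0'
SAMPLE_STATUS='/dev/mapper/cryptoswap is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda7
offset: 0 sectors
size: 8401932 sectors
mode: read/write'

if crypttab_swap_ok "$SAMPLE_CRYPTTAB" cryptoswap && fstab_swap_ok "$SAMPLE_FSTAB" cryptoswap; then
    echo "swap config ok, key size $(status_keysize "$SAMPLE_STATUS") bits"
fi
```

The fstab check deliberately fails when both the raw partition and the mapper are listed: the kernel would happily use both, and the unencrypted one defeats the whole exercise.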
Ok, your swap partition is done; let's move on to /home. Make sure you have an empty partition for this; all data on the partition will be deleted. You've been warned.
Fill your new home partition with random data:
dd if=/dev/urandom of=/dev/sda8
Initialize the partition and set the initial key. Please make sure to use the same password for login and for the encrypted partition; otherwise pam_mount will not be able to unlock your home partition when you log in.
cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda8
Create a device mapping:
cryptsetup luksOpen /dev/sda8 cryptohome
Now you can create a file system on cryptohome:
mkfs.ext4 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/cryptohome
Okay, give your new home a test by closing it, reopening it and finally doing the first mount:
cryptsetup luksClose cryptohome
cryptsetup luksOpen /dev/sda8 cryptohome
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

mkdir -p /mnt/cryptohome
mount /dev/mapper/cryptohome /mnt/cryptohome
touch /mnt/cryptohome/linux
ls /mnt/cryptohome/
lost+found linux
We can also confirm that it works by issuing the command:
cryptsetup status cryptohome
/dev/mapper/cryptohome is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda8
offset: 2056 sectors
size: 20978771 sectors
mode: read/write
Now would be a good time to move your current home data to this partition. Back it up first, for example:

rsync -rptDuv /home/user/* /media/backup
or even better
sudo cp -rp /home/user /home/user.backup

And unmount the partition:
umount /mnt/cryptohome
cryptsetup luksClose cryptohome
To mount automatically when logging in, first edit /etc/security/pam_mount.conf.xml and add the following volume element:
<volume user="User" fstype="crypt" path="/dev/disk/by-uuid/6d53f51f-7c25-4b3d-aa15-f3594f4f49e1" mountpoint="/home" options="fsck,relatime" />
Make sure to replace User with your user name. You will also need to change the disk path: you can either use a device path like /dev/sda6 or a UUID, the Ubuntu way.
To find your UUID, use the following command:
blkid /dev/sda8
/dev/sda8: UUID="6d53f51f-7c25-4b3d-aa15-f3594f4f49e1" TYPE="crypto_LUKS"
After you have done that, make sure to comment out the entry for your /home partition in /etc/fstab. pam_mount will deal with mounting your /home partition now.
vi /etc/fstab
# /home is on /dev/sda8
#UUID=6d53f51f-7c25-4b3d-aa15-f3594f4f49e1 /home ext4 defaults 0 2
That's it; you should be safe to reboot now. The login process will take slightly longer than before because your home partition gets mounted in the background. The only downside I see with this setup is that you can't use it in a multi-user environment. I am the only user on my laptop so that doesn't really matter to me.
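The two places where this part of the procedure goes wrong in practice are the UUID in the pam_mount volume element (a typo, or the UUID of the wrong partition) and an /etc/fstab entry for /home that was not commented out and now competes with pam_mount for the same mountpoint. The shell functions below are an added example, not part of Simon's howto: they pull the UUID out of blkid output only if the partition really is a LUKS container, print the volume element for /etc/security/pam_mount.conf.xml, and flag an active /home line in fstab. The samples are constructed copies of the howto's own blkid and fstab lines, so the block runs offline; the comment at the top shows the calls to make against the real system.

```shell
#!/bin/sh
# Added example (not part of Simon's howto): derive the pam_mount volume
# element from blkid output and check that /etc/fstab no longer mounts
# /home itself. Text-only, so the constructed samples run offline; on the
# real machine, as root:
#   uuid=$(uuid_from_blkid "$(blkid /dev/sda8)")
#   pam_mount_volume user "$uuid"      # paste into /etc/security/pam_mount.conf.xml
#   fstab_home_active "$(cat /etc/fstab)" && echo "WARNING: /home still in fstab"

# Print the UUID from a blkid line in $1, but only when the partition
# really is a LUKS container; a plain ext4 partition here would mean the
# wrong device is about to become /home.
uuid_from_blkid() {
    uuid=$(printf '%s\n' "$1" | sed -n 's/.*UUID="\([^"]*\)".*TYPE="crypto_LUKS".*/\1/p')
    [ -n "$uuid" ] && printf '%s\n' "$uuid"
}

# Print the <volume> element for user $1 and LUKS UUID $2, the same entry
# as in the howto but with the by-uuid path filled in.
pam_mount_volume() {
    printf '<volume user="%s" fstype="crypt" path="/dev/disk/by-uuid/%s" mountpoint="/home" options="fsck,relatime" />\n' "$1" "$2"
}

# Return 0 if the fstab text in $1 still has an uncommented /home entry,
# which would compete with pam_mount for the same mountpoint.
fstab_home_active() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $2 == "/home" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed samples; the UUID is the one shown in the howto.
SAMPLE_BLKID='/dev/sda8: UUID="6d53f51f-7c25-4b3d-aa15-f3594f4f49e1" TYPE="crypto_LUKS"'
SAMPLE_BLKID_EXT4='/dev/sda8: UUID="6d53f51f-7c25-4b3d-aa15-f3594f4f49e1" TYPE="ext4"'
FSTAB_BEFORE='UUID=6d53f51f-7c25-4b3d-aa15-f3594f4f49e1 /home ext4 defaults 0 2'
FSTAB_AFTER='# /home is on /dev/sda8
#UUID=6d53f51f-7c25-4b3d-aa15-f3594f4f49e1 /home ext4 defaults 0 2'

if uuid=$(uuid_from_blkid "$SAMPLE_BLKID"); then
    pam_mount_volume user "$uuid"
fi
fstab_home_active "$FSTAB_AFTER" || echo "fstab: /home entry commented out, pam_mount owns it"
```

Using the by-uuid path rather than /dev/sda8 also protects against the device name shifting when a USB disk is plugged in at boot, which would otherwise leave pam_mount trying to unlock the wrong block device with your login password.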

HacKan | November 24, 2010
Hey, I tested it, and removing the "user" parameter in the volume line of the pam_mount.conf.xml file does allow multiuser login.
1- the password for the mount must be the same as for the user session
2- you can use different passwords for the volume, up to 8 with
cryptsetup luksAddKey /dev/sdXY
see here for more info:
You can also limit groups or a range of UIDs for the mount, see: man pam_mount.conf
I tested it with 2 users, both with the same password and using only 1 password for the volume. But it should work… I only have 1 user, so no need for this; but you could update your tutorial.
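HacKan's point that luksAddKey can fill up to eight slots cuts both ways: every enabled slot is a passphrase that unlocks /home, so an administrator wants to know how many are really in use. The following is an added example, not from the howto or the comment above: a shell filter that reads cryptsetup luksDump output and lists the enabled key slots, with a constructed sample in the LUKS1 format that the cryptsetup of that era prints (the iteration counts are made up).

```shell
#!/bin/sh
# Added example (not from the howto or the comment above): audit the LUKS
# key slots on a volume. Run against a real device as root with:
#   cryptsetup luksDump /dev/sda8 | enabled_slots
# The sample output below is constructed in the LUKS1 luksDump format.

# Read luksDump output on stdin and print the numbers of enabled slots,
# one per line ("Key Slot 0: ENABLED" -> "0").
enabled_slots() {
    awk '$1 == "Key" && $2 == "Slot" && $4 == "ENABLED" { sub(":", "", $3); print $3 }'
}

# Return 0 only if the luksDump text in $1 has exactly $2 enabled slots;
# useful as a cron check that no extra passphrase has been added unnoticed.
slot_count_is() {
    n=$(printf '%s\n' "$1" | enabled_slots | wc -l | tr -d ' ')
    [ "$n" -eq "$2" ]
}

# Constructed sample: two passphrases enrolled (slots 0 and 1), rest free.
SAMPLE_DUMP='LUKS header information for /dev/sda8

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha256
Payload offset: 2056
MK bits:        256

Key Slot 0: ENABLED
        Iterations:             123456
Key Slot 1: ENABLED
        Iterations:             123456
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

printf '%s\n' "$SAMPLE_DUMP" | enabled_slots
slot_count_is "$SAMPLE_DUMP" 2 && echo "2 slots enabled, as expected"
```

For a multi-user setup as HacKan describes, the expected count is simply the number of users who should be able to unlock the volume; anything above that deserves a look at who ran luksAddKey.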


Web sites come and go and information is lost and therefore some pages are archived. @rayd123. Powered by Blogger.