Encrypted /home partition using LUKS, pam_mount and LVM

In preparation for yet another cross-continent travel plan I finally decided to encrypt my home partition on my X61s laptop. I had to mess a bit with the pam_mount configuration file to make it work, so I thought I would share my notes. In the following I will briefly describe how I'm going to use a password-protected key stored on external media to encrypt my home partition. I'll use the same password used for the Xorg login to protect the key. So when you get asked to type in a password in the following examples, use your normal user password; pam_mount will pass that password to LUKS once you log in.

First start out by preparing a key:

KEY=`tr -cd '[:graph:]' < /dev/urandom | head -c 79`
echo $KEY | openssl aes-256-ecb > verysekrit.key

Then create an LVM volume for the home directory and substitute home with whatever you would like to name the logical volume:

lvcreate -L30G -nhome vg

Then we initialize the volume with our secret key and LUKS:

openssl aes-256-ecb -d -in verysekrit.key | cryptsetup -v --cipher aes-cbc-plain --key-size 256 luksFormat /dev/vg/home

Now let's test that we can open the encrypted volume, and format it:

openssl aes-256-ecb -d -in verysekrit.key | cryptsetup luksOpen /dev/vg/home myh_crypt
mkfs.ext3 /dev/mapper/myh_crypt

You can now mount it and sync over your old home like this:

mount /dev/mapper/myh_crypt /mnt/gentoo
rsync -va /home/username/* /mnt/gentoo/

Once everything is synced over we'll close the LUKS volume again:

cryptsetup luksClose myh_crypt

Now unmask and emerge pam_mount:

echo "sys-auth/pam_mount" >> /etc/portage/package.keywords
emerge -v pam_mount

Now configure pam_mount to first mount the SD card (/dev/mmcblk0p1) and then use the key to unlock the home partition by editing /etc/security/pam_mount.conf.xml. Note that if you store your secret key somewhere else, the first volume statement may be omitted.

<volume user="username" path="/dev/mmcblk0p1" mountpoint="/mnt/mmc" fstype="auto" />

<volume user="username" path="/dev/mapper/vg-username" mountpoint="/home/username" fstype="crypt" options="data=journal,commit=15" cipher="aes-cbc-plain" fskeypath="/mnt/mmc/verysekrit.key" fskeycipher="aes-256-ecb" fskeyhash="md5" />

Then configure PAM to use pam_mount by editing /etc/pam.d/system-auth. Add pam_mount to the auth section like this:

auth required pam_env.so
auth optional pam_mount.so
auth required pam_unix.so try_first_pass likeauth nullok

And to the sessions section like this:

session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
session optional pam_mount.so
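One thing worth checking before you log out and rely on this: pam_mount unwraps verysekrit.key by deriving the AES key from your login password with OpenSSL's legacy EVP_BytesToKey scheme, using the digest named in fskeyhash and the 8-byte salt that openssl enc stores after the "Salted__" magic. Newer OpenSSL releases (1.1.0 and later) default enc to -md sha256 instead of md5, so fskeyhash="md5" only matches a key file wrapped with -md md5. The following added example (not part of the original notes) reproduces that derivation with only the standard library, on a constructed key-file header and a placeholder password, so you can see that md5 and sha256 yield different wrapping keys:

```python
import hashlib

# openssl enc writes this magic, an 8-byte salt, then the ciphertext.
SALTED_MAGIC = b"Salted__"

# Constructed sample: magic + salt + one dummy ciphertext block (not a real key file).
SAMPLE_KEYFILE = SALTED_MAGIC + bytes(range(8)) + b"\x00" * 16

def evp_bytes_to_key(password, salt, key_len, iv_len, md):
    """OpenSSL's legacy EVP_BytesToKey with count=1:
    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt),
    concatenated until key_len + iv_len bytes are available."""
    out = b""
    prev = b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]

def parse_salted(blob):
    """Split an 'openssl enc' output into (salt, ciphertext)."""
    if not blob.startswith(SALTED_MAGIC) or len(blob) < 16:
        raise ValueError("not an openssl 'Salted__' key file")
    return blob[8:16], blob[16:]

def derive_wrap_key(blob, password, fskeyhash="md5"):
    """Key pam_mount would use for fskeycipher="aes-256-ecb" with the given
    fskeyhash. ECB has no IV, so only the 32-byte key is derived."""
    salt, _ = parse_salted(blob)
    key, _ = evp_bytes_to_key(password, salt, 32, 0, fskeyhash)
    return key

if __name__ == "__main__":
    pw = b"hunter2"  # placeholder, not a real password
    for h in ("md5", "sha256"):
        print(h, derive_wrap_key(SAMPLE_KEYFILE, pw, h).hex())
```

If the two hex strings differ for your key file, the fskeyhash attribute must name the digest openssl actually used when you ran `openssl aes-256-ecb` (pass -md md5 explicitly, or set fskeyhash="sha256").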


linux/gentoo-spezifisch/encrypted_home_partition_using_luks_pam_mount_and_lvm.txt · Last modified: 09.07.2013 21:33 (external edit)