Encrypting your swap, tmp, and per user's home directory on Fedora 9

Brace yourself, this isn't going to be an easy task but I will dumb it down as much as possible :). As a general rule, ALWAYS BACK UP IMPORTANT FILES before attempting any of the steps below. A mistake could potentially ruin your data.

This guide uses LUKS, which is included by default with Fedora 9.

1. Creating The Partitions

The first thing you need is 3 empty partitions on your disk. One will be for the swap, another for /tmp and another for your user's encrypted home directory. If you already have a swap partition you can use it without having to create a new partition. You can add more partitions if you're going to create more encrypted home directories.

To do all of that you can use your favorite disk partitioner. I personally prefer GParted, which you can install simply by running

yum install gparted

Start GParted and create 3 "unformatted" partitions. The size of each partition depends on your requirements and setup, but as a general rule the swap should be at least as large as your RAM, so for the swap we allocated 1 GB. There isn't a recommended size for the /tmp folder, but I gave it 1 GB although you will hardly ever reach 10% of that size. For the user's home partition we used 30 GB.

[Figure: GParted screenshot showing the partitioned disk]

/dev/sdc2	will be the swap partition (1GB)
/dev/sdc3	will be the encrypted home partition (30GB)
/dev/sdc4	will be the tmp partition (1GB)

2. Encrypting swap and /tmp

Securing swap and the /tmp folder is often overlooked even though they can potentially hold temporary data about your usage after you log off.

Encrypting the swap is as simple as creating an /etc/crypttab entry and an /etc/fstab entry. The /tmp folder, however, needs a little more work.

Start a console and switch to root then create the /etc/crypttab with the following contents:

swap	/dev/UR_SWAP_PARTITION	/dev/urandom	swap,cipher=aes-cbc-essiv:sha256
tmp	/dev/UR_TMP_PARTITION	/dev/urandom	tmp,cipher=aes-cbc-essiv:sha256

This gives your swap and tmp partitions a random key read from /dev/urandom and recreates them on every boot (cool eh? :D)

Next, edit /etc/fstab and add the following line:

/dev/mapper/swap	swap	swap	defaults	0 0

If you already have a swap partition (and this is probably the case), remove the line that mounts it. This is all there is to securing the swap! But we need to auto mount the tmp partition :( so create a new script in /etc/init.d called cryptotmp with the following contents:

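#!/bin/bash
#
# cryptotmp setup
#
# chkconfig: 2345 01 80
# description: adds crypted tmp partition

. /etc/init.d/functions

case "$1" in
	start)
		# Mount the mapping created from /etc/crypttab; action prints the
		# message and reports whether the mount command succeeded
		action $"Adding encrypted tmp" mount /dev/mapper/tmp /tmp
		# Restore the SELinux context on the freshly mounted /tmp
		restorecon /tmp
		touch /var/lock/subsys/cryptotmp
		;;
	stop)
		rm -f /var/lock/subsys/cryptotmp
		;;
	*)
		echo $"Usage: $0 {start|stop}"
		exit 1
		;;
esac
exit 0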

And chmod +x it as so

[root@yousif ~]$ chmod +x /etc/init.d/cryptotmp

We use chkconfig to automatically start the script on boot

[root@yousif ~]$ chkconfig --add cryptotmp

That's it! On the next restart we will have an encrypted swap and tmp
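A check worth running before that restart, as an added example that is not part of the original guide: it reads /etc/crypttab and /etc/fstab and reports a stored (non-random) key, a missing swap/tmp option, or an old plaintext swap line left in fstab. The function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit the swap and tmp setup.
# Prints one finding per line; prints nothing when both files match the guide.

audit_crypt_setup() {   # $1 = crypttab path, $2 = fstab path
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        FILENAME == ARGV[1] && ($1 == "swap" || $1 == "tmp") {
            seen[$1] = 1
            # A key file on disk survives reboots; the guide uses /dev/urandom
            if ($3 != "/dev/urandom")
                print "crypttab: " $1 " key is " $3 ", not /dev/urandom"
            # The swap/tmp option makes the boot scripts re-create the contents
            if (("," $4 ",") !~ ("," $1 ","))
                print "crypttab: " $1 " lacks the " $1 " option"
        }
        FILENAME == ARGV[2] && $3 == "swap" {
            if ($1 == "/dev/mapper/swap") mapped = 1
            else print "fstab: plaintext swap still enabled on " $1
        }
        END {
            if (!seen["swap"]) print "crypttab: no swap entry"
            if (!seen["tmp"])  print "crypttab: no tmp entry"
            if (!mapped)       print "fstab: /dev/mapper/swap is not used as swap"
        }
    ' "$1" "$2"
}

# Constructed sample files: the tmp entry uses a stored key and has no tmp
# option, and the old swap line was left in fstab.
demo=$(mktemp -d)
cat > "$demo/crypttab" <<'EOF'
swap /dev/sdc2 /dev/urandom  swap,cipher=aes-cbc-essiv:sha256
tmp  /dev/sdc4 /root/tmp.key cipher=aes-cbc-essiv:sha256
EOF
cat > "$demo/fstab" <<'EOF'
/dev/mapper/swap swap swap defaults 0 0
/dev/sda5        swap swap defaults 0 0
EOF
audit_crypt_setup "$demo/crypttab" "$demo/fstab"
rm -rf "$demo"
```

On a real system, call it as audit_crypt_setup /etc/crypttab /etc/fstab; no output means both files match what this section describes.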

3. Encrypting The User's Home Directory and Attaching pam_mount

There are two scenarios here. A) You want to encrypt an existing user's home directory or B) you want to create and encrypt a new user's directory.

You will have to have a separate partition for every user's encrypted home.

If you want to create a new user, simply add it using adduser or, in GNOME, navigate to System -> Administration -> Users and Groups. Due to an apparent bug in GNOME or possibly pam_mount, you must log in at least once using GDM after creating a new user account before being able to log in using pam_mount on an encrypted user's home. So if you are creating a new user, log off and log in before continuing with the next steps.

Before we do anything we back up the user's home directory, so switch to root and run the following command:

[yousif@yousif ~]$ su -
[root@yousif ~]$ cp -r -f -p -a /home/YOUR_USERNAME/. /root/YOUR_USERNAME

Next we make sure that pam_mount is installed, so run

[root@yousif ~]$ yum -y install pam_mount

Now we create the encrypted partition. The next command will ask for a password. MAKE SURE IT MATCHES THE USER'S PASSWORD, because pam_mount unlocks the partition with the password typed at login. If you don't like the user's password, change it before going through with the next step.

[root@yousif ~]$ cryptsetup --verbose --verify-passphrase luksFormat /dev/UR_USER_PARTITION

After formatting the encrypted partition we need to create a filesystem on it. You can use whatever filesystem you prefer. We will use ext3. So we open the encrypted partition using cryptsetup, format it using mke2fs, and close it in preparation for later steps.

[root@yousif ~]$ cryptsetup luksOpen /dev/UR_USER_PARTITION randomName
[root@yousif ~]$ mke2fs -j /dev/mapper/randomName
[root@yousif ~]$ cryptsetup luksClose randomName

We now need to attach pam_mount so that the encrypted home directory is mounted whenever we log in and unmounted when we log off.

We edit /etc/pam.d/system-auth and change the file so it looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        optional      pam_mount.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_mount.so

Notice that we added the second and the last lines to the file (the auth optional pam_mount.so and the session optional pam_mount.so).

We then edit /etc/security/pam_mount.conf.xml and add the following line right before the </pam_mount> closing tag:

<volume user="YOUR_USERNAME" fstype="crypt" path="/dev/UR_USER_PARTITION" mountpoint="/home/YOUR_USERNAME" />

Finally our setup is complete! One final step remains which is copying the home directory we backed up to the new location on the encrypted partition and deleting the old files.

First delete the contents of your /home/YOUR_USERNAME directory, hidden files included (a plain /home/YOUR_USERNAME/* glob skips dotfiles, which would then stay unencrypted underneath the mount point). As root do the following:

[root@yousif ~]$ find /home/YOUR_USERNAME -mindepth 1 -delete

Switch to your username. This should ask for a password and mount the encrypted partition on /home/YOUR_USERNAME. Then immediately switch to root and copy the contents of the backed up home to the mounted encrypted home directory like so:

[root@yousif ~]$ su YOUR_USERNAME
[YOUR_USERNAME@yousif ~]$ su -
[root@yousif ~]$ cp -r -f -p -a /root/YOUR_USERNAME/. /home/YOUR_USERNAME

Don't forget to delete the backup if everything went as expected but don't do it too soon just in case!

Exit the console, restart your computer, and enjoy your encrypted swap, /tmp, and your user's home directory!

IMPORTANT Notes:
  • Due to a known bug with pam_mount, logging off using GDM won't unmount the encrypted partition, leaving it available for access by anyone with root privileges. Restart instead of logging off. If you use the terminal (i.e. via ssh or simply the console), pam_mount successfully unmounts the encrypted partition.

    a few questions

    very nice howto!

    however, i think i found a small error:
    "cryptsetup luksClose /dev/UR_USER_PARTITION"
    should be:
    "cryptsetup luksClose randomName"

    (since you don't close the device but the mapping.)

    anyway,
    i tried this on a fedora 9 usb stick with the persistent option.

    it seems to work, but...
    after i log out from gnome with my new user account, mount tells me that the mapping still exists.
    is this correct?

    is there also some option to dismount the encrypted volume automagically after log out?

    and what happens if you login directly to a shell with the encrypted account instead of logging in with gdm? (didn't dare try yet ;) )

    Thanks for pointing out the

    Thanks for pointing out the error :)

    I can confirm that logging off using GDM doesn't umount the encrypted partition. I did some googling and found out that this is a known bug with pam_mount. As a workaround you'd have to execute

    umount -l /home/UR_USERNAME && /sbin/cryptsetup luksClose _dev_sdc3 
    

    Of course replacing UR_USERNAME and _dev_sdc3 with the appropriate names. You can place that in a script and put it in /etc/gdm/PostSession or wherever, not the best way but it works.

    I did log in using the shell and via ssh and pam_mount unmounted the encrypted volume on logoff so there is definitely something wrong with the combination of pam_mount and GDM.
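    The workaround from the reply above written as a session-end script, as an added example that is not part of the original thread: it uses a plain umount rather than umount -l, so a volume that is still busy is reported instead of being detached while its mapping stays open. It assumes GDM passes the user name in USER and that the mapping is named as in the reply (_dev_sdc3); the user alice and the sample mount table are constructed.

```shell
#!/bin/sh
# Added example (not the author's script): close an encrypted home at logout.
# Assumption: GDM exports USER to PostSession scripts. Names are hypothetical.

# Print the /dev/mapper name mounted on a user's home, reading a mount table
# in /proc/mounts format. Prints nothing if the home is not on a mapping.
home_mapping() {   # $1 = user, $2 = mounts file (default /proc/mounts)
    awk -v mp="/home/$1" '
        $2 == mp && $1 ~ "^/dev/mapper/" {
            sub("^/dev/mapper/", "", $1); name = $1
        }
        END { if (name != "") print name }
    ' "${2:-/proc/mounts}"
}

# Unmount the home and close its mapping. RUN=echo gives a dry run that
# prints the commands instead of executing them.
close_home() {     # $1 = user, $2 = mounts file
    map=$(home_mapping "$1" "$2")
    [ -n "$map" ] || return 0          # home is not on a mapping: nothing to do
    # Plain umount fails while files are open; umount -l would succeed anyway
    # and luksClose would then fail, leaving the key loaded in the kernel.
    ${RUN:-} umount "/home/$1" || {
        echo "busy: /home/$1 still in use, mapping $map left open" >&2
        return 1
    }
    ${RUN:-} /sbin/cryptsetup luksClose "$map"
}

# Constructed mount table for a dry run; in a PostSession script the call
# would be: close_home "$USER"
demo=$(mktemp)
cat > "$demo" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/mapper/tmp /tmp ext2 rw 0 0
/dev/mapper/_dev_sdc3 /home/alice ext3 rw 0 0
EOF
( RUN=echo; close_home alice "$demo" )
rm -f "$demo"
```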

    new version of pam different?

    Do the newer versions of pam not even have the system-auth file?

    I tried searching for a file that has a configuration similar to the one in system-auth, but failed.

    So where is one supposed to make the changes in the newer versions? /etc/pam.d/login?

    Does the /etc/pam.d/

    Does the /etc/pam.d/ directory exist? Are you sure pam_mount is installed?

    try /etc/pam.d/system-auth-ac instead of /etc/pam.d/system-auth (they are the same file symbolically linked).

    Yes. said folder exists. And

    Yes. said folder exists. And I would have checked the file you suggest had it been there.
    I have libpam-mount installed. Debian unstable.

    Ahha! I haven't been on a

    Ahha! I haven't been on a Debian based system for ages and the instructions posted here are for Fedora. You could check this excellent and similar guide for Debian based systems. The relevant section for attaching pam_mount is right before the end of the article starting with @include common-pammount.

    --Yousif
