Encrypted File Systems, Part 3

As described earlier, I’ve been trying to set up an encrypted home directory for my Ubuntu Linux system on my notebook computer, to protect my data if the hardware is stolen. I finally got my TrueCrypt drive formatted to a proper Linux file system; next up was figuring out how to automatically mount it when I logged in.

I’d heard about something called the Pluggable Authentication Modules package (PAM) that could be used to mount an encrypted home directory automatically on login, so I set out to find it. It didn’t take long: it can be found here. Unfortunately, neither of the module pages (here and here) mentions anything about TrueCrypt.

As it happens, I’d stumbled over a PAM TrueCrypt module while doing some other research a few days ago, so I knew one existed. I hadn’t thought to bookmark it, so I went hunting. It took several hours of searching, but persistence finally paid off — it’s available via Fabian Stäber’s TWiki page, here. (I’m also uploading it here, in case he shuts down his page at some point, since it looks like no one else has picked it up.) There are some limitations to it though… it apparently only works on encrypted partitions (as opposed to the file devices that TrueCrypt allows?), and the password for the drive has to be the same as the password for the login. Neither one is a problem in this case, so I went ahead with it.

I followed his installation directions (sudo apt-get install libpam0g-dev, unpacked the pam_truecrypt file, ran make in the directory I unpacked it to, and copied the resulting pam_truecrypt.so file to the /lib/security/ directory). So far, so good, but I didn’t have an encrypted home directory to use with it yet.

Between Windows XP and the virtual Linux machine, the hard drive on this laptop is crammed full, so I hauled out one of my external drives (the one I’d previously made the JFS-formatted TrueCrypt test file on), mounted the encrypted drive that’s on it, and copied my home directory to it. For those of you following along at home, the command I used is from this page:

$ cd /home/headgeek
$ find . -depth -print0 | cpio --null --sparse -pvd /mnt/newhome/headgeek
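Before wiping the original home directory, a practitioner would want proof that the copy is complete and that permissions (the 0700 on ~/.ssh, the 0600 on private keys) survived the trip. The script below is an added example, not code from the post: it wraps the find/cpio pipeline above in a function, falls back to tar when cpio is not installed (my assumption, not something the post mentions), and then compares a manifest of both trees (type, mode, path, and SHA-256 of regular files). It assumes GNU/busybox stat -c and sha256sum; filenames with embedded newlines are not handled.

```shell
#!/bin/sh
# Added example: copy a home directory the way the post does, then verify it.
# Assumes POSIX sh, find, stat -c (GNU/busybox), sha256sum, and cpio or tar.
set -u

# copy_tree SRC DST: replicate SRC into DST (created if missing).
# Uses the post's cpio pass-through pipeline; -depth makes find emit a
# directory after its contents, so cpio applies the directory's mode last.
copy_tree() {
    src=$1
    mkdir -p "$2" || return 1
    dst=$(cd "$2" && pwd -P)          # cpio needs the destination as seen after cd
    if command -v cpio >/dev/null 2>&1; then
        (cd "$src" && find . -depth -print0 | cpio --null --sparse -pd "$dst") 2>/dev/null
    else
        # Fallback (assumption): tar -p keeps modes, symlinks stay symlinks.
        (cd "$src" && tar -cf - .) | (cd "$dst" && tar -xpf -)
    fi
}

# manifest DIR: one sorted line per entry so two trees can be compared:
#   l PATH -> TARGET        (symlink)
#   d MODE PATH             (directory)
#   f MODE PATH SHA256      (regular file)
manifest() {
    (cd "$1" && find . ! -path . -print | LC_ALL=C sort | while IFS= read -r p; do
        if [ -L "$p" ]; then
            printf 'l %s -> %s\n' "$p" "$(readlink "$p")"
        elif [ -d "$p" ]; then
            printf 'd %s %s\n' "$(stat -c %a "$p")" "$p"
        elif [ -f "$p" ]; then
            printf 'f %s %s %s\n' "$(stat -c %a "$p")" "$p" "$(sha256sum < "$p" | cut -d' ' -f1)"
        else
            printf 'o %s\n' "$p"      # sockets, fifos: listed, not hashed
        fi
    done)
}

# verify_tree SRC DST: 0 if the manifests match, 1 (with a diff on stderr) if not.
verify_tree() {
    a=$(manifest "$1"); b=$(manifest "$2")
    if [ "$a" = "$b" ]; then
        echo "OK: $(printf '%s\n' "$a" | wc -l) entries match"
        return 0
    fi
    echo "MISMATCH between $1 and $2:" >&2
    t1=$(mktemp); t2=$(mktemp)
    printf '%s\n' "$a" > "$t1"; printf '%s\n' "$b" > "$t2"
    diff "$t1" "$t2" >&2 || true
    rm -f "$t1" "$t2"
    return 1
}

# Stand-alone usage: ./copy_verify.sh /home/headgeek /mnt/newhome/headgeek
if [ $# -eq 2 ]; then
    copy_tree "$1" "$2" && verify_tree "$1" "$2"
fi
```

Run it with the source and destination paths; a non-zero exit plus a diff on stderr tells you exactly which entry differs, which is far cheaper than discovering a missing .ssh directory after the original is gone.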

That took a while; it’s a slow drive. When it was done, I restarted the system in the GRUB “recovery mode” (the trick is to hit the Escape key as soon as you see the GRUB message appear). In this mode, you have to log in with the root password — fortunately, I’d set it previously. After entering it, I was logged in under the root account — don’t try this at home, kids, or be darned careful when you do.

Creating the TrueCrypt partition, and formatting it to JFS as described in part 2, took about five minutes. Then I restarted again and tried to log in under my user account… which of course failed, because I no longer had a home directory and all of the files necessary for a standard GNOME login.

There’s something to be said for nosiness. 🙂 I’d long ago explored the “options” button in the lower-left corner of the log-in screen, and discovered that it was possible to get to a failsafe terminal mode via the “select session” option there. That let me log in, mount the new TrueCrypt partition and my copy of the home directory on the external drive, copy the latter to the former (much faster in this direction), and add a line to each of the two files in the /etc/pam.d directory. For completeness, and so there’s a record of it for my reference later, the files and lines were:

(in /etc/pam.d/common-auth)
auth required pam_truecrypt.so headgeek /dev/hda7 /home/headgeek

(in /etc/pam.d/common-session)
session required pam_truecrypt.so headgeek /dev/hda7 /home/headgeek
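A mistyped line in common-auth can lock every account out of the machine, which is exactly why the failsafe terminal above was so valuable. The lint script below is an added example, not part of the post or of the pam_truecrypt project: it checks that each stack line has a valid type, a valid control field (single word or bracketed form), a module name ending in .so, and, for pam_truecrypt.so, the three arguments in the order the post uses (user, device under /dev, absolute mount point). That argument order is taken from the post's own lines, not from module documentation, so treat it as an assumption if your version differs.

```shell
#!/bin/sh
# Added example: syntax pre-check for /etc/pam.d stack lines before they go live.
# Assumes POSIX sh. The pam_truecrypt argument order (user device mountpoint)
# is an assumption taken from the post's config lines.

# check_pam_line LINE -> 0 if well-formed, 1 otherwise (reason on stderr).
check_pam_line() {
    line=$1
    set -f; set -- $line; set +f          # split on whitespace, no globbing
    [ $# -ge 3 ] || { echo "too few fields: '$line'" >&2; return 1; }
    case ${1#-} in                        # leading '-' only silences "module missing" logging
        auth|account|password|session) ;;
        *) echo "bad type '$1': $line" >&2; return 1 ;;
    esac
    shift
    case $1 in
        required|requisite|sufficient|optional|include|substack) ctl=$1; shift ;;
        \[*)
            # bracketed control, e.g. [success=1 default=ignore], spans several words
            ctl=$1; shift
            while [ $# -gt 0 ]; do
                case $ctl in *\]) break ;; esac
                ctl="$ctl $1"; shift
            done
            case $ctl in \[*\]) ;; *) echo "unterminated [control]: $line" >&2; return 1 ;; esac
            ;;
        *) echo "bad control '$1': $line" >&2; return 1 ;;
    esac
    [ $# -ge 1 ] || { echo "missing module after control: $line" >&2; return 1; }
    module=$1; shift
    case $module in
        *.so) ;;
        *) echo "module name should end in .so: '$module'" >&2; return 1 ;;
    esac
    if [ "$module" = pam_truecrypt.so ]; then
        [ $# -eq 3 ] || { echo "pam_truecrypt.so expects 3 args (user device mountpoint): $line" >&2; return 1; }
        case $2 in /dev/*) ;; *) echo "device should be under /dev: '$2'" >&2; return 1 ;; esac
        case $3 in /*) ;; *) echo "mountpoint must be an absolute path: '$3'" >&2; return 1 ;; esac
    fi
    return 0
}

# check_pam_file FILE -> 0 if every non-comment, non-blank line passes, else 1.
check_pam_file() {
    rc=0; n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        t=${l#"${l%%[![:space:]]*}"}      # strip leading whitespace
        case $t in ''|\#*) continue ;; esac
        check_pam_line "$t" || { echo "  at $1:$n" >&2; rc=1; }
    done < "$1"
    return $rc
}

# Stand-alone usage: ./pam_lint.sh /etc/pam.d/common-auth /etc/pam.d/common-session
for f in "$@"; do check_pam_file "$f" && echo "$f: ok"; done
```

Run it against a copy of the edited files before putting them in place; it catches field-order and path mistakes, but it does not prove the module loads, so keep a root shell or the failsafe session open while testing a fresh login.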

With that done, I exited the failsafe terminal, logged in normally… and everything worked! To make sure that it was all good, I did a complete shutdown and restart of the machine… success!

My data is once again safe from hardware thieves, and all is right with the world. 🙂

One Comment

  1. One problem that I’ve discovered: when I log out, the encrypted drive stays mounted. I’m researching a solution to that.
