This guide will lead thought the process of creating a encrypted container and automatically mount it as home partition.
This was tested with Ubuntu 20.04.
- Create a partition on a block device or add a new block device if you want to use it full.
- Consider save erasing the device before, if any sensible data was stored there before.
This guide will utilize cryptsetup to create a LUKS header on a given device.
⚠️ All data of the used partition or device will be lost.
Creation of the LUKS Header
Install ‘cryptsetup’ via APT.
sudo apt install cryptsetup
Use the command cryptsetup to setup the header. Replace the device with your block device or partition.
cryptsetup <options> luksFormat /dev/sdX
You can supply non standard options. See https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode for more information.
Create a Filesystem.
After creation of the header, the container can be encrypted.
cryptsetup open /dev/sdX <name>
The name can be chosen arbitrary for now. The service will create a block device on /dev/mapper/<name>. After that the file system can be created.
Note: The filesystem can be chosen freely.
Mount as Home Partition.
⚠️ At least one password of the above created container needs to match the password of the user that should login. If no password matches, the container cannot be unlocked!
Copy Content of Current Come Folder.
In order to mount the encrypted container as a home partition of a user, first the current data has to be copied:
mkdir /media/new_home mount /dev/mapper/<name> /media/new_home rsync -avx /home/<user>/ /media/new_home umount /media/new_home rm -rf /media/new_home
Note: In order to lock a container use cryptsetup close <name>.
Note: After the successful installation of the mounting process, delete /home/<user> via an admin account.
Automatically Mount the Container.
First the package libpam-mount-bin needs to be installed, enabling PAM to mount at login or other authentication actions.
sudo apt-get install libpam-mount-bin
Installing libpam-mount-bin creates a default configuration at /etc/security/pam_mount.conf.xml. Adding the following snipped after <!– Volume definitions –> will instruct PAM to unlock the given ‘path‘ with the user password from login and mount it to ‘mountpoint‘.
<volume user="<USER>" fstype="crypt" path="/dev/disk/by-uuid/<UUID>" mountpoint="/home/<USER>" options="fsck,relatime" />
To get the uuid, use ls and chose the device that was encrypted with the cryptsetup command from above.
ls /dev/disk/by-uuid/ -la
The Kernel might write data to the swap partition during system runtime. This data might not get erased and could be recoverable after shutdown or crash of the system.
During hibernation the password for the opened container will be written in plain text to disk. Therefore consider disabling hibernation or encrypt swap as well.
Note: Disabling swap completely on systems with more than 8 GB RAM can be considered safe.
TEMP Folder (/var/tmp)
The TEMP folder contains data that programs have usually currently in use. If a program opens data from the encrypted partition, the program can potentially have parts of the date stored to /var/tmp during execution. Intentionally or unintentionally this data can persist in /var/tmp after termination or a crash.
Usually the /var/tmp folder can be moved safely to RAM or can even be encrypted as well.
Note: Moving /var/tmp to RAM is commonly used by distributions and on single board computer and can be considered safe.
Note: Moving /var/tmp to RAM will cause a full data loss of temporary data during power failure or reboot.
Locate is a commonly used tool to quickly locate files in the file system. In order for this quick lookup, a database of the files is created and maintained.
Crawling and indexing the encrypted container during system run-time can pose a security risk. Consider therefor disabling crawling of the mounted container with correct configuration of /etc/updatedb.conf.