Differences between revisions 2 and 3
Revision 2 as of 2012-02-22 00:01:16
Size: 10909
Editor: PhilipJensen
Comment:
Revision 3 as of 2012-03-02 01:25:31
Size: 10911
Editor: PhilipJensen
Comment:
Deletions are marked like this. Additions are marked like this.
Line 245: Line 245:
- Can you read /etc/fuse.conf without sudo? If not, then run "sudo chgrp fuse /etc/fuse.conf"
- Can you run fusermount (or /bin/fusermount) as normal user? You should test this before logging off by running encfs to mount your encrypted home directory manually. If not, run `sudo chgrp fuse /bin/fusermount` and `sudo chmod 4750 /bin/fusermount`
   * Can you read /etc/fuse.conf without sudo? If not, then run "sudo chgrp fuse /etc/fuse.conf"
   * Can you run fusermount (or /bin/fusermount) as normal user? You should test this before logging off by running encfs to mount your encrypted home directory manually. If not, run `sudo chgrp fuse /bin/fusermount` and `sudo chmod 4750 /bin/fusermount`

{X} 2012-02-21: Document currently in draft, process to be re-tested on separate machine to ensure it is repeatable.

Transparent Encryption for a Home folder

The following steps have been completed on a Debian Squeeze setup to allow users on a desktop to encrypt their Home directory.

Problem Statement

Many organisations are requesting users encrypt their laptop to protect confidential information (customer names, internal contact details, etc). On many Windows systems this is problematic and intrusive. This procedure is to help Debian users configure their systems to encrypt/decrypt their Home folder auto-magically.

Process

On an up to date Debian system, install the following packages:-

aptitude install encfs libpam-encfs libpam-mount

Update configuration files

I have pasted the contents of my configuration files as the order of the insertions into the files is important and when I set this up the articles I referred to only had the file additions.

/etc/security/pam_encfs.conf

#Note that I dont support spaces in params
#So if your for example gonna specify idle time use --idle=X not -i X.

#If this is specified program will attempt to drop permissions before running encfs.
# (will not work with --public for example)
drop_permissions

#This specifies default encfs options
#encfs_default --idle=1
encfs_default

#Same for fuse, note that allow_root (or allow_other, or --public in encfs) is needed to run gdm/X.
fuse_default allow_root,nonempty

#- means match all, put any overrides over it.
#if - is in username it will take source path + "/$USER", and mount to $HOME

#USERNAME       SOURCE          TARGET PATH     ENCFS Options                   FUSE Options
#user           /home/.enc/user /home/user      -v,--idle=1,-test,-test2        allow_root
#-              /home/.enc      -               -v                              allow_other
#-              /home/.enc      -               -v                              allow_root
-               /home/.encfs    -       -v      -

/etc/security/pam_env.conf

This change is required to remove the annoying message "Cannot update ICEauthority /home/(user)/.ICEauthority. The last line of this example contains the change.

#
# This is the configuration file for pam_env, a PAM module to load in 
# a configurable list of environment variables for a 
# 
# The original idea for this came from Andrew G. Morgan ...
#<quote>
#   Mmm. Perhaps you might like to write a pam_env module that reads a
#   default environment from a file? I can see that as REALLY
#   useful... Note it would be an "auth" module that returns PAM_IGNORE
#   for the auth part and sets the environment returning PAM_SUCCESS in
#   the setcred function...
#</quote>
#
# What I wanted was the REMOTEHOST variable set, purely for selfish
# reasons, and AGM didn't want it added to the SimpleApps login
# program (which is where I added the patch). So, my first concern is
# that variable, from there there are numerous others that might/would
# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....
#
# Of course, these are a different kind of variable than REMOTEHOST in
# that they are things that are likely to be configured by
# administrators rather than set by logging in, how to treat them both
# in the same config file?
#
# Here is my idea: 
#
# Each line starts with the variable name, there are then two possible
# options for each variable DEFAULT and OVERRIDE. 
# DEFAULT allows and administrator to set the value of the
# variable  to some default value, if none is supplied then the empty
# string is assumed. The OVERRIDE option tells pam_env that it should
# enter in its value (overriding the default value) if there is one
# to use. OVERRIDE is not used, "" is assumed and no override will be
# done. 
#
# VARIABLE   [DEFAULT=[value]]  [OVERRIDE=[value]]
#
# (Possibly non-existent) environment variables may be used in values
# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
# be used in values using the @{string} syntax. Both the $ and @
# characters can be backslash escaped to be used as literal values
# values can be delimited with "", escaped " not supported.
# Note that many environment variables that you would like to use
# may not be set by the time the module is called.
# For example, HOME is used below several times, but 
# many PAM applications don't make it available by the time you need it.
#
#
# First, some special variables
#
# Set the REMOTEHOST variable for any hosts that are remote, default
# to "localhost" rather than not being set at all
#REMOTEHOST     DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
#
# Set the DISPLAY variable if it seems reasonable 
#DISPLAY                DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
#
#
#  Now some simple variables
#
#PAGER          DEFAULT=less
#MANPAGER       DEFAULT=less
#LESS           DEFAULT="M q e h15 z23 b80"
#NNTPSERVER     DEFAULT=localhost
#PATH           DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
#:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
#
# silly examples of escaped variables, just to show how they work.
#
#DOLLAR         DEFAULT=\$
#DOLLARDOLLAR   DEFAULT=        OVERRIDE=\$${DOLLAR}
#DOLLARPLUS     DEFAULT=\${REMOTEHOST}${REMOTEHOST}
#ATSIGN         DEFAULT=""      OVERRIDE=\@
#
# set the ICEAUTHORITY file location to allow GNOME to start on encfs $HOME
ICEAUTHORITY DEFAULT=/tmp/.ICEauthority_@{PAM_USER}

/etc/fuse.conf

# Set the maximum number of FUSE mounts allowed to non-root users.
# The default is 1000.
#
#mount_max = 1000

# Allow non-root users to specify the 'allow_other' or 'allow_root'
# mount options.
#
#user_allow_other
user_allow_other

/etc/pam.d/common-session

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required        pam_encfs.so 
session required        pam_unix.so 
session optional        pam_mount.so 
session optional                        pam_ck_connector.so nox11
# end of pam-auth-update config

/etc/pam.d/common-auth

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

auth    sufficient      pam_encfs.so
auth    [success=1 default=ignore]      pam_unix.so use_first_pass nullok_secure
#auth   required        pam_unix.so use_first_pass nullok_secure
#auth   required        pam_unix.so nullok_secure use_first_pass
# here are the per-package modules (the "Primary" block)
#auth   [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional        pam_mount.so 
# end of pam-auth-update config

Create the encrypted Home folder

! Don't reboot until you're sure everything's working!

Make the following changes from a standard command line (outside of a Gnome/X-session). Log off from your Gnome Session (Quit | Log out) and switch to a VT (Ctrl-Alt-F1)

Create necessary directories and set permissions (replace "username" with your username)

sudo mv /home/username /home/username.original
sudo mkdir -p /home/.encfs/username /home/username
sudo chown username.username /home/username /home/.encfs/username

Create encrypted folder (Problems with Permissions? See next section)

encfs -v /home/.encfs/username /home/username

Accept default options, or tinker with the encryption settings. I just used the default security rather than paranoid mode because paranoid mode doesn't support hard links apparently.

{i} SET THE PASSWORD TO BE THE SAME AS YOUR LOGIN PASSWORD

Copy or move your home folder into the encrypted folder. Check your disk space first as you will need to have enough free space to copy the files.

rsync -a --progress /home/username.original/ /home/username/

If things go wrong here you can be stuck with a system you cannot log in. You must test it before doing anything else. First, check you can run encfs /home/.encfs/username /home/username as a normal user (not sudo), as well as /bin/fusermount -u /home/username. If it does, use Ctrl-Alt-F2 to change to another VT and see if you can log in without any problems (make sure you're in the encrypted home directory!). Use Ctrl-Alt-F7 to go back to Gnome and test it there.

If you're extra-paranoid, consider adding another user and test it with that user first (you'll have to manually add him to the admin and fuse groups).

OK, if you're sure it works, you can reboot. If it does, log in and delete your username.original folder.

Permissions

If you get problems with permission, you might want to check this:

  • Can you read /etc/fuse.conf without sudo? If not, then run "sudo chgrp fuse /etc/fuse.conf"
  • Can you run fusermount (or /bin/fusermount) as normal user? You should test this before logging off by running encfs to mount your encrypted home directory manually. If not, run sudo chgrp fuse /bin/fusermount and sudo chmod 4750 /bin/fusermount

ref: http://wiki.geteasypeasy.com/Transparent_Encryption_for_home_folder