Transparently Decrypt Your Home Directory on Login

Update: This all works really well. I now encrypt my entire home directory on all of my machines, plus usually add other encrypted partitions for things I do not think need to be backed up as rigorously as my home directory.

Laptops are easily stolen. And these days, if you travel internationally, it is not uncommon for the thief to be Customs / Immigration agents who have the power to permanently seize your laptop on little or no grounds. Some thought should be given to protecting personal data, especially if setup seems easy.

In the title, I say "transparently" in the sense that once this is set up, login should work just like before. Under the hood, though, you will have an encrypted home directory, which is automatically mounted when you log in, and unmounted when you log out.

First step: Make a good backup. Messing with the partition table is risky business. Now use gparted to make space for an empty partition. Be warned that this might take a while on a really big disk, and making changes to your partitions is a process you really do not want to interrupt. So if you have a laptop, make sure your battery is charged to guard against power failures. Also note that changing the size of the encrypted partition later may not be easy, so be generous....

In Debian, install the packages cryptsetup and libpam-mount. Next we will create an encrypted volume out of the just-created empty partition hda7 (the commands below use /dev/sda8; substitute the device name of your own partition).

Create the encrypted volume:

cryptsetup luksFormat /dev/sda8

One of the noteworthy features of LUKS [3] is that it supports unlocking the encrypted volume with any one of several passwords. Now name the encrypted volume "mysecrets", and format it:

cryptsetup luksOpen /dev/sda8 mysecrets
mkfs.ext4 /dev/mapper/mysecrets

Mount the encrypted volume and write a test file, and then unmount:

mount /dev/mapper/mysecrets /home/user/
date > /home/user/date.txt
cat /home/user/date.txt
umount /home/user/
cryptsetup luksClose mysecrets

Now verify that mount.crypt from libpam-mount will open the encrypted volume:

mount.crypt /dev/sda8 /home/user/
cat /home/user/date.txt
umount.crypt /home/user/

Mount the Encrypted Volume Automatically on Login:

Unfortunately, at this point the advice from [1] stopped working for my circa November 2008 Debian installation. This was a bit disconcerting since [1] was only just published. However, a bit of poking around indicated that PAM is a bit of a complex beast, and that there was more than one way to get this to work. So next I tried the "Automagically mounting" section of [2].

As [2] says, for this to work, the user's login password must be the same as one of the passwords assigned to the LUKS-formatted encrypted volume we created in the preceding section.

Next we have to do something a little different than [2], since PAM has evolved a bit since [2] was written. Add the following block to /etc/security/pam_mount.conf.xml:

And that is it. user="username" means this block will only kick in when "username" logs in. The empty strings assigned to the last two parameters above apparently tell PAM to use the user's login password instead of a key file. Now log out, log back in, and you should find that /home/user/ has been automatically decrypted and mounted.

Note: There are sometimes permission problems on the first login that kick up some errors and lead to a read-only home directory. So, after the first login, do an Alt-Ctrl-F1 and log in as root. Then fix the permissions:

chown -R user:user /home/user
chmod -R 755 /home/user

Log out and log in again, and everything should work.

Future password changes must also be separately applied to the encrypted volume, i.e.

cryptsetup luksAddKey /dev/sda8

to first add a new password to the volume (up to a maximum of eight). Note that this will add the new password to the first empty slot, and not overwrite your current password, as the dialog might imply. Then change your Linux user password. And finally

cryptsetup luksDelKey /dev/sda8 0

to delete the oldest password, in the first slot, when you are ready. No rush. That is one of the advantages of using LUKS. Be very, very careful that there is always one working password available, or you will be permanently locked out.

cryptsetup luksDump /dev/sda8

will tell you which password slots are in use (among other things) but obviously will not tell you what the passwords are.
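The slot check described above can be automated before any key is deleted. The following is an added example, not part of the original post: the function names enabled_slots and can_delete_slot are hypothetical, the sample dump is constructed, and the parsing assumes the LUKS1 luksDump layout ("Key Slot N: ENABLED").

```shell
#!/bin/sh
# Added example: check LUKS key slots before deleting one.
# Assumes the LUKS1 luksDump layout: "Key Slot N: ENABLED|DISABLED".

# Constructed, trimmed sample of `cryptsetup luksDump /dev/sda8` output:
# slot 0 holds the old password, slot 1 the one just added.
SAMPLE_DUMP='LUKS header information for /dev/sda8
Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
        Key material offset:    8
Key Slot 1: ENABLED
        Key material offset:    264
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

# Read a luksDump on stdin; print enabled slot numbers on one line.
enabled_slots() {
    awk '$1 == "Key" && $2 == "Slot" && $4 == "ENABLED" {
             sub(/:$/, "", $3); printf "%s%s", sep, $3; sep = " "
         }
         END { print "" }'
}

# can_delete_slot SLOT: read a luksDump on stdin. Returns 0 only if SLOT
# is in use and at least one other slot stays enabled; 2 if SLOT is not
# in use; 1 if SLOT is the last working key.
can_delete_slot() {
    slot=$1; found=0; others=0
    for s in $(enabled_slots); do
        if [ "$s" = "$slot" ]; then found=1; else others=$((others + 1)); fi
    done
    if [ "$found" -ne 1 ]; then
        echo "slot $slot is not in use" >&2; return 2
    fi
    if [ "$others" -lt 1 ]; then
        echo "refusing: slot $slot is the only working key" >&2; return 1
    fi
    return 0
}

# Demo on the constructed dump. On a real system, pipe in
# `cryptsetup luksDump /dev/sda8` (run as root) instead.
printf '%s\n' "$SAMPLE_DUMP" | enabled_slots
printf '%s\n' "$SAMPLE_DUMP" | can_delete_slot 0 && echo "slot 0 may be deleted"
```

Current cryptsetup releases name the slot-removal action luksKillSlot, and LUKS2 volumes print their key slots in a different layout, so the awk pattern needs adjusting there.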

On a strategic note, if you are going to cross a border with your now-encrypted directory, I would suggest you create a dummy user account with a throw-away password. That way, if the immigration goons seize your laptop and insist that you give them "the password", you can give them one that does not matter, and in particular, does not unlock your encrypted directory. Likewise, make sure that the root password is not the same password as the user password that unlocks your encrypted partition, as they might be smart enough to demand the root password as well.