First, make sure you have ecryptfs and the related packages installed:

# yum install keyutils ecryptfs-utils pam_mount

Then you can either go the easy way:

# authconfig --enableecryptfs --updateall
# usermod -aG ecryptfs USER
# ecryptfs-migrate-home -u USER
# su - USER
$ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
(Write the unwrapped passphrase down for safe keeping.)
$ ecryptfs-insert-wrapped-passphrase-into-keyring ~/.ecryptfs/wrapped-passphrase

All done! Now you can log in via GDM or the console. ("su - user" will not work without running ecryptfs-mount-private.)

OR the hard way, which I followed. There are some benefits to going this route: it is a much more configurable install, which lets you select the cipher and key strength.

First enable ecryptfs:

# authconfig --enableecryptfs --updateall

Move your home directory out of the way, and make a new one:

# mv /home/user /home/user.old
# mkdir -m 700 /home/user
# chown user:user /home/user
# usermod -d /home/user.old user

Make a nice random-ish passphrase for your encryption:

# < /dev/urandom tr -cd '[:graph:]' | fold -w 64 | head -n 1 > /root/ecryptfs-passphrase

Mount the new /home/user with ecryptfs, and save the mount options it ends up with:

# mount -t ecryptfs /home/user /home/user
(choose passphrase, any cipher, any strength, plain text pass through, and encrypt file names)
# mount | grep ecryptfs > /root/ecryptfs_mount_options

Add a line to /etc/fstab using the ecryptfs options saved in /root/ecryptfs_mount_options above, together with the extra fstab options shown here (the example line carries the author's user name and key signatures; substitute your own):

/home/syncomm /home/syncomm ecryptfs rw,user,noauto,exec,relatime,ecryptfs_fnek_sig=113c5eeef8a05729,ecryptfs_sig=113c5e8ef7a05729,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough,ecryptfs_unlink_sigs 0 0

Wrap up the passphrase with the user's login password:

# ecryptfs-wrap-passphrase /root/.ecryptfs/wrapped-passphrase

Copy over the files to the new home directory:

# su - user
$ rsync -aP /home/user.old/ /home/user/

Unmount /home/user and set up the initial files for ecryptfs and pam_mount:

# umount /home/user
# usermod -d /home/user user
# mkdir /home/user/.ecryptfs
# cp /root/.ecryptfs/sig-cache.txt /home/user/.ecryptfs
# cp /root/.ecryptfs/wrapped-passphrase /home/user/.ecryptfs
# touch /home/user/.ecryptfs/auto-mount
# touch /home/user/.ecryptfs/auto-umount
# chown -R user:user /home/user/.ecryptfs
# su - user -c "ecryptfs-insert-wrapped-passphrase-into-keyring /home/user/.ecryptfs/wrapped-passphrase"

Now it gets interesting! Edit /etc/pam.d/postlogin and add the pam_mount.so entries, so that the whole file reads:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth optional pam_ecryptfs.so unwrap
auth optional pam_permit.so
auth optional pam_mount.so
password optional pam_ecryptfs.so unwrap
session optional pam_ecryptfs.so unwrap
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp silent
session optional pam_lastlog.so silent noupdate showfailed
session optional pam_mount.so

Edit /etc/security/pam_mount.conf.xml and replace the whole file with:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="0" />
<luserconf name=".pam_mount.conf.xml" />
<mntoptions allow="*" />
<mntoptions require="" />
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
<logout wait="0" hup="0" term="0" kill="0" />
<lclmount>/bin/mount -i %(VOLUME) "%(before=\"-o\" OPTIONS)"</lclmount>
</pam_mount>

Finally, create the per-user pam_mount configuration:

# su - user -c "vi /home/user/.pam_mount.conf.xml"

And add this:

<pam_mount>
<volume noroot="1" fstype="ecryptfs" path="/home/user" />
</pam_mount>

Now you can log in and see your decrypted files! ("su - user" will not work without running ecryptfs-mount-private.)

You should set up swap encryption for both of these methods with:

# ecryptfs-setup-swap

If you want to go that extra mile, you can symbolically link your /home/user/.ecryptfs/wrapped-passphrase to a flash drive and mount it at boot, or use autofs or some scripting to mount it on login (just in time for PAM to access it). However, if you are going to go that far, you should look into more CIA-level disk encryption, like TrueCrypt.
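An added helper for the /etc/fstab step of the hard way above (example code, not from the original post): it turns the line saved in /root/ecryptfs_mount_options into the fstab entry and checks that an fstab line carries the options the pam_mount noroot mount depends on. The sample mount line and its hex signatures are constructed placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: build the /etc/fstab entry the
# post asks for from the line saved in /root/ecryptfs_mount_options, and check
# that an fstab line carries the options pam_mount's noroot mount relies on.
# Assumes "mount" prints "<src> on <dst> type ecryptfs (<opts>)". The sample
# line and its hex signatures below are constructed placeholders.

# Turn one line of "mount" output into an fstab entry. On top of the kernel's
# own options it adds user (non-root mount), noauto (no mount at boot; pam_mount
# mounts at login) and exec, as in the post's fstab line.
fstab_from_mount_line() {
    set -- $(printf '%s\n' "$1" | sed 's/[()]//g')
    # After word splitting: $1=src $2=on $3=dst $4=type $5=fstype $6=opts
    [ "$2" = "on" ] && [ "$4" = "type" ] && [ "$5" = "ecryptfs" ] || return 1
    src=$1 dst=$3 opts=$6
    # Drop the leading "rw," so the extra options follow rw directly.
    case "$opts" in
        rw,*) opts=${opts#rw,} ;;
        rw)   opts= ;;
    esac
    printf '%s %s ecryptfs rw,user,noauto,exec%s%s 0 0\n' \
        "$src" "$dst" "${opts:+,}" "$opts"
}

# Succeed only if an ecryptfs fstab line has user and noauto plus both
# ecryptfs signatures; without them the login-time mount will not work.
fstab_line_ok() {
    opts=$(printf '%s\n' "$1" | awk '$3 == "ecryptfs" { print $4 }')
    [ -n "$opts" ] || return 1
    for want in user, noauto, ecryptfs_sig= ecryptfs_fnek_sig=; do
        case ",$opts," in
            *,"$want"*) ;;
            *) return 1 ;;
        esac
    done
}

# Constructed sample of what "mount | grep ecryptfs" printed after the
# manual mount; the signatures are placeholders, not real key signatures.
SAMPLE_MOUNT_LINE='/home/user on /home/user type ecryptfs (rw,relatime,ecryptfs_fnek_sig=0000000000000000,ecryptfs_sig=1111111111111111,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough,ecryptfs_unlink_sigs)'

# Print the fstab line for the sample and verify it.
demo() {
    line=$(fstab_from_mount_line "$SAMPLE_MOUNT_LINE") || return 1
    printf '%s\n' "$line"
    fstab_line_ok "$line"
}
```

Run it against your own saved line with fstab_from_mount_line "$(cat /root/ecryptfs_mount_options)" and paste the result into /etc/fstab.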
Not Working @ Fedora 21.