COBERTOS

LUKS Encryption for my Linux Mint user directory

Tags:infrastructure2tutorial2

linux

I just setup a new OS and decided I would put /home/cobertos on a separate partition and that I should full disk encrypt it. In my last Linux Mint install, I toggled the "Encrypt my home folder" option which apparently used eCryptfs to encrypt just the home folder. I was unaware of what the option really did until writing this post.

For this install, LUKS felt like a better fit as I wanted a separate user home partition anyway and eCryptfs has some downsides (see Filesystem-level Encryption heading) I could avoid.

Formatting

Before using my drive, I partitioned 1.7TB mapped at /dev/nvme0n1p4 with the intention that it would be mounted at /home/cobertos. Adding LUKS encryption was simple with cryptsetup

# -y is ask for password twice to verify
# Will interactively prompt for password and confirmation before formatting
cryptsetup -yv luksFormat /dev/nvme0n1p4

After formatting, I "opened" it, which creates a Device Mapper mapping to the unencrypted device at /dev/mapper/[name]

cryptsetup open /dev/nvme0n1p4 mydata

Then, on top of this mapped drive, I could format it however I wanted.

mkfs.ext4 /dev/mapper/mydata
mount /dev/mapper/root /mnt

And this was all I ended up needing to do for encrypting my home directory. Arch Wiki's dm-crypt/Encrypting an entire system details more if you want to encrypt the entire system root, which I don't need yet.

Backing up the LUKS header (best practice)

If the LUKS header gets damaged, which the cryptsetup man page calls "something people manage to do with surprising frequency", you lose all your data. So I also made a backup header file and stored it somewhere safe.

cryptsetup luksHeaderBackup /dev/nvme0n1p4 --header-backup-file luksHeaderBackup.bin

Restoring it is simple as luksHeaderRestore if you ever manage to mess up the header.

After all that, I copied all my data from my old eCryptfs-protected home directory after a bit of a struggle2. Now everything was safe in my new encrypted home directory. Yay! :3

Decrypting on Login

To be useful, the LUKS-encrypted partition needs to be decrypted at login and mounted to /home/cobertos. On Linux Mint, login authentication is handled by Pluggable Authentication Modules (PAM) which has a module called pam_mount that can handle decryption and mounting at login. The encryption password for /dev/nvme0n1p4 has to be the same as the login password for it to work.

I installed pam_mount, which is in libpam-mount for Linux Mint.

apt install libpam-mount

And configured my volume in /etc/security/pam_mount.conf.xml.

<!--There's some other boilerplate configuration in here that I omitted-->
<volume user="cobertos" fstype="auto" path="/dev/nvme0n1p4" mountpoint="/home/cobertos" options="fsck,noatime" />

And then I needed to make sure pam_mount.so was getting called when authenticating. In Linux Mint, it looks like this was already in the config3 /etc/pam.d/common-session with the line

# ...
session	optional	pam_mount.so
# ...

common-session gets included in most of the other /etc/pam.d/[service] files so this will apply for all of those PAM-aware services that check PAM before doing certain actions.

Deconstructing this specific line, it has a session type which is described in pam.conf to be (emphasis mine)

this module type is associated with doing things that need to be done for the user before/after they can be given service. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc.

The optional means the PAM stack will basically ignore the success/failure return of pam_mount.so . It's a little more intricate than this, but you're much better off reading the pam.conf man page if you want to understand it deeply. There's a lot of annoying subtleties.

Conclusion

And that's it! Hopefully I don't have to put this encryption to the test anytime soon. But knowing me and given years of time, it's likely I would probably forget my laptop and having my home encrypted would make me just a bit less anxious.

[1]: I saw LUKS and dm-crypt used very interchangably. According to the cryptsetup man page

The difference is that LUKS uses a metadata header and can hence offer more features than plain dm-crypt. On the other hand, the header is visible and vulnerable to damage.

PLAIN DM-CRYPT OR LUKS?Unless you understand the cryptographic background well, use LUKS. With plain dm-crypt there are a number of possible user errors that massively decrease security. While LUKS cannot fix them all, it can lessen the impact for many of them.

So LUKS seems like dm-crypt where the encryption information is stored in a header. Plus some sane defaults. I also found more on security.se.

[2]: Opening my previous eCryptfs-encrypted home directory was a real pain! I had never tested doing that before using it heavily. The previous Linux Mint installer made is so temptingly easy to just check the "Encrypt home directory" and forget about it I never put in the effort to dig deeply into it.

I kept getting an unsettling error from ecryptfs-mount-private.

mount: mount(2) failed: No such file or directory
ERROR: Failed to mount private data at [/tmp/ecryptfs.xxx].

Originally it was because I was using the wrong .Private directory. But even after using the right one, it still failed to mount. I tried some answers from StackOverflow but nothing worked. After messing with some answers, I tried the normal way and then it magically worked... So I just rolled with it and hope I don't need to do this again.

[3]: When I first opened /etc/pam.d/common-session it was already in the config. I'm not sure if this is because it was default, or if it was something that was regenerated after installing pam_mount by pam-auth-update.