I played with my new toy – HP Mini 5103 WT211ES. eCryptfs is not as enterprise-grade as they say. It started failing on Ubuntu 10.10, and it is also terribly slow, especially for seeking. So I was looking for a better solution. I didn’t want the full disk encryption which the alternative CD offers during the installation because the disk is very fast and the CPU is not so fast 🙂 I decided to make a separate partition to host my home directory and other private data.
First I booted into the Live CD to make the disk preparations. I split the disk into 3 partitions:
- 250 GB for root
- 60 GB encrypted partition
- 10 GB swap
For the encryption I decided to utilize aes-ecb-plain with a key size of 128 bits for its speed (I don’t need military grade safety). Partition formatting:
mkfs.ext4 /dev/sda1
cryptsetup luksFormat -c aes-ecb-null -s 128 /dev/sda2
cryptsetup luksOpen /dev/sda2 encpart
mkfs.ext4 /dev/mapper/encpart
cryptsetup luksClose encpart
mkswap /dev/sda3
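As an added example (not part of the original post and not cryptsetup's own tooling), a shell function that reads `cryptsetup luksDump` output and flags the cipher mode recorded in the header: a spec such as the `aes-ecb-null` chosen above means equal plaintext sectors encrypt to equal ciphertext, which a later review should catch. It assumes the LUKS1 header layout; the sample dumps are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the cipher spec a LUKS1
# header records, so the mode chosen at luksFormat time can be reviewed later.
# Reads `cryptsetup luksDump` output on stdin, prints
# "<cipher>-<mode> <bits> bits: <verdict>" and returns 0 for OK, 1 for WEAK.
audit_luks_mode() {
    dump=$(cat)   # read the header text once, then pick fields out of it
    cipher=$(printf '%s\n' "$dump" | awk '/^Cipher name:/ { sub(/^Cipher name:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }')
    mode=$(printf '%s\n' "$dump"   | awk '/^Cipher mode:/ { sub(/^Cipher mode:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }')
    bits=$(printf '%s\n' "$dump"   | awk '/^MK bits:/     { sub(/^MK bits:[ \t]*/, "");     sub(/[ \t\r]+$/, ""); print; exit }')
    case $mode in
        ecb*)      verdict=WEAK; rc=1 ;;    # no IV: equal sectors give equal ciphertext
        cbc-plain) verdict=WEAK; rc=1 ;;    # 32-bit plain IV: known watermarking weakness
        '')        verdict=UNKNOWN; rc=2 ;; # not a LUKS1 dump
        *)         verdict=OK; rc=0 ;;
    esac
    printf '%s-%s %s bits: %s\n' "$cipher" "$mode" "$bits" "$verdict"
    return $rc
}

# Constructed sample headers (no real devices), in LUKS1 luksDump layout.
# The first mirrors the luksFormat options used above.
SAMPLE_ECB_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    ecb-null
Hash spec:      sha1
Payload offset: 1032
MK bits:        128'

SAMPLE_XTS_DUMP='LUKS header information for /dev/sdb2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512'

# Demo on the constructed samples; on a real system:
#   cryptsetup luksDump /dev/sda2 | audit_luks_mode
for d in "$SAMPLE_ECB_DUMP" "$SAMPLE_XTS_DUMP"; do
    printf '%s\n' "$d" | audit_luks_mode || :
done
```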
My first idea was to have the encrypted partition mounted directly at /home/bobalice in the final system, but I wasn’t able to make the mount point owned by bobalice. So I created a directory home/bobalice on the encrypted partition and used a symbolic link to “attach” it. See below. After the disk preparation I ran an ordinary Ubuntu installation using the root and swap partitions.
The next step was to set up automatic mounting of the encrypted partition. It was fairly easy. I installed the package libpam-mount and added these lines to /etc/security/pam_mount.conf.xml:
<mkmountpoint enable="1" remove="true" />
<volume user="bobalice" fstype="crypt" path="/dev/disk/by-uuid/55f028b1-3306-4de6-b420-6478ea649604" mountpoint="/mnt/localcrypt" />
This tells pam_mount to perform the mount only when bobalice logs in. I advise referencing the partition by UUID, because sd* device names are not stable. Now when I log in as bobalice the partition is mounted and ready. Next:
mv /home/bobalice/.??* /enc/home/bobalice
rm -Rf /home/bobalice
usermod -d /enc/home/bobalice bobalice
Now I have my home directory on the encrypted partition.
GDM and initial chdir
My first idea for mapping the home directory was to use a symbolic link (ln -sf /enc/home/bobalice /home/bobalice), but it caused a little trouble with GDM. When I logged in through GDM, it changed directory to the path on the encrypted mount, following the symlink. It is not a big deal, but the current working directory was different from $HOME.