I played with my new toy – HP Mini 5103 WT211ES. eCryptfs is not as enterprise as they say. It started to fail on Ubuntu 10.10. And also it is terribly slow especially for seeking. So I was looking for a better solution. I didn’t want the full disk encryption which the alternative CD offers during the installation because the disk is very fast and the CPU is not so fast 🙂 I decided to make a separate partition to host my home directory and other private data.
First I booted into the Live CD to make the disk preparations. I split the disk into 3 partitions:
- 250 GB for root
- 60 GB encrypted partition
- 10 GB swap
For the encryption I decided to use AES in ECB mode (the aes-ecb-null spec below) with a 128-bit key for its speed (I don’t need military grade safety). Partition formatting:
mkfs.ext4 /dev/sda1
cryptsetup luksFormat -c aes-ecb-null -s 128 /dev/sda2
cryptsetup luksOpen /dev/sda2 encpart
mkfs.ext4 /dev/mapper/encpart
cryptsetup luksClose encpart
mkswap /dev/sda3
My first idea was to have the encrypted partition mounted directly at /home/bobalice in the final system, but I wasn’t able to make the mount point owned by bobalice. So I created a directory home/bobalice on the encrypted partition and used a symbolic link to “attach” it. See below. After the disk preparation I ran an ordinary Ubuntu installation using the root and swap partitions.
Login mount
The next step was to set up automatic mounting of the encrypted partition. It was fairly easy. I installed the package libpam-mount and added these lines to /etc/security/pam_mount.conf.xml:
<mkmountpoint enable="1" remove="true" />
<volume user="bobalice" fstype="crypt" path="/dev/disk/by-uuid/55f028b1-3306-4de6-b420-6478ea649604" mountpoint="/mnt/localcrypt" />
This tells pam_mount to perform the mount only when bobalice logs in. I advise using the by-uuid partition reference because sd* device names are not constant. Now if I log in as bobalice the partition is mounted and ready. Next:
mv /home/bobalice/.??* /enc/home/bobalice
rm -Rf /home/bobalice
usermod -d /enc/home/bobalice bobalice
Now I have my home directory on the encrypted partition.
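The two settings above, the cryptsetup cipher spec and the pam_mount volume path, are the ones worth checking before trusting such a setup. The following is an added example, not code from the original post: a small POSIX shell audit that flags an ECB cipher spec (cryptsetup specs have the form cipher-mode-ivgen; ECB mode encrypts identical plaintext blocks to identical ciphertext blocks, so file contents and disk layout leak patterns) and checks that a volume element references the partition by a stable identifier rather than a kernel device name. The verdict words and the sample volume lines are this example's own.

```shell
# Added example (not from the original post): audit a cryptsetup cipher spec
# and a pam_mount <volume .../> line for the two points discussed above.

# Print a one-word verdict for a cryptsetup "cipher-mode-ivgen" spec:
#   weak    : ECB mode, identical plaintext blocks give identical ciphertext
#   ok      : any other mode (cbc-essiv:sha256, xts-plain64, ...)
#   invalid : no mode field at all
cipher_mode_verdict() {
  # the second dash-separated field is the mode, e.g. "ecb" in "aes-ecb-null";
  # -s makes cut print nothing when the spec has no dash
  mode=$(printf '%s\n' "$1" | cut -s -d- -f2)
  case "$mode" in
    ecb) echo weak ;;
    '')  echo invalid ;;
    *)   echo ok ;;
  esac
}

# Return 0 when a pam_mount volume path uses a stable identifier
# (/dev/disk/by-uuid, /dev/disk/by-label, UUID= or LABEL=), 1 when it uses
# a kernel device name such as /dev/sda2 that may change between boots.
volume_path_is_stable() {
  case "$1" in
    /dev/disk/by-uuid/*|/dev/disk/by-label/*|UUID=*|LABEL=*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the value of attribute $1 from a single-line element text $2.
xml_attr() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# Print "stable:<path>" or "unstable:<path>" for one <volume .../> line.
audit_volume() {
  path=$(xml_attr path "$1")
  if volume_path_is_stable "$path"; then
    echo "stable:$path"
  else
    echo "unstable:$path"
  fi
}

# Constructed sample lines: the first mirrors the post's configuration,
# the second is a deliberately fragile variant using a kernel device name.
SAMPLE_GOOD='<volume user="bobalice" fstype="crypt" path="/dev/disk/by-uuid/55f028b1-3306-4de6-b420-6478ea649604" mountpoint="/mnt/localcrypt" />'
SAMPLE_BAD='<volume user="bobalice" fstype="crypt" path="/dev/sda2" mountpoint="/mnt/localcrypt" />'

for spec in aes-ecb-null aes-cbc-essiv:sha256 aes-xts-plain64; do
  echo "$spec: $(cipher_mode_verdict "$spec")"
done
audit_volume "$SAMPLE_GOOD"
audit_volume "$SAMPLE_BAD"
```

Running the script prints a verdict per cipher spec (weak for the post's aes-ecb-null, ok for the CBC and XTS specs) followed by a stable/unstable line for each sample volume element; the same functions can be fed the spec and volume line from a real configuration.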
GDM and initial chdir
My first idea for mapping the home directory was to use a symbolic link (ln -sf /enc/home/bobalice /home/bobalice), but it caused a little trouble with GDM. When I logged in with GDM it changed directory to the path on the encrypted mount, i.e. it followed the symlink. It is not a big deal, but the current working directory was different from $HOME.
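The symlink behaviour described above can be reproduced without GDM. The following is an added example, not code from the original post: it builds the post's layout (a real home directory on the "encrypted" side and a symlink under home/) inside a temporary directory and shows that the logical working directory, which is what $HOME-based code expects, differs from the physical one that a program obtains after the kernel resolves the symlink. The directory names mirror the post; the temporary base directory and the helper names are this example's own.

```shell
# Added example (not from the original post): show the logical/physical
# working-directory mismatch when $HOME is a symlink.

# Build the layout under a fresh temporary directory and print its base.
# The base is taken as a physical path so that systems where the temp
# directory itself is a symlink do not skew the comparison.
make_symlinked_home() {
  base=$(cd "$(mktemp -d)" && pwd -P)
  mkdir -p "$base/enc/home/bobalice" "$base/home"
  ln -s "$base/enc/home/bobalice" "$base/home/bobalice"
  printf '%s\n' "$base"
}

# Logical working directory after cd'ing through the symlink: the path a
# shell tracks in $PWD, matching the $HOME value the user configured.
logical_cwd() { (cd "$1" && pwd -L); }

# Physical working directory: the resolved path a program obtains from
# getcwd() after chdir(), which is where the post's GDM session ended up.
physical_cwd() { (cd "$1" && pwd -P); }

# Return 0 when the physical cwd for a home path equals that path,
# 1 when the symlink makes them differ.
cwd_matches_home() { [ "$(physical_cwd "$1")" = "$1" ]; }

base=$(make_symlinked_home)
home="$base/home/bobalice"
echo "HOME         : $home"
echo "logical cwd  : $(logical_cwd "$home")"
echo "physical cwd : $(physical_cwd "$home")"
if cwd_matches_home "$home"; then
  echo "no mismatch"
else
  echo "mismatch: a process that resolves the symlink lands outside \$HOME"
fi
rm -rf "$base"
```

The post's later fix of pointing the account's home directly at the real path with usermod removes the mismatch because cwd_matches_home then holds for the configured home.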
You really shouldn’t use ECB mode for encryption. See for example https://secure.wikimedia.org/wikipedia/en/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29
Default CBC mode is only marginally slower and much safer.
Also, encryption can support multicore CPUs since kernel version 2.6.38 for extra speed.
Comment by TK — 2011-10-22 @ 14:29
I know but I don’t need strong protection. If there is some kind of a simple XOR encryption in the kernel I would use it. I need only a simple protection for a case when some junkie will steal my bag on the street. I don’t expect industrial espionage against me. I tried CBC as well but it is 10 % slower on this notebook.
Comment by admin — 2011-10-24 @ 10:40