Ubuntu encrypted home

Filed under: Uncategorized — admin @ 2011-03-18 19:04

I played with my new toy, an HP Mini 5103 WT211ES. eCryptfs is not as enterprise-grade as they say: it started to fail on Ubuntu 10.10, and it is also terribly slow, especially for seeking. So I was looking for a better solution. I didn’t want the full-disk encryption that the alternate CD offers during installation, because the disk is very fast and the CPU is not so fast 🙂 I decided to make a separate partition to host my home directory and other private data.

First I booted into the Live CD to make the disk preparations. I split the disk into 3 partitions:

  • 250 GB for root
  • 60 GB encrypted partition
  • 10 GB swap

For the encryption I decided to use aes-ecb-plain with a 128-bit key for its speed (I don’t need military-grade security). Partition formatting:

mkfs.ext4 /dev/sda1
cryptsetup luksFormat -c aes-ecb-null -s 128 /dev/sda2
cryptsetup luksOpen /dev/sda2 encpart
mkfs.ext4 /dev/mapper/encpart
cryptsetup luksClose encpart
mkswap /dev/sda3
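The luksFormat line above selects ECB mode. ECB ignores the per-sector IV entirely, so two identical plaintext blocks anywhere on the partition (free space full of zeros, a file with repetitive content) produce identical ciphertext blocks, which is the issue the first comment on this post raises. The following added example, which is not code from the original post, makes that visible: a toy Feistel block cipher stands in for AES (it is a constructed stand-in, not a real cipher), one function encrypts sectors ECB-style, another uses CBC with dm-crypt's documented "plain" IV (the 32-bit little-endian sector number zero-padded to a block), and a counter reports how many ciphertext blocks repeat across a constructed four-sector disk image. The key, the cipher and the image are all made up for the example.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16    # bytes per cipher block, as for AES
SECTOR = 512  # bytes per disk sector, the unit dm-crypt encrypts with a fresh IV


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Keyed round function: first 8 bytes of HMAC-SHA256(key, round_index || half).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key, block):
    """Stand-in for AES: a 4-round Feistel network over 16-byte blocks.
    A deterministic keyed permutation is all a mode comparison needs;
    this is a constructed toy, not a cipher to protect anything with."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def toy_block_decrypt(key, block):
    """Inverse of toy_block_encrypt (rounds applied in reverse order)."""
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def encrypt_sector_ecb(key, sector_no, data):
    """ECB: each block is encrypted independently and the sector number (IV) is
    ignored, so equal plaintext blocks give equal ciphertext blocks anywhere on disk."""
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def encrypt_sector_cbc_plain(key, sector_no, data):
    """CBC with dm-crypt's 'plain' IV: the 32-bit little-endian sector number,
    zero-padded to one block, chained through the blocks of the sector."""
    prev = sector_no.to_bytes(4, "little") + bytes(BLOCK - 4)
    out = []
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def encrypt_image(key, image, mode):
    """Encrypt a whole image sector by sector, passing the sector number as IV input."""
    return b"".join(mode(key, n, image[off:off + SECTOR])
                    for n, off in enumerate(range(0, len(image), SECTOR)))


def duplicate_blocks(ciphertext):
    """Number of ciphertext blocks that occur more than once: this is structure
    visible to anyone who reads the raw partition without knowing the key."""
    counts = Counter(ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK))
    return sum(c for c in counts.values() if c > 1)


def sample_image():
    """Constructed 4-sector 'disk': two all-zero sectors (free space), one sector of a
    repeating 16-byte pattern (a repetitive file) and one sector of 32 distinct blocks."""
    zeros = bytes(SECTOR)
    pattern = bytes(range(BLOCK)) * (SECTOR // BLOCK)
    distinct = b"".join(i.to_bytes(BLOCK, "big") for i in range(1, SECTOR // BLOCK + 1))
    return zeros + zeros + pattern + distinct


def compare_modes(key=b"constructed-example-key"):
    """Repeated ciphertext blocks per mode for the sample image (128 blocks in total)."""
    image = sample_image()
    return {
        "ecb": duplicate_blocks(encrypt_image(key, image, encrypt_sector_ecb)),
        "cbc-plain": duplicate_blocks(encrypt_image(key, image, encrypt_sector_cbc_plain)),
    }


if __name__ == "__main__":
    for mode, dups in compare_modes().items():
        print(f"{mode:10s} repeated ciphertext blocks: {dups} of {4 * SECTOR // BLOCK}")
```

With ECB, 96 of the 128 ciphertext blocks are repeats (the 64 zero blocks all encrypt to one value, the 32 pattern blocks to another), so the layout of free space and repetitive data is readable from the raw partition. With a per-sector IV and chaining, none repeat; the same holds for real AES, since the property comes from the mode, not the cipher.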

My first idea was to mount the encrypted partition directly at /home/bobalice in the final system, but I wasn’t able to make the mount point owned by bobalice. So I created a directory home/bobalice on the encrypted partition and used a symbolic link to “attach” it; see below. After the disk preparation I ran an ordinary Ubuntu installation using the root and swap partitions.

Login mount

The next step was to set up automatic mounting of the encrypted partition. It was fairly easy: I installed the package libpam-mount and added these lines to /etc/security/pam_mount.conf.xml:

<mkmountpoint enable="1" remove="true" />
<volume user="bobalice" fstype="crypt"
    path="/dev/disk/by-uuid/55f028b1-3306-4de6-b420-6478ea649604"
    mountpoint="/mnt/localcrypt" />

This says the mount should be performed only when bobalice logs in. I advise referencing the partition by UUID, because sd* device names are not stable. Now when I log in as bobalice the partition is mounted and ready. Next:

mv /home/bobalice/.??* /enc/home/bobalice
rm -Rf /home/bobalice
usermod -d /enc/home/bobalice bobalice

Now I have my home directory on the encrypted partition.
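A quick way to check that a pam_mount.conf.xml follows the advice above (volumes referenced by UUID, fstype set to crypt, an absolute mount point, mkmountpoint enabled) is to parse the file and lint each volume element. This is an added example, not part of the original post or of pam_mount itself; the bobalice volume and its UUID are copied from the fragment above, while the second user "carol", its device and its mount point are made up to show what a warning looks like.

```python
import xml.etree.ElementTree as ET

# Constructed pam_mount.conf.xml in the style of the post's fragment. The bobalice
# volume is the one from the post; the carol volume is invented for this example.
SAMPLE_CONF = """<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
  <mkmountpoint enable="1" remove="true" />
  <volume user="bobalice" fstype="crypt"
      path="/dev/disk/by-uuid/55f028b1-3306-4de6-b420-6478ea649604"
      mountpoint="/mnt/localcrypt" />
  <volume user="carol" fstype="crypt" path="/dev/sda5" mountpoint="mnt/carol" />
</pam_mount>
"""


def lint_volumes(conf_xml):
    """Return a list of (user, path, problems) for every <volume> element.
    An empty problem list means the entry follows the recommendations above."""
    root = ET.fromstring(conf_xml)
    mkmountpoint = root.find("mkmountpoint")
    findings = []
    for vol in root.iter("volume"):
        user = vol.get("user", "(unspecified)")
        path = vol.get("path", "")
        mountpoint = vol.get("mountpoint", "")
        problems = []
        # sd* names can change between boots; a by-uuid link always names the same filesystem.
        if not path.startswith("/dev/disk/by-uuid/"):
            problems.append("device given by an unstable name; use /dev/disk/by-uuid/<UUID>")
        # fstype="crypt" is what makes pam_mount open the volume with cryptsetup first.
        if vol.get("fstype") != "crypt":
            problems.append("fstype should be 'crypt' for a LUKS volume")
        if not mountpoint.startswith("/"):
            problems.append("mountpoint must be an absolute path")
        # Without mkmountpoint the directory under /mnt has to exist before login.
        if mkmountpoint is None or mkmountpoint.get("enable") != "1":
            problems.append("mkmountpoint is not enabled; the mount point must already exist")
        findings.append((user, path, problems))
    return findings


def format_report(findings):
    """Render findings as one status line per volume plus indented problem lines."""
    lines = []
    for user, path, problems in findings:
        lines.append(f"{'WARN' if problems else 'OK  '} user={user} path={path}")
        lines.extend(f"      - {p}" for p in problems)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(lint_volumes(SAMPLE_CONF)))
```

To run it against a real system, read /etc/security/pam_mount.conf.xml into `lint_volumes` instead of `SAMPLE_CONF`; the by-uuid path it reports can then be checked with `ls -l /dev/disk/by-uuid/` before the next login.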

GDM and initial chdir

My first idea for mapping the home directory was a symbolic link (ln -sf /enc/home/bobalice /home/bobalice), but it caused a little trouble with GDM. When I logged in with GDM it changed directory to the path on the encrypted mount, i.e. it followed the symlink. It is not a big deal, but the current working directory was different from $HOME.

2 Comments

  1. You really shouldn’t use ECB mode for encryption. See for example https://secure.wikimedia.org/wikipedia/en/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29
    Default CBC mode is only marginally slower and much safer.
    Also, encryption can support multicore CPUs since kernel version 2.6.38 for extra speed.

    Comment by TK — 2011-10-22 @ 14:29

  2. I know, but I don’t need strong protection. If there were some kind of simple XOR encryption in the kernel I would use it. I need only simple protection for the case when some junkie steals my bag on the street. I don’t expect industrial espionage against me. I tried CBC as well, but it is 10 % slower on this notebook.

    Comment by admin — 2011-10-24 @ 10:40
