How to create encrypted loopback images with dm-crypt and LUKS + automatically mounting them after login with pam_mount
I recommend using Debian squeeze for this scenario, as lenny ships a very old version of libpam-mount and I had lots of problems when I tried using it.
1. Make sure you have the required kernel modules loaded. If you use the stock Debian kernel, this will be the case. If you don't, make sure you've set the following options:
Additionally, you need to include support for at least one cipher.
In make menuconfig, you can find the required kernel options at the following locations:
    Device Drivers --->
        Multi-device support (RAID and LVM) --->
            <*> Device mapper support
            <*> Crypt target support
    Cryptographic options --->
To avoid a reboot, you can build all of these options as modules. If you choose to do so, you can later load the modules with modprobe.
2. Install the required packages
3. Generate a random key and assign it to a variable for later use
KEY=$(tr -cd '[:graph:]' < /dev/urandom | head -c 79)
4. Encrypt the key and save it to a file. openssl will prompt for a passphrase; this has to be the login password of the user, because pam_mount later decrypts the key file with the password entered at login.
echo "$KEY" | openssl aes-256-cbc > container.key
5. Create the loopback file and fill it with random data
dd if=/dev/urandom of=~/container.img bs=1G count=10
This will create a 10GB file and fill it with random data taken from /dev/urandom. Alternatively, fill it with zeros, which is much faster but leaves the unused part of the container distinguishable from encrypted data:
dd if=/dev/zero of=~/container.img bs=1G count=10
6. Set up a loop device
losetup /dev/loop0 ~/container.img
7. LuksFormat it
echo "$KEY" | cryptsetup -v -c aes -s 256 luksFormat /dev/loop0
8. Open it
cryptsetup luksOpen /dev/loop0 container
9. Make a filesystem of your choice
10. Close it and delete the loop device
cryptsetup luksClose container && losetup -d /dev/loop0
11. Configure pam_mount (/etc/security/pam_mount.conf.xml)
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <debug enable="1" />
  <mkmountpoint enable="1" remove="true" />
  <msg-sessionpw>reenter password for pam_mount:</msg-sessionpw>
  <volume user="foobar"
          path="/home/foobar/container.img"
          mountpoint="/home/foobar/containercontents"
          options="cipher=aes-cbc-essiv:sha256,hash=sha512,keysize=256"
          fstype="crypt"
          fskeycipher="aes-256-cbc"
          fskeypath="/home/foobar/container.key"
          fskeyhash="md5" />
</pam_mount>
Using this configuration the image /home/foobar/container.img will get mounted into /home/foobar/containercontents when the user foobar logs in.
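As an added check that is not part of the original howto: for a LUKS container cryptsetup takes cipher, mode and key size from the on-disk header, so the options in the volume element should simply agree with what luksFormat actually wrote. The script below parses a LUKS1 header (the format cryptsetup of that era produced) and compares it with the pam_mount volume entry; the header bytes and the config text used here are constructed samples, and on a real system you would feed it the first 592 bytes of the image file.

```python
import struct
from xml.etree import ElementTree as ET

# LUKS1 on-disk header, big-endian (per the LUKS1 specification): 208 bytes of
# fixed fields up to the UUID, followed by eight 48-byte key slots (592 bytes total).
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
HEADER_LEN = PHDR.size + 8 * 48

# Constructed sample of the page's pam_mount volume entry (not read from a real system).
SAMPLE_CONF = """<pam_mount><volume user="foobar" path="/home/foobar/container.img"
  mountpoint="/home/foobar/containercontents" fstype="crypt" fskeyhash="md5"
  options="cipher=aes-cbc-essiv:sha256,hash=sha512,keysize=256"
  fskeycipher="aes-256-cbc" fskeypath="/home/foobar/container.key" /></pam_mount>"""

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1_header(blob):
    """Return what luksFormat recorded: cipher, mode, hash spec and key size in bits."""
    if len(blob) < HEADER_LEN:
        raise ValueError("header too short for LUKS1")
    magic, version, cipher, mode, hspec, payload, key_bytes, _, _, _, uuid = PHDR.unpack_from(blob)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hspec),
            "keysize": key_bytes * 8, "payload_offset": payload, "uuid": _cstr(uuid)}

def build_luks1_header(cipher, mode, hspec, key_bytes):
    """Constructed header for offline testing; key slots left zeroed (no real key material)."""
    fixed = PHDR.pack(LUKS_MAGIC, 1, cipher.encode(), mode.encode(), hspec.encode(),
                      4096, key_bytes, b"\0" * 20, b"\0" * 32, 1000, b"constructed-uuid")
    return fixed + b"\0" * (8 * 48)

def volume_options(pam_mount_xml, user):
    """Parse the comma-separated options="" attribute of the <volume> for one user."""
    vol = ET.fromstring(pam_mount_xml).find(f"./volume[@user='{user}']")
    if vol is None:
        raise KeyError(f"no <volume> entry for user {user}")
    return dict(kv.split("=", 1) for kv in vol.get("options", "").split(",") if "=" in kv)

def check_volume_against_header(pam_mount_xml, user, header_blob):
    """List mismatches between the volume options and the header; an empty list means consistent."""
    hdr, opts, problems = parse_luks1_header(header_blob), volume_options(pam_mount_xml, user), []
    header_cipher = f"{hdr['cipher']}-{hdr['mode']}"
    if "cipher" in opts and opts["cipher"] != header_cipher:
        problems.append(f"cipher: config says {opts['cipher']}, header says {header_cipher}")
    if "keysize" in opts and int(opts["keysize"]) != hdr["keysize"]:
        problems.append(f"keysize: config says {opts['keysize']}, header says {hdr['keysize']}")
    return problems
```

Run check_volume_against_header(SAMPLE_CONF, "foobar", open("/home/foobar/container.img", "rb").read(592)) as root to compare a real image with the real config; a non-empty list means the pam_mount entry does not describe the container as formatted.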
12. Include /etc/pam.d/common-pammount in the PAM configuration files of the services that should use it (for example: SSHd)
...
@include common-session
@include common-pammount
...
13. If needed, change the configuration of the relevant services (for example: SSHd)
# pam_mount
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePrivilegeSeparation no
PermitUserEnvironment yes
If you disable PasswordAuthentication and use keys instead, you have to enter the user's password after connecting via SSH.
14. Test whether everything works as expected
Many thanks go to the users tuxophil and pillgrim from the gentoo forums. Large parts of this howto were taken from their postings at http://forums.gentoo.org/viewtopic-t-274651.html.
This entry was posted on Thursday, June 17th, 2010 and is filed under Administration, Linux / Unix, Security.