193.252.149.222 : /* DM-CRYPT */

2010-05-28T15:26:35Z

DM-CRYPT

← Version précédente		Version du 28 mai 2010 à 15:26
Ligne 73 :		Ligne 73 :
	== PAM MOUNT + SUDO ==		== PAM MOUNT + SUDO ==

		+	http://bugs.gentoo.org/273785
	dams@linux4ever:~$ sudo su		dams@linux4ever:~$ sudo su
	Segmentation fault		Segmentation fault

193.252.149.222 : /* DM-CRYPT */

2010-05-28T15:26:16Z

DM-CRYPT

← Version précédente		Version du 28 mai 2010 à 15:26
Ligne 69 :		Ligne 69 :
	session optional pam_permit.so		session optional pam_permit.so
	session optional pam_mount.so		session optional pam_mount.so
		+
		+
		+	== PAM MOUNT + SUDO ==
		+
		+	dams@linux4ever:~$ sudo su
		+	Segmentation fault
		+
		+	A workaround would be to copy the contents of /etc/pam.d/system-auth to
		+	/etc/pam.d/sudo without the pam_mount session line. The default pam
		+	configuration for sudo just includes system-auth.
		+

	References:		References:

193.252.149.222 le 28 mai 2010 à 13:44

2010-05-28T13:44:37Z

Nouvelle page

= DM-CRYPT =

http://home.coming.dk/index.php/2009/05/20/encrypted_home_partition_using_luks_pam_

In preparation for yet another cross continent travel plan I finally decided to encrypt my home partition on myX61s laptop. I had to mess a bit with the pam_mount configuration file to make it work so I thought I would share my notes. In the following I will briefly describe how I'm going to use a password protected key stored on an external media to encrypt my home partition. I'll use the same password used for Xorg login to protect the key. So when you get asked to type in a password in the following examples use your normal user password and we'll use pam_mount to pass the password to LUKS once you log in.

First start out by preparing a key:

KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`
echo $KEY | openssl aes-256-ecb > verysekrit.key

Then create an LVM volume for the home directory and subsitute home with what you like to name the logical volume:

lvcreate -L30G -nhome vg

Then we initialize the volume with our secret key and LUKS:

openssl aes-256-ecb -d -in verysekrit.key | cryptsetup -v --cipher aes-cbc-plain --key-size 256 luksFormat /dev/vg/home

Now lets test that we can open the encrypted volume and format it:

openssl aes-256-ecb -d -in verysekrit.key | cryptsetup luksOpen /dev/vg/home myh_crypt
mkfs.ext3 /dev/mapper/myh_crypt

You can not mount it and sync over your old home like this:

mount /dev/mapper/myh_crypt /mnt/gentoo
rsync -va /home/username/* /mnt/gentoo/

Once everything is synced over we'll close the LUKS volume again:

cryptsetup luksClose myh_crypt

Now unmask and emerge pam_mount:

echo "sys-auth/pam_mount" >> /etc/portage/package.keywords
emerge -v pam_mount

Now configure pam_mount to first mount the SD card (/dev/mmcblo0p1) and then use the key to unlock the home partition by editing /etc/security/pam_mount.conf.xml. Note that if you store your secret key somewhere else the first volume statement may be omitted.

<volume user="username"
path="/dev/mmcblk0p1"
mountpoint="/mnt/mmc"
fstype="auto" />

<volume user="username"
path="/dev/mapper/vg-username"
mountpoint="/home/username"
fstype="crypt"
options="data=journal,commit=15"
cipher="aes-cbc-plain"
fskeypath="/mnt/mmc/verysekrit.key"
fskeycipher="aes-256-ecb"
fskeyhash="md5" />

Then configure PAM to use pam_mount by editing /etc/pam.d/system-auth. Add pam_mount to the auth section like this:

auth required pam_env.so
auth optional pam_mount.so
auth required pam_unix.so try_first_pass likeauth nullok

And to the sessions section like this:

session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
session optional pam_mount.so

References:

http://en.gentoo-wiki.com/wiki/Booting_encrypted_system_from_USB_stick
http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS
http://en.gentoo-wiki.com/wiki/Root_on_LVM_or_EVMS_over_dm-crypt/LUKS
http://blog.infion.de/archives/2007/05/15/Full-disk-encryption-with-LUKS-on-new-notebook/

Dm-crypt - Historique des versions

193.252.149.222 : /* DM-CRYPT */

193.252.149.222 : /* DM-CRYPT */

193.252.149.222 le 28 mai 2010 à 13:44