Quick Guide to LUKS Encrypted Home Volumes

If you search for information on how to do LUKS encrypted home volumes, you’re likely to get these big fluffy documents on how to do it.  Well, if you’re like me, you’d like to skip all that fluff, and get straight to the point.  That’s what I try to do here.  If you like, you can completely ignore what I’m saying here, and just use the commands; it really isn’t complex.

Keep in mind that this will only work for a maximum of 8 users per system, because a LUKS (LUKS1) header holds at most eight key slots and each user's account password needs one.  Anything more than that, and you will have to resort to either full disk encryption, or some other method of encrypting your /home files.

I would try this out on a 1G volume or something just for fooling around.  Then once you’ve got that working, do it to your actual home directory.  I use LVM with mine, but it could also be a raw partition if you prefer that.  If it is a removable drive, I HIGHLY recommend using LVM, because you can then reference the volume by its LVM name (/dev/<vg>/<lv>) no matter which disk letter the drive gets.  Using a raw partition on an external drive is awkward, because its device node (/dev/sdb1 one day, /dev/sdc1 the next) can change between plug-ins and the partition itself carries no name you can refer to.

The default encryption algorithm for LUKS is AES with a cipher mode of cbc-essiv:sha256.  There are essentially 2 steps to creating a LUKS based encrypted volume.

  1. LUKS Volume
  2. Automounting

LUKS Volume

Tip: If you are the only user, just give your account password during luksFormat, and skip step 1.2 (luksAddKey).

  1. Create Encrypted Volume
    1. cryptsetup luksFormat /dev/s/home    # confirm with an upper-case YES, then enter the main passphrase
    2. cryptsetup luksAddKey /dev/s/home    # add your account password as a second key (it takes its own key slot)
  2. Mount and Sync to Encrypted Volume
    1. cryptsetup luksOpen /dev/s/home home # opens the volume as /dev/mapper/home
    2. mkfs.ext4 /dev/mapper/home           # or whatever filesystem you prefer
    3. mount /dev/mapper/home /mnt/newhome  # create /mnt/newhome first
    4. rsync -a /home/ /mnt/newhome/        # -a keeps ownership, permissions and timestamps
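The 8-user limit above comes from the key slots in the LUKS header, and cryptsetup luksDump shows which of them are in use.  As an added check that is not part of the original guide, the POSIX shell functions below parse a constructed luksDump excerpt (LUKS1 layout, as used with cbc-essiv:sha256; only the "Key Slot" and "Cipher mode" lines matter, the other values are made up) and report how many slots are still free, so you know before running luksAddKey whether there is room.  slot_report runs the real luksDump on a device you name and needs root.

```shell
#!/bin/sh
# Added example, not from the original guide. Parses `cryptsetup luksDump`
# output (LUKS1 layout) to count used key slots and show the cipher mode.

LUKS1_SLOTS=8   # a LUKS1 header has exactly eight key slots

# Constructed sample of luksDump output; only the line layout is real.
SAMPLE_DUMP='LUKS header information for /dev/s/home

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1

Key Slot 0: ENABLED
        Iterations:          123456
        Key material offset: 8
        AF stripes:          4000
Key Slot 1: ENABLED
        Iterations:          123456
        Key material offset: 264
        AF stripes:          4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Number of ENABLED key slots in luksDump text read from stdin.
count_enabled_slots() {
    # `|| true` because grep -c exits 1 when the count is zero
    grep -c '^Key Slot [0-7]: ENABLED$' || true
}

# Prints how many slots are still free for luksAddKey; exits 1 when none are left.
free_slots() {
    used=$(count_enabled_slots)
    free=$((LUKS1_SLOTS - used))
    echo "$free"
    [ "$free" -gt 0 ]
}

# Cipher mode recorded in the header, e.g. cbc-essiv:sha256.
cipher_mode() {
    sed -n 's/^Cipher mode:[[:space:]]*//p'
}

# Run against a real device (needs root), e.g.: slot_report /dev/s/home
slot_report() {
    dump=$(cryptsetup luksDump "$1") || return 1
    printf '%s: %s free slots of %s, cipher mode %s\n' "$1" \
        "$(printf '%s\n' "$dump" | free_slots)" "$LUKS1_SLOTS" \
        "$(printf '%s\n' "$dump" | cipher_mode)"
}

# Demo on the constructed sample (prints 6):
printf '%s\n' "$SAMPLE_DUMP" | free_slots
```

Because free_slots returns non-zero when every slot is taken, you can gate a luksAddKey on it, e.g. `cryptsetup luksDump /dev/s/home | free_slots && cryptsetup luksAddKey /dev/s/home`.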

If you really want the whole volume to look like random data, so that no residual plaintext from before encryption is left lying around, just dd from /dev/urandom into a file on the mounted encrypted volume with no count option; dd stops when the volume runs out of space, and by then the whole volume has been overwritten with encrypted (random-looking) data.  Then just remove the file.

Automounting

Automounting on login is handled by pam_mount, which knows how to open encrypted volumes.  PAM passes your user account password to pam_mount, and pam_mount uses it as the passphrase for decrypting the volume.  That is why the luksAddKey step above, which adds your user account password to the list of keys, matters.

We need to set up PAM by:

  1. Configuring the location of the volume
  2. Having KDE use pam_mount
  3. Optionally having the default shell login (console mode logins) decrypt the volume.

1. Modify /etc/security/pam_mount.conf.xml so that it lists the volume for your user

2. KDE pam configuration
/etc/pam.d/kde

auth       optional pam_mount.so try_first_pass
session    optional pam_mount.so

3. Set up the default shell login to load pam_mount.
/etc/pam.d/login

auth       optional pam_mount.so try_first_pass
session    optional pam_mount.so
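The three steps above, as an added example that is not part of the original post: a POSIX shell script that registers the volume with pam_mount and adds the two pam_mount lines to a PAM service file, idempotently, so running it twice does not duplicate entries.  The text does not show the pam_mount volume element, so its form here (fstype="crypt" for a dm-crypt/LUKS volume, mountpoint /home/<user>) is my assumption from pam_mount's configuration format; the file paths are arguments so you can try it on scratch copies before touching /etc.

```shell
#!/bin/sh
# Added example, not from the original guide: register a user's encrypted
# home volume with pam_mount and make sure a PAM service loads pam_mount.
# Both functions are idempotent; paths are arguments so you can test on copies.

# add_pam_mount_volume USER DEVICE [CONF]
# Adds a <volume .../> entry for USER just before </pam_mount> in CONF
# (default /etc/security/pam_mount.conf.xml) unless USER already has one.
# fstype="crypt" makes pam_mount open the device with cryptsetup using the
# login password, which is why that password must occupy a LUKS key slot.
add_pam_mount_volume() {
    user=$1
    device=$2
    conf=${3:-/etc/security/pam_mount.conf.xml}
    # mountpoint /home/USER is an assumption; adjust to your layout
    entry="<volume user=\"$user\" fstype=\"crypt\" path=\"$device\" mountpoint=\"/home/$user\" />"
    if grep -q "<volume user=\"$user\"" "$conf"; then
        return 0
    fi
    # insert before the closing root element so the XML stays well-formed
    awk -v entry="$entry" '/<\/pam_mount>/ { print entry } { print }' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    grep -q "<volume user=\"$user\"" "$conf"
}

# ensure_pam_mount_lines PAMFILE
# Appends the auth and session lines from the guide to PAMFILE (e.g.
# /etc/pam.d/kde or /etc/pam.d/login) if they are missing. They go at the
# end so the auth line runs after pam_unix has already collected the
# password, which is what try_first_pass relies on.
ensure_pam_mount_lines() {
    pamfile=$1
    grep -q '^auth[[:space:]].*pam_mount\.so' "$pamfile" ||
        echo 'auth       optional pam_mount.so try_first_pass' >> "$pamfile"
    grep -q '^session[[:space:]].*pam_mount\.so' "$pamfile" ||
        echo 'session    optional pam_mount.so' >> "$pamfile"
}

# Usage (as root):
#   add_pam_mount_volume alice /dev/s/home
#   ensure_pam_mount_lines /etc/pam.d/kde
#   ensure_pam_mount_lines /etc/pam.d/login
```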

I think that’s all.  If you have questions, just fire away.