How-to: Debian: Automatically mounted loopback images with dm-crypt, LUKS, pam_mount

How to create encrypted loopback images with dm-crypt and LUKS + automatically mounting them after login with pam_mount

I recommend using Debian squeeze for this scenario, as lenny includes a very old version of libpam-mount and I had lots of problems when I tried using it.
Using only the libpam-mount package and its dependencies from squeeze may do the job too (I didn't try it and I wouldn't recommend it either), but it at least leaves a very bitter aftertaste if you take a closer look at the dependencies.

1. Make sure you have the required kernel modules loaded. If you use the stock Debian kernel, this will be the case. If you don't, make sure you've set the following options:

  • CONFIG_BLK_DEV_DM=y or CONFIG_BLK_DEV_DM=m
  • CONFIG_DM_CRYPT=y or CONFIG_DM_CRYPT=m
  • CONFIG_CRYPTO_CBC=y

Additionally, you need to include support for at least one cipher.

In make menuconfig, you can find the required kernel modules at the following locations:

Device Drivers  --->
	Multi-device support (RAID and LVM)  --->
		 Device mapper support
		 Crypt target support

Cryptographic options  --->
	 SHA256 digest algorithm
	 AES cipher algorithms (x86_64)

To avoid a reboot, you can build all of these options as modules. If you choose to do so, you can load the modules later with modprobe (for example: modprobe dm_crypt).

2. Install the required packages

apt-get install cryptsetup libpam-mount

apt-get should take care of all dependencies.

3. Generate a random key and assign it to a variable for later use

KEY=`tr -cd '[:graph:]' < /dev/urandom | head -c 79`

The character class has to be quoted: unquoted, the shell would treat [:graph:] as a filename pattern. The result is 79 printable, non-space characters; this string is the LUKS passphrase for the container.

4. Encrypt the key and save it to a file

echo "$KEY" | openssl aes-256-cbc > container.key

openssl asks for a passphrase. Use the user's login password here, because pam_mount decrypts this file with the password entered at login. The digest openssl uses to turn the passphrase into the encryption key (MD5 in squeeze's openssl) must match the fskeyhash in the pam_mount configuration below.

5. Create the loopback file and fill it with random data

dd if=/dev/urandom of=~/container.img bs=1G count=10

This will create a 10GB file and fill it with random data taken from /dev/urandom.
Another option (which will be much faster, especially on older hardware) is to fill the loopback file with zeros from /dev/zero; the trade-off is that anyone who can read the image can then see how much of the container actually holds encrypted data:

dd if=/dev/zero of=~/container.img bs=1G count=10

6. Set up a loop device

losetup /dev/loop0 ~/container.img

7. luksFormat it

echo "$KEY" | cryptsetup -v -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/loop0

The cipher spec is the same one used in the pam_mount configuration below; a bare -c aes would be taken by cryptsetup as aes-cbc-plain.

8. Open it

cryptsetup luksOpen /dev/loop0 container

9. Make a filesystem of your choice

mkfs.xfs /dev/mapper/container

10. Close it and detach the loop device

cryptsetup luksClose container && losetup -d /dev/loop0
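Steps 3 to 10 as one script, added here as an example and not the howto's own code. It quotes the key everywhere, spells out the cipher so that the LUKS header matches the pam_mount volume, pins the openssl digest to the fskeyhash used in the configuration below, creates the key file with mode 0600, and cleans up the mapping and loop device if a step fails. It assumes Debian's util-linux (losetup -f --show), cryptsetup's --batch-mode switch and openssl enc's -md option; the paths, user name and size are the howto's example values.

```shell
#!/bin/sh
# Added example, not part of the original howto: steps 3 to 10 as one
# script. Everything except gen_key needs root and a kernel with dm-crypt.
# Assumed available: 'losetup -f --show', 'cryptsetup --batch-mode',
# 'openssl enc -md'. Paths, user name and size are the howto's values.

IMG=/home/foobar/container.img
KEYFILE=/home/foobar/container.key
SIZE_GB=10
NAME=container
LUKS_CIPHER=aes-cbc-essiv:sha256   # same cipher/mode as the pam_mount volume
FILL=zero                           # or 'random' (slower, hides used space)

# Step 3: 79 printable non-space characters from /dev/urandom. The class
# is quoted so the shell cannot expand [:graph:] as a filename glob.
gen_key() {
    tr -cd '[:graph:]' < /dev/urandom | head -c 79
}

# Step 4: wrap the key with openssl; it prompts for the passphrase on the
# terminal (use the user's login password, pam_mount decrypts with it).
# -md md5 fixes the passphrase-to-key digest to what fskeyhash="md5" in
# pam_mount.conf.xml expects, whatever this openssl version defaults to.
# printf instead of echo keeps a newline out of the key, so the key file
# and the LUKS passphrase hold the same 79 bytes. umask 077 makes the
# key file readable by its owner only.
encrypt_key() {  # encrypt_key KEY KEYFILE
    (umask 077 && printf '%s' "$1" | openssl enc -aes-256-cbc -md md5 -out "$2")
}

# Step 5: create the image file. Zero fill is fast; random fill hides
# how much of the container is actually in use.
create_image() {  # create_image IMG SIZE_GB zero|random
    case "$3" in
        zero)   dd if=/dev/zero    of="$1" bs=1G count="$2" ;;
        random) dd if=/dev/urandom of="$1" bs=1G count="$2" ;;
        *)      echo "fill must be zero or random" >&2; return 1 ;;
    esac
}

# Steps 6 to 10: attach a free loop device, luksFormat with the key,
# open, make the filesystem, close and detach. The EXIT trap makes sure
# a failed run does not leave the mapping or the loop device behind.
format_container() {  # format_container IMG KEY NAME
    loop=$(losetup -f --show "$1") || return 1
    trap "cryptsetup luksClose '$3' 2>/dev/null; losetup -d '$loop' 2>/dev/null" EXIT
    printf '%s' "$2" | cryptsetup --batch-mode -v -c "$LUKS_CIPHER" -s 256 luksFormat "$loop" || return 1
    printf '%s' "$2" | cryptsetup luksOpen "$loop" "$3" || return 1
    mkfs.xfs "/dev/mapper/$3" || return 1
    cryptsetup luksClose "$3" && losetup -d "$loop" || return 1
    trap - EXIT
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    KEY=$(gen_key)
    encrypt_key "$KEY" "$KEYFILE" || return 1
    create_image "$IMG" "$SIZE_GB" "$FILL" || return 1
    format_container "$IMG" "$KEY" "$NAME"
}

# Only act when called as 'sh make-container.sh run'; sourcing the file
# just defines the functions.
if [ "${1:-}" = run ]; then main; fi
```

Run it as root with the argument run after adjusting the paths at the top; without the argument it only defines the functions, which is handy for sourcing gen_key alone.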

11. Configure pam_mount
Open /etc/security/pam_mount.conf.xml in your favorite text editor and change it to the following:

<?xml version="1.0" encoding="utf-8" ?>

<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
	<debug enable="1" />
	<mkmountpoint enable="1" remove="true" />

	<msg-sessionpw>reenter password for pam_mount:</msg-sessionpw>
	<volume user="foobar" path="/home/foobar/container.img" mountpoint="/home/foobar/containercontents"
		options="cipher=aes-cbc-essiv:sha256,hash=sha512,keysize=256" fstype="crypt" fskeycipher="aes-256-cbc"
		fskeypath="/home/foobar/container.key" fskeyhash="md5" />
</pam_mount>

Using this configuration, the image /home/foobar/container.img will get mounted at /home/foobar/containercontents when the user foobar logs in.
Enabling debugging is pretty useful if something isn't working as it should; the messages end up in /var/log/auth.log.

12. Include /etc/pam.d/common-pammount in the PAM configuration files of the services that should use it (for example: sshd)
Open /etc/pam.d/sshd in your favorite text editor. Look for the line "@include common-session" and add a new line after it:

...
@include common-session
@include common-pammount
...

13. If needed, change the configuration of the relevant services (for example: sshd)
Open /etc/ssh/sshd_config in your favorite text editor and make sure you have the following lines in there:

# pam_mount
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePrivilegeSeparation no
PermitUserEnvironment yes

If you disable PasswordAuthentication and use keys instead, you have to enter the user's password after connecting via SSH. Be aware that UsePrivilegeSeparation no switches off privilege separation for the whole sshd, so it removes one of sshd's defense-in-depth layers for every connection, not only for users with a pam_mount volume.

14. Test if everything works as expected
Open a root session or use sudo and watch the auth log with tail -f /var/log/auth.log. Then log in as the user for which you configured a volume earlier.
If the encrypted loopback image gets mounted, also test whether it gets unmounted again when the user logs out.
If everything works, remove the debug line from /etc/security/pam_mount.conf.xml.
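A few helpers for step 14, added here as an example and not part of the original howto: they check from a script, instead of by eye, that the key file is locked down, that the container appears in /proc/mounts after login and is gone after logout, and (as root) which cipher the LUKS header really carries. They assume GNU stat, awk and sed as shipped with Debian; the mountpoint and key path are the howto's example values.

```shell
#!/bin/sh
# Added helpers for step 14, not part of the original howto. Assumes GNU
# stat/awk/sed as on Debian; mountpoint and key path are the howto's
# example values.

MOUNTPOINT=/home/foobar/containercontents
KEYFILE=/home/foobar/container.key

# is_mounted MOUNTPOINT [MOUNTS_FILE]
# True if MOUNTPOINT is the second field of a line in MOUNTS_FILE
# (default /proc/mounts). The kernel escapes spaces in mount points as
# \040, so the argument is escaped the same way; it is handed to awk via
# the environment because 'awk -v' would turn the escape back into a space.
is_mounted() {
    _mp=$(printf '%s' "$1" | sed 's/ /\\040/g')
    mp="$_mp" awk '$2 == ENVIRON["mp"] { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# key_file_ok KEYFILE
# The encrypted key file must be a regular file with mode 0600: anything
# looser lets every local user copy the ciphertext and guess the openssl
# passphrase (the login password) offline.
key_file_ok() {
    [ -f "$1" ] && [ "$(stat -c %a "$1")" = 600 ]
}

# wait_for_mount MOUNTPOINT up|down SECONDS [MOUNTS_FILE]
# Polls once a second until the mountpoint is mounted (up) or not (down);
# run it next to 'tail -f /var/log/auth.log' while the user logs in and
# out. Returns 1 on timeout.
wait_for_mount() {
    _i=0
    while [ "$_i" -lt "$3" ]; do
        case "$2" in
            up)   is_mounted "$1" "${4:-/proc/mounts}" && return 0 ;;
            down) is_mounted "$1" "${4:-/proc/mounts}" || return 0 ;;
            *)    echo "state must be up or down" >&2; return 2 ;;
        esac
        sleep 1
        _i=$((_i + 1))
    done
    return 1
}

# luks_cipher DEVICE (root only)
# Prints cipher-mode from the LUKS header, e.g. aes-cbc-essiv:sha256.
# With a LUKS image this header, not the cipher= option in
# pam_mount.conf.xml, decides which cipher is used.
luks_cipher() {
    cryptsetup luksDump "$1" | awk '
        $1 == "Cipher" && $2 == "name:" { name = $3 }
        $1 == "Cipher" && $2 == "mode:" { mode = $3 }
        END { print name "-" mode }'
}

# Report on the real system; neither check needs root.
report() {
    if key_file_ok "$KEYFILE"; then echo "key file: ok (0600)"; else echo "key file: missing or too permissive"; fi
    if is_mounted "$MOUNTPOINT"; then echo "container: mounted"; else echo "container: not mounted"; fi
}

if [ "${1:-}" = report ]; then report; fi
```

Typical use while testing: run `sh check-container.sh report` before and after the login, or `wait_for_mount /home/foobar/containercontents down 30` in a root shell right after the user logs out to catch a volume that is not unmounted again.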

Many thanks go to the users tuxophil and pillgrim from the gentoo forums. Large parts of this howto were taken from their postings at http://forums.gentoo.org/viewtopic-t-274651.html.


35 replies


  1. Hey,

    Thanks for sharing the link – but unfortunately it seems to be not working? Does anybody here at isd-weberfrede.de have a mirror or another source?

    Cheers,
    Peter

  2. I’m looking in behalf of fellow who designe me a inimitable logo as a replacement for my site. If you are interested please contant me.
    Bye
    Entertainment world

  3. Tommy has shown incredible passion while expressing views. Thanks for the great information, I have it bookmarked

  4. Where the world slides?

  5. breentyjeve says:

    Hello!

    The interesting name of a site – isd-weberfrede.de, how did you manage to get such interesting domain
    name? Very interesting site though you should have more categories.

    But the category this here is awesome.

    I spent 4 hours searching in the network, until find your forum! I think, I shall stay here
    for a long time! Check out a marvelous degree.
    It is very easy to get this degree and make a decent living out of it.

    Computer forensics are used in many fields, from legalities involving trade secrets to prevention of computer-related fraud; however, more and more computer
    forensics are being used to help solve crimes of all kinds. Read More at
    http://www.computerforensicsspecialist.biz

  6. Hey,

    Thanks for sharing the link – but unfortunately it seems to be not working? Does anybody here at isd-weberfrede.de have a mirror or another source?

    Cheers,
    Jules

  7. This is such a great resource that you are providing and you give it away for free. I enjoy seeing websites that understand the value of providing a prime resource for free. I truly loved reading your post. Thanks!

  8. Sat Anlage says:

    awesome blog, do you have twitter or facebook? i will bookmark this page thanks. jasmin holzbauer

  9. Hi there,

    Thanks for sharing this link – but unfortunately it seems to be not working? Does anybody here at isd-weberfrede.de have a mirror or another source?

    Thanks,
    Mark

  10. .. Seldom.. It is possible to tell, this exception

  11. Bravo, magnificent idea

  12. sales tips says:

    Very creative,I like it.

  13. I am sorry, that has interfered… I understand this question. It is possible to discuss. Write here or in PM.

  14. Thank u, good post! =)

  15. This version has become outdated

  16. I congratulate, it seems remarkable idea to me is

  17. You were visited simply with a brilliant idea

  18. Something so is impossible

  19. How it can be defined?

  20. ED Hardy says:

    At you incorrect data

  21. So it is infinitely possible to discuss..

  22. Bravo, is simply magnificent idea

  23. You, probably, were mistaken?

  24. Valuable info. Lucky me I found your site by accident, I bookmarked it.

  25. Real nice ! Many thanks !

  26. panerai says:

    Allow to help you?

  27. It’s good webpage, I was looking for something like this

  28. Nice site, nice and easy on the eyes and great content too.

  29. MoxyMume says:

    Visit our site, TechNGCentral (http://www.techngcentral.com). We have been providing gaming and hardware news, reviews, gaming news, and interviews since 2002. Thanks for looking!

  30. Greetings,

    I have a question for the webmaster/admin here at isd-weberfrede.de.

    May I use some of the information from your post above if I provide a link back to this website?

    Thanks,
    Thomas

  31. Was an interesting article, thank you..
