[NCLUG] Fun project: Paranoid security for encrypted home.

Grant Johnson grant at amadensor.com
Wed Apr 12 19:28:23 MDT 2017 

Fun project:   Paranoid security for encrypted home.

1)  Install ecryptfs-utils.
2)  Make a thumb drive always mount to the same place
To do this, first find out the UUID of the drive:
grant at Grant2017:~$ sudo blkid /dev/sdb1
/dev/sdb1: UUID="10E1-E32B" TYPE="vfat"

Make a path to mount to:
grant at Grant2017:~$ sudo mkdir /keys

Then, adjust your fstab to mount to the same place every time, but to
keep booting if it is missing:
UUID=10E1-E32B /keys vfat nofail 0 0

The important parts are the UUID instead of the device (it can change
each time it is plugged in) and the nofail.

Test this by booting both with and without the thumbdrive, to see that
the files are there when it is plugged in, and missing, but it boots
when plugged in.

3) Encrypt your home directory.
Log in as root (not a the user to be encrypted and then sudo).   The
user to be encrypted must have no files open on their home:
lsof /home/grant
ps aux|grep grant

Encrypt the home:
ecryptfs-migrate-home -u grant

Log in as the user (not with sudo, PAM needs to fire).

Test it!

4) Move the keys to the thumbdrive:
There is a path /home/.ecryptfs/$USER.   In there is a directory called
.ecryptfs.   It is very small and contains the keys.   There is also a
larger one called .Private.   That is your files, encrypted.

mkdir /keys/grant
mv /home/.ecryptfs/grant/.ecryptfs /keys/grant

Make a symlink:
ln -s /keys/grant/.ecryptfs /home/.ecryptfs/grant/.ecryptfs

Here is what it looks like when it is done:

grant at Grant2017:/home/.ecryptfs/grant$ pwd
/home/.ecryptfs/grant
grant at Grant2017:/home/.ecryptfs/grant$ ls -la
total 12
drwxr-xr-x  3 grant grant 4096 Apr 11 20:26 .
drwxr-xr-x  3 root  root  4096 Apr  7 18:54 ..
lrwxrwxrwx  1 root  root    21 Apr 11 20:26 .ecryptfs ->
/keys/grant/.ecryptfs
drwxr-xr-x 30 grant grant 4096 Apr 12 19:06 .Private

5)  Done!

I have an encrypted home that requires both a password and a
thumbdrive.    I also made a backup of the files on the thumbdrive,
just in case, but since it is a laptop, everything is backed up to my
OwnCloud server or my git repository anyway, so I can reinstall if
needed and get all of my data back.

Just remember, just because you are paranoid, that doesn't mean they
aren't after you.   Also, better security in case of device theft.  
They can't just crack /etc/shadow.

More information about the NCLUG mailing list