TruecryptHomeEncryption
After searching for a really flexible, user-based home folder encryption using Truecrypt, I was surprised not to find anything. Therefore I decided to experiment with it. Encrypting the home folder fits the security requirements of a laptop perfectly, for example.
Use cases
- Create a new user with an encrypted folder
- Convert an existing user home into an encrypted truecrypt container
Common setup (by root)
Install truecrypt package (available http://www.truecrypt.org)
- Ensure the user is in the admin group (the wheel group on Ubuntu) so that he is able to mount the encrypted home filesystem:
addgroup <username> admin
- Install an Xsession.d script to mount your home on the first login after boot (it asks for the passphrase interactively). This script runs after login, before any other Xsession script. The main problem is keeping the X authentication token, which is solved by copying it (see the comments in the script):
/etc/X11/Xsession.d/10tc-home
TC_HOME_FILE=${HOME}/.tc-home
# check that the conf file exists (it lives in the unencrypted home)
if [ -e "${TC_HOME_FILE}" ]
then
    # use conf file variables (TC_HOME_VOLUME)
    . "${TC_HOME_FILE}"
    # check that the home volume exists
    if [ -e "${TC_HOME_VOLUME}" ]
    then
        # when remounting home, the X server can no longer reach its
        # authentication cookie file, so it has to be copied to the remounted home
        TEMP=`mktemp`
        XAUTH=${HOME}/.Xauthority
        # back up the X server authority file from the current (unencrypted) home
        cp "${XAUTH}" "${TEMP}"
        # proceed to the home mount (truecrypt prompts for the passphrase)
        truecrypt "${TC_HOME_VOLUME}" "${HOME}"
        # restore the X server authority file into the remounted home
        mv "${TEMP}" "${XAUTH}"
    fi
fi
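The script above runs on every X login, although the volume only needs mounting once per boot. As an added example (not the wiki page's own code), the following POSIX sh functions read a /proc/mounts-style table and decide whether the home is already a TrueCrypt mount before truecrypt would be called; the sample mount table is constructed, and the /dev/mapper/truecryptN device naming is an assumption.

```shell
#!/bin/sh
# Added example (not from the wiki page): consult the kernel mount table so
# the login hook mounts the home volume only once per boot. Mount table lines
# follow the /proc/mounts layout: "device mountpoint fstype options dump pass".

# Print the device mounted at mount point $2 in the mount table text $1;
# return 1 when nothing is mounted there (/proc/mounts encodes spaces in
# paths as \040, so the mount point argument must use the same encoding).
tc_mounted_device() {
    while read -r dev mnt _fstype _rest; do
        if [ "$mnt" = "$2" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# Return 0 when $2 is already backed by a TrueCrypt device. TrueCrypt on
# Linux exposes mapped volumes as /dev/mapper/truecryptN (assumed naming).
tc_home_is_mounted() {
    dev=$(tc_mounted_device "$1" "$2") || return 1
    case $dev in
        /dev/mapper/truecrypt*) return 0 ;;
        *) return 1 ;;
    esac
}

# What the login hook should do: "mount" when the container file exists ($3
# is "yes") and the home is not yet a TrueCrypt mount, "skip" otherwise.
tc_home_action() {
    if [ "$3" != yes ]; then
        echo skip                       # no container, plain home
    elif tc_home_is_mounted "$1" "$2"; then
        echo skip                       # already mounted this boot
    else
        echo mount
    fi
}

# Constructed sample mount table (not captured from a real system).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/truecrypt1 /home/alice ext4 rw,relatime 0 0
/dev/sdb1 /home/bob ext4 rw,relatime 0 0'
# In 10tc-home this would be: tc_home_action "$(cat /proc/mounts)" "$HOME" yes
tc_home_action "$SAMPLE_MOUNTS" /home/alice yes   # skip
tc_home_action "$SAMPLE_MOUNTS" /home/bob yes     # mount
```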
New user home folder encryption
- Add new user:
adduser <username>
- Create a truecrypt volume (use the truecrypt GUI and a Linux-aware filesystem such as ext3/4): /home/<username>/home.tc
- Create the /home/<username>/.tc-home file with the content:
TC_HOME_VOLUME=${HOME}/home.tc
- Log in as <username>
Convert user home into truecrypt volume
- Create a truecrypt volume (use the truecrypt GUI and a Linux-aware filesystem such as ext3/4): /home/<username>/home.tc
- Mount the truecrypt volume (hereafter assumed to be at /media/truecrypt<x>)
- Move the old home into the new one (do this as root!):
# as root, with <username> logged out and the volume mounted on /media/truecrypt<x>
cd /home/<username>
# move the old home content into the volume, dotfiles included, but keep the
# container file home.tc itself in place: ".[!.]*" and "..?*" match dotfiles
# without matching "." and ".."
for f in * .[!.]* ..?*; do
    [ -e "$f" ] && [ "$f" != home.tc ] && mv -- "$f" /media/truecrypt<x>/
done
# the volume root becomes the home folder, so the user must own it
chown <username>:<username> /media/truecrypt<x>
- Create the /home/<username>/.tc-home file with the content:
TC_HOME_VOLUME=${HOME}/home.tc
- Log in as <username> (or reboot: sudo reboot)
Shell login
You need to add, beside your home.tc (i.e. outside the encrypted home), a .bash_profile that calls the encryption container mount script:
.bash_profile
# mount the encrypted home folder (same script as used by Xsession)
. /etc/X11/Xsession.d/10tc-home
# switch to the (now encrypted) home folder
cd
source ~/.bashrc
Conclusion
Hope it helps; it's just a draft, so feel free to update it and/or correct mistakes.
Pros:
- easy to back up (copy the truecrypt file),
- proven security (a hidden volume is possible, i.e. 2 versions of your home folder!),
- encrypts the whole home folder with no user selection, all .* files included.
Cons:
- fixed size container (not extensible on the fly; insensitive data should not be stored in your home folder, use symlinks ...)
- need to modify the X11 boot process (as for ecryptfs-based solutions)
-- topaz 2010-07-10 10:04:07 CategoryLaptop
TruecryptHomeEncryption (last edited 2010-12-27 07:36:47 by bur91-3-82-239-214-64)