isilmeCryptsetupConfig

This is the cryptsetup + pam_mount configuration I have on isilme:

/etc/security/pam_mount.conf

# Turn on if you want to debug why some volume cannot be mounted etc.
# This can be overriden by user's local configuration
#
# Format: debug [ 1 | 0 ]
# Local user configuration can override this.
debug 1


# Create mountpoint if it does not exist yet. This is a good thing.
mkmountpoint 1


# Loopback device to use to run fsck on loopback filesystems.
fsckloop /dev/loop7


#------------------------------------------------------------------------------
# Users' local configuration file (if there is none, comment this
# parameter out). Will be read as ~/<file>
#
# Note: you must include either options_allow or options_deny to use
# this directive. I recommend also including options_require.
#
# Individual users may define additional volumes to mount if allowed
# by pam_mount.conf (usually ~/.pam_mount.conf).  The volume keyword is
# the only valid keyword in these per-user configuration files.  If the
# luserconf parameter is set in pam_mount.conf, allowing user-defined
# volumes, users may mount and unmount any volumes they specify.
# The mount operation is executed under the user account, not with
# root permissions.
#
# Format: luserconf <file>
#
#luserconf .pam_mount.conf


#------------------------------------------------------------------------------
# These directives determine which options may be specified in a user config
# file (luserconf). You must include one of these directives if you have a
# luserconf directive. You may not include both directives.
#
# If you have an options_allow directive, then the options listed in that
# directive wil be allowed, and all others rejected. If you have an
# options_deny directive, then the options listed will be denied, and all others
# permitted.
#
# You may use the wildcard '*' to match all options.
# I recommend not permitting the suid and dev options.
#
options_allow   nosuid,nodev,loop,encryption,fsck
#options_deny   suid,dev
#options_allow  *
#options_deny   *


# The options listed in this directive are required for all volumes from a
# user config file. That is, any volume specified in a user config file that
# does not include these options will be ignored.
#
# Note: you must make sure that a required option is permitted (either by
# including it in options_allow, or by not including it in options_deny).
#
# I recommend requiring at least nosuid and nodev.
#
# This is ignored completely if the volume is configured to get its options
# and mount point from /etc/fstab.
#
options_require nosuid,nodev


#------------------------------------------------------------------------------
# Commands to mount/unmount volumes. They can take parameters, as shown.
#
# If you change the -p0 argument for lclmount, you'll need to modify the
# source in mount.c (it sends the password to the stdin file descriptor
# of the child process -- look for STDIN_FILENO).
#
lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKTARGET)
losetup /sbin/losetup -p0 "%(before=\"-e\" CIPHER)" "%(before=\"-k\" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"

smbmount /usr/bin/smbmount   //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
ncpmount /usr/bin/ncpmount   %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
smbumount /usr/bin/smbumount %(MNTPT)
ncpumount /usr/bin/ncpumount %(MNTPT)

# Linux supports lazy unmounting (-l).  May be dangerous for encrypted volumes.
# May also break loopback mounts because loopback devices are not freed.
# Need to unmount mount point not volume to support SMB mounts, etc.
umount /bin/umount %(MNTPT)

# On OpenBSD try "/usr/local/bin/mount_ehd" (included in pam_mount package).
lclmount /bin/mount -p0 -t %(FSTYPE) %(VOLUME) %(MNTPT) "%(before=\"-o\" OPTIONS)"
cryptmount /bin/mount -t crypt "%(before=\"-o\" OPTIONS)" %(VOLUME) %(MNTPT)
nfsmount /bin/mount %(SERVER):%(VOLUME) %(MNTPT) "%(before=\"-o\" OPTIONS)"
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
# For BSD: mntagain mount_null %(PREVMNTPT) %(MNTPT)
# For Solaris: mntagain mount -F lofs %(PREVMNTPT) %(MNTPT)
mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)


#------------------------------------------------------------------------------
# Volumes that will be mounted when user triggers the pam_mount module
# (usually at login).
#
# Format (one line):
# volume <user> <type> <server> <volume> <mount point>
#        <mount options> <fs key cipher> <fs key path>
#
# <user> is a user for which a volume rule applies.
# "*" selects all users, "@xyz" selects all users which have xyz as their
# primary group.
#
# - If such a wildcard (* or @) is used, the '&' wildcard becomes available
#   for <volume>, <mount point>, <mount options> and <fs key path>, and
#   expands to the username that was used for login.
# - '~' expands to the user's home directory as present in the passwd
#   database, but ONLY if it is the first char. (Like in bash; /import/~ does
#   not equal /import/home/jengelh!)
# Examples see below.
#
# <type> can be any filesystem type. If /bin/mount or the kernel does not
# support it, you will get an error. You can use the special keyword "auto"
# which automatically lets the kernel choose a matching filesystem. Note
# that you the kernel's auto feature only works with filesystems listed in
# /proc/filesystem, so you will have to load the necessary modules *first*
# for them to be recognized with "auto".
#
# The "cifs", "smbfs" and "ncpfs" types override the identically-named kernel
# filesystems and use the smbmount/ncpmount programs, as defined above,
# instead of `mount -t smbfs ...`.
#
# Note that if the mount command has specified an option, e.g. %(KEYBITS)
# and you don't specify a value, a warning is printed in the log. The
# warning can usually be ignored, except when the option is mandatory.
#
# SMB mounts require the `smbmount` and `smbumount` programs,
# NCP `ncpmount` and `ncpumount`. Both SMB and NCP work in ~/.pam_mount.conf.
#
# General examples:
#     volume user smbfs krueger public /home/user/krueger - - -
#     volume user ncpfs krueger public /home/user/krueger user=user.context - -
#     volume * smbfs krueger &     /home/&         uid=&,dmask=0750 - -
#     volume * smbfs krueger homes /home/&/remote  - - -
# Useful for pam_chroot:
#     volume * auto - /bin /home/&/bin - - -
# For FUSE mounts, example sshfs:
#     volume * fuse - "sshfs#&@fileserver:" /home/& - - -
# Or...
#     volume * fuse - "sshfs#&@fileserver:" ~ - - -
# Some more examples:
#     volume * auto - /home/&.img - - aes-256-ecb /etc/ehd/&
# Windows 2000, which requires a domain specified, example (thanks John Knox):
#     volume * smbfs viper & /home/& uid=&,gid=&,dmask=0750,workgroup=WINDOWS_DOMAIN - -
# An NCP example:
#     volume user ncpfs SERVER /USERS/Department/user /home/user user=user.full.context,uid=user,gid=user,symlinks - -
# An example using spaces:
#     volume * smbfs krueger 'Home\ Directories' /home/& - - -


#------------------------------------------------------------------------------
# Linux encrypted home directory examples, using dm_crypt:
#
# crypt mounts require a kernel with CONFIG_BLK_DEV_DM and CONFIG_DM_CRYPT
# enabled as well as all the used ciphers (e.g. CONFIG_CRYPTO_AES_586,
# CONFIG_CRYPTO_TWOFISH, etc.).
# crypt mounts must be in the global config file /etc/security/pam_mount.conf
#   volume user crypt - /dev/sda2 /home/user cipher=aes,fsck aes-256-ecb /home/user.key
#
# Linux encrypted home directory examples, using dm_crypt:
#   volume user crypt - /dev/sda2 /home/user cipher=aes aes-256-ecb /home/user.key


# cryptoloop mounts require a kernel with CONFIG_BLK_DEV_CRYPTOLOOP enabled.
# cryptoloop mounts must be in the global config /etc/security/pam_mount.conf
# Linux encrypted home directory examples, using cryptoloop:
#
#   volume user auto - /dev/hda123 /home/user loop,encryption=aes - -
#   volume user auto - /home/user.img /home/user loop,user,exec,encryption=aes,keybits=256 - -
#   volume user auto - /home/user.img - - - -
#   volume user auto - /home/user.img - - aes-256-ecb /home/user4.key

# The last two examples (^^) need a line like the following in
# /etc/fstab:
#   /home/user4.img /home/user4 xfs user,loop,encryption=aes,keybits=256,noauto 0 0


# OpenBSD encrypted home directory example (see also lclmount above):
#   volume user auto - /home/user.img /home/user svnd0 - -


# Volatile tmpfs mount with restricted size
# (thanks to Mike Hommey for this example)
#   volume test tmpfs - /tmpfs/test /home/test "size=10M,uid=test,gid=users,mode=0700 -t tmpfs" - -


# Details:
# Local user configuration (~/.pam_mount.conf) can extend this.
#
# If there are no servers, mount options, fs key ciphers, etc. you must
# supply a lone dash, i.e. "-"
#
# See http://www.tldp.org/HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html
# to learn how to create a encrypted loopback filesystem.
#
# If the volume's password is different than the user's login password,
# the following technique may be used (see also README):
#
# {...} are placeholders, insert the proper value there!
#
# 1.  Create a file containing the volume's password (FS key).  If you are
#     using pam_mount to mount an loopback encrypted volume, this password
#     should may generated by /dev/urandom.
#
#     Simple example:
#     echo {volume password} | openssl enc -aes-256-ecb >/home/user.key
#     Encrypt this file using the user's login password as the key.
#
#     Verbose loopback encrypted volume example:
#     a.  dd if=/dev/urandom of=/home/user.img bs=1M count={image size in MB}
#     b.  dd if=/dev/urandom bs=1c count={keysize/8} | \
#         openssl enc -{fs key cipher} >/home/user.key
#         Encrypt this file using the user's login password as the key.
#     c.  modprobe -q cryptoloop
#     d.  openssl enc -d -{fs key cipher} -in /home/user.key | \
#         losetup -e aes -k {keysize} -p0 /dev/loop0 /home/user.img
#     e.  mkfs -t ext2 /dev/loop0
#     f.  losetup -d /dev/loop0
#
# 3.  In pam_mount.conf:
#       a.  Set the fs key cipher variable to the cipher used (ie: aes-256-ecb).
#       b.  Set the fs key path variable to the key's path (ie: /home/user.key)
# 4.  If a user changes his login password, regenerate the efsk that
#     was created in step 1b.  A script named passwdehd is provided to do this.
#
# If fs_key_cipher is -, then the user's login password is also the volume's
# password.


volume daniel crypt - /dev/hda5 /home/daniel cipher=aes aes-256-ecb /home/daniel.key

Setup

A random passprhase was generated and passed to cryptsetup (on dapper) to create the encrypted filesystem.

The key at /home/daniel.key was generated using openssl enc -aes-256-ecb -out /home/daniel.key. To encrypt I used the same password I use to log in. The plaintext encrypted was the passphrase for cryptsetup.

This setup was working fine in dapper and it also works fine in edgy with dapper's cryptsetup but not with edgy's cryptsetup.


CategoryLookMergeDelete

isilmeCryptsetupConfig (last edited 2008-08-06 16:24:10 by localhost)