pam_mount, LUKS: revisited

Do you remember my previous rant on pam_mount? Well, now I must admit it works smoothly in its latest incarnation, which is 0.18 at the time of this writing. I spent some time last weekend setting up a LUKS-encrypted partition to be used as my home directory and decided to give it another try. I also took the DAR archiver for a spin.

First of all, make a backup of your home directory. I used DAR because it is able to store ACLs as well as to create big archives (make sure you compile it with the «dar64» USE-flag). I used an old 15GB iPod, which is very handy (and fast) as an external Firewire drive. Also, install the required tools:

# mount -t vfat /dev/sda2 /mnt
# cd /home/hario
# dar -c /mnt/hario -v -z -Z '*.bz2' -Z '*.gz'
# emerge cryptsetup-luks multipath-tools pam_mount

The «-Z» switch instructs DAR to skip compressing files which are already compressed, as there is no gain in doing that. The next step is formatting the partition, but first we must overwrite its contents with random data, so that no remnants of the old (unencrypted) data are left on the partition and free space is indistinguishable from encrypted data («hda12» is my home partition):

# umount /home/hario
# shred -n 2 -v /dev/hda12
# cryptsetup luksFormat -c twofish -s 256 /dev/hda12
# cryptsetup luksOpen /dev/hda12 hario
# mkfs.xfs /dev/mapper/hario
# cryptsetup luksClose hario

You may want to use a different cipher, but Twofish is very fast and as secure as other widely used algorithms like AES. I have chosen a key size of 256 bits, which I believe is enough for my purpose. Also, replace «mkfs.xfs» with the proper tool to format the encrypted partition with the filesystem of your choice.

Now let’s try mounting the partition using a filesystem type of «crypt». If that works, pam_mount will have no trouble mounting it either. This is also a good point to restore our backup:

# mount -t crypt /dev/hda12 /home/hario
# dar -x /mnt/hario -v
# umount /home/hario

Now make sure you’ve removed the affected partition from «/etc/fstab» and, finally, add a line to «/etc/security/pam_mount.conf» stating that the home directory must be mounted at login:

# echo "volume hario crypt - /dev/hda12 /home/hario - - -" \
>> /etc/security/pam_mount.conf

You should be able to log in and out successfully, and pam_mount should mount the partition at login and unmount it when no open sessions remain. If the verbosity of pam_mount annoys you, you may want to set «debug 0» in the configuration file.
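As an added example (not part of the original post), here is a small POSIX sh wrapper around the steps above that adds the checks I would want before running them on a real machine: it refuses to shred and format a device that is still mounted, still listed in «/etc/fstab» or already carries a LUKS header, and it appends the pam_mount «volume» line only once, so re-running it is harmless. The function names, the «format»/«entry» subcommands and the optional file arguments (which let the fstab and pam_mount.conf checks run against copies of those files) are my own; the shred and cryptsetup invocations are the ones from the post, with the key size passed through «-s», which is cryptsetup’s key-size switch.

```shell
#!/bin/sh
# Added example, not the post's own code. Wraps the post's LUKS + pam_mount
# steps with sanity checks. Function names and subcommands are assumptions.
set -eu

# Build the pam_mount 0.18 "volume" line used in the post. Fields after
# "volume": user fstype server path mountpoint options fskeycipher fskeypath
pam_mount_volume_line() {
    printf 'volume %s crypt - %s %s - - -\n' "$1" "$2" "$3"
}

# Return 0 if the device is still a (non-commented) source entry in fstab.
# Second argument lets the check run against a copy of /etc/fstab.
fstab_has_device() {
    dev=$1; fstab=${2:-/etc/fstab}
    grep -qs "^[[:space:]]*$dev[[:space:]]" "$fstab"
}

# Append the volume line to pam_mount.conf unless an identical line exists.
ensure_pam_mount_volume() {
    user=$1; dev=$2; mnt=$3; conf=${4:-/etc/security/pam_mount.conf}
    line=$(pam_mount_volume_line "$user" "$dev" "$mnt")
    if grep -Fqx "$line" "$conf" 2>/dev/null; then
        return 0            # already configured, nothing to do
    fi
    printf '%s\n' "$line" >> "$conf"
}

# Destructive part of the post: refuse to run if anything still uses the
# device or if it already is a LUKS volume (e.g. the script was run before).
luks_prepare() {
    dev=$1
    if grep -qs "^$dev " /proc/mounts; then
        echo "$dev is mounted; umount it first" >&2; return 1
    fi
    if fstab_has_device "$dev"; then
        echo "$dev is still in /etc/fstab; remove it, pam_mount mounts it now" >&2
        return 1
    fi
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "$dev already has a LUKS header; refusing to re-format" >&2
        return 1
    fi
    shred -n 2 -v "$dev"
    cryptsetup luksFormat -c twofish -s 256 "$dev"
}

# Usage (assumed CLI):  ./luks-home.sh format /dev/hda12
#                       ./luks-home.sh entry hario /dev/hda12 /home/hario
case "${1:-}" in
    format) luks_prepare "$2" ;;
    entry)  ensure_pam_mount_volume "$2" "$3" "$4" ;;
esac
```

The «format» step still needs root and a real block device; the «entry» step and the fstab check are plain file operations, which is why they take a file argument and can be dry-run against copies before touching the live configuration.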

One thought on “pam_mount, LUKS: revisited”

  1. [Off-Topic]
    I’ve just found out (rather belatedly, by the looks of it) that you have a blog up and running again. Consider yourself linked! 🙂
