Encrypted Home Directory with EncFS and pam-encfs, with working X and Gnome

(i) Please refer to EncryptedFilesystems for further documentation.

Should also work for KDE - edit /etc/pam.d/kdm instead of /etc/pam.d/gdm .

Adapted from http://www.ubuntu-eee.com/wiki/index.php5?title=Transparent_Encryption_for_home_folder .

Tested under Ubuntu EEE 8.04.1, Ubuntu 8.04.1

Notes

  • This uses pass-through filesystem encryption with EncFS. You don't need an encrypted partition, nor do you need to decide how large the encrypted portion should be. See http://www.arg0.net/encfsintro for a detailed explanation.

  • I don't use ecryptfs because it can't encrypt filenames. This is unacceptable for me as the filenames contain private information.

(i) ^This is incorrect; eCryptfs does in fact support encryption of filenames.

  • I have used EncFS for a long time now and I haven't hit a single problem.
  • I use pam-encfs and not pam-mount because pam-mount had problems (I don't remember exactly which) with the FUSE EncFS mount.
  • You must have a second account (root or sudo) handy to log into a console and fix things up.

Required packages

  1. encfs
  2. libpam-encfs (DO NOT INSTALL VIA APT (if you are on Hardy) - broken in the Hardy repos - see https://bugs.launchpad.net/ubuntu/+source/libpam-encfs/+bug/205783 )

Install encfs from the Ubuntu repositories:

sudo aptitude install encfs

Install libpam-encfs from: http://ppa.launchpad.net/andrearatto/ubuntu/pool/main/libp/libpam-encfs/libpam-encfs_0.1.4.1-3~ppa1_i386.deb

/etc/security/pam_encfs.conf

The default pam_encfs.conf has a conflicting option that will cause your mounts to fail every time: allow_other is specified in fuse_default, and allow_root is set in the automatic encfs mount per user. These two options cannot be specified together! It looks like EncFS Options and FUSE Options cannot be left empty, so I just use -v for EncFS (just verbose output) and allow_other for FUSE (you need either allow_other or allow_root for gdm to work). This is what it looks like for me, username jakob:

drop_permissions
encfs_default
fuse_default

#USERNAME       SOURCE                  TARGET          EncFS Options           FUSE Options
jakob           /home/jakob.encfs       /home/jakob     -v                      allow_other

/etc/fuse.conf

Uncomment or add the following line to /etc/fuse.conf so that the allow_other option in pam_encfs.conf can take effect.

user_allow_other

Make sure the user is in the group "fuse" as well, or else he won't be able to use FUSE mounts like EncFS.

/etc/pam.d/gdm

pam_encfs needs to be the first module because it doesn't take any "use_first_pass" options. Also, gdm creates a .Xauthority file in the home directory after pam_unix; EncFS needs to be mounted before this happens. Insert "auth requisite pam_encfs.so" just before "@include common-auth". For me this file looks like this:

#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
auth    requisite       pam_encfs.so
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
session required        pam_limits.so
@include common-session
session optional        pam_gnome_keyring.so auto_start
@include common-password

/etc/pam.d/login

(Optional) Edit /etc/pam.d/login like /etc/pam.d/gdm if you want the encrypted home to work even when logging in through the text mode console. WARNING: If you don't enable pam_encfs in /etc/pam.d/login you will still be able to log in. You will then get an empty home directory. Bash will create a file .bash_history that will prevent subsequent mounts of EncFS, as the mountpoint is no longer empty. You have to delete this file as root to fix this.
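
The settings described above can be checked by a script before you log out: it flags allow_other and allow_root both being set in pam_encfs.conf, a user_allow_other line that is still commented out, and a PAM file where pam_encfs.so does not come before common-auth. This is an added example, not part of the original howto; the function names and the sample files built in demo() are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page: static checks for the settings above.

# True if fuse.conf has an uncommented user_allow_other line.
fuse_allows_other() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# True if the active lines of pam_encfs.conf mention both allow_other and
# allow_root (one in fuse_default, the other in a user's mount line).
encfs_conf_conflict() {
    awk '$1 ~ /^#/    { next }
         /allow_other/ { o = 1 }
         /allow_root/  { r = 1 }
         END { exit !(o && r) }' "$1"
}

# True if an auth line for pam_encfs.so comes before "@include common-auth".
pam_encfs_first() {
    awk '$1 ~ /^#/ { next }
         $1 == "@include" && $2 == "common-auth" { seen = 1 }
         $1 == "auth" && $3 ~ /pam_encfs\.so$/ && !seen { ok = 1 }
         END { exit !ok }' "$1"
}

# Constructed sample files: a conflicting conf, the page's layout, a
# still-commented fuse.conf, and a PAM file with pam_encfs in the right place.
demo() {
    d=$(mktemp -d) || return 1
    printf 'fuse_default allow_other\njakob /home/jakob.encfs /home/jakob -v allow_root\n' > "$d/bad.conf"
    printf 'fuse_default\njakob /home/jakob.encfs /home/jakob -v allow_other\n' > "$d/good.conf"
    printf '#user_allow_other\n' > "$d/fuse.conf"
    printf 'auth requisite pam_encfs.so\n@include common-auth\n' > "$d/gdm"
    encfs_conf_conflict "$d/bad.conf"  && echo "bad.conf: allow_other and allow_root both set"
    encfs_conf_conflict "$d/good.conf" || echo "good.conf: no conflict"
    fuse_allows_other "$d/fuse.conf"   || echo "fuse.conf: user_allow_other is not enabled"
    pam_encfs_first "$d/gdm"           && echo "gdm: pam_encfs.so precedes common-auth"
    rm -rf "$d"
}

# Usage: script PAM_ENCFS_CONF FUSE_CONF PAM_FILE; without arguments, run the demo.
if [ "$#" -eq 3 ]; then
    if encfs_conf_conflict "$1"; then echo "$1: allow_other and allow_root both set"; fi
    fuse_allows_other "$2" || echo "$2: user_allow_other is not enabled"
    pam_encfs_first "$3"   || echo "$3: pam_encfs.so is not before common-auth"
else
    demo
fi
```

Run it with /etc/security/pam_encfs.conf, /etc/fuse.conf and /etc/pam.d/gdm (or /etc/pam.d/login) as arguments; no output means all three checks passed.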

Create encrypted folder

  • Log out and log in as a different user (sudo-enabled or root)
  • Create necessary directories and set permissions (replace "jakob" with your username).

sudo -s
mv /home/jakob /home/jakob.original
mkdir /home/jakob.encfs /home/jakob
chown jakob:jakob /home/jakob /home/jakob.encfs

  • Create encrypted folder

sudo -u jakob encfs /home/jakob.encfs /home/jakob

  • Accept default options, or tinker with the encryption settings. I just used the default security rather than paranoid mode because paranoid mode apparently doesn't support hard links.
  • The password does not have to be the same as the login password.

  • Copy your home folder contents into the encrypted folder

sudo -u jakob rsync -a --progress /home/jakob.original/ /home/jakob/

  • Reboot
  • You will be asked first for your EncFS password and then for your login password

Your home folder should now be encrypted. If it works, log in and delete your jakob.original folder.

Known Issues

  • The home directory is not unmounted at logout. While it's possible (see /usr/share/doc/libpam-encfs/README.gz ), this caused a lot of trouble for me. Most of the time, unmounting won't work anyway because some gnome apps take long to terminate and have files open when the unmount should happen. Another thing I experienced is some gnome app creating a file (saved_state) after encfs is unmounted ( ! ). This file is created in the mountpoint. Then the mountpoint will be non-empty and subsequent logins will fail! You have to empty it again using a root shell to fix this.
  • Upgrading to intrepid will break the setup: https://bugs.launchpad.net/ubuntu/+source/encfs/+bug/234818 .

Workaround:

  1. Log in to another (unencrypted) sudo/root account
  2. Copy your home directory's contents to another (not encrypted) folder
  3. Upgrade to Intrepid
  4. Create a new EncFS volume and copy your home dir contents into it - see instructions above
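
Both the /etc/pam.d/login warning and the first known issue end with a non-empty mount point that blocks the next EncFS mount. The following added example (not part of the original howto) detects that state and moves the leftovers aside rather than deleting them; the function names, the backup directory argument and the demo data are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Run it from the second
# (root/sudo) account while the encrypted user is logged out.

# True if TARGET appears as a mount point in the mount table
# (second argument; defaults to /proc/mounts).
is_mounted() {
    awk -v t="$1" '$2 == t { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Returns 0 if TARGET is mounted or empty (EncFS can mount at login),
# 1 if it is unmounted but holds leftovers, which are listed.
check_mountpoint() {
    if is_mounted "$1" "${2:-/proc/mounts}"; then
        echo "$1: mounted"; return 0
    fi
    left=$(find "$1" -mindepth 1 -maxdepth 1)    # includes dotfiles
    if [ -z "$left" ]; then
        echo "$1: empty"; return 0
    fi
    echo "$1: not mounted, but contains:"; echo "$left"
    return 1
}

# Move leftovers into BACKUP_DIR (outside TARGET) instead of deleting them.
quarantine_strays() {
    mkdir -p "$2" && find "$1" -mindepth 1 -maxdepth 1 -exec mv -- {} "$2"/ \;
}

# Constructed demo: a fake home holding .bash_history and an empty mount table.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/home" && : > "$d/home/.bash_history" && : > "$d/mounts"
    check_mountpoint "$d/home" "$d/mounts" || echo "-> the next EncFS mount would fail"
    quarantine_strays "$d/home" "$d/strays"
    check_mountpoint "$d/home" "$d/mounts" && echo "-> mount point is clean again"
    rm -rf "$d"
}

# Usage: script /home/USER checks the real mount point; no arguments runs the demo.
if [ "$#" -ge 1 ]; then check_mountpoint "$1"; else demo; fi
```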

EncryptedHomeDirectoryHowto (last edited 2014-01-05 01:11:47 by e180072102)