Encrypted Home Directory with EncFS and pam-encfs, with working X and Gnome

(i) Please refer to EncryptedFilesystems for further documentation.

Should also work for KDE: edit /etc/pam.d/kdm instead of /etc/pam.d/gdm.

Adapted from http://www.ubuntu-eee.com/wiki/index.php5?title=Transparent_Encryption_for_home_folder.

Tested under Ubuntu EEE 8.04.1, Ubuntu 8.04.1

Notes

(i) ^This is incorrect; eCryptfs does in fact support encryption of filenames.

Required packages

  1. encfs
  2. libpam-encfs (DO NOT INSTALL VIA APT if you are on Hardy - broken in the Hardy repos - see https://bugs.launchpad.net/ubuntu/+source/libpam-encfs/+bug/205783)

Install encfs from the Ubuntu repositories:

sudo aptitude install encfs

Install libpam-encfs from: http://ppa.launchpad.net/andrearatto/ubuntu/pool/main/libp/libpam-encfs/libpam-encfs_0.1.4.1-3~ppa1_i386.deb

/etc/security/pam_encfs.conf

The default pam_encfs.conf contains a conflicting pair of options that will cause your mounts to fail every time: allow_other is specified in fuse_default, and allow_root is set in the automatic encfs mount for each user. These two options cannot be specified together! It appears that the EncFS Options and FUSE Options columns cannot be left empty, so I just use -v for EncFS (verbose output only) and allow_other for FUSE (you need either allow_other or allow_root for gdm to work). This is what it looks like for me, username jakob:

drop_permissions
encfs_default
fuse_default

#USERNAME       SOURCE                  TARGET          EncFS Options           FUSE Options
jakob           /home/jakob.encfs       /home/jakob     -v                      allow_other

/etc/fuse.conf

Uncomment or add the following line to /etc/fuse.conf so that the allow_other option in pam_encfs.conf can take effect.

user_allow_other

Make sure the user is in the group "fuse" as well, or the user won't be able to use FUSE mounts such as EncFS.

/etc/pam.d/gdm

pam_encfs needs to be the first module that asks for the password, because it doesn't support the "use_first_pass" option. Also, gdm creates a .Xauthority file in the home directory after pam_unix runs, so EncFS needs to be mounted before this happens. Insert "auth requisite pam_encfs.so" just before "@include common-auth". For me this file looks like this:

#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
auth    requisite       pam_encfs.so
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
session required        pam_limits.so
@include common-session
session optional        pam_gnome_keyring.so auto_start
@include common-password

/etc/pam.d/login

(Optional) Edit /etc/pam.d/login in the same way as /etc/pam.d/gdm if you want the encrypted home to work when logging in from the text-mode console as well. WARNING: If you don't enable pam_encfs in /etc/pam.d/login you will still be able to log in, but you will get an empty home directory. Bash will then create a .bash_history file there, which prevents subsequent EncFS mounts because the mount point is no longer empty. You have to delete this file as root to fix this.
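The two pitfalls described above (the allow_other/allow_root clash in pam_encfs.conf, and a mount point left non-empty by a stray .bash_history) can be checked before the next login. This is an added example, not part of the wiki page; the config files and home directories it creates are constructed test data, and the function names are assumptions.

```shell
# Added example, not from the wiki: checks the two pitfalls described above
# before trusting the setup. The config files and directories below are
# constructed test data; point the functions at the real paths instead.

# Return 0 if no user's FUSE options (fuse_default plus the per-user column)
# contain both allow_other and allow_root, 1 if any user has the clash.
check_pam_encfs_conf() {
    awk 'BEGIN { bad = 0 }
         $1 == "fuse_default" { for (i = 2; i <= NF; i++) def = def " " $i }
         $0 !~ /^#/ && NF == 5 { opts[$1] = $5 }   # 5th column: FUSE Options
         END {
             for (u in opts) {
                 all = def " " opts[u]
                 if (all ~ /allow_other/ && all ~ /allow_root/) {
                     print "allow_other and allow_root both set for user " u
                     bad = 1
                 }
             }
             exit bad
         }' "$1"
}

# Return 0 if the mount point exists and is empty (dotfiles included).
# A stray .bash_history from an unencrypted login makes the next mount fail.
check_mountpoint_empty() {
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1")" ]
}

tmp=$(mktemp -d)
# Constructed: the shipped default with the conflicting option pair.
cat > "$tmp/broken.conf" <<'EOF'
drop_permissions
encfs_default -v
fuse_default allow_other
#USERNAME SOURCE TARGET EncFS_Options FUSE_Options
jakob /home/jakob.encfs /home/jakob -v allow_root
EOF
# Constructed: the corrected layout from the text (allow_other only once).
cat > "$tmp/fixed.conf" <<'EOF'
drop_permissions
encfs_default
fuse_default
jakob /home/jakob.encfs /home/jakob -v allow_other
EOF
mkdir "$tmp/home_clean" "$tmp/home_dirty"
touch "$tmp/home_dirty/.bash_history"

for f in broken fixed; do check_pam_encfs_conf "$tmp/$f.conf" && echo "$f.conf: ok"; done
for d in home_clean home_dirty; do check_mountpoint_empty "$tmp/$d" && echo "$d: empty"; done
```

Run against /etc/security/pam_encfs.conf and the real home mount point (as root, while the user is logged out) to catch both problems before they cost a login.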

Create encrypted folder

sudo -s
mv /home/jakob /home/jakob.original
mkdir /home/jakob.encfs /home/jakob
chown jakob:jakob /home/jakob /home/jakob.encfs

sudo -u jakob encfs /home/jakob.encfs /home/jakob

sudo -u jakob rsync -a --progress /home/jakob.original/ /home/jakob/

Your home folder should now be encrypted. If it works, log in and delete your jakob.original folder.

Known Issues

Workaround:

  1. Log in to another (unencrypted) sudo/root account
  2. Copy your home directory's contents to another (not encrypted) folder
  3. Upgrade to Intrepid
  4. Create a new EncFS volume and copy your home dir contents into it - see instructions above

EncryptedHomeDirectoryHowto (last edited 2014-01-05 01:11:47 by e180072102)