Revision 1 as of 2008-10-14 20:10:47


Encrypted Home Directory with EncFS and pam_mount, with working X and Gnome

Notes

  • I don't use ecryptfs because it can't encrypt filenames. This is unacceptable for me as the filenames contain private information.
  • I have used EncFS for a long time now and I haven't hit a single problem.

Steps

  1. aptitude install encfs
  2. aptitude install libpam-mount
  3. Create a new user; I will call him "john". John's home is /home/john.
  4. Create a new directory owned by john, /home/john.encfs
  5. /home/john will be the mountpoint for /home/john.encfs . It has to be empty:

sudo -u john find /home/john -mindepth 1 -delete
  6. Set up the EncFS volume:

sudo -u john encfs /home/john.encfs /home/john

Just press Enter at the prompt for default encryption and pick a password (the password can be changed easily later, so you can pick something easy until everything works).

  7. Edit /etc/security/pam_mount.conf.xml . Edit the <fusemount> and <fuseumount> elements so that they look like this:

<fusemount>encfs %(VOLUME) %(MNTPT) -- -o allow_other</fusemount>
<fuseumount>fusermount -u %(MNTPT)</fuseumount>

This is not necessary when you don't need to pass options to encfs. I need "allow_other"; using the options="" property of the volume doesn't work because of encfs' strange syntax. In the same file, add this:

<volume user="john" fstype="fuse" path="/home/john.encfs" mountpoint="/home/john" />
  8. Edit /etc/pam.d/gdm . Insert

@include common-pammount

right after @include common-auth . Note that you can't add it to the end of the file because something in the PAM stack creates ~/.gnome-something . The EncFS volume has to be mounted before this happens, otherwise mounting will fail because the home dir is not empty. Note: You shouldn't use nonempty to work around this, as that will make the files created before mounting inaccessible.

  9. (Optional) Edit /etc/pam.d/login like /etc/pam.d/gdm if you want the encrypted home to work even when logging in through the console.
  10. Edit /etc/pam.d/common-pammount . Comment out everything and add this to the end:

auth       required   pam_mount.so
session    required   pam_mount.so

This will prevent login when mounting the encrypted home fails. Change required to optional if you want to be able to log in even when mounting the home dir fails. Note that Gnome will then create a mess of files in /home/john (the mountpoint that should stay empty) that have to be cleared out every time you enter a wrong EncFS password. Note that I removed try_first_pass to be able to have different passwords for the user and for the encrypted home directory. The reason is that I have to type the user password every time I'm using sudo, so a) I want it to be easier to type, and b) I don't want the encryption password to be easily observable by shoulder-surfing.

  11. Edit /etc/gdm/gdm.conf . Look for UserAuthDir= . Set

UserAuthDir=/tmp

This is necessary because otherwise gdm will create a file ".Xauthority" in the home dir before pam_mount can mount the encrypted home directory. Then mounting will fail because the home dir is not empty.

  12. Reboot (restarting gdm might suffice)
  13. Enjoy ;)

Known Problems

  1. The encrypted volume will not be unmounted on logout because lots of processes will still be holding files when pam_mount tries to unmount it. Note that lazy unmounting makes things worse: it causes unmounting to work, but then processes might create files in the mountpoint directory /home/john (I observed gconfd creating some state file). Subsequent mounts will fail because the mountpoint is not empty.

  2. Once logged out, you can't log in again because unmounting failed => the encfs volume is still mounted => the mountpoint is not empty => mounting fails. pam_mount should detect that the volume is already mounted and shouldn't try to mount it again. However, for the version in Hardy, this doesn't work for EncFS. Note that the -n switch for FUSE is not available in Hardy to work around this.

The workarounds for this are:

  1. Don't log out but lock the screen and switch user
  2. If you did log out: Log into a root console and unmount the volume manually:

fusermount -u /home/john

Note that setting pam_mount.so to optional solves this problem, but leaves you with a mess when entering a wrong EncFS password. I think that the latter is worse.
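
A check for the failure states described under Known Problems, as an added example that is not part of the original page: it reports whether the mountpoint is still mounted from an earlier session, contains stray files, or is ready for pam_mount. The function names and the optional mounts-file argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify the state of an EncFS mountpoint before login.
# Function names and the optional MOUNTS_FILE argument are assumptions.

# is_mounted MOUNTPOINT [MOUNTS_FILE]
# True when MOUNTPOINT is field 2 of a line in the mounts table.
# (/proc/mounts escapes spaces as \040; paths like /home/john are unaffected.)
is_mounted() {
    awk -v m="$1" '$2 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# is_empty DIR
# True when DIR has no entries at all, dotfiles included (ls -A).
is_empty() {
    [ -z "$(ls -A "$1" 2>/dev/null)" ]
}

# check_home MOUNTPOINT [MOUNTS_FILE]
# Prints one of: already-mounted, missing, ready, not-empty.
# The mount table is consulted first because a FUSE mount made without
# allow_other cannot be inspected by other users, root included.
check_home() {
    if is_mounted "$1" "${2:-/proc/mounts}"; then
        echo already-mounted   # an earlier session was never unmounted
    elif [ ! -d "$1" ]; then
        echo missing
    elif is_empty "$1"; then
        echo ready             # pam_mount can mount here
    else
        echo not-empty         # stray files, e.g. .Xauthority
    fi
}

# advise MOUNTPOINT: map the state to the action described on this page.
advise() {
    case $(check_home "$1") in
        already-mounted) echo "run from a root console: fusermount -u $1" ;;
        not-empty)       echo "clear stray files, list them with: ls -A $1" ;;
        missing)         echo "create the mountpoint $1" ;;
        ready)           echo "ok: $1 is empty and not mounted" ;;
    esac
}

# Run against a mountpoint given on the command line, e.g. /home/john.
if [ $# -gt 0 ]; then
    advise "$1"
fi
```

Run it from a root console with the mountpoint as its argument (for the setup above, /home/john) before logging in again.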
