Following the directions on Lars’ blog, I set up an encrypted home directory on Ubuntu 9.04 using LUKS.
The following commands were all executed with root permissions. Add “sudo” to the front of the commands if you are not running with root permissions.
apt-get install cryptsetup libpam-mount
cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda7
The partition I used was /dev/sda7; replace that with the partition you created. luksFormat will ask you for a passphrase. I suggest using the same password as your login, since pam_mount will later reuse your login password to unlock the volume.
Then, to map the encrypted partition to /dev/mapper/cryptohome, do this:
cryptsetup luksOpen /dev/sda7 cryptohome
Then create an ext3 filesystem on the mapped device. You may substitute a filesystem of your choice here, but ext3 is the most widely used and therefore the most tested.
(-m 1 reserves only 1% of the blocks for root instead of the default 5%, and sparse_super saves space; both should be safe since this is not a root filesystem. Note that the -O for options is a capital O, and there must be no spaces after the commas that separate the options.)
mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/cryptohome
To test that everything is working, close the mapping, open it again, mount it, make sure you can write a file to the partition, and then unmount and close it again:
cryptsetup luksClose cryptohome
cryptsetup luksOpen /dev/sda7 cryptohome
mkdir -p /mnt/test
mount /dev/mapper/cryptohome /mnt/test
touch /mnt/test/testfile
ls /mnt/test
umount /mnt/test
cryptsetup luksClose cryptohome
To make it mount automatically when you log in:
Make sure you do not have a partition listed for your home directory in /etc/fstab.
Add a line in /etc/crypttab:
cryptohome /dev/sda7 noauto luks
And configure pam_mount in /etc/security/pam_mount.conf.xml to auto-load your encrypted home directory on login:
<volume user="summetj" fstype="crypt" path="/dev/sda7" mountpoint="/home/summetj" />
Note that initially the user's home directory will be owned by root, and you will have to chown -R
If you get an error message that says “pam_mount(pam_mount.c:100): unknown pam_mount option “use_first_pass””, you can get rid of it by editing the /etc/pam.d/common-pammount and /etc/pam.d/common-auth files and removing the “use_first_pass” option from both of them.
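As an added example (not from this post or from Lars' blog), here is a POSIX shell script that wraps the whole procedure above with the checks you would want before running it: it refuses to luksFormat a device that is currently mounted, warns if the mountpoint is still listed in /etc/fstab (the condition the post says must not hold), and generates the /etc/crypttab line and the pam_mount volume element from one set of parameters so the two cannot drift apart. The function names, the --run flag, and the optional file arguments used for testing are assumptions; the values /dev/sda7, cryptohome and summetj are the post's own example values. Nothing destructive runs unless --run is passed.

```shell
#!/bin/sh
# Added example: pre-flight checks and config generation for a LUKS home directory.
# Hypothetical helper names; device, mapper name and user are placeholders.

# Print "yes" if DEV appears as a mounted device in MOUNTS (default /proc/mounts).
device_is_mounted() {
    dev=$1; mounts=${2:-/proc/mounts}
    awk -v d="$dev" '$1 == d { found=1 } END { print (found ? "yes" : "no") }' "$mounts"
}

# Print "yes" if MOUNTPOINT has an entry in FSTAB (default /etc/fstab); comment lines are ignored.
mountpoint_in_fstab() {
    mp=$1; fstab=${2:-/etc/fstab}
    awk -v m="$mp" '$1 !~ /^#/ && $2 == m { found=1 } END { print (found ? "yes" : "no") }' "$fstab"
}

# Build the /etc/crypttab line: noauto = not opened at boot, luks = LUKS-formatted container.
crypttab_line() {
    printf '%s %s noauto luks\n' "$1" "$2"
}

# Build the pam_mount <volume/> element; fstype="crypt" makes pam_mount run cryptsetup at login.
pam_mount_volume() {
    printf '<volume user="%s" fstype="crypt" path="%s" mountpoint="%s" />\n' "$1" "$2" "$3"
}

# Return 0 when it is safe to proceed with DEV and MOUNTPOINT, 1 otherwise.
preflight() {
    dev=$1; mp=$2; mounts=${3:-/proc/mounts}; fstab=${4:-/etc/fstab}
    ok=0
    if [ "$(device_is_mounted "$dev" "$mounts")" = yes ]; then
        echo "refusing: $dev is mounted; luksFormat would destroy a live filesystem" >&2
        ok=1
    fi
    if [ "$(mountpoint_in_fstab "$mp" "$fstab")" = yes ]; then
        echo "refusing: $mp is listed in $fstab; remove it so pam_mount alone handles it" >&2
        ok=1
    fi
    return $ok
}

# Destructive: wipes DEV, then formats, opens, makes ext3, closes, and prints the config lines.
setup_cryptohome() {
    dev=$1; name=$2; user=$3; mp=$4
    preflight "$dev" "$mp" || return 1
    cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat "$dev"
    cryptsetup luksOpen "$dev" "$name"
    mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super "/dev/mapper/$name"
    cryptsetup luksClose "$name"
    echo "Add to /etc/crypttab:";                    crypttab_line "$name" "$dev"
    echo "Add to /etc/security/pam_mount.conf.xml:"; pam_mount_volume "$user" "$dev" "$mp"
}

# Only an explicit --run performs the destructive steps (assumed invocation convention).
if [ "${1:-}" = "--run" ]; then
    setup_cryptohome /dev/sda7 cryptohome summetj /home/summetj
fi
```

Run it as root with `./cryptohome.sh --run` after adjusting the device, user and mountpoint at the bottom; without --run it only defines the functions, so the checks can be exercised against copies of /etc/fstab and /proc/mounts before touching a real disk.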