more pretty md files

2016-02-02 00:55:13 +07:00
parent c0ad1a6912
commit 518956bdff
39 changed files with 1550 additions and 484 deletions


@ -7,7 +7,9 @@ tags: linux, systemd, ecryptfs
title: How to encrypt home directory. For dummies
short: ecnryption-home-directory
---
<figure class="img">![single-door](/resources/papers/single-door.jpg)</figure>This paper is about encryption home directory using ecryptfs and automount settins using systemd and key on flash card.
<figure class="img">![single-door](/resources/papers/single-door.jpg)</figure>This
paper is about encryption home directory using ecryptfs and automount settins
using systemd and key on flash card.
<!--more-->
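Review bot: The re-wrapped intro paragraph keeps the typo `settins` (should be `settings`), and its first new line still glues `This` onto the closing `</figure>` tag. Since the line is being touched anyway, put the `<figure>` element on its own line and start the paragraph on the next one so the wrap is clean. The `short: ecnryption-home-directory` slug in the context lines is misspelled too; change it only if existing links to the page will not break.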
@ -26,7 +28,9 @@ short: ecnryption-home-directory
## <a href="#step1" class="anchor" id="step1"><span class="octicon octicon-link"></span></a>Step 1: Encryption
The widespread solution in the Internet is to use automatic utilities to do it. However in our case they are not suitable, since we need to import key / password signature, which is not possible in this case.
The widespread solution in the Internet is to use automatic utilities to do it.
However in our case they are not suitable, since we need to import key /
password signature, which is not possible in this case.
The encryption can be done by the following command (lol):
@ -34,8 +38,10 @@ The encryption can be done by the following command (lol):
mount -t ecryptfs /home/$USER /home/$USER
```
While process it asks some question (I suggest to do first mounting in the interactive mode). The answers may be like following (see the comments),
please note that if you change something, it will be changed in some lines below too:
While process it asks some question (I suggest to do first mounting in the
interactive mode). The answers may be like following (see the comments),
please note that if you change something, it will be changed in some lines below
too:
```bash
# key or certificate. The second one is more reliable while you don't lose it %)
@ -94,25 +100,31 @@ cp -a /home/$USER-org/. /home/$USER
## <a href="#step2" class="anchor" id="step2"><span class="octicon octicon-link"></span></a>Step 2: systemd automounting
Create file on flash card (I've used microSD) with the following text (you should insert your password):
Create file on flash card (I've used microSD) with the following text (you
should insert your password):
```bash
passphrase_passwd=someverystronguniqpassword
```
Add card automount (mount point is `/mnt/key`) to `fstab` with option `ro`, for example:
Add card automount (mount point is `/mnt/key`) to `fstab` with option `ro`, for
example:
```bash
UUID=dc3ecb41-bc40-400a-b6bf-65c5beeb01d7 /mnt/key ext2 ro,defaults 0 0
UUID=dc3ecb41-bc40-400a-b6bf-65c5beeb01d7 /mnt/key ext2 ro,defaults 0 0
```
Let's configure home directory mounting. The mount options can be found in the following output:
Let's configure home directory mounting. The mount options can be found in the
following output:
```bash
mount | grep ecryptfs
```
I should note that there are not all options there, you need add `key`, `no_sig_cache`, `ecryptfs_passthrough` too. Thus systemd mount-unit should be like the following (if you are systemd-hater you can write the own daemon, because it doesn't work over `fstab` without modification (see below)).
I should note that there are not all options there, you need add `key`,
`no_sig_cache`, `ecryptfs_passthrough` too. Thus systemd mount-unit should be
like the following (if you are systemd-hater you can write the own daemon,
because it doesn't work over `fstab` without modification (see below)).
```bash
# cat /etc/systemd/system/home-$USER.mount
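Review bot: The key-file step in this hunk documents a clear-text `passphrase_passwd=` file on the card, and the fstab example mounts the card with only `ro,defaults`, without telling the reader how to protect that file. Consider adding a sentence on restricting the file to root (owner and mode) and adding `nosuid,nodev,noexec` to the mount options for the removable card. Separately, the two `UUID=...` lines appear to differ only in whitespace, and the passphrase and fstab snippets are fenced as `bash` although neither is shell; confirm both are intended.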
@ -130,7 +142,9 @@ Options=rw,nosuid,nodev,relatime,key=passphrase:passphrase_passwd_file=/mnt/key/
WantedBy=local-fs.target
```
`XXXXX` should be replaced to signature from options with which directory are currently mounting. Also you need to insert user name and edit path to file with password (and unit name) if it is needed. Autoload:
`XXXXX` should be replaced to signature from options with which directory are
currently mounting. Also you need to insert user name and edit path to file with
password (and unit name) if it is needed. Autoload:
```bash
systemctl enable home-$USER.mount
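Review bot: The unit name in `systemctl enable home-$USER.mount` (context line at the end of this hunk) depends on `$USER`, which expands to `root` if the command is typed in a root shell, so the text should tell the reader to substitute the target user name literally. A systemd mount unit name has to match the mount path, so a user name containing `-` needs escaping; pointing at `systemd-escape --path --suffix=mount /home/<name>` would cover that. The re-wrapped paragraph also keeps "should be replaced to signature from options with which directory are currently mounting", which is worth rewording while the lines are being changed.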
@ -159,17 +173,22 @@ Enable:
systemctl enable umount-key.service
```
Reboot. Remove backups if all is ok. If not then you did a mistake, resurrect system from emergency mode.
Reboot. Remove backups if all is ok. If not then you did a mistake, resurrect
system from emergency mode.
## <a href="#whynotfstab" class="anchor" id="whynotfstab"><span class="octicon octicon-link"></span></a>Why not fstab?
In my case I could not to make flash mounting before home decryption. Thus I saw emergency mode on load in which I should just continue loading. There are two solutions in the Internet:
In my case I could not to make flash mounting before home decryption. Thus I saw
emergency mode on load in which I should just continue loading. There are two
solutions in the Internet:
* Create entry with noauto option and then mount using the special command in `rc.local`.
* Create entry with noauto option and then mount using the special command in
`rc.local`.
* Create entry with nofail option and then remount all partitions in `rc.local`.
In my opinion both of them are workarounds too much.
## <a href="#whynotpam" class="anchor" id="whynotpam"><span class="octicon octicon-link"></span></a>Why not pam?
Other solution is to mount using pam entry. In my case I have authentication without password on fingerprint so it doesn't work for me.
Other solution is to mount using pam entry. In my case I have authentication
without password on fingerprint so it doesn't work for me.
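Review bot: `Remove backups if all is ok` in the first re-wrapped paragraph of this hunk does not tell the reader what the backup contains. If it is the `/home/$USER-org` directory visible in an earlier hunk header, it is an unencrypted copy of the home directory, and the text should say so and state that it must not be left on the disk once the encrypted mount is verified. The re-wrap also carries over "could not to make" and "workarounds too much" unchanged; fix the wording in the same pass.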