Friday, 10 July 2020

[Linux] Encrypting home

The policy says that there should be encryption. Nice to hear that AFTER installing the system. Nothing special is on the system partition, so it should be enough to encrypt home.
The first search showed that it is indeed possible.
Installing the tools directly, like encfs and ecryptfs-utils, showed a big warning about encfs and the security issues found in it in 2014. Right there they suggest gocryptfs. Their comparison looks good. (But who would put a bad comparison on their own site??)
Another candidate that showed up was ecryptfs. It is native to the Linux kernel, so why not try that? Because it has been removed from stable and testing because of security concerns.

Okay, so gocryptfs it should be.
Using it is rather simple.
  • aptitude install gocryptfs
  • mkdir ~/encrypted
  • mkdir ~/decrypted
  • gocryptfs -init ~/encrypted
  • gocryptfs ~/encrypted ~/decrypted
And you can put files into your decrypted folder, where they are safe.

Basically, to get your home secured:
  • create two folders,
  • one with your encrypted home inside,
  • and the other as decryption mount point,
  • mount
  • and copy your old home files inside.

A little more in detail:
  1. First, log out of your running GUI system and go to the terminal, e.g. via Ctrl-Alt-F2.
  2. Log in as root.
  3. Move your home aside: mv /home/USER /home/USER.old
  4. Create your new home: mkdir /home/USER
  5. Give it to the user: chown USER:USER /home/USER
  6. Create your new encrypted home: mkdir /home/USER.cipher
  7. And give it to the user: chown USER:USER /home/USER.cipher
  8. Initialize gocryptfs: su -c "gocryptfs -allow_other /home/USER.cipher /home/USER" USER
  9. There may be a message saying that you need to add "user_allow_other" into /etc/fuse.conf to get it working.
  10. Copy your home over: su -c "cp -r /home/USER.old/. /home/USER/"
  11. Go back to your login screen, e.g. via Ctrl-Alt-F7, and log in.
You should now be back in your normal environment. But this time it is safe in the encrypted space.
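The eleven steps above as one script, added here as an example and not taken from the post or from the gocryptfs project: it runs the `gocryptfs -init` step from the quick-start list before mounting, and checks up front for the three things that later in the post (and in the comments) turn out to break: user_allow_other missing in /etc/fuse.conf, a non-empty mountpoint, and a cipher directory not owned by the user. The function names, the FUSE_CONF variable and the check/migrate subcommands are my own; the script assumes GNU coreutils (stat -c, install -o/-g) and the gocryptfs flags used in the post.

```shell
#!/bin/sh
# Added example (not code from the original post): the migration steps as a
# script, with pre-flight checks for the failure modes the post ran into.
# Assumptions: GNU coreutils, gocryptfs with the -init/-allow_other flags used
# in the post, FUSE's /etc/fuse.conf. Run "migrate" as root, with USER logged out.

FUSE_CONF="${FUSE_CONF:-/etc/fuse.conf}"

# -allow_other from an unprivileged user needs user_allow_other in fuse.conf
# (the message from step 9). A commented-out line does not count.
fuse_allows_other() {   # fuse.conf path
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# fusermount dropped the "nonempty" option, so gocryptfs refuses a mountpoint
# with anything in it ("Invalid mountpoint: ... not empty").
dir_is_empty() {        # dir
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# The cipher dir (and gocryptfs.conf / gocryptfs.diriv inside it) must belong
# to the user; mode 700 keeps other local users away from the ciphertext.
dir_private_to() {      # dir user
    [ "$(stat -c '%U %a' "$1")" = "$2 700" ]
}

preflight() {           # user
    user="$1"; rc=0
    fuse_allows_other "$FUSE_CONF" ||
        { echo "preflight: uncomment user_allow_other in $FUSE_CONF"; rc=1; }
    dir_is_empty "/home/$user" ||
        { echo "preflight: /home/$user must exist and be empty"; rc=1; }
    dir_private_to "/home/$user.cipher" "$user" ||
        { echo "preflight: /home/$user.cipher must be owned by $user, mode 700"; rc=1; }
    return $rc
}

migrate_home() {        # user
    user="$1"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    command -v gocryptfs >/dev/null || { echo "gocryptfs not installed" >&2; return 1; }
    mv "/home/$user" "/home/$user.old"
    # plaintext mountpoint and cipher dir, both owned by the user, mode 700
    install -d -m 700 -o "$user" -g "$(id -gn "$user")" "/home/$user" "/home/$user.cipher"
    # initialise (asks for the passphrase), check, then mount
    su -c "gocryptfs -init /home/$user.cipher" "$user" || return 1
    preflight "$user" || return 1
    su -c "gocryptfs -allow_other /home/$user.cipher /home/$user" "$user" || return 1
    # cp -a as the user keeps ownership, modes and timestamps; "/." includes dotfiles
    su -c "cp -a /home/$user.old/. /home/$user/" "$user"
}

# usage: sh enc-home.sh check USER   |   sh enc-home.sh migrate USER
case "${1:-}" in
    check)   preflight "$2" ;;
    migrate) migrate_home "$2" ;;
esac
```

Run `sh enc-home.sh check USER` to see what is still missing, and `sh enc-home.sh migrate USER` as root from a text console while USER is logged out. /home/USER.old still holds the plaintext copy; remove it once you have verified that the encrypted home works.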

But what happens when you reboot?
Everything is gone!
On the next boot, your encrypted home folder is not mounted anymore, so there is just an empty folder for you as the user. To get back into your home you have to, before you log in, go to the terminal, mount your home via gocryptfs, go back to the login screen, and log in.

Normally this could be handled by PAM. There are libpam-encfs and libpam-mount for mounting different kinds of filesystems when the user logs in.

I tried and failed.
To get it working, you add to e.g. /etc/pam.d/sddm:
  • session    optional   pam_mount.so
  • auth       optional   pam_mount.so
And into /etc/security/pam_mount.conf.xml above </pam_mount>:
  • <volume user="USER" fstype="fuse" options="nonempty,allow_other,quiet" path="/usr/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />
At least that is what the internet is saying...
But I am getting errors from journalctl, like:
  • sddm: Messages from underlying mount program:
  • sddm: /usr/bin/fusermount: unknown option 'nonempty'
  • sddm: Invalid mountpoint: directory /home/USER not empty
  • sddm: fuse.NewServer failed: fusermount exited with code 256
  • sddm: mount of /usr/bin/gocryptfs#/home/USER.cipher failed
  • sddm: chdir( /home/USER ) failed for user:  "USER"
  • sddm: verify directory exist and has sufficient permissions
  • sddm: fusermount: failed to unmount /home/USER: Device or resource busy
  • su: fusermount: failed to unmount /home/USER: Invalid argument
  • su: unmount of /usr/bin/gocryptfs#/home/USER.cipher failed
At least one of them is because FUSE removed the nonempty option.
Removing that, also removing the /home/USER folder, and having
  • <mkmountpoint enable="1" remove="true" />
inside /etc/security/pam_mount.conf.xml makes it work once.
But at the next reboot the folder is there again, and the "directory not empty" error will appear again…
It should not happen, as the man page of pam_mount.conf says that the created mountpoint should be removed again automatically afterwards:
       <mkmountpoint enable="1" remove="true" />
              Controls automatic creation and removal of mountpoints. If a mountpoint does not exist when the volume is about to
              be mounted, pam_mount can be instructed to create one using the enable attribute. Normally, directories created this
              way are retained after logout, but remove may be set to true to remove the mountpoint again, but only if it was
              automatically created by pam_mount in the same session before.

But it doesn't do it for me.
If you get this error:
  • su: /usr/bin/fusermount: user has no write access to mountpoint /home/USER
then make sure that your folders have the right permissions set.
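As an added example (not from the post or from pam_mount), a small lint for /etc/security/pam_mount.conf.xml that flags the settings the errors above come down to: the nonempty option that fusermount no longer accepts, a missing allow_other, and a missing mkmountpoint element. The function names and the config written by demo are constructed; it assumes the one-line volume element shown above and POSIX sed/grep.

```shell
#!/bin/sh
# Added example, not from the original post: lint pam_mount.conf.xml for the
# settings that made the gocryptfs volume fail in the post. Assumes the
# one-line <volume .../> form shown above and POSIX sed/grep.

# Print the options="..." value of every <volume> element in the file.
volume_options() {      # conf
    sed -n 's/.*<volume[^>]*options="\([^"]*\)".*/\1/p' "$1"
}

# Is NAME one of the comma-separated mount options in LIST?
has_option() {          # list name
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# <mkmountpoint enable="1" remove="true" /> lets pam_mount create /home/USER
# at login and drop it again at logout, so no stale, non-empty dir is left.
mkmountpoint_removes() { # conf
    grep -Eq '<mkmountpoint[^>]*enable="1"[^>]*remove="true"' "$1"
}

lint_pam_mount() {      # conf; returns 0 when nothing is wrong
    conf="$1"; rc=0
    opts=$(volume_options "$conf")
    [ -n "$opts" ] || { echo "$conf: no <volume> with options= found"; return 1; }
    # fusermount removed "nonempty": the mount fails with "unknown option 'nonempty'"
    if has_option "$opts" nonempty; then
        echo "$conf: drop 'nonempty' from options= (fusermount no longer accepts it)"; rc=1
    fi
    # without allow_other, only the mounting user (not even root) can enter the mount
    has_option "$opts" allow_other ||
        { echo "$conf: add 'allow_other' to options= (needs user_allow_other in fuse.conf)"; rc=1; }
    mkmountpoint_removes "$conf" ||
        { echo "$conf: add <mkmountpoint enable=\"1\" remove=\"true\" /> above </pam_mount>"; rc=1; }
    return $rc
}

# Demo on a constructed config with both problems (not a real file from the post).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<pam_mount>
  <volume user="USER" fstype="fuse" options="nonempty,allow_other,quiet" path="/usr/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />
</pam_mount>
EOF
    lint_pam_mount "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# usage: sh pam-mount-lint.sh demo   |   sh pam-mount-lint.sh /etc/security/pam_mount.conf.xml
case "${1:-}" in
    "")   ;;
    demo) demo ;;
    *)    lint_pam_mount "$1" ;;
esac
```

Note that remove="true" only deletes a mountpoint pam_mount created itself in the same session, which is exactly what the man page excerpt above says; a /home/USER that exists from anywhere else is not touched, and the lint cannot see that.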

And another problem:
When auto-mounting via PAM (the one time that it works…), things involving secrets inside KDE/Plasma do not work as they should. Messages come up about failed KWallet access, problems with wireless passwords, and other things related to passwords, secrets and encryption. Trying different options inside the volume section didn't help so far. And mounting it from the command line via the gocryptfs utility directly doesn't cause any of those problems…

For now I could not get it to work, so I need to mount it by hand on each reboot.
Maybe it will work when version 1.8 of gocryptfs is finally in Debian, as currently it is still on 1.7.1.
Or maybe it is something else…

2 comments:

  1. I had such problem too. Ubuntu 22.10 kinetic.
    I'm not sure, but:
    1. check owner of gocryptfs.conf and gocryptfs.diriv in /home/$user.cipher should be $user, not root.
    2. check rights to /home/$user.cipher, ensure that they are 700
    I used this instruction:
    https://wiki.archlinux.org/title/User:Lukeus_Maximus
    without system-local-login/system-remote-login part.

  2. I forgot. Now it works! :-)
