ephro
December 19th, 2007, 10:17 PM
Quick Head Up: This is a current work in progress and is being tested by a couple of users that I know. In the future I'll have it packaged in a .deb, but don't want to go the hassle while it's still under bug fixes.
So after searching high and low for an easier to use security system for linux I decided to roll my own. The following requirements had to be met:
Fully encrypted home directory
Ability to have a plausible deniability drive (even if never used)
Encrypted drive not have to be used (say if your wife/kids/friends want to look something up on the internet)
Be fairly user friendly
Keep all stateful session information for each driveIn addition I also configured a random key swap and tmp directory, but that is covered in many other places on the internet and a little Googling will find it for you.
I went through quite a few revisions before coming up with the following soliution. Basically what I decieded to do was make it so that after a login the user is prompted for the encryption password. This password is used to remount the login home directory with the TrueCrypt partition that the key unlocks. If you are familiar with TrueCrypt, this means that there is just one password prompt and it will either mount the encrypted drive or the hidden drive (which is the plausible deniability drive.)
Preconfiguration not currently scripted:
Create a TrueCrypt drive in /home that is named [login_name]_home.tc
Create a hidden TrueCrypt partition inside of the original partition
Format the first partition to your liking (I choose ext3)
Format the second partition to your liking (again I choose ext3)Now is where the fun starts:
Create a /usr/share/truehomecrypt directory
Create a /usr/share/truehomecrypt/scripts directory
In the /usr/share/truehomecrypt/scripts directory make a file named PostLogin with the following: #!/bin/bash
appname="TrueHomeCrypt"
loginname=$1
mount_error_text=""
do_window_popup()
{
password_line=`zenity --entry --hide-text=* --text="$1" --title=$appname`
retcode=$?
if [ $retcode -ne 0 ]; then
if [ $retcode -eq 1 ]; then
zenity --info --text="Proceeding without a secure home directory" --title=$appname
return 0
fi
return -1
fi
do_truecrypt_mount $loginname $password_line
return $?
}
do_truecrypt_mount()
{
password_line=$2
mount_error_text=`truecrypt -p $password_line /home/${loginname}_home.tc /home/${loginname}`
retcode=$?
return $retcode
}
do_ask_for_password()
{
function_return=-2
while [ $function_return -ne 0 ];
do
if [ "$mount_error_text" != "" ]; then
zenity --error --text="An Error has occured:\n\n${mount_error_text}" --title=$appname
fi
mount_error_text=""
do_window_popup "Enter Secure Storage Password" $loginname
function_return=$?
done
}
check_for_crypt_file()
{
if [ -e "/home/${loginname}_home.tc" ]; then
return 0
fi
zenity --error --text="File /home/${loginname}_home.tc does not exists" --title=$appname
return -1
}
check_for_crypt_file "$loginname"
num=0
(
while [ -e /dev/mapper/truecrypt* ] && [ $num -lt 100 ]; do
truecrypt -d
(( num++ ))
echo $num
sleep 1
done) | stopper=`zenity --progress --text="Cleaning up old mounted drives" --title=$appname --auto-close`
if [ "${PIPESTATUS[0]}" != "0" ]; then
zenity --error --text="Session is not secured." --title="Error"
exit 1
fi
if [ $? -eq 0 ]; then
#We have a file to process now we need to try to get a password
do_ask_for_password $loginname
if [ "$mount_error_text" != "" ]; then
zenity --error --text="Password is incorrect" --title=$appname
fi
fi
exit 0
Rename /etc/gdm/PostLogin/Default.sample to /etc/gdm/PostLogin/Default
Change /etc/gdm/PostLogin/Default to contain the following:#!/bin/sh
#
# Note: this is a sample and will not be run as is. Change the name of this
# file to <gdmconfdir>/PostLogin/Default for this script to be run. This
# script will be run before any setup is run on behalf of the user and is
# useful if you for example need to do some setup to create a home directory
# for the user or something like that. $HOME, $LOGNAME and such will all be
# set appropriately and this script is run as root.
cd /etc/gdm/PostLogin
/usr/share/truehomecrypt/scripts/PostLogin $LOGNAME
Edit /etc/gdm/PostSession/Default and put the following before the "exit 0":if [ -e /dev/mapper/truecrypt* ]; then
loginname=`whoami`
umount -f /home/${loginname}
truecrypt -d
fiNow when you login you will be asked for an encryption password before your Xsession starts to load. Not hooking in before the Xsession causes major problems since files are already being written to in your home directory. If you hit 'Cancel' no encrypted drive is mounted and you can simply use your computer as normal.
Known Issues:
The PostSession doesn't actually do anything unless you don't have things such as trackerd running.
This is NOT multiuser friendly yet, meaning that two or more users can't be logged in at the same time with encrypted home directories, however if one is logged in, the other simply won't be able to mount another encrypted home directory after the first.
Once your drive is mounted it may not get unmounted after logout. Only shutting down your computer or relogging in without using an encryption password will force it
Files in your home directory can't be accessed between session (meaning you can't have cron jobs that run from there or other such things)Please post any comments or code changes. This was a 4 hour hack and will get supported more and hopefully make it into distribution. It's especially useful for one user laptop installs.
ephro
So after searching high and low for an easier to use security system for linux I decided to roll my own. The following requirements had to be met:
Fully encrypted home directory
Ability to have a plausible deniability drive (even if never used)
Encrypted drive not have to be used (say if your wife/kids/friends want to look something up on the internet)
Be fairly user friendly
Keep all stateful session information for each driveIn addition I also configured a random key swap and tmp directory, but that is covered in many other places on the internet and a little Googling will find it for you.
I went through quite a few revisions before coming up with the following soliution. Basically what I decieded to do was make it so that after a login the user is prompted for the encryption password. This password is used to remount the login home directory with the TrueCrypt partition that the key unlocks. If you are familiar with TrueCrypt, this means that there is just one password prompt and it will either mount the encrypted drive or the hidden drive (which is the plausible deniability drive.)
Preconfiguration not currently scripted:
Create a TrueCrypt drive in /home that is named [login_name]_home.tc
Create a hidden TrueCrypt partition inside of the original partition
Format the first partition to your liking (I choose ext3)
Format the second partition to your liking (again I choose ext3)Now is where the fun starts:
Create a /usr/share/truehomecrypt directory
Create a /usr/share/truehomecrypt/scripts directory
In the /usr/share/truehomecrypt/scripts directory make a file named PostLogin with the following: #!/bin/bash
appname="TrueHomeCrypt"
loginname=$1
mount_error_text=""
do_window_popup()
{
password_line=`zenity --entry --hide-text=* --text="$1" --title=$appname`
retcode=$?
if [ $retcode -ne 0 ]; then
if [ $retcode -eq 1 ]; then
zenity --info --text="Proceeding without a secure home directory" --title=$appname
return 0
fi
return -1
fi
do_truecrypt_mount $loginname $password_line
return $?
}
do_truecrypt_mount()
{
password_line=$2
mount_error_text=`truecrypt -p $password_line /home/${loginname}_home.tc /home/${loginname}`
retcode=$?
return $retcode
}
do_ask_for_password()
{
function_return=-2
while [ $function_return -ne 0 ];
do
if [ "$mount_error_text" != "" ]; then
zenity --error --text="An Error has occured:\n\n${mount_error_text}" --title=$appname
fi
mount_error_text=""
do_window_popup "Enter Secure Storage Password" $loginname
function_return=$?
done
}
check_for_crypt_file()
{
if [ -e "/home/${loginname}_home.tc" ]; then
return 0
fi
zenity --error --text="File /home/${loginname}_home.tc does not exists" --title=$appname
return -1
}
check_for_crypt_file "$loginname"
num=0
(
while [ -e /dev/mapper/truecrypt* ] && [ $num -lt 100 ]; do
truecrypt -d
(( num++ ))
echo $num
sleep 1
done) | stopper=`zenity --progress --text="Cleaning up old mounted drives" --title=$appname --auto-close`
if [ "${PIPESTATUS[0]}" != "0" ]; then
zenity --error --text="Session is not secured." --title="Error"
exit 1
fi
if [ $? -eq 0 ]; then
#We have a file to process now we need to try to get a password
do_ask_for_password $loginname
if [ "$mount_error_text" != "" ]; then
zenity --error --text="Password is incorrect" --title=$appname
fi
fi
exit 0
Rename /etc/gdm/PostLogin/Default.sample to /etc/gdm/PostLogin/Default
Change /etc/gdm/PostLogin/Default to contain the following:#!/bin/sh
#
# Note: this is a sample and will not be run as is. Change the name of this
# file to <gdmconfdir>/PostLogin/Default for this script to be run. This
# script will be run before any setup is run on behalf of the user and is
# useful if you for example need to do some setup to create a home directory
# for the user or something like that. $HOME, $LOGNAME and such will all be
# set appropriately and this script is run as root.
cd /etc/gdm/PostLogin
/usr/share/truehomecrypt/scripts/PostLogin $LOGNAME
Edit /etc/gdm/PostSession/Default and put the following before the "exit 0":if [ -e /dev/mapper/truecrypt* ]; then
loginname=`whoami`
umount -f /home/${loginname}
truecrypt -d
fiNow when you login you will be asked for an encryption password before your Xsession starts to load. Not hooking in before the Xsession causes major problems since files are already being written to in your home directory. If you hit 'Cancel' no encrypted drive is mounted and you can simply use your computer as normal.
Known Issues:
The PostSession doesn't actually do anything unless you don't have things such as trackerd running.
This is NOT multiuser friendly yet, meaning that two or more users can't be logged in at the same time with encrypted home directories, however if one is logged in, the other simply won't be able to mount another encrypted home directory after the first.
Once your drive is mounted it may not get unmounted after logout. Only shutting down your computer or relogging in without using an encryption password will force it
Files in your home directory can't be accessed between session (meaning you can't have cron jobs that run from there or other such things)Please post any comments or code changes. This was a 4 hour hack and will get supported more and hopefully make it into distribution. It's especially useful for one user laptop installs.
ephro