Old December 19th, 2007   #1
ephro
5 Cups of Ubuntu
 
Join Date: Jan 2007
Beans: 29
HOWTO: Remounting home directory with truecrypt drive on session start

Quick Heads Up: This is a current work in progress and is being tested by a couple of users that I know. In the future I'll have it packaged in a .deb, but I don't want to go through the hassle while it's still under bug fixes.

So after searching high and low for an easier to use security system for linux I decided to roll my own. The following requirements had to be met:
  • Fully encrypted home directory
  • Ability to have a plausible deniability drive (even if never used)
  • Encrypted drive does not have to be used (say if your wife/kids/friends want to look something up on the internet)
  • Be fairly user friendly
  • Keep all stateful session information for each drive
In addition I also configured a random key swap and tmp directory, but that is covered in many other places on the internet and a little Googling will find it for you.

I went through quite a few revisions before coming up with the following solution. Basically what I decided to do was make it so that after a login the user is prompted for the encryption password. This password is used to remount the login home directory with the TrueCrypt partition that the key unlocks. If you are familiar with TrueCrypt, this means that there is just one password prompt and it will either mount the encrypted drive or the hidden drive (which is the plausible deniability drive.)

Preconfiguration not currently scripted:
  • Create a TrueCrypt drive in /home that is named [login_name]_home.tc
  • Create a hidden TrueCrypt partition inside of the original partition
  • Format the first partition to your liking (I choose ext3)
  • Format the second partition to your liking (again I choose ext3)
Now is where the fun starts:
  1. Create a /usr/share/truehomecrypt directory
  2. Create a /usr/share/truehomecrypt/scripts directory
  3. In the /usr/share/truehomecrypt/scripts directory make a file named PostLogin with the following:
    Code:
    #!/bin/bash
    # PostLogin hook: GDM runs this as root before the X session starts.
    # It prompts for the TrueCrypt password and mounts the volume over /home/<login>.
    
    appname="TrueHomeCrypt"
    loginname=$1
    mount_error_text=""
    
    # Ask for the password. Returns 0 after a successful mount or after Cancel,
    # non-zero when the prompt has to be shown again.
    do_window_popup()
    {
        password_line=$(zenity --entry --hide-text --text="$1" --title="$appname")
        retcode=$?
        if [ $retcode -ne 0 ]; then
            if [ $retcode -eq 1 ]; then
                # Cancel pressed: carry on with the unencrypted home directory
                zenity --info --text="Proceeding without a secure home directory" --title="$appname"
                return 0
            fi
            return 1
        fi
        do_truecrypt_mount "$loginname" "$password_line"
        return $?
    }
    
    do_truecrypt_mount()
    {
        password_line=$2
        # Note: -p puts the password on the command line, where it is visible
        # in the process list while truecrypt runs.
        mount_error_text=$(truecrypt -p "$password_line" "/home/${loginname}_home.tc" "/home/${loginname}")
        retcode=$?
        return $retcode
    }
    
    # Keep prompting until the volume is mounted or the user cancels
    do_ask_for_password() 
    {
        function_return=1
        while [ $function_return -ne 0 ];
        do
            if [ "$mount_error_text" != "" ]; then
                zenity --error --text="An error has occurred:\n\n${mount_error_text}" --title="$appname"
            fi
            mount_error_text=""
            do_window_popup "Enter Secure Storage Password" "$loginname"
            function_return=$?
        done
    }
    
    check_for_crypt_file()
    {
        if [ -e "/home/${loginname}_home.tc" ]; then
            return 0
        fi
        zenity --error --text="File /home/${loginname}_home.tc does not exist" --title="$appname"
        return 1
    }
    
    # Remember the result now; $? is overwritten by the cleanup below
    check_for_crypt_file "$loginname"
    have_crypt_file=$?
    
    # Dismount volumes left over from an earlier session (at most 100 tries).
    # ls is used because [ -e glob ] breaks when the glob matches several nodes.
    num=0
    (
    while ls /dev/mapper/truecrypt* >/dev/null 2>&1 && [ $num -lt 100 ]; do
        truecrypt -d
        num=$((num + 1))
        echo $num
        sleep 1
    done) | zenity --progress --text="Cleaning up old mounted drives" --title="$appname" --auto-close
    if [ "${PIPESTATUS[0]}" != "0" ]; then
        zenity --error --text="Session is not secured." --title="Error"
        exit 1
    fi
    
    
    if [ $have_crypt_file -eq 0 ]; then
        #We have a file to process now we need to try to get a password
        do_ask_for_password "$loginname"
        if [ "$mount_error_text" != "" ]; then
            zenity --error --text="Password is incorrect" --title="$appname"
        fi
    fi
    
    exit 0
  4. Rename /etc/gdm/PostLogin/Default.sample to /etc/gdm/PostLogin/Default
  5. Change /etc/gdm/PostLogin/Default to contain the following:
    Code:
    #!/bin/sh
    #
    # Note: this is a sample and will not be run as is.  Change the name of this
    # file to <gdmconfdir>/PostLogin/Default for this script to be run.  This
    # script will be run before any setup is run on behalf of the user and is
    # useful if you for example need to do some setup to create a home directory
    # for the user or something like that.  $HOME, $LOGNAME and such will all be
    # set appropriately and this script is run as root.
    
    cd /etc/gdm/PostLogin
    /usr/share/truehomecrypt/scripts/PostLogin $LOGNAME
  6. Edit /etc/gdm/PostSession/Default and put the following before the "exit 0":
    Code:
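    # If this script runs as root, whoami returns root, so prefer the session
    # user's name from $LOGNAME and fall back to whoami.
    # ls is used because [ -e glob ] breaks when the glob matches several nodes.
    if ls /dev/mapper/truecrypt* >/dev/null 2>&1; then
        loginname=${LOGNAME:-$(whoami)}
        umount -f "/home/${loginname}"
        truecrypt -d
    fi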
Now when you login you will be asked for an encryption password before your Xsession starts to load. Not hooking in before the Xsession causes major problems since files are already being written to in your home directory. If you hit 'Cancel' no encrypted drive is mounted and you can simply use your computer as normal.

Known Issues:
  • The PostSession doesn't actually do anything unless you don't have things such as trackerd running.
  • This is NOT multiuser friendly yet, meaning that two or more users can't be logged in at the same time with encrypted home directories, however if one is logged in, the other simply won't be able to mount another encrypted home directory after the first.
  • Once your drive is mounted it may not get unmounted after logout. Only shutting down your computer or relogging in without using an encryption password will force it
  • Files in your home directory can't be accessed between session (meaning you can't have cron jobs that run from there or other such things)
Please post any comments or code changes. This was a 4 hour hack and will get supported more and hopefully make it into distribution. It's especially useful for one user laptop installs.


ephro
Old December 20th, 2007   #2
HDave
Ubuntu Extra Shot
 
Join Date: Nov 2007
Location: Boston, USA
Beans: 367
Ubuntu 9.04 Jaunty Jackalope
Re: HOWTO: Remounting home directory with truecrypt drive on session start

Thanks a lot for this -- just tried it out and it works.

I booted Gutsy into single user mode in order to copy all my files from my old home directory to the TC volume. Hit "exit" and the boot continued as normal and I was able to log in...voilà.

Been a long time TC user (2+ years on Windows and 2+ months on Ubuntu). However, I did notice that for some reason the read/write performance to my home directory is really slow. Any thoughts?
Old December 22nd, 2007   #3
andreyka
First Cup of Ubuntu
 
Join Date: Dec 2007
Beans: 3
Re: HOWTO: Remounting home directory with truecrypt drive on session start

ephro, thanks for your solution!
But on my Ubuntu 7.10 the gdm PostLogin script doesn't work (yes, I renamed Default.sample to Default and use GNOME).
How can I fix it?
Old December 22nd, 2007   #4
ephro
5 Cups of Ubuntu
 
Join Date: Jan 2007
Beans: 29
Re: HOWTO: Remounting home directory with truecrypt drive on session start

Quote:
Originally Posted by andreyka
ephro, thanks for your solution!
But on my Ubuntu 7.10 the gdm PostLogin script doesn't work (yes, I renamed Default.sample to Default and use GNOME).
How can I fix it?
What is the error that you are getting? Is it just never asking you for the additional password?


ephro
Old December 22nd, 2007   #5
andreyka
First Cup of Ubuntu
 
Join Date: Dec 2007
Beans: 3
Re: HOWTO: Remounting home directory with truecrypt drive on session start

Thanks for the fast reply.
Here is the solution:
Code:
sudo chmod 0755 /usr/share/truehomecrypt/scripts/PostLogin
found after
Code:
cat /var/log/syslog | grep gdm
Dec 22 16:29:48 localhost gdm[5086]: WARNING: gdm_slave_session_start: Скрипт PostLogin вернул значение > 0. Происходит аварийное окончание работы.
Dec 22 16:37:15 localhost gdm[5086]: WARNING: gdm_slave_xioerror_handler: Фатальная ошибка X - Перезапуск :0
Dec 22 16:56:43 localhost gdm[5084]: WARNING: gdm_slave_session_start: Скрипт PostLogin вернул значение > 0. Происходит аварийное окончание работы.
(in russian)
andreyka is offline   Reply With Quote
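
Added example (not part of the original posts and not ephro's code): a preflight check for the setup in this thread. It verifies that the two hook files from post #1 are executable (the failure fixed in post #5), owned by root and not writable by group or others, since GDM runs them as root, and it counts leftover `/dev/mapper/truecrypt*` nodes in a way that stays correct when several exist. The function names and return codes are assumptions of this example, and `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example: preflight checks for the TrueHomeCrypt GDM hooks.
# Function names and return codes are invented for this example.

# check_hook FILE [OWNER_UID]
# Returns 0 ok, 1 missing, 2 not executable, 3 wrong owner,
# 4 writable by group or others (GDM runs the hook as root).
check_hook() {
    f=$1
    want_uid=${2:-0}
    [ -f "$f" ] || return 1
    # GNU stat: %u = owner uid, %a = permission bits in octal
    set -- $(stat -c '%u %a' "$f")
    [ $(( 0$2 & 0111 )) -ne 0 ] || return 2
    [ "$1" = "$want_uid" ] || return 3
    [ $(( 0$2 & 022 )) -eq 0 ] || return 4
    return 0
}

# count_mappings DIR
# Prints the number of truecrypt* nodes in DIR (normally /dev/mapper).
# Looping over the glob stays correct with zero, one or many matches,
# unlike a single `[ -e DIR/truecrypt* ]` test.
count_mappings() {
    n=0
    for node in "$1"/truecrypt*; do
        if [ -e "$node" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# preflight: check both hook files from the HOWTO and report stale mappings.
preflight() {
    rc=0
    for hook in /usr/share/truehomecrypt/scripts/PostLogin \
                /etc/gdm/PostLogin/Default; do
        check_hook "$hook" || { echo "FAIL $hook (code $?)" >&2; rc=1; }
    done
    stale=$(count_mappings /dev/mapper)
    if [ "$stale" -gt 0 ]; then
        echo "WARN $stale TrueCrypt mapping(s) still present" >&2
    fi
    return $rc
}

# Run the checks only when asked, e.g.: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight
    exit $?
fi
```

A non-zero result for a hook points at the same symptom as the syslog lines above: GDM aborts the login when PostLogin cannot run or returns a value greater than 0.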
Old January 2nd, 2008   #6
HDave
Ubuntu Extra Shot
 
Join Date: Nov 2007
Location: Boston, USA
Beans: 367
Ubuntu 9.04 Jaunty Jackalope
Re: HOWTO: Remounting home directory with truecrypt drive on session start

I found another approach to doing this that uses the PAM facility that comes with Ubuntu. It worked great:

http://www.fstab.de/twiki/bin/view/Main/PamTruecrypt

Please note that in order to get it to compile I needed to add:

Code:
#include <sys/syslog.h>
in the pam_truecrypt.c file.

Other than this little glitch it works exactly like TCGINA -- and reuses your login password to mount the truecrypt partition -- without storing your password anywhere!

Cool, eh?
Old July 16th, 2008   #7
IamAcoconut
Way Too Much Ubuntu
 
Join Date: Dec 2006
Location: Europe
Beans: 231
Re: HOWTO: Remounting home directory with truecrypt drive on session start

Any idea on how to do this with KDE?

BTW http://www.fstab.de/twiki/bin/view/Main/PamTruecrypt is unavailable
Yet cached here: http://cc.msnscache.com/cache.aspx?q...0bbb&FORM=CVRE
Old August 17th, 2009   #8
_madman_
First Cup of Ubuntu
 
Join Date: Aug 2009
Beans: 2
Re: HOWTO: Remounting home directory with truecrypt drive on session start

Does anyone have the same issue with truecrypt usage: http://forums.truecrypt.org/viewtopic.php?t=15761 ?