I'm trying to do this on 10.04 and it's not working. I've added the "truecrypt ..." line to the Default file per the directions, but I get no prompt or any sign that anything is different when restarting.
I solved the first problem. The trouble was that I installed the command-line only package, obviously nothing was going to pop up. So I passed the answers to all the mount questions as parameters.
Now some odd things are happening (like the gnome panel not functioning) when using the encrypted home folder. I suspect some permission issues, I'll be doing some more investigating.
I booted a live cd and mounted the partition containing /home and the truecrypt container. Then rsync'ed my existing home folder to the encrypted volume. On restart the previous strangeness was gone. I guess running rsync on an in-use home folder doesn't work (who woulda guessed).
Ubuntu 10.04 supports encrypted home folders out of the box (though not using TrueCrypt). All you need to do is pop open System > Users and Groups, hit the Add button, enter your name and check "Encrypt home folder to protect sensitive data". You can also do this during the initial install of Ubuntu 10.04, when you create the first user.
I don't know if you can convert an existing user's account to encrypted, but it wouldn't be too hard to copy files across afterwards and chown them.
I don't know how secure this is compared to the TrueCrypt method, but as has been pointed out in this thread neither method is 100% secure, as swap and other parts of the system are not encrypted. If you want that, you're better off encrypting the whole drive, which I believe you can still do with the alternate CD (I've only tried it with earlier versions of Ubuntu).
A little step-by-step tutorial for the process I used (Ubuntu 10.04 x64):
Download the appropriate Standard Linux package for TrueCrypt from: http://www.truecrypt.org/downloads
This process can be done using the console package, but it requires saving the encryption password in plaintext, nullifying any improvement in security. (Of course there's probably a way to pass the password not in plaintext that I didn't discover.)
Extract the archive:
Code:
    tar -xzvf truecrypt-7.0a-linux-x64.tar.gz
For some reason I had to make the file executable:
Code:
    chmod u+x truecrypt-7.0a-setup-x64
Run the installer:
Code:
    ./truecrypt-7.0a-setup-x64
Follow the simple installation procedure, then create your encrypted volume:
Code:
    truecrypt -c
Now we need to copy your existing home folder into the encrypted volume, but we can't do that while you're logged in. If you already have another admin user you can log in as, skip this step. Otherwise let's make a new user and allow it to sudo.
Code:
    sudo adduser tempuser
    sudo adduser tempuser admin
Log out and log back in as the new user, or hit Ctrl+Alt+F1 to go straight to the command line.
Next we'll relocate your home folder and then recreate it, but now empty (to serve only as a mountpoint for the encrypted volume).
Code:
    sudo mv /home/<user> /home/backup
    sudo mkdir /home/<user>
Now we need to copy your home folder data into the encrypted volume. First mount the encrypted volume.
Code:
    sudo mkdir /mnt/tmp
    truecrypt --mount
Now copy the data.
Code:
    rsync -aHv /home/backup/ /mnt/tmp
Unmount the encrypted volume.
Code:
    truecrypt -d
Almost there; now we add the instructions for your encrypted volume to be mounted when gdm starts. Edit the gdm init script:
Code:
    sudo vi /etc/gdm/Init/Default
Insert the following code with your username and the path to your encrypted container filled in. I've added a check to make sure the volume isn't already mounted, otherwise gdm was hanging on startup for me when it crashed or I had to restart it. (I put these lines directly above "exit 0".)
Code:
    if ! mount | grep -q "/home/<user> type"; then
        truecrypt <path to encrypted volume> /home/<user>
    fi
Finally you can restart gdm and see if it worked. (If you don't get any errors then it worked; the idea is that everything SHOULD look the same.)
Code:
    sudo service gdm restart
There's some final cleanup worth doing.
1. If everything is working you should "sudo rm -rf /home/backup", since having an unencrypted copy of files you've just encrypted is silly. If you're really worried you could copy those files off to some other secured backup medium.
2. We also created an extra admin account which you might want to remove (though it's generally a good idea to have a backup admin account).
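An added example, not code from the thread: a testable form of the "mount only if not already mounted" check that the gdm Init/Default snippet above relies on. is_mounted() reads a /proc/mounts-formatted file given as a parameter (pass /proc/mounts in real use) and matches the mount point field exactly, so /home/al never matches /home/alice; the volume path, home directory and the overridable truecrypt command name are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: a /proc/mounts-style file is
# passed in, "<path to encrypted volume>" and "/home/<user>" are placeholders, and
# the truecrypt command can be overridden (so a fake can stand in offline).

# is_mounted MOUNTS_FILE MOUNTPOINT -> 0 if MOUNTPOINT is mounted, 1 otherwise.
# Field 2 of /proc/mounts is the mount point; an exact compare avoids the prefix
# matches a plain grep for "/home/<user>" can produce.
is_mounted() {
    awk -v mp="$2" '$2 == mp { found = 1; exit } END { exit found ? 0 : 1 }' "$1"
}

# mount_home_once MOUNTS_FILE VOLUME MOUNTPOINT [TRUECRYPT_CMD]
# Prints one of: already-mounted, mounted, mount-failed.
# Skipping the mount when the directory is already a mountpoint is what stops a
# restarted gdm from stacking a second mount (or hanging on a prompt) over the
# user's live home, which is the hang the thread describes.
mount_home_once() {
    mounts_file=$1
    volume=$2
    mountpoint=$3
    tc=${4:-truecrypt}
    if is_mounted "$mounts_file" "$mountpoint"; then
        echo "already-mounted"
        return 0
    fi
    # Same invocation as the thread's snippet: truecrypt prompts for the
    # password itself, so nothing secret is stored in the init script.
    if "$tc" "$volume" "$mountpoint"; then
        echo "mounted"
        return 0
    fi
    echo "mount-failed"
    return 1
}

# Real use inside /etc/gdm/Init/Default (placeholders as in the thread):
#   mount_home_once /proc/mounts "<path to encrypted volume>" "/home/<user>"
```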
Ideally there would be a pam module for handling the password/login. If the pam_ecryptfs one could be modified or used as is for Truecrypt then you could achieve the same integration at login.
Also, potentially gpg could be used to wrap the Truecrypt password with your normal login password so that the login process uses gpg to unwrap the Truecrypt password and open the volume.
By integrating with pam it would allow unmounting at logout as well. I don't have time today to look into this but I'm pretty sure it's doable.
I've been running swap-less for a while now and as long as you have ample memory it seems to work just fine. This removes the potential for data being left behind in swap.
I don't know that Truecrypt offers better encryption than ecryptfs but it does have the deniability factor and perhaps that could even be integrated with pam so that dual login passwords result in differing home mounts. And it does work a bit differently in that ecryptfs encrypts file by file with encrypted filenames, whereas Truecrypt would use a volume that is a bit more opaque regarding contents.
> Also, potentially gpg could be used to wrap the Truecrypt password with your normal login password so that the login process uses gpg to unwrap the Truecrypt password and open the volume.

I hadn't thought of that. I'll look into it and see if I can incorporate it.

> I've been running swap-less for a while now and as long as you have ample memory it seems to work just fine. This removes the potential for data being left behind in swap.

I as well, swap is such a relic.

> I don't know that Truecrypt offers better encryption than ecryptfs but it does have the deniability factor and perhaps that could even be integrated with pam so that dual login passwords result in differing home mounts. And it does work a bit differently in that ecryptfs encrypts file by file with encrypted filenames, whereas Truecrypt would use a volume that is a bit more opaque regarding contents.

Between cross-platform support and the significant additional paranoia factor in TrueCrypt's design it's a no-brainer for me.
I've used truecrypt for about a year and feel very safe.
It would take years to crack open my file.