Quick Heads Up: This is a current work in progress and is being tested by a couple of users that I know. In the future I'll have it packaged in a .deb, but I don't want to go through the hassle while it's still under bug fixes.
So after searching high and low for an easier-to-use security system for Linux I decided to roll my own. The following requirements had to be met:
- Fully encrypted home directory
- Ability to have a plausible deniability drive (even if never used)
- Encrypted drive does not have to be used (say if your wife/kids/friends want to look something up on the internet)
- Be fairly user friendly
- Keep all stateful session information for each drive
In addition I also configured a random key swap and tmp directory, but that is covered in many other places on the internet and a little Googling will find it for you.
I went through quite a few revisions before coming up with the following solution. Basically what I decided to do was make it so that after a login the user is prompted for the encryption password. This password is used to remount the login home directory with the TrueCrypt partition that the key unlocks. If you are familiar with TrueCrypt, this means that there is just one password prompt and it will either mount the encrypted drive or the hidden drive (which is the plausible deniability drive).
Preconfiguration not currently scripted:
- Create a TrueCrypt drive in /home that is named [login_name]_home.tc
- Create a hidden TrueCrypt partition inside of the original partition
- Format the first partition to your liking (I chose ext3)
- Format the second partition to your liking (again I chose ext3)
Now is where the fun starts:
- Create a /usr/share/truehomecrypt directory
- Create a /usr/share/truehomecrypt/scripts directory
- In the /usr/share/truehomecrypt/scripts directory make a file named PostLogin with the following:
Code:
```bash
#!/bin/bash
# PostLogin hook: prompt for the TrueCrypt password and mount the matching
# volume (outer or hidden) over the user's home directory. Runs as root.
appname="TrueHomeCrypt"
loginname=$1
mount_error_text=""

# Ask for the password; Cancel (zenity exit code 1) continues without mounting.
do_window_popup() {
    password_line=`zenity --entry --hide-text --text="$1" --title="$appname"`
    retcode=$?
    if [ $retcode -ne 0 ]; then
        if [ $retcode -eq 1 ]; then
            zenity --info --text="Proceeding without a secure home directory" --title="$appname"
            return 0
        fi
        return 2
    fi
    do_truecrypt_mount "$loginname" "$password_line"
    return $?
}

# Note: -p puts the password on the truecrypt command line, where it is
# visible in the process list while the mount runs.
do_truecrypt_mount() {
    password_line=$2
    mount_error_text=`truecrypt -p "$password_line" "/home/${loginname}_home.tc" "/home/${loginname}"`
    retcode=$?
    return $retcode
}

# Keep prompting until the mount succeeds or the user cancels.
do_ask_for_password() {
    function_return=2
    while [ $function_return -ne 0 ]; do
        if [ "$mount_error_text" != "" ]; then
            zenity --error --text="An error has occurred:\n\n${mount_error_text}" --title="$appname"
        fi
        mount_error_text=""
        do_window_popup "Enter Secure Storage Password" "$loginname"
        function_return=$?
    done
}

check_for_crypt_file() {
    if [ -e "/home/${loginname}_home.tc" ]; then
        return 0
    fi
    zenity --error --text="File /home/${loginname}_home.tc does not exist" --title="$appname"
    return 1
}

# Remember the result now; $? is overwritten by the cleanup below.
check_for_crypt_file "$loginname"
have_crypt_file=$?

num=0
(
    # Dismount leftovers from an earlier session, giving up after 100 tries.
    # compgen -G copes with more than one /dev/mapper/truecrypt* entry.
    while compgen -G "/dev/mapper/truecrypt*" > /dev/null && [ $num -lt 100 ]; do
        truecrypt -d
        (( num++ ))
        echo $num
        sleep 1
    done
    # Exit non-zero if a mapping is still present so the check below sees it.
    ! compgen -G "/dev/mapper/truecrypt*" > /dev/null
) | zenity --progress --text="Cleaning up old mounted drives" --title="$appname" --auto-close
if [ "${PIPESTATUS[0]}" != "0" ]; then
    zenity --error --text="Session is not secured." --title="Error"
    exit 1
fi

if [ $have_crypt_file -eq 0 ]; then
    # We have a file to process; now we need to try to get a password
    do_ask_for_password "$loginname"
    if [ "$mount_error_text" != "" ]; then
        zenity --error --text="Password is incorrect" --title="$appname"
    fi
fi
exit 0
```
- Rename /etc/gdm/PostLogin/Default.sample to /etc/gdm/PostLogin/Default
- Change /etc/gdm/PostLogin/Default to contain the following:
Code:
```sh
#!/bin/sh
#
# Note: this is a sample and will not be run as is. Change the name of this
# file to <gdmconfdir>/PostLogin/Default for this script to be run. This
# script will be run before any setup is run on behalf of the user and is
# useful if you for example need to do some setup to create a home directory
# for the user or something like that. $HOME, $LOGNAME and such will all be
# set appropriately and this script is run as root.

cd /etc/gdm/PostLogin
/usr/share/truehomecrypt/scripts/PostLogin "$LOGNAME"
```
- Edit /etc/gdm/PostSession/Default and put the following before the "exit 0":
Code:
```sh
# Unmount the encrypted home and dismount all TrueCrypt volumes at logout.
# ls copes with more than one /dev/mapper/truecrypt* entry.
if ls /dev/mapper/truecrypt* > /dev/null 2>&1; then
    # PostSession runs as root, so whoami returns root; use the login name
    # from $LOGNAME when GDM provides it.
    loginname="${LOGNAME:-`whoami`}"
    umount -f "/home/${loginname}"
    truecrypt -d
fi
```
Now when you login you will be asked for an encryption password before your Xsession starts to load. Not hooking in before the Xsession causes major problems since files are already being written to in your home directory. If you hit 'Cancel' no encrypted drive is mounted and you can simply use your computer as normal.
Known Issues:
- The PostSession doesn't actually do anything unless you don't have things such as trackerd running.
- This is NOT multiuser friendly yet, meaning that two or more users can't be logged in at the same time with encrypted home directories, however if one is logged in, the other simply won't be able to mount another encrypted home directory after the first.
- Once your drive is mounted it may not get unmounted after logout. Only shutting down your computer or relogging in without using an encryption password will force it.
- Files in your home directory can't be accessed between sessions (meaning you can't have cron jobs that run from there or other such things)
Please post any comments or code changes. This was a 4 hour hack and will get supported more and hopefully make it into distribution. It's especially useful for one user laptop installs.
ephro
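Added example, not part of the original post: two things to check when a script hands a passphrase to a command as `-p <password>`, as the PostLogin script does with `truecrypt -p`. An unquoted expansion splits and globs the passphrase, and anything passed as an argument is readable from `/proc/<pid>/cmdline` (world-readable by default on Linux) while the process runs. `SAMPLE_PASS` and the `stand-in` process are constructed for the demonstration; the stand-in is a sleeping shell, not truecrypt.

```bash
#!/bin/sh
# Added example. SAMPLE_PASS is a constructed passphrase with a space and a
# glob character; "stand-in" is a placeholder process name, not truecrypt.
SAMPLE_PASS='correct horse *'

count_args() { echo "$#"; }

# Argument count when the passphrase is expanded unquoted, as in
# "do_truecrypt_mount $loginname $password_line" ($1 = directory to run in).
unquoted_argc() { ( cd "$1" && count_args -p $SAMPLE_PASS ); }

# Quoted expansion: always "-p" plus exactly one passphrase argument.
quoted_argc() { ( cd "$1" && count_args -p "$SAMPLE_PASS" ); }

# Returns 0 if the passphrase is readable in /proc/<pid>/cmdline, 1 if it is
# not, 2 if the child never showed up. Polls until the child has exec'ed.
cmdline_has_pass() {
    for _try in 1 2 3 4 5 6 7 8 9 10; do
        args=$(cat "/proc/$1/cmdline" 2>/dev/null | tr '\0' ' ')
        case $args in
            'sh -c '*stand-in*) printf '%s' "$args" | grep -qF -- "$SAMPLE_PASS"
                                return $? ;;
        esac
        sleep 0.1
    done
    return 2
}

# Passphrase passed as an argument, the way a "-p <password>" option gets it.
leak_via_argv() {
    sh -c 'sleep 3; true' stand-in -p "$SAMPLE_PASS" >/dev/null 2>&1 &
    cmdline_has_pass $!
}

# Passphrase written to the child's stdin instead: argv carries no secret.
leak_via_stdin() {
    printf '%s\n' "$SAMPLE_PASS" |
        sh -c 'read -r p; sleep 3; true' stand-in >/dev/null 2>&1 &
    cmdline_has_pass $!
}

demo_dir=$(mktemp -d) && touch "$demo_dir/a" "$demo_dir/b" "$demo_dir/c"
echo "argc unquoted: $(unquoted_argc "$demo_dir"), quoted: $(quoted_argc "$demo_dir")"
leak_via_argv  && echo "argv:  passphrase readable in /proc/<pid>/cmdline"
leak_via_stdin || echo "stdin: passphrase not present in /proc/<pid>/cmdline"
rm -rf "$demo_dir"
```

Whether a given truecrypt build can take the passphrase some way other than `-p` has to be checked against that build's own help output; the stdin variant here only shows the difference in what the process table exposes.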