Security at home – encrypted home directories


This isn’t directly server related at all; it is more for the home or office user who wants to make sure things are nice and secure.

At the office we also like to make sure the desktops we connect from are fairly safe, mostly so that if the machines ever get stolen we know our data and ssh keys are safe.

So we set up encrypted /home dirs like this…

sudo su -
apt-get install libpam-encfs encfs
echo fuse >>/etc/modules
encusername= # put the username you want to set up to use fuse here (a test user?)
adduser ${encusername} fuse
echo user_allow_other >>/etc/fuse.conf

vim /etc/security/pam_encfs.conf and add the following:

drop_permissions
encfs_default --idle=1
fuse_default allow_other,nonempty
- /home/.enc - -v allow_other

If you are on Ubuntu, check that allow_root does not appear earlier in the config.

vim /etc/pam.d/common-auth and make sure it contains only the following:

auth sufficient pam_encfs.so
auth [success=2 default=ignore] pam_unix.so nullok_secure use_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

Then follow these commands

mkdir -p /home/.enc/${encusername}
chown -R ${encusername}:${encusername} /home/.enc/${encusername}
mv /home/${encusername} /home/${encusername}.bak
mkdir -p /home/${encusername}
chown -R ${encusername}:${encusername} /home/${encusername}
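export encusername # su starts a new shell; without the export the variable would be empty there
su ${encusername}
rm -rf /home/${encusername:?}/* # :? aborts if the variable is empty instead of expanding to /home/*
encfs /home/.enc/${encusername} /home/${encusername} # Use the same password as the user's login password! A different one won't work with gdm, since it would ask for a password again.
rsync -av --delete /home/${encusername}.bak/ /home/${encusername}
exit # leave the su shell (it is not a login shell, so logout would fail)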
fusermount -u /home/${encusername}
logout

Test the user login on a tty; the encfs mount should be visible during login. gdm should work as well.

Encfs should automatically unmount any mount that has been idle for more than 1 minute. This works on my laptop (Debian) but does not seem to work properly on Ubuntu; I do not know why. Here is a quick and dirty hack to solve it.
Put this into /etc/cron.d/encfshomeautoumount as a single line (cron does not support backslash line continuation):

*/5 * * * *    root    mount | grep '^encfs on' | awk '{print $3}' | while read home; do if ! w | grep -q $( getent passwd | grep ':'$home':' | awk -F':' '{print $1}' ); then fusermount -u "$home"; fi; done >/dev/null 2>&1
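
A more careful version of the cron check above, as an added example that is not part of the original post: it matches user names exactly, because a plain grep for bob in the output of w also matches a logged-in bobby and would leave bob's home mounted. The function names, the --run/--demo switches and the sample data are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): pick the encfs homes whose owner
# has no login session, matching user names exactly instead of by substring.

# Mount points of encfs mounts, read from `mount`-style text on stdin.
encfs_mounts() {
    awk '$1 == "encfs" && $2 == "on" { print $3 }'
}

# Login name whose home directory (passwd field 6) is exactly $1.
# $2 is passwd-format text, e.g. the output of `getent passwd`.
owner_of_home() {
    printf '%s\n' "$2" | awk -F: -v h="$1" '$6 == h { print $1; exit }'
}

# Succeeds if user $1 is one whole line of the logged-in user list $2.
is_logged_in() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# stale_homes MOUNT_TEXT PASSWD_TEXT LOGGED_IN_USERS
# Prints each encfs home whose owner is known and not logged in.
stale_homes() {
    printf '%s\n' "$1" | encfs_mounts | while read -r home; do
        user=$(owner_of_home "$home" "$2")
        [ -n "$user" ] || continue    # no passwd entry: leave the mount alone
        is_logged_in "$user" "$3" || printf '%s\n' "$home"
    done
}

# Constructed sample data: two encfs homes, /home/bob and /home/bobby.
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw)
encfs on /home/bob type fuse.encfs (rw,nosuid,nodev,default_permissions,allow_other)
encfs on /home/bobby type fuse.encfs (rw,nosuid,nodev,default_permissions,allow_other)'
SAMPLE_PASSWD='bob:x:1000:1000::/home/bob:/bin/bash
bobby:x:1001:1001::/home/bobby:/bin/bash'

case "${1:-}" in
    --run)   # live use from root's crontab
        stale_homes "$(mount)" "$(getent passwd)" "$(who | awk '{print $1}' | sort -u)" |
            while read -r home; do fusermount -u "$home"; done ;;
    --demo)  # only bobby logged in: prints /home/bob
        stale_homes "$SAMPLE_MOUNTS" "$SAMPLE_PASSWD" "bobby" ;;
esac
```

Unlike the one-liner, a mount whose owner cannot be found in the passwd data is left alone rather than unmounted.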

Once you are sure everything works, you can remove the backup home folder:

rm -rf /home/${encusername}.bak