can i use hal for an encrypted home?
Farkas Levente
lfarkas at bppiac.hu
Wed Jun 20 01:39:44 PDT 2007
hi,
after a long discussion on the udev list they suggested asking here.
the basic setup is that i'd like to encrypt my home partition but keep it
as usable as possible:-) so i decided not to encrypt / or any other
part of my system. requirements:
- use my pc as a workstation.
- encrypted home dir for me (and even for every other user),
- the home dir should be encrypted all the time, ie. not decrypted during
boot. these are my workstations at my different working places, and these
computers are always running.
- when i'd like to log in, simply be able to "open" ie. decrypt my home dir.
- use it, and when i finish my work and log out, "close" the encrypted volume.
so my question is: how can you do it?
i just created a new partition, created a luks volume with ext3 on it and put
my home dir into this volume. at the same time i put the encryption key into
a file on my pendrive.
my home directory is a luks encrypted volume:
----------------------------------------
# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
34692928 5613204 27288956 18% /
/dev/sda1 101086 12297 83570 13% /boot
tmpfs 517532 0 517532 0% /dev/shm
/dev/mapper/home-lfarkas
39509616 27716680 11391540 71% /home/lfarkas
# cryptsetup status home-lfarkas
/dev/mapper/home-lfarkas is active:
cipher: twofish-cbc-essiv:sha256
keysize: 256 bits
device: /dev/mapper/VolGroup00-LogVol02
offset: 2056 sectors
size: 80279544 sectors
mode: read/write
----------------------------------------
the keyfile (ie. the password to the encrypted partition) is on a hidden
partition of the pendrive. _before_ i log in i just plug in the pendrive;
udev recognizes it, mounts the pendrive, uses the file which contains the
encryption key and mounts my volume. when i unplug it, it closes the luks
partition. these are my udev rules:
----------------------------------------
# cat /etc/udev/rules.d/10-local.rules
ACTION=="add", KERNEL=="sd[a-z]", SUBSYSTEM=="block", ATTR{size}=="2880", ATTRS{serial}=="07530736300A", ATTRS{product}=="USB DISK Pro", SYMLINK+="lfarkas", RUN+="/root/bin/home-up /dev/VolGroup00/LogVol02 lfarkas"
ACTION=="remove", KERNEL=="sd[a-z]", SUBSYSTEM=="block", RUN+="/root/bin/home-down lfarkas"
----------------------------------------
and the used scripts:
----------------------------------------
# cat /root/bin/home-up
#!/bin/bash
# $1 = LUKS device, $2 = user; $DEVNAME (the pendrive) is set by udev
# match the mount point exactly (field 2 of /proc/mounts), not as a prefix
if ! grep -q " /home/$2 " /proc/mounts; then
    TMPDEV="/mnt/tmp"
    mount -t vfat "$DEVNAME" "$TMPDEV" || exit 1
    KEY="$TMPDEV/.$2.key"
    if [ ! -f "$KEY" ]; then
        umount "$TMPDEV"
        exit 1
    fi
    /root/bin/luks-up "$1" "/home/$2" < "$KEY"
    RES=$?
    umount "$TMPDEV"
    exit $RES
fi
# cat /root/bin/home-down
#!/bin/bash
# $1 = user; only tear down once the X session (.Xclients) is gone
# the bracketed dot keeps grep from matching its own command line
if [ -z "$(ps -u "$1" | grep '[.]Xclients')" ]; then
    killall -u "$1"
    umount /media/*
    sleep 5
    /root/bin/luks-down "/home/$1"
fi
----------------------------------------
this is working, but maybe there is a better, easier way to do this.
the problem is that my home is not accessible before i "open" my home, so
no script or info there is usable, and it's not possible to "open" my
volume during the gnome login session since the gnome login session requires
my gnome settings which are in my home dir:-(
anyway, i currently don't see any way to encrypt the home dir for each
user, so that they can't see each other's homes and are able to "decrypt"
when they'd like to use it.
i hope it's clear now.
--
Levente "Si vis pacem para bellum!"
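As an added example (not the poster's scripts, nor anything from the hal or udev projects), the same home-up/home-down flow reworked with an exact mount-point check, a read-only pendrive mount and direct cryptsetup calls. It assumes cryptsetup is in PATH, udev supplies $DEVNAME for the pendrive, and the mapping is named home-<user> as in the post; the optional second argument of is_mounted exists so the check can be run against a constructed mounts file.

```shell
#!/bin/bash
# Added example for the LUKS-keyfile-on-pendrive setup in the post.
# Assumes: cryptsetup in PATH, $DEVNAME set by udev, mapping home-<user>.

# Exact match on field 2 of /proc/mounts. A plain `grep /home/$2` also
# matches /home/lfarkas2 or /home/lfarkas/x. $2 is an alternative mounts
# file so the function can be tested against constructed data.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Keyfile path on the pendrive for a user, following the post (.<user>.key)
keyfile_for() {
    printf '%s/.%s.key\n' "$1" "$2"
}

# home-up <luks device> <user>; $DEVNAME is the pendrive udev just added
home_up() {
    local dev="$1" user="$2" tmp="/mnt/tmp" key rc
    is_mounted "/home/$user" && return 0
    [ -n "${DEVNAME:-}" ] || return 1
    # read-only, nosuid/nodev: the pendrive only has to yield the key
    mount -t vfat -o ro,nosuid,nodev "$DEVNAME" "$tmp" || return 1
    key=$(keyfile_for "$tmp" "$user")
    if [ ! -f "$key" ]; then umount "$tmp"; return 1; fi
    cryptsetup luksOpen --key-file "$key" "$dev" "home-$user"
    rc=$?
    umount "$tmp"                       # key media leaves right after use
    [ "$rc" -eq 0 ] || return "$rc"
    mount "/dev/mapper/home-$user" "/home/$user"
}

# home-down <user>: close only when no process of that user is left,
# so a live session is never left with its home torn out from under it
home_down() {
    local user="$1"
    pgrep -u "$user" >/dev/null && return 1
    is_mounted "/home/$user" && umount "/home/$user"
    cryptsetup luksClose "home-$user"
}

# Dispatch on the name the script is invoked by (symlink home-up / home-down)
if [ "$#" -gt 0 ]; then
    case "${0##*/}" in
        home-up)   home_up "$@" ;;
        home-down) home_down "$@" ;;
    esac
fi
```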