[Howto] graphical login and encrypted directories on FC6

This howto shows how to create an EncFS-encrypted directory and how to automatically decrypt and mount it through the normal login using PAM.

The background

There are typically two ways to encrypt files on a Linux machine. The first is to create an encrypted block device, which is roughly like a container. The second is to use pass-through file system encryption, meaning that you have a transparent encryption layer and encrypt file by file on the fly. Both have benefits and downsides; for more information read this comparison.
This howto deals with the second technique using EncFS.

The next step is to integrate encryption techniques into the GUIs – and on Linux there are hardly any graphical solutions for any task. Gnome can show a GUI password query when a LUKS device is attached; KDE, however, is still not there. Also, if you have some directories on your machine encrypted, you normally have to enter two passwords: one for the normal login, and, later or earlier, one into an external script for the encrypted directories.
This howto will address that last part.

The last words before we start: this Howto aims at Fedora Core 6 – if you use other versions or distributions, be a bit more careful. Also, make a backup copy of each file before you modify it. You will do everything at your own risk, and if your system fails, well, there will be the backup files only. I will not help you!

EncFS

First you need the encfs software. It is part of the Fedora repositories, so get it with yum install fuse-encfs. The next step is to add your user to the fuse group – use system-config-users for example. After that it helps to get at least a bit familiar with EncFS, the homepage has some examples like this one:

$ mkdir ~/tmp/crypt-raw
$ mkdir ~/tmp/crypt
$ encfs ~/tmp/crypt-raw ~/tmp/crypt
Volume key not found, creating new encrypted volume.
Password: [password entered here]
Verify: [password entered here]

After that, drop some files into the new directory and unmount it with fusermount -u ~/tmp/crypt. If you are sure that everything works as expected, go on and run, as root, echo "user_allow_other" >> /etc/fuse.conf. You need that for the gdm login.

PAM and EncFS

As already mentioned, we will use PAM to bind the GDM login to the EncFS-encrypted directories. The module needed is called pam_encfs and is unfortunately not available as a package for Fedora. Get it from the homepage, unpack it and run make && make install as root. There is also an example configuration file which we will use. Copy pam_encfs.conf to /etc/security/.
The next step is to modify exactly that file. The best is to first use some dummy directory to really test all that stuff. It makes sense to use the directories you already created and played around with in the EncFS section. In any case there is one important thing: when you are asked for a password, enter your user password!
Now, open the file (/etc/security/pam_encfs.conf), comment out the line with encfs_default --idle=1 and modify the last line according to your needs: change the source and target directories and add your name as a user.

PAM must be configured as well – on Fedora you want to modify the file /etc/pam.d/system-auth (there might be a better way, please point out if you know one). Add these lines to the appropriate fields: auth required pam_encfs.so and session required pam_encfs.so. The second makes sure that you unmount the directory at logout, btw.

That’s it – try to log off and log in again, and check if you have access to the directory.

Troubleshooting

If something doesn’t work … well, you are screwed 😉
No, honestly, I’m not a big expert on PAM or fuse or encfs, so don’t bother to ask me. All I can tell you is: check again if you added yourself to the fuse-group, check if the encfs-system is really working, and check if you use the same password for the normal login and for the encrypted directory.
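
The settings this howto changes can be checked mechanically before you log out. The script below is an added example, not part of the original howto or of pam_encfs; the function names are made up for illustration, and the file paths are passed as parameters so the checks can also be run against backup copies.

```shell
#!/bin/sh
# Added example: pre-flight checks for the pam_encfs setup described above.

# 0 if FILE ($1) has an active (uncommented) user_allow_other line.
has_user_allow_other() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# 0 if USER ($1) is a listed member of the fuse group in GROUPFILE ($2),
# which must be in /etc/group format (name:passwd:gid:member,member).
in_fuse_group() {
    awk -F: -v u="$1" '
        $1 == "fuse" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "$2"
}

# 0 if PAMFILE ($2) has an active "<type> required pam_encfs.so" line,
# where type ($1) is auth or session.
has_pam_line() {
    grep -Eq "^[[:space:]]*$1[[:space:]]+required[[:space:]]+pam_encfs\.so([[:space:]]|\$)" "$2"
}

# 0 if the "encfs_default --idle=1" line is absent or commented out in FILE ($1).
idle_default_disabled() {
    ! grep -Eq '^[[:space:]]*encfs_default[[:space:]].*--idle=1' "$1"
}

# Run every check, print one line per failure, return the number of failures.
# Arguments: user, fuse.conf, group file, PAM file, pam_encfs.conf
preflight() {
    fails=0
    in_fuse_group "$1" "$3"    || { echo "FAIL: $1 is not in the fuse group"; fails=$((fails + 1)); }
    has_user_allow_other "$2"  || { echo "FAIL: user_allow_other not active in $2"; fails=$((fails + 1)); }
    has_pam_line auth "$4"     || { echo "FAIL: no auth line for pam_encfs.so in $4"; fails=$((fails + 1)); }
    has_pam_line session "$4"  || { echo "FAIL: no session line for pam_encfs.so in $4"; fails=$((fails + 1)); }
    idle_default_disabled "$5" || { echo "FAIL: encfs_default --idle=1 still active in $5"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage on the live system (bob is a constructed user name):
#   preflight bob /etc/fuse.conf /etc/group /etc/pam.d/system-auth /etc/security/pam_encfs.conf
```

The script cannot verify the remaining point from the list above: that the EncFS volume was created with the same password as the login.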

Further information

I haven’t tried encrypting the entire home directory, but it is possible. Read the README file which was in the pam_encfs package, there you will find information about that task. Also, I use the default login manager of Fedora, which is GDM, although I use KDE in the end. The KDE login manager can also be used with the pam module, however there are problems mentioned in the readme file when you encrypt the entire directory.

The main question remaining now is: how secure is it? Well, that depends on your login password (because PAM uses that). If it is more a phrase than a password, and if the storage type of the system is a secure one, then you have good cards. For more information, read this interview.
I appreciate every comment on this topic because I’m not sure about the real security of this technique either!

But, in any case, it secures the files against other users on the system as well as against fast attacks. If someone wants to crack the files he definitely needs time and strong hardware.

8 thoughts on “[Howto] graphical login and encrypted directories on FC6”

  1. Actually, I’ve been writing a similar article using the first technique you mention (create an encrypted block device). Unfortunately, it uses mountloop and drakloop which may not be available in any distribution. I speak about encrypted swap as well. http://yoho.wordpress.com/2006/08/22/mountloop/. Thank you for this quite interesting article, I’ll update mine by linking to yours🙂

  2. My /etc/fstab contains one line like this :
    /dev/sda6 swap swap encrypted 0 0

    According to comments I read in my init files, supporting encrypted swap is up to “swapon”. However, my swapon manpage doesn’t mention anything specific about this. I don’t know if it requires any patch. I think you should just try by yourself.

  3. Well, if I add this line to fstab it doesn’t complain, but that is true for other strings as well.
    I will maybe look into using dm-crypt for that…

  4. This is what I get in my dmesg :

    loop: loaded (max 8 devices, max 1 partitions per device)
    Adding 1050796k swap on /dev/loop0. Priority:0 extents:1 across:1050796k
    Adding 1050800k swap on /dev/sda6. Priority:-2 extents:1 across:1050800k
