Conditionally mounted encrypted volume

Forum: Linux
Total Replies: 13
techiem2

Feb 11, 2009
8:29 PM EDT
Ok, I figure I should do an encrypted /home since I tend to have work data on my laptop. Now what my friend has done, and what I would like to do, is to set up a conditionally mounted /home. But as he's not online much or often, I figured I'd ask you guys how to do it. :)

The idea is to have an encrypted /home with the keyfile on a usb flash drive (or maybe the key IS the flash drive? - I don't remember what he told me). If the flash drive is plugged in on boot, the encrypted /home is mounted. If not, a generic one is mounted.

Anyone know how to accomplish this? My searches haven't been useful....

I know I should also encrypt the swap part, but there's a million howtos out there for that (actually...why do I even have a swap part on a laptop with 2GB ram?).

ColonelPanik

Feb 11, 2009
8:54 PM EDT
Cool idea. I await the answer with unprotected data. Truth, there isn't much there in /home but my dear wife thinks this is what she has been looking for.
gus3

Feb 11, 2009
9:38 PM EDT
If you're the only one using the system, how about having /home/techiem2 as the mount point? Here's my idea, in rough structure:

In /home/techiem2/.bash_profile (not encrypted):

    # set up basic env vars
    if [ -b /dev/usb-partition ]; then      # USB partition exists
        mount /dev/usb-partition /mnt/usb
        cryptsetup luksOpen -d /mnt/usb/keyfile /dev/encrypted-volume home_techiem2   # device-mapper names cannot contain "/"
        umount /mnt/usb
        mount /dev/mapper/home_techiem2 /home/techiem2
    fi

If the USB partition doesn't exist, then do nothing; /home/techiem2 will stay as-is.

Un-mounting will be trickier. In .bash_logout (on the encrypted volume):

    cp .bash_logout_stage2 /tmp/
    exec /tmp/.bash_logout_stage2   # exec during logout may need to be "exec sh ..."

And in .bash_logout_stage2 (on encrypted volume):

    umount /home/techiem2
    cryptsetup luksClose home_techiem2   # same mapper name as in luksOpen; no "/" allowed
    rm /tmp/.bash_logout_stage2          # final clean-up

If the encrypted volume isn't mounted (because USB key was absent), these .bash_logout* files won't do anything, because they won't be available.

The trick will be to transfer control to a file outside /home/techiem2, so that it may be umount'ed. If you have any leftover CORBA processes for GNOME or KDE, they will need to be killed before the umount.

Note: I have not tried the above, but if I were to do so, those would be my starting points to bear in mind.
techiem2

Feb 12, 2009
12:27 AM EDT
Wooo Thanks gus3!

Here we go (I'll blog and wiki this up in more detail later):

Step 1: Set up a udev rule for the flash drive using its serial number to give it a static dev name

Step 2: Setup autofs to mount it and (probably optional - I do this with my mounts to make life easier) make a symlink from where you like to access it to the actual autofs mount dir for it - i.e. I use /fs/Patriot > /mnt/auto/Patriot - I partly do this because the ghost option for autofs doesn't like me, so this works nicely)

Step 3: Luks up your partition and add a keyfile to it so you don't have to use the password. I used the steps from http://www.linuxfreax.net/doku.php?id=wiki:cryptsetup-luks slightly modified (i.e. I don't do loopback cuz I was doing a full partition, not a luks in a file)

Step 4: Set up the user related stuff: set up the bash_profile, bash_logout, etc. like you said with a few changes.

1. You need to use sudo for the commands since users don't have access to mount, umount, cryptsetup, etc. So use sudo and set up sudoers to allow your user to run the full commands with no pass.

2. In the bash_profile I ended it by running cd and then clear. If you don't do a cd, it doesn't update the directory listing right so if you do an ls it will show what was there pre-mount.

3. In the bash_logout you need to cd elsewhere (I used /tmp) before execing the other script (which needed to use exec sh) or else it won't unmount the partition since it's still in use.

gus3

Feb 12, 2009
12:48 AM EDT
Cool!

You might look into adding "user" to your mount options in /etc/fstab. That allows ordinary users to run "mount".

When you get this working, I'm looking forward to a detailed HOWTO. I promise, a good, detailed report will draw hits to your website.
techiem2

Feb 12, 2009
1:55 AM EDT
I just tried with the user option in fstab and it didn't like it. I.E. it still said "only root can do that" when it tried to mount. So I'll leave it at the sudo setup for now.

I've got an initial version of the Howto up on my wiki. http://www.techiem2.net/cgi-bin/twiki/bin/view/Main/HowToLuk...

I'll clean it up a little later and then post it to the actual blog so it will be easily visible (with a link to the wiki copy of course for easy reference).
Sander_Marechal

Feb 12, 2009
3:46 AM EDT
Do add your blog article to the LXer newswire as well when you're done :-)
gus3

Feb 12, 2009
9:14 AM EDT
And then you'll see the article translated into Russian, Bulgarian, Romanian, Ukrainian...

And you too can tell people you're a translated author! ;-)
techiem2

Feb 12, 2009
3:17 PM EDT
Ok, I found a little bug. The unmount doesn't work if there are still processes running (duh). So how do I kill all processes from the user except the running .bash_logout_stage script? I tried kill -9 `ps -u techiem2 -o "pid="`, but that kills the script running it, so it never makes it to the next step. lol.

gus3

Feb 12, 2009
3:39 PM EDT
"fuser -s -k -m /home/patriot"

You can also specify which signal as its own parameter:

"fuser -s -k -TERM -m /home/patriot"
techiem2

Feb 12, 2009
4:12 PM EDT
I figured it out a bit differently. Here's my new top of the logout: pause a few so most processes will close on their own, then kill everything but sh since that's running the scripts and will die itself when appropriate. aaah. The wonders of grep and regex. I tried using cut first to get just the PIDs but apparently it outputs differently so kill doesn't see the PIDs properly, so I have grep cutting out everything after the PIDs in the list.

    echo "Pausing for processes to close"
    sleep 5
    echo "Killing all leftover processes"
    # -E is needed: in basic grep syntax {0,4} and {1,5} are literal text, not repetition counts
    kill -9 `ps -u techiem2 | grep -v '[ ][s][h]' | grep -v PID | grep -oE '^[ ]{0,4}[0-9]{1,5}'`
    sleep 1
Sander_Marechal

Feb 12, 2009
4:30 PM EDT
techiem2: Take a look at my cifs article here: http://www.jejik.com/articles/2007/07/automatically_mounting...

The init script I built for it can look at a filesystem and kill all processes that use that file system. Processes that do not use that filesystem are left running normally. If you do that instead of killing *all* processes you could do even niftier stuff.
techiem2

Feb 12, 2009
4:38 PM EDT
Cool. I'll have to look into that.

I have the initial version of the article blogged. I'll toss it onto the newswire.
techiem2

Feb 12, 2009
4:45 PM EDT
Another bug I just realized is that .bash_logout needs to be sure it is your last shell login before running .bash_logout_stage2 or else logging out of say a screen session or a secondary shell login will kill you....
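As an added example (not code from the thread), here is how I would write the logout-side teardown that gus3 sketched and techiem2 debugged above, in POSIX sh: it spares the logout shell and its ancestors when killing the user's processes, and runs the unmount only when no other login session of the user remains. It assumes the placeholder user name, mount point and mapper name shown, the stage2 script copied to /tmp, and sudo rights for umount and cryptsetup as set up in Step 4.

```shell
#!/bin/sh
# Added example, not code from the thread. Logout-side teardown with the two
# bugs from the thread handled explicitly:
#   - pids_to_kill: every PID of the user except the logout shell itself and
#     its ancestors, so the teardown script survives its own kill;
#   - other_sessions: count the user's other login sessions, so the encrypted
#     /home is only torn down by the last logout.
# User name, mount point and mapper name below are placeholders.
USER_NAME=techiem2
HOME_MNT=/home/techiem2
MAPPER=home_techiem2

# $1: output of `ps -u USER -o pid=,ppid=,comm=`; $2: PID of the logout shell.
# Prints the PIDs to kill, space separated.
pids_to_kill() {
    ps_out=$1; cur=$2; spare=""
    # walk up the ancestry of the logout shell; those PIDs are spared
    while [ -n "$cur" ] && [ "$cur" != 1 ]; do
        spare="$spare $cur"
        cur=$(printf '%s\n' "$ps_out" | awk -v p="$cur" '$1 == p { print $2 }')
    done
    printf '%s\n' "$ps_out" | awk -v spare="$spare" '
        BEGIN { n = split(spare, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        !($1 in keep) { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# $1: output of `who`; $2: this session's tty (e.g. pts/0).
# Prints how many other sessions USER_NAME still has.
other_sessions() {
    printf '%s\n' "$1" | awk -v u="$USER_NAME" -v t="$2" \
        '$1 == u && $2 != t { n++ } END { print n + 0 }'
}

# Called from .bash_logout_stage2 (copied to /tmp first, as in the thread).
teardown_home() {
    [ "$(other_sessions "$(who)" "$(tty | sed 's#^/dev/##')")" -eq 0 ] || return 0
    cd /tmp || return 1                  # leave the mount point, or umount reports it busy
    sleep 5                              # let processes exit on their own first
    pids=$(pids_to_kill "$(ps -u "$USER_NAME" -o pid=,ppid=,comm=)" "$$")
    [ -n "$pids" ] && kill -9 $pids
    sudo umount "$HOME_MNT" && sudo cryptsetup luksClose "$MAPPER"
}
```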
