Revision as of 16:40, 12 May 2009 (Tuesday)
Source: https://help.ubuntu.com/community/EncryptedHomeDirectoryHowto
Encrypted Home Directory with EncFS and pam-encfs, with working X and Gnome
Should also work for KDE: edit /etc/pam.d/kdm instead of /etc/pam.d/gdm.
Adapted from http://www.ubuntu-eee.com/wiki/index.php5?title=Transparent_Encryption_for_home_folder
Tested under Ubuntu EEE 8.04.1 and Ubuntu 8.04.1.
Notes
- This uses pass-through filesystem encryption with EncFS. You don't need an encrypted partition, nor do you need to decide how large the encrypted portion should be. See http://www.arg0.net/encfsintro for a detailed explanation.
- I don't use ecryptfs because it can't encrypt filenames. This is unacceptable for me, as the filenames contain private information.
- I have been using EncFS for a long time now and I haven't hit a single problem.
- I use pam-encfs and not pam-mount because pam-mount had problems (I don't remember exactly which) with the FUSE EncFS mount.
- You must have a second account (root or sudo) handy to log into a console and fix things up.
Required packages
- encfs
- libpam-encfs (DO NOT INSTALL VIA APT if you are on Hardy: the package in the Hardy repos is broken, see https://bugs.launchpad.net/ubuntu/+source/libpam-encfs/+bug/205783 )
Install encfs from the Ubuntu repositories:
sudo aptitude install encfs
Install libpam-encfs from: http://ppa.launchpad.net/andrearatto/ubuntu/pool/main/libp/libpam-encfs/libpam-encfs_0.1.4.1-3~ppa1_i386.deb
/etc/security/pam_encfs.conf
The default pam_encfs.conf has a conflicting option that will cause your mounts to fail every time: allow_other is specified in fuse_default, and allow_root is set in the automatic encfs mount per user. These two options cannot be specified together! It looks like the EncFS Options and FUSE Options columns cannot be left empty, so I just use -v for EncFS (verbose output only) and allow_other for FUSE (you need either allow_other or allow_root for gdm to work). This is what it looks like for me, username jakob:
drop_permissions
encfs_default
fuse_default
#USERNAME SOURCE TARGET EncFS Options FUSE Options
jakob /home/jakob.encfs /home/jakob -v allow_other
/etc/fuse.conf
Uncomment or add the following line to /etc/fuse.conf so that the allow_other option in pam_encfs.conf can take effect.
user_allow_other
Make sure the user is in the group "fuse" as well, or else they won't be able to use FUSE mounts like EncFS.
/etc/pam.d/gdm
pam_encfs needs to be the first module because it doesn't take any "use_first_pass" options. Also, gdm creates a .Xauthority file in the home directory after pam_unix has run, so EncFS needs to be mounted before this happens. Insert "auth requisite pam_encfs.so" just before "@include common-auth". For me this file looks like this:
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth requisite pam_encfs.so
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
session required pam_limits.so
@include common-session
session optional pam_gnome_keyring.so auto_start
@include common-password
/etc/pam.d/login
(Optional) Edit /etc/pam.d/login like /etc/pam.d/gdm if you want the encrypted home to work even when logging in through the text mode console. WARNING: If you don't enable pam_encfs in /etc/pam.d/login you will still be able to log in. You will then get an empty home directory. Bash will create a file .bash_history that will prevent subsequent mounts of EncFS, because the mountpoint is no longer empty. You have to delete this file as root to fix this.
Create encrypted folder
- Log out and log in as a different user (sudo-enabled or root)
- Create necessary directories and set permissions (replace "jakob" with your username).
sudo -s
mv /home/jakob /home/jakob.original
mkdir /home/jakob.encfs /home/jakob
chown jakob:jakob /home/jakob /home/jakob.encfs
- Create encrypted folder
sudo -u jakob encfs /home/jakob.encfs /home/jakob
- Accept the default options, or tinker with the encryption settings. I just used the default security rather than paranoid mode because paranoid mode apparently doesn't support hard links.
- The password does not have to be the same as the login password.
- Copy your home folder contents into the encrypted folder
sudo -u jakob rsync -a --progress /home/jakob.original/ /home/jakob/
- Reboot
- You will be asked first for your EncFS password and then for your login password.
Your home folder should now be encrypted. If it works, log in and delete your jakob.original folder.
Known Issues
- The home directory is not unmounted at logout. While it's possible (see /usr/share/doc/libpam-encfs/README.gz), this caused a lot of trouble for me. Most of the time, unmounting won't work anyway because some Gnome apps take a long time to terminate and still have files open when the unmount should happen. Another thing I experienced is a Gnome app creating a file (saved_state) after encfs is unmounted (!). This file is created in the mountpoint, so the mountpoint becomes non-empty and subsequent logins will fail! You have to empty it again using a root shell to fix this.
- Upgrading to Intrepid will break the setup: https://bugs.launchpad.net/ubuntu/+source/encfs/+bug/234818
Workaround:
- Log in to another (unencrypted) sudo/root account
- Copy your home directory's contents to another (not encrypted) folder
- Upgrade to Intrepid
- Create a new EncFS volume and copy your home dir contents into it - see instructions above
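Several of the failure modes in this howto (allow_other combined with allow_root in pam_encfs.conf, a still-commented user_allow_other in /etc/fuse.conf, pam_encfs.so placed after "@include common-auth", and a stray .bash_history or saved_state making the mountpoint non-empty) can be caught before the next login locks you out. The POSIX sh script below is an added example, not part of the original howto or of libpam-encfs; it runs its checks against constructed copies of the config files in a temporary directory, and the same functions can be pointed at /etc/security/pam_encfs.conf, /etc/fuse.conf, /etc/pam.d/gdm (or kdm, login) and /home/<user> on a real system.

```sh
#!/bin/sh
# Added example (not from the howto or libpam-encfs): pre-login sanity checks
# for this setup. Each check takes the file or directory it inspects and
# returns 0 when it is fine, 1 (with a message) when it would break login.

# pam_encfs.conf: global fuse_default options are merged with the FUSE options
# (5th column) of every per-user line; allow_other and allow_root must not
# both end up in that merged list.
check_pam_encfs_conf() {
    awk '
      /^[ \t]*#/ || /^[ \t]*$/ { next }
      $1 == "fuse_default" { glob = $2; next }
      $1 == "drop_permissions" || $1 == "encfs_default" { next }
      NF >= 5 {
          opts = glob "," $5
          if (opts ~ /allow_other/ && opts ~ /allow_root/) {
              print "pam_encfs.conf: " $1 " mixes allow_other and allow_root (" opts ")"
              bad = 1
          }
      }
      END { exit bad + 0 }' "$1"
}

# /etc/fuse.conf: allow_other only takes effect once user_allow_other is set.
check_fuse_conf() {
    grep -q '^[[:space:]]*user_allow_other[[:space:]]*$' "$1" ||
        { echo "fuse.conf: user_allow_other is not enabled in $1"; return 1; }
}

# PAM stack (gdm, kdm or login): the pam_encfs.so auth line must come before
# "@include common-auth" so that it is the module that prompts for the password.
check_pam_order() {
    awk '
      /^[ \t]*#/ { next }
      $1 == "auth" && /pam_encfs\.so/ && !enc { enc = NR }
      /^@include[ \t]+common-auth/ && !inc { inc = NR }
      END {
          if (!enc) { print "pam: no auth line for pam_encfs.so"; exit 1 }
          if (!inc) { print "pam: no @include common-auth"; exit 1 }
          if (enc > inc) { print "pam: pam_encfs.so (line " enc ") is after common-auth (line " inc ")"; exit 1 }
      }' "$1"
}

# Mountpoint: EncFS will not mount over a non-empty directory, which is what a
# stray .bash_history or saved_state in /home/<user> causes.
check_mountpoint_empty() {
    [ -z "$(ls -A "$1")" ] || { echo "mountpoint $1 is not empty:"; ls -A "$1"; return 1; }
}

# Constructed fixtures (not real system files): a good and a bad copy of each
# file, written under the directory given as $1.
make_fixtures() {
    d="$1"
    mkdir -p "$d/home_ok" "$d/home_bad"
    : > "$d/home_bad/.bash_history"   # what a console login without pam_encfs leaves behind
    printf 'drop_permissions\nencfs_default\nfuse_default\n#USERNAME SOURCE TARGET EncFS FUSE\njakob /home/jakob.encfs /home/jakob -v allow_other\n' > "$d/pam_encfs_ok.conf"
    printf 'drop_permissions\nencfs_default\nfuse_default allow_other\njakob /home/jakob.encfs /home/jakob -v allow_root\n' > "$d/pam_encfs_bad.conf"
    printf '# /etc/fuse.conf\nuser_allow_other\n' > "$d/fuse_ok.conf"
    printf '# /etc/fuse.conf\n#user_allow_other\n' > "$d/fuse_bad.conf"
    printf '#%%PAM-1.0\nauth requisite pam_nologin.so\nauth requisite pam_encfs.so\n@include common-auth\n' > "$d/gdm_ok"
    printf '#%%PAM-1.0\nauth requisite pam_nologin.so\n@include common-auth\nauth requisite pam_encfs.so\n' > "$d/gdm_bad"
}

# Demo over the fixtures; on a real box call the check_* functions with the real paths.
tmp=$(mktemp -d) && make_fixtures "$tmp"
report() { "$1" "$tmp/$2" && echo "$2: ok" || echo "$2: FAIL"; }
report check_pam_encfs_conf pam_encfs_ok.conf
report check_pam_encfs_conf pam_encfs_bad.conf
report check_fuse_conf fuse_ok.conf
report check_fuse_conf fuse_bad.conf
report check_pam_order gdm_ok
report check_pam_order gdm_bad
report check_mountpoint_empty home_ok
report check_mountpoint_empty home_bad
rm -rf "$tmp"
```

Run the mountpoint check from the second (unencrypted) account whenever a login fails after a console session or a Gnome logout; it names the stray entries that have to be removed before pam_encfs can mount again.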