-=HOME-CRYPT-HOWTO=-

In this HOWTO I give a short hands-on description of how to set up a user with an encrypted home directory under Linux. For questions and comments please contact me at home-crypt@eckner.org.

==> patch util-linux:

--> copy the archive to /usr/src/:

laura:~ # cp util-linux-2.11n.tar.bz2 /usr/src/
laura:~ # cp util-linux-2.11n.patch.bz2 /usr/src/
laura:~ # cd /usr/src

--> untar the archive:

laura:/usr/src # tar xvjf util-linux-2.11n.tar.bz2
laura:/usr/src # cd util-linux-2.11n

--> Apply the crypto patch to util-linux:

laura:/usr/src/util-linux-2.11n # cp ../util-linux-2.11n.patch.bz2 .
laura:/usr/src/util-linux-2.11n # bunzip2 util-linux-2.11n.patch.bz2
laura:/usr/src/util-linux-2.11n # patch -p1 < util-linux-2.11n.patch
patching file MCONFIG
patching file mount/Makefile
patching file mount/lomount.c
patching file mount/lomount.h
patching file mount/losetup.8
patching file mount/mount.8
patching file mount/mount.8~
patching file mount/mount.c
patching file mount/rmd160.c
patching file mount/rmd160.h
patching file mount/sundries.c

--> configure util-linux:

laura:/usr/src/util-linux-2.11n # vi MCONFIG

--> install util-linux:

laura:/usr/src/util-linux-2.11n # ./configure && make && make install

==> patch the kernel (2.4.17):

--> copy the archive and the patches to /usr/src/:

laura:~ # cp linux-2.4.17.tar.bz2 /usr/src/
laura:~ # cp patch-int-2.4.17.0.bz2 /usr/src/
laura:~ # cp loop-jari-2.4.16.0.patch.bz2 /usr/src/

--> untar the kernel:

laura:/usr/src # tar xvjf linux-2.4.17.tar.bz2
laura:/usr/src # mv linux linux-2.4.17-crypto
laura:/usr/src # ln -s linux-2.4.17-crypto linux
laura:/usr/src # cd linux

--> Apply the crypto patches:

laura:/usr/src/linux # cp ../patch-int-2.4.17.0.bz2 .
laura:/usr/src/linux # cp ../loop-jari-2.4.16.0.patch.bz2 .
laura:/usr/src/linux # bunzip2 patch-int-2.4.17.0.bz2
laura:/usr/src/linux # bunzip2 loop-jari-2.4.16.0.patch.bz2
laura:/usr/src/linux # patch -p1 < patch-int-2.4.17.0
patching file crypto/Config.in
<--snip-->
patching file include/linux/wordops.h
laura:/usr/src/linux # patch -p1 < loop-jari-2.4.16.0.patch
patching file drivers/block/loop.c
Hunk #17 succeeded at 637 (offset 2 lines).
Hunk #18 succeeded at 765 with fuzz 2 (offset 2 lines).
Hunk #19 succeeded at 806 (offset 6 lines).
Hunk #20 succeeded at 827 (offset 6 lines).
Hunk #21 succeeded at 892 (offset 6 lines).
Hunk #22 succeeded at 1049 (offset 6 lines).
Hunk #23 succeeded at 1064 (offset 6 lines).
Hunk #24 succeeded at 1072 (offset 6 lines).
Hunk #25 succeeded at 1087 (offset 6 lines).
Hunk #26 succeeded at 1177 (offset 6 lines).
Hunk #27 succeeded at 1188 (offset 6 lines).
patching file include/linux/loop.h

--> Configure the kernel:

laura:/usr/src/linux # make menuconfig

    Block devices --->
        <*> Loopback device support
    Cryptography support (CryptoAPI) --->
        <*> CryptoAPI support
        <*> Crypto Ciphers
            <*> AES (aka Rijndael) cipher   (or whatever cipher you prefer)

--> build your kernel:

laura:/usr/src/linux # make dep clean bzImage modules modules_install
gcc -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -o scripts/mkdep scripts/mkdep.c
<-- snip -->

--> install the new kernel:

laura:/usr/src/linux # mv arch/i386/boot/bzImage /boot/vmlinuz-2.4.17
laura:/usr/src/linux # mv System.map /boot/System.map-2.4.17
laura:/usr/src/linux # cp .config /boot/config-2.4.17

--> Tell lilo to boot the new kernel:

laura:/usr/src/linux # vi /etc/lilo.conf
laura:/usr/src/linux # lilo -v
LILO version 22.2, Copyright (C) 1992-1998 Werner Almesberger
<--snip-->
Writing boot sector.

--> reboot:

laura:/usr/src/linux # /sbin/shutdown -r now

--> add a new user:

laura:~ # adduser foo
Adding user foo...
Adding new group foo (1004).
Adding new user foo (1004) with group foo.
Creating home directory /home/foo.
Copying files from /etc/skel
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for foo
Enter the new value, or press return for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [y/n] y

--> produce a large file (1024*20480=20MB) in /home/img/:

laura:~ # mkdir /home/img
laura:~ # cd /home/img
laura:/home/img # dd if=/dev/zero of=foo bs=1024 count=20480
20480+0 records in
20480+0 records out
laura:/home/img # chmod 600 /home/img/foo

--> encrypt the file with AES, 256 bit key length:

laura:/home/img # losetup -e aes /dev/loop0 /home/img/foo
Available keysizes (bits): 128 192 256
Keysize: 256
Password:

--> produce ext3 on the encrypted image:

laura:/home/img # mke2fs -j /dev/loop0
mke2fs 1.26 (3-Feb-2002)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
5136 inodes, 20480 blocks
1024 blocks (5.00%) reserved for the super user
First data block=1
3 block groups
8192 blocks per group, 8192 fragments per group
1712 inodes per group
Superblock backups stored on blocks:
        8193

Writing inode tables: done
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
laura:/home/img # losetup -d /dev/loop0

--> add the following to your /etc/fstab, so that user foo is able to mount his $HOME:

laura:/home/img # echo '/home/img/foo /home/foo ext3 noauto,user,rw,exec,encryption=aes,keybits=256' >> /etc/fstab

--> Remove unnecessary files from the user's $HOME:

laura:/home/img # rm /home/foo/.*

--> Tell your login shell to mount the encrypted image at login:

--> bash:

laura:/home/img # echo 'mount $HOME && cd && /bin/bash' >> /home/foo/.bash_login

--> zsh:

laura:/home/img # echo 'mount $HOME && cd && /usr/bin/zsh' >> /home/foo/.zlogin

--> set the correct permissions:

laura:/home/img # chown foo:foo /home/foo/.bash_login   (resp. /home/foo/.zlogin)
laura:/home/img # chmod 700 /home/foo
laura:/home/img # exit

--> Login as user foo:

Debian GNU/Linux 3.0 laura tty2

login: foo
Password:
Linux laura 2.4.17 #9 Fri Feb 8 12:48:34 CET 2002 i686 unknown
<--snip-->
Password:
kjournald starting.  Commit interval 5 seconds
EXT3 FS 2.4-0.9.16, 02 Dec 2001 on loop(7,0), internal journal
EXT3-fs: mounted filesystem with ordered data mode.

--> Did it work?

foo@laura:~$ mount
<--snip-->
/home/img/foo on /home/foo type ext3 (rw,nosuid,nodev,loop=/dev/loop0,encryption=aes,keybits=256,user=foo)
foo@laura:~$ su -
Password:

--> Copy startup files from /etc/skel to /home/foo (which is now mounted):

laura:~ # cp /etc/skel/.* /home/foo

--> To be sure, correct the permissions once more:

laura:~ # chown -R foo:foo /home/foo
laura:~ # chmod 700 /home/foo
laura:~ # exit

--> Tell your login shell to unmount your $HOME when logging out:

--> bash:

foo@laura:~$ echo 'cd / && exec /bin/umount $HOME' >> ~/.bash_logout

--> zsh:

foo@laura:~$ echo 'cd / && exec /bin/umount $HOME' >> ~/.zlogout
foo@laura:~$ exit
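The login hook above runs `mount $HOME && cd && /bin/bash` and trusts that whatever got mounted is the encrypted image. The following script is an added example, not part of the HOWTO: it contains the checks a login hook (or an admin) can run to verify the setup the HOWTO creates, namely that /etc/fstab carries the user-mountable entry with encryption= and keybits= set, that the image and mountpoint keep the 600/700 modes the HOWTO sets, and that the line `mount` prints for $HOME really comes from a loop device with encryption enabled. The fstab contents and `mount` output at the bottom are constructed samples modelled on the HOWTO's transcript; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the HOWTO): verification helpers for a loop-crypto
# home directory set up as described above (image in /home/img, mountpoint
# /home/<user>, fstab options ...,user,...,encryption=<cipher>,keybits=<n>).

# Does FSTAB contain a line mounting IMAGE on MOUNTPOINT with the options the
# HOWTO relies on (user, encryption=..., keybits=...)?  0 = yes, 1 = no.
fstab_has_crypt_entry() {
    fstab=$1 image=$2 mountpoint=$3
    awk -v img="$image" -v mp="$mountpoint" '
        /^[ \t]*#/ { next }                      # skip comments
        $1 == img && $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "user")              u = 1
                if (opt[i] ~ /^encryption=./)      e = 1
                if (opt[i] ~ /^keybits=[0-9]+$/)   k = 1
            }
            if (u && e && k) found = 1
        }
        END { exit found ? 0 : 1 }' "$fstab"
}

# Read the output of `mount` on stdin and report whether MOUNTPOINT is mounted
# via a loop device with encryption enabled (the "Did it work?" line of the
# HOWTO).  0 = encrypted loop mount, 1 = not mounted or not encrypted.
mount_is_encrypted() {
    mountpoint=$1
    awk -v mp="$mountpoint" '
        $2 == "on" && $3 == mp && $4 == "type" {
            opts = $6; gsub(/[()]/, "", opts)     # strip the parentheses
            n = split(opts, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^loop=\/dev\/loop[0-9]+$/) l = 1
                if (opt[i] ~ /^encryption=./)             e = 1
            }
            if (l && e) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# The HOWTO sets the image to 600 and the mountpoint to 700; anything looser
# exposes the ciphertext or the mounted plaintext to other local users.
# Uses `ls -ld` so it does not depend on a particular stat(1) flavour.
perms_ok() {
    image=$1 home=$2
    imode=$(ls -ld "$image" | cut -c1-10)
    hmode=$(ls -ld "$home"  | cut -c1-10)
    [ "$imode" = "-rw-------" ] && [ "$hmode" = "drwx------" ]
}

# A stricter replacement for the bare `mount $HOME` in .bash_login: mount,
# then refuse to continue if $HOME is not an encrypted loop mount.
# Only meaningful on a real system; kept as a function so sourcing this file
# does not try to mount anything.
login_home_check() {
    home=${1:-$HOME}
    mount "$home" || { echo "mount of $home failed" >&2; return 1; }
    mount | mount_is_encrypted "$home" || {
        echo "$home is mounted, but not through an encrypted loop device" >&2
        umount "$home"
        return 1
    }
}

# Constructed sample data for a stand-alone run (not real system files).
SAMPLE_FSTAB='/dev/hda1 / ext3 defaults 1 1
/home/img/foo /home/foo ext3 noauto,user,rw,exec,encryption=aes,keybits=256
/home/img/bar /home/bar ext3 noauto,user,rw,exec'
SAMPLE_MOUNT='/dev/hda1 on / type ext3 (rw)
/home/img/foo on /home/foo type ext3 (rw,nosuid,nodev,loop=/dev/loop0,encryption=aes,keybits=256,user=foo)
/home/img/bar on /home/bar type ext3 (rw,nosuid,nodev,loop=/dev/loop1,user=bar)'

demo() {
    t=$(mktemp -d); printf '%s\n' "$SAMPLE_FSTAB" > "$t/fstab"
    for u in foo bar; do
        if fstab_has_crypt_entry "$t/fstab" /home/img/$u /home/$u; then
            echo "fstab: /home/$u has an encrypted entry"
        else
            echo "fstab: /home/$u has NO encrypted entry"
        fi
        if printf '%s\n' "$SAMPLE_MOUNT" | mount_is_encrypted /home/$u; then
            echo "mount: /home/$u is an encrypted loop mount"
        else
            echo "mount: /home/$u is NOT an encrypted loop mount"
        fi
    done
    rm -rf "$t"
}
demo
```

In the sample data user bar has a plain loop-mounted image without `encryption=`, so the checks report foo as encrypted and bar as not; the same two functions can be pointed at the real /etc/fstab and live `mount` output.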