The Asus Eee PC is sufficiently small and portable that it is easy to take with you when you’re out and about, which also increases the risk of it getting lost or stolen. The data on the Eee may be more valuable than the computer itself, so I wanted to set up my Home directory with encryption using LUKS and PAM-MOUNT. After many failed attempts to get this working it turns out that it need not have been so difficult.
Hopefully these simple instructions should help others that want to encrypt their home partition with Ubuntu. These instructions are based on my 701 4G running Ubuntu-Eee. However, I am now running Eeebuntu 2 and have also tested these instructions with this distro:
1 – Install Luks & Pam-Mount by typing the following at the Terminal:
apt-get install cryptsetup libpam-mount
2 – Insert a blank SD card into the internal card reader… I found SanDisk Ultra 4GB SDHC class 4 to be the most reliable card in this temperamental card reader.
3 – Edit /etc/security/pam_mount.conf.xml (I used sudo gedit to do this). Insert the following line in the “volume” section of the document (replace username with your username)
<volume user="username" fstype="crypt" path="/dev/sdb1" mountpoint="/home/username" />
4 – If this is a clean libpam-mount install then add the following line to the start of the /etc/pam.d/common-auth file:
auth optional pam_mount.so use_first_pass
NB – the use_first_pass keyword can be omitted with Ubuntu 9.04 as it appears that this keyword has been removed from pam-mount.
5 – Then add the following line to the /etc/pam.d/common-session file:
session optional pam_mount.so
6 – Reboot and use GRUB to enter recovery mode, drop to terminal as root when given the option and then make the remaining changes from this location. Alternatively you could use sudo to run a lot of this whilst logged in as the user.
7 – In the terminal move your existing user’s home folder to a temporary location (replace username with your user’s account name)
mv /home/username /home/username.original
8 – Create a new empty home folder for the user for use as a mount point of the encrypted drive:
mkdir /home/username
9 – Set ownership of the new home:
chown username.username /home/username
10 – Create the encrypted volume
cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sdb1
11 – Open the encrypted volume
cryptsetup luksOpen /dev/sdb1 chome
12 – Create the file system on the opened mapping (not on /dev/sdb1 itself, which would overwrite the LUKS header)
mkfs.reiserfs /dev/mapper/chome
13 – Mount the filesystem to the user’s home (or any other location you wish) and then copy the files from username.original into the encrypted home:
mount /dev/mapper/chome /home/username
cp -a /home/username.original/. /home/username/
14 – Close the volume (unmount it first, and close it by its mapping name)
umount /home/username
cryptsetup luksClose chome
15 – Reboot Eee PC and log in as normal. If you get errors about permissions on then repeat step 11 and then type chown username.username /dev/mapper/chome and then try again.
If using Ubuntu-eee, USB_PERSIST is not fully configured, so if you suspend the Eee PC it will lose its connection to home on the SD card when it is woken up again. On Eeebuntu 2 this issue does not occur and suspend works as you would expect.
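A check to run on the files from steps 3 to 5 before the reboot in step 15, as an added example that is not part of the original instructions: it confirms that the pam_mount volume entry uses plain ASCII quotes and that both PAM lines are active. The helper names, the user alice and the sample files are constructed for illustration, and each volume entry is assumed to sit on one line as in step 3.

```shell
#!/bin/sh
# Added example: checks for steps 3-5 before the reboot in step 15.
# Helper names and the sample files are constructed for illustration.
# Assumes each <volume .../> entry sits on one line, as in step 3.

volume_lines() {  # print USER's <volume> entries from FILE
    grep '<volume ' "$1" | grep -F "user=\"$2\""
}

volume_attr() {  # FILE USER ATTR: print ATTR of USER's first <volume> entry
    volume_lines "$1" "$2" |
        sed -n "s/.*[[:space:]]$3=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

check_volume_entry() {  # FILE USER
    # Curly quotes pasted from a web page do not delimit XML attributes.
    if grep '<volume ' "$1" | grep -qF -e '“' -e '”'; then
        echo "FAIL: curly quotes in a <volume> entry of $1" >&2; return 1
    fi
    [ "$(volume_attr "$1" "$2" fstype)" = crypt ] &&
        [ "$(volume_attr "$1" "$2" mountpoint)" = "/home/$2" ] ||
        { echo "FAIL: no crypt volume mounted on /home/$2 in $1" >&2; return 1; }
}

check_pam_line() {  # FILE TYPE: an uncommented "TYPE ... pam_mount.so" line
    grep -Eq "^[[:space:]]*$2[[:space:]]+[^#]*pam_mount\.so" "$1" ||
        { echo "FAIL: no active $2 pam_mount.so line in $1" >&2; return 1; }
}

preflight() {  # CONF AUTH_FILE SESSION_FILE USER
    check_volume_entry "$1" "$4" && check_pam_line "$2" auth &&
        check_pam_line "$3" session
}

# Constructed sample files standing in for the real ones under /etc.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '<volume user="alice" fstype="crypt" path="/dev/sdb1" mountpoint="/home/alice" />' > "$tmp/good.xml"
printf '%s\n' '<volume user=“alice” fstype=“crypt” path=“/dev/sdb1” mountpoint=“/home/alice” />' > "$tmp/curly.xml"
printf '%s\n' 'auth optional pam_mount.so use_first_pass' > "$tmp/common-auth"
printf '%s\n' '# session optional pam_mount.so' > "$tmp/session-off"
printf '%s\n' 'session optional pam_mount.so' > "$tmp/common-session"

for pair in "good.xml common-session" "curly.xml common-session" "good.xml session-off"; do
    set -- $pair
    if preflight "$tmp/$1" "$tmp/common-auth" "$tmp/$2" alice
    then echo "$1 + $2: ok"; else echo "$1 + $2: home would not mount"; fi
done
```

On the real system, pass /etc/security/pam_mount.conf.xml, /etc/pam.d/common-auth and /etc/pam.d/common-session to preflight; running cryptsetup isLuks /dev/sdb1 as root additionally confirms that the card carries a LUKS header.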