Encrypted Home

From UbuntuPhone
Jump to navigation Jump to search

Create an encrypted /home/user/ directory, this needs some additional packages to be installed, see Install Packages, set the wanted username as an environmental variable first:

sudo -i
export NEWUSER="username"

Create a file to use as a disk (set the size as required, it is 1G in this example) and encrypt and format it:

fallocate -l 1G /home/$NEWUSER.img
cryptsetup luksFormat /home/$NEWUSER.img
cryptsetup luksOpen /home/$NEWUSER.img $NEWUSER
mkfs.ext4 /dev/mapper/$NEWUSER
mkdir /home/$NEWUSER
mount /dev/mapper/$NEWUSER /home/$NEWUSER

Add the new user and add them to the sudo group:

adduser --disabled-password $NEWUSER
addgroup $NEWUSER
usermod -a -G sudo $NEWUSER

After doing the above you can su to the new user:


And you now have a user account with an encrypted filesystem.

You can add the following to /home/phablet/.bash_aliases for mounting the disk in future (change $NEWUSER to your username first!):

alias mnt-$NEWUSER='sudo cryptsetup luksOpen /home/$NEWUSER.img $NEWUSER; sudo e2fsck /dev/mapper/$NEWUSER ; sudo mount /dev/mapper/$NEWUSER /home/$NEWUSER'

Random encrypted ~/tmp/

If you would like a ~/tmp/ directory which is randomly encrypted and therefore impossible to decrypt after the device has been power cycled then you can create /home/phablet/bin/mktmpfs as follows:


if [[ $1 ]]; then
  echo "Please supply a username for the temp partition"

umount /home/$USER/tmp
cryptsetup luksClose $USER-tmp

RANDOM_FILE=/tmp/$(pwgen -n 12)
chmod 600 $RANDOM_FILE
echo $(pwgen -n 128) > $RANDOM_FILE

dd if=/dev/urandom of=/home/$USER.tmp.img iflag=fullblock bs=1M count=6
#fallocate -l 10M /home/$USER.tmp.img 
chmod 700 /home/$USER.tmp.img
cryptsetup luksFormat /home/$USER.tmp.img $RANDOM_FILE
cryptsetup luksOpen /home/$USER.tmp.img $USER-tmp --key-file $RANDOM_FILE
mkfs.ext2 /dev/mapper/$USER-tmp
mount /dev/mapper/$USER-tmp /home/$USER/tmp
chmod 700 /home/$USER/tmp
chown -R $USER:$USER /home/$USER/tmp

And then run it as the phablet user:

sudo bash ~/bin/mktmpfs USER