Securing your laptop

I assume that you store things on your laptop that you do not want other people to read. Especially, you may store important accounting information about your bank etc in cache files or config files. A laptop is also more probable to be stolen than a normal desktop machine. Therfore you may want to encrypt your home directory and swap partition. Ideally you encrypt everything except /boot.

There is a good how to in the Ubuntu wiki. It explains how to to things in a breath perspective. I followed those instructions and complemented with usages of pam_mount. The pam_mount module automatically mounts your encrypted home directory when you login and uses your password as the encryption key.

Encrypting the swap is straight forward from the wiki, therefore I will not write more about it here.

To encrypt your home directory you have to do some extra things, that may not be too easy to read from the wiki. I will try to point out things I think might need to be clarified.
I use LVM to handle my harddisk, so I created a logical volume (partition) for my user called magru:
sudo lvcreate -L 20G -n magru /dev/Ubuntu/
Change the value of -L to the size you want your home directory to be, I wanted 20 Gigabyte. The device node for my logical volume is /dev/mapper/Ubuntu-magru.

Run cryptsetup on this device node:
sudo cryptsetup -y create magru-crypt /dev/mapper/Ubuntu-magru
The command will ask you for a password, use the same password as for login. Otherwise pam_mount will not work. cryptsetup gives you a new device called /dev/mapper/magru-crypt.

Create a file system on your encrypted device. The how to uses reiserfs, but I prefers ext3:
sudo mkfs.ext3 /dev/mapper/magru-crypt
sudo tune2fs -c 0 -i 0 /dev/mapper/magru-crypt
I use tune2fs to configure my file system so I do not do any file system checks. checks on the file system is not necessary on ext3 since you have a journal.

Mount your encrypted filesystem under /mnt:
sudo mount /dev/mapper/magru-crypt /mnt

Copy everything in your home directory including hidden dot-files to /mnt. Then unmount /mnt.

Now we want that our home directory is automagically mounted when we logging in. First you have to install libpam-mount from universe using Synaptic.
Then add a line in /etc/security/pam_mount.conf below the comments about "Linux encrypted home directory examples, using dm_crypt" that look like this:
volume magru crypt - /dev/mapper/Ubuntu-magru /home/magru nodev,nosuid - -

Change magru to your own user name. Not that the path to the device shall be to the raw encrypted device, and not to the device you used above to mount under /mnt.

Remove all the files in your home directory under /home. Note that it is VERY good to have a backup, if something goes wrong. Verify that you are the owner of your home directory, GDM will otherwise complain.

Replace the word optional on the two last lines in your /etc/common-pammount to required. Add last in the two files /etc/pam.d/gdm and /etc/pam.d/login the line:
@include common-pammount

If you have an ssh-server installed, add the same line last in /etc/pam.d/ssh.

Some final notes
  • A draw back with pam_mount is that your home directory is not unmounted when you are logging out.
  • You are still vulnerable when you are logged in, or if some one succeed to get your password.
  • Some important information may be stored in /etc or in /var, and these are not encrypted. For instance ESSID and WEP-keys for wireless connection are stored in /etc, and if you accidentally enter your password instead of your user name the password will be stored in /var/log/auth.log.
  • If you think someone has got access to your password, change it.
  • Always handle your security updates properly.

Comments

Hans Persson said…
Since you say that you are still vulnerable if you are logged in, does that mean that this is (more or less) meaningless if you just suspended your laptop before you lost it (instead of shutting it down)?

I don't log out from my laptop just because I want to lug it somewhere; I just suspend it. On the other hand I haven't encrypted anything either so it's really a moot point, but still an interesting question.
December 30, 2006 at 7:24 PM
Magnus Runesson said…
Yes and no. If you have to provide your password to get back to your desktop/login, then you are pretty safe. If you don't have to give your password, then you are unsafe.
This, of course, assumes that you do not have any vulnerabilities that provide exploits that makes your computers file system accessible without login in to an account.

So if you have to give password after suspend and regularly update your computer, encryption is not useless.
December 30, 2006 at 8:03 PM
Post a Comment

Popular posts from this blog

Circles in PostGIS

Image
OGC and PostGIS has no data type to represent a circle. Instead one use ST_Buffer(geom, distance) to get a geometry that covers the area within the distance to geom . So if geom is a point you get a circle. But it does not return an exact circle. The circle is approximated represented by a polygon using eight points. One can increase the precission by adding a third argument to ST_buffer that is the number of points in the polygon returned. The unit for distance depends on what SRID is used. But what if you have a geometry that you know is a circle created with the method above? There is no exact method as far as I know, but her comes a good approximation. First we want the origo of the circle. ST_Centroid(geom) comes to handy. It returns the centeroid point of the geometry, in this case the origo of the circle. To get the radius we pick out the first point in the polygon returned by ST_Buffer with PointN(ExteriorRing(geom),1) . We need to call ExteriorRing to get the polygon of
Read more

Create your own CA with TinyCA2 (part 1)

Image
A Certificate Authorities (CA) issues certificates to people and organization that gives us the possibility to know that we surf to the right web site and not a phising site. This concept can be nice to use on your private sites too, but you may not want to spend a lot of money to get a certificate for your site. Most common when one installs a web-mail server at home is using a self signed certificate. When one surf to the web-mail server from a friends computer one can not be sure that nobody listens to the traffic if one not verifies the signature of the self signed certificate. Maybe an easier and definitely a more scalable solution to this is to create ones own CA structure. When we are ready with this how to you will have installed a certificate on your web server, installed the root certificate into your Firefox, and you will have the root certificate stored on a USB-memory stick. First time you want to read your mail from a friends computer you install the root certificate f
Read more

Create your own CA with TinyCA2 (part 2)

Image
In part one of this series we created a root CA, a sub-CA and a certificate for our web site All certificates are stored in TinyCA2 s configuration. In this part we will: export the root CA:s certificate import the root CA:s certificate into Firefox export the certificate for the web site configure our web server to use the web site certificate To be able to import the root CA certificate to Firefox we must export it from TinyCA2. In the main window of TinyCA2, open the CA-menu and select Open CA. Select your root CA. Select Export CA Certificate in the toolbar, which is the second icon from the right. You may change the file name. Press Save when ready. Start Firefox, select the Edit-menu and Preferences. Click the Advanced icon and then the Encryption tab. Select View certificates and then the Authorities tab. You can see all the CA:s you trust. Click Import and select the file with your exported root certificate. You can in the Downloading Certificate window control what purpo
Read more