Saturday, December 30, 2006

Securing your laptop

I assume that you store things on your laptop that you do not want other people to read. In particular, important accounting information about your bank, etc. may end up in cache files or config files. A laptop is also more likely to be stolen than a normal desktop machine. Therefore you may want to encrypt your home directory and swap partition. Ideally you encrypt everything except /boot.

There is a good how-to in the Ubuntu wiki. It explains how to do things from a broad perspective. I followed those instructions and complemented them with pam_mount. The pam_mount module automatically mounts your encrypted home directory when you log in and uses your password as the encryption key.

Encrypting the swap is straightforward if you follow the wiki, so I will not write more about it here.

To encrypt your home directory you have to do some extra things that may not be easy to pick out from the wiki. I will try to point out the things I think need to be clarified.
I use LVM to manage my hard disk, so I created a logical volume (partition) for my user, called magru:
sudo lvcreate -L 20G -n magru /dev/Ubuntu/
Change the value of -L to the size you want your home directory to be; I wanted 20 gigabytes. The device node for my logical volume is /dev/mapper/Ubuntu-magru.

Run cryptsetup on this device node:
sudo cryptsetup -y create magru-crypt /dev/mapper/Ubuntu-magru
The command will ask you for a password. Use the same password as for login, otherwise pam_mount will not work. cryptsetup gives you a new device called /dev/mapper/magru-crypt.

Create a file system on your encrypted device. The how-to uses reiserfs, but I prefer ext3:
sudo mkfs.ext3 /dev/mapper/magru-crypt
sudo tune2fs -c 0 -i 0 /dev/mapper/magru-crypt
I use tune2fs to configure my file system so that the periodic file system checks are not run. Checks on the file system are not necessary on ext3 since you have a journal.

Mount your encrypted filesystem under /mnt:
sudo mount /dev/mapper/magru-crypt /mnt

Copy everything in your home directory including hidden dot-files to /mnt. Then unmount /mnt.

Now we want our home directory to be automagically mounted when we log in. First you have to install libpam-mount from universe using Synaptic.
Then add a line in /etc/security/pam_mount.conf, below the comments about "Linux encrypted home directory examples, using dm_crypt", that looks like this:
volume magru crypt - /dev/mapper/Ubuntu-magru /home/magru nodev,nosuid - -

Change magru to your own user name. Note that the path to the device must be the raw encrypted device (/dev/mapper/Ubuntu-magru), not the device you used above to mount under /mnt (/dev/mapper/magru-crypt).

Remove all the files in your home directory under /home. Note that it is VERY good to have a backup in case something goes wrong. Verify that you are the owner of your home directory, otherwise GDM will complain.

Change the word optional to required on the last two lines of your /etc/common-pammount. Then add the following line at the end of both /etc/pam.d/gdm and /etc/pam.d/login:
@include common-pammount

If you have an ssh-server installed, add the same line last in /etc/pam.d/ssh.
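
One way to check the result of the steps above before you log out, as an added example that is not part of the original post: it verifies that the volume line names the raw encrypted device with nodev,nosuid and that the PAM files were edited as described. The function names, the constructed sample file contents and the choice to pass every path as an argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the pam_mount setup above.
# Every path is an argument, so it can be run against copies of the files.

# check_volume CONF USER MAPPED_DEV: the "volume USER crypt" line must name the
# raw encrypted device, not the decrypted MAPPED_DEV, and keep nodev,nosuid.
check_volume() {
    awk -v u="$2" -v mapped="$3" '
        $1 == "volume" && $2 == u && $3 == "crypt" {
            found = 1
            if ($5 == mapped) { print "device is the decrypted mapping: " $5; bad = 1 }
            if ($7 !~ /(^|,)nodev(,|$)/)  { print "options lack nodev";  bad = 1 }
            if ($7 !~ /(^|,)nosuid(,|$)/) { print "options lack nosuid"; bad = 1 }
        }
        END {
            if (!found) { print "no crypt volume line for " u; bad = 1 }
            exit bad + 0
        }' "$1"
}

# check_pam_stack COMMON SERVICE...: COMMON must not leave pam_mount "optional",
# and each SERVICE file must end with "@include common-pammount".
check_pam_stack() {
    common=$1; shift; rc=0
    if grep -Eq '^[^#]*optional[[:space:]]+pam_mount' "$common"; then
        echo "$common: pam_mount is still optional"; rc=1
    fi
    for f in "$@"; do
        last=$(grep -v '^[[:space:]]*$' "$f" | tail -n 1)
        [ "$last" = "@include common-pammount" ] ||
            { echo "$f: last line is not the include"; rc=1; }
    done
    return $rc
}

# Constructed sample files modelled on the steps in this post.
make_sample() {
    printf '%s\n' '# Linux encrypted home directory examples, using dm_crypt' \
        'volume magru crypt - /dev/mapper/Ubuntu-magru /home/magru nodev,nosuid - -' > "$1/pam_mount.conf"
    printf '%s\n' 'auth required pam_mount.so use_first_pass' \
        'session required pam_mount.so' > "$1/common-pammount"
    printf '%s\n' '@include common-auth' '@include common-pammount' > "$1/gdm"
    printf '%s\n' '@include common-auth' '@include common-pammount' '' > "$1/login"
}

d=$(mktemp -d) && make_sample "$d"
check_volume "$d/pam_mount.conf" magru /dev/mapper/magru-crypt &&
    check_pam_stack "$d/common-pammount" "$d/gdm" "$d/login" && echo "setup looks consistent"
rm -rf "$d"
```

To audit a real system, pass the paths of your own pam_mount.conf, common-pammount and PAM service files instead of the sample directory.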

Some final notes

  • A drawback of pam_mount is that your home directory is not unmounted when you log out.
  • You are still vulnerable while you are logged in, or if someone manages to get your password.
  • Some important information may be stored in /etc or in /var, and these are not encrypted. For instance, the ESSID and WEP keys for wireless connections are stored in /etc, and if you accidentally enter your password instead of your user name, the password will be stored in /var/log/auth.log.
  • If you think someone has got access to your password, change it.
  • Always handle your security updates properly.

2 comments:

Hans Persson said...

Since you say that you are still vulnerable if you are logged in, does that mean that this is (more or less) meaningless if you just suspended your laptop before you lost it (instead of shutting it down)?

I don't log out from my laptop just because I want to lug it somewhere; I just suspend it. On the other hand I haven't encrypted anything either so it's really a moot point, but still an interesting question.

Magnus Runesson said...

Yes and no. If you have to provide your password to get back to your desktop/login, then you are pretty safe. If you don't have to give your password, then you are unsafe.
This, of course, assumes that you do not have any vulnerabilities that provide exploits that make your computer's file system accessible without logging in to an account.

So if you have to give a password after suspend and regularly update your computer, encryption is not useless.