User Tools

Site Tools


How to set up an auto-mounted keyfile based luks partition for your home directory

Anyone that carries confidential data around on their laptop has probably considered encryption at some point or other.

However, the typical methods seem to generally entail either manual mounting of your encrypted volume (a pain) or volumes that automount when you login based on your login information (not exactly secure as anyone who forces you to login will have access).

So what I have done is to set up an encrypted volume that mounts using a keyfile that is stored on my flash drive.

The volume will automatically mount when I login IF the flash drive with the keyfile on it is plugged in.

If not, the volume will fail to mount and I will be logged in with a standard non-encrypted home directory (that obviously should not have any sensitive data stored on it).

The volume could still be mounted manually using the password if desired.

Obviously there are other ways to do this, but this works for me. :)

So here we go:

Step 1: Setup your flash drive to have a static device so you can work with it more easily.

First off, plug in your flash drive.

Once the device settles (check dmesg), run (with the path to your flash drive's partition of course):

udevinfo -p /sys/block/sdd/sdd1 -a > ~/flashdrive.txt

Now open up the text file to view the information about your drive.

Somewhere in the output you should see a section like the following:

looking at parent device '/devices/pci0000:00/0000:00:02.1/usb1/1-6':
    ATTRS{bNumInterfaces}==" 1"
    ATTRS{bMaxPower}==" 98mA"
    ATTRS{version}==" 2.00"
    ATTRS{product}=="USB Mass Storage Device"

The last line with the serial number is the one we care about.

Copy that line somewhere and then open up a udev rules file.

I use /etc/udev/rules.d/10-local.rules for my local rules to be processed before the other udev rules.

Add the following to your rules file:

KERNEL=="sd*", ATTRS{serial}=="YourDeviceSerial", SYMLINK+="YourDesiredDevName"

Now udev should create /dev/YourDesiredDevName when the flash drive is plugged in (you may have to restart udevd for this to take effect)

Step 2: Setup autofs to automount your flash drive somewhere

I know this could be done differently, or manually, but I've come to really like autofs. :)

In your /etc/autofs/auto.fs files (or wherever you define your mounts) add:

YourDesiredMountName     -fstype=vfat     :/dev/YourDesiredDevName

This next step may or may not be required, but I do it to make my life easier.

Supposedly autofs can create ghost directories for the mount points so the directories will always show up, but it has never worked for me.

To make my life easier, I have a /fs directory that contains symlinks to the actual autofs mount directories.

This gives me a nice easy way to access the mounts and to make autofs mount them on demand.

ln -sf /mnt/auto/YourDesiredMountName /fs/YourDesiredMountName

Step 3: Setup the encrypted partition.

Obviously you could do with with an encrypted volume file instead of an actual partition.

If you do the steps are a little different.

I used the information from for this part.

The page is actually talking about using a volume file instead of a partition, so I did things a tad differently.

Setup the Partition
cryptsetup -v -y luksFormat /dev/sda5

Open the partition as a device
cryptsetup luksOpen /dev/sda5 devicemapnameyouwant

Create a filesystem on it
mke2fs -j /dev/mapper/devicemapnameyouwant

Mount it
mount /dev/mapper/devicemapnameyouwant /home/youruser

Generate a keyfile
head -c 1000 < /dev/urandom | uuencode -m - | grep -v begin | head -c 32 >/fs/YourDesiredMountName/devicenameyouwant.key

Add the keyfile to the device
cryptsetup luksAddKey /dev/sda5 /fs/YourDesiredMountName/devicenameyouwant.key

Unmount it
umount /home/youruser

Step 4: Setup Sudoers

Normal users cannot run mount, unmount, cryptsetup, etc. so we need to allow the user to run the appropriate commands

Edit your /etc/sudoers to add:

youruser        ALL=(ALL)       NOPASSWD: /sbin/cryptsetup luksOpen /dev/sda5 devicemapnameyouwant --key-file /fs/YourDesiredMountName/devicenameyouwant.key
youruser        ALL=(ALL)       NOPASSWD: /bin/mount /dev/mapper/devicemapnameyouwant /home/youruser
youruser        ALL=(ALL)       NOPASSWD: /bin/umount /home/youruser
youruser        ALL=(ALL)       NOPASSWD: /sbin/cryptsetup luksClose devicemapnameyouwant

Step 5: Setup .bash_profile in non-encrypted /home/youruser

This will open the device with the keyfile and mount your home directory.

After mounted it runs cd to reswitch to your home dir.

If you don't do this the directory list does not update properly and ls will show the unmounted information.

if [ -f /fs/YourDesiredMountName/devicenameyouwant.key ]
sudo /sbin/cryptsetup luksOpen /dev/sda5 devicemapnameyouwant --key-file /fs/YourDesiredMountName/devicenameyouwant.key
sudo mount /dev/mapper/devicemapnameyouant /home/youruser
source .bash_profile
[[ -f ~/.bashrc ]] && . ~/.bashrc

Step 6: Setup .bash_logout and .bash_logout_stage2 in encrypted /home/youruser

Now we setup the user to unmount their home directory and close the encrypted volume when they logout.

Mount the volume to the home directory (you don't need to Open it if it's already open)

/sbin/cryptsetup luksOpen /dev/sda5 devicemapnameyouwant --key-file /fs/YourDesiredMountName/devicenameyouwant.key
mount /dev/mapper/devicemapnameyouwant /home/youruser

Setup the .bash_logout to copy .bash_logout_stage2 to /tmp and execute it when you log out.

cp .bash_logout_stage2 /tmp
cd /tmp
exec sh /tmp/.bash_logout_stage2

Setup .bash_logout_stage2 to kill all remaining process of your user (except for sh, since that's running the scripts), unmount the home directory, close the luks volume, and delete itself

echo "Pausing for processes to close"
sleep 5
echo "Killing all leftover processes"
kill -9 `ps -u youruser | grep -v '[ ][s][h]' | grep -v PID | grep -o '^[ ]\{0,4\}[0-9]\{1,5\}'`
sleep 1
sudo /bin/umount /home/youruser
sudo cryptsetup luksClose devicemapnameyouwant
rm /tmp/.bash_logout_stage2

Note that the logout scripts will run anytime you do a shell logout.

There should probably be something that checks to make sure it is your last login shell before running the stage2 so you don't accidentally kill yourself by logging out of an extra terminal/screen session/etc.

I'm open to suggestions!

And there you have it!

If you did everything right, when your user logs in the encrypted device should mount to /home/youruser if your flash drive is plugged in.

If the drive is not plugged in, you will get whatever /home/youruser you have setup on the base system.

– Main.MarkMontgomeryII - 12 Feb 2009

howtos/encrypted_home.txt · Last modified: 2017/07/02 10:11 (external edit)