LinuxQuestions.org
Old 11-06-2011, 02:01 PM   #1
sadarax
Member
 
Registered: Sep 2005
Distribution: Ubuntu
Posts: 249

Rep: Reputation: 30
Automount other harddrives while encrypted home directory


UPDATE: This problem has been fixed.

SOLUTION: Thanks for the help. Tried auto-mounting things somewhere else than my /home/user directory. I did this (in /media/Data, etc.), and then created symbolic links to there for my home. (Link from /media/Data to /home/user/Data).

I don't know how this will affect when I start encrypting specific directories on the Data drive, but since most of those are not needed for booting or Desktop-Startup, this should not be a problem.

ORIGINAL PROBLEM:

I am having a problem with auto-mounting data harddrives while using an encrypted home directory on another partition/drive.

I just installed Kubuntu 11.10 on my system, and for the first time used the "encrypt the home directory" feature. (Default settings. No changes made by me.) The Operating system is installed on /dev/sda1. My home is in /home/bob.

After the install process, I edited my /etc/fstab to automatically mount my other data drives (into folders in my home directory for convenience), such as /dev/sda3. Example from my /etc/fstab:

Code:
/dev/sda3 /home/bob/Sata  ext4  auto,defaults 0 0
However Kubuntu will auto-mount on boot-up OR after I login through KDM!

I really need to find a way to make Kubuntu/Ubuntu mount the drives IMMEDIATELY, either on start-up (since these are not files which need be secured), or IMMEDIATELY after I login through KDM but before KDE starts to load my user profile. I use symbolic links for various configuration files used by KDE, and if the drive is not ready (mounted) before KDE starts to load my user profile after login, most of my preferences are broken.

Some of my preference files are linked from this data drive into my home directory. (For example, my .bashrc and .vimrc).

Code:
$ ls -la

lrwxrwxrwx  1 bob bob   40 2011-10-18 21:24 .bashrc -> /home/bob/Sata/linux/conf/.bashrc
lrwxrwxrwx  1 bob bob   28 2011-10-17 19:43 documents -> /home/bob/Sata/Documents
Here is what my /etc/fstab looks like:

Code:
proc /proc proc nodev,noexec,nosuid 0 0
UUID=<long number for root partition> / ext4 errors=remount-ro 0 1
/dev/mapper/cryptswap1 none swap sw 0 0
# /dev/sda2 is swap
/dev/sda3 /home/bob/Sata  ext4  auto,defaults 0 0
That is all.

After I login and run the 'mount' command with no arguments, here is the output:
Code:
....
/dev/sda3 on /home/bob/Sata type ext4 (rw,commit=600)
....
/home/bob/.Private on /home/bob type ecryptfs (ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=<long number>, ecryptfs_fnek_sig=<long number>)
Even though mount claims /dev/sda3 is mounted, there is nothing actually there (and therefore none of the symbolic links are resolving correctly.) It only *actually* mounts after I manually run the mount command with all arguments 'mount -t ext4 /dev/....'.


Any suggestions for getting my non-secure drives to auto-mount on startup or IMMEDIATELY after I login through KDM (but before KDE loads my user profile)?

UPDATE: Added more fstab and mount command info.

Last edited by sadarax; 11-10-2011 at 01:49 AM. Reason: SOLVED
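
Added example, not part of the original thread: in the `mount` output above, /dev/sda3 is listed before the eCryptfs mount on /home/bob, and a mount point that sits underneath a directory mounted later is hidden even though the table still lists it. The function name and the sample table are constructed for illustration, and the table is assumed to be in /proc/mounts format and in the order the mounts were made.

```shell
#!/bin/sh
# find_shadowed_mounts: read a mount table (/proc/mounts format, assumed to be
# in mount order) on stdin and report every mount point that lies underneath
# a directory which was mounted over at a later time.
find_shadowed_mounts() {
    awk '
    NF >= 3 { n++; dev[n] = $1; mp[n] = $2; fs[n] = $3 }
    END {
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++) {
                # Compare against "dir/" so /home/bob does not match /home/bobby.
                parent = (mp[j] == "/") ? "/" : mp[j] "/"
                if (mp[i] != mp[j] && index(mp[i], parent) == 1) {
                    printf "%s on %s is hidden by %s (%s) mounted later on %s\n",
                           dev[i], mp[i], dev[j], fs[j], mp[j]
                    break
                }
            }
    }'
}

# Constructed sample modelled on the fstab and mount output in the post:
# the data partition is mounted at boot, the eCryptfs home at login.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda3 /home/bob/Sata ext4 rw,commit=600 0 0
/home/bob/.Private /home/bob ecryptfs rw,ecryptfs_cipher=aes 0 0
EOF
}

# Layout from the post: the data mount is reported as hidden.
sample_mounts | find_shadowed_mounts

# Layout from the SOLUTION: mounted under /media, nothing is reported.
sample_mounts | sed 's#/home/bob/Sata#/media/Data#' | find_shadowed_mounts
```

On a live system the same function can be fed with `find_shadowed_mounts < /proc/self/mounts`.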
 
Old 11-06-2011, 04:16 PM   #2
Mavman
Member
 
Registered: Mar 2008
Location: Wasilla, Alaska
Distribution: CentOS
Posts: 36

Rep: Reputation: 1
I'm fairly certain that because the drive is encrypted, it WILL NOT mount until authentication is supplied, otherwise it kind of defeats the purpose of encryption. If you have enough disk space you could make another partition for whatever info you are wanting to start up automatically (outside of your home directory), or you could do something similar to a luks encrypted setup, so that it doesn't even boot the OS unless you pass login information so that it can mount the drive on startup.

For example, I'm not super familiar with how you'd do it on Ubuntu, but I'm pretty sure it'd go like this. (I'm using sda5 as my example partition here)
Code:
apt-get install cryptsetup
cryptsetup luksFormat /dev/sda5

WARNING!
========
This will overwrite data on /dev/sda5 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: <enter passphrase>

cryptsetup luksOpen /dev/sda5 [mapper_name]
Enter passphrase for /dev/sda5: <enter authentication>
That mapper_name is just whatever you want to call it. After it's created it'll exist at /dev/mapper/[mapper_name]

When you have that done, you'd edit /etc/crypttab and put in the following:
Code:
[mapper_name]   /dev/sda5   /path/to/passphrase/file
Note: That path to passphrase file should contain one line just listing the passphrase, this isn't very secure and defeats the purpose of encryption. You alternatively can set it to 'none' and it'll prompt you for the phrase before bootup.

Now, you need to format the /dev/mapper/[mapper_name] for the type of filesystem you want. It's useable at that point.

Next go to your /etc/fstab and add the following:
Code:
/dev/mapper/[mapper_name] /path/to/mount [filesystem_type] defaults 0 0
And if I'm not mistaken that should do it.

Last edited by Mavman; 11-06-2011 at 04:44 PM. Reason: Clarification
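
Added example, not part of the original post: a check of the third crypttab field discussed above, reporting whether each volume prompts for its passphrase or reads it from a key file that group or other users can access. The function names, device names and temporary files are constructed for illustration; a key file stored on an unencrypted filesystem remains readable to anyone who has the disk, whatever its mode.

```shell
#!/bin/sh
# check_crypttab_keys FILE
# Reads a crypttab (fields: name, device, key file, options) and prints one
# verdict per entry about where the key material comes from.
check_crypttab_keys() {
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$key" in
            ''|none|-) echo "$name: passphrase prompted at boot"; continue ;;
            /dev/*)    echo "$name: key read from device $key"; continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "$name: key file $key not found"; continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ld -- "$key" | cut -c5-10)
        if [ "$bits" = "------" ]; then
            echo "$name: key file restricted to owner"
        else
            echo "$name: key file readable beyond owner"
        fi
    done < "$1"
}

# Constructed demo: builds a throwaway crypttab and two key files.
demo_crypttab() {
    d=$(mktemp -d)
    printf 'secret\n' > "$d/open.key";   chmod 644 "$d/open.key"
    printf 'secret\n' > "$d/closed.key"; chmod 600 "$d/closed.key"
    cat > "$d/crypttab" <<EOF
# name  device  keyfile  options
data1 /dev/sda5 $d/open.key luks
data2 /dev/sda6 $d/closed.key luks
data3 /dev/sda7 none luks
cryptswap1 /dev/sda2 /dev/urandom swap
EOF
    check_crypttab_keys "$d/crypttab"
    rm -rf "$d"
}
demo_crypttab
```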
 
Old 11-06-2011, 06:05 PM   #3
sadarax
Member
 
Registered: Sep 2005
Distribution: Ubuntu
Posts: 249

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Mavman
I'm fairly certain that because the drive is encrypted, it WILL NOT mount until authentication is supplied,
The drive I am trying to automount is NOT ENCRYPTED. Partition /dev/sda1 is encrypted, but /dev/sda2 is not.

Thanks for the alternative solution suggestion. I will look into that.
 
Old 11-06-2011, 06:19 PM   #4
Mavman
Member
 
Registered: Mar 2008
Location: Wasilla, Alaska
Distribution: CentOS
Posts: 36

Rep: Reputation: 1
I'm sorry, I must have misread, try moving the unencrypted drive line in your /etc/fstab file so that it sits above your encrypted one. I know that if you have multiple swap partitions the one on top becomes primary, perhaps that also could pertain to order in which the other partitions are mounted, and since the encrypted one by default is probably above the non-encrypted, it would stop the process? Let me know how that goes, I'm curious.
 
Old 11-06-2011, 08:20 PM   #5
sadarax
Member
 
Registered: Sep 2005
Distribution: Ubuntu
Posts: 249

Original Poster
Rep: Reputation: 30
Thanks for the idea Mavman. I don't think I can try your suggestion though. Here is what my /etc/fstab looks like:

Code:
proc /proc proc nodev,noexec,nosuid 0 0
UUID=<long number for root partition> / ext4 errors=remount-ro 0 1
/dev/mapper/cryptswap1 none swap sw 0 0
# /dev/sda2 is swap
/dev/sda3 /home/bob/Sata  ext4  auto,defaults 0 0
That is all.

After I login and run the 'mount' command with no arguments, here is the output:
Code:
....
/dev/sda3 on /home/bob/Sata type ext4 (rw,commit=600)
....
/home/bob/.Private on /home/bob type ecryptfs (ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=<long number>, ecryptfs_fnek_sig=<long number>)
Even though mount claims /dev/sda3 is mounted, there is nothing actually there (and therefore none of the symbolic links are resolving correctly.) It only *actually* mounts after I manually run the mount command with all arguments 'mount -t ext4 /dev/....'.

Last edited by sadarax; 11-06-2011 at 08:50 PM.
 
Old 11-06-2011, 08:59 PM   #6
Mavman
Member
 
Registered: Mar 2008
Location: Wasilla, Alaska
Distribution: CentOS
Posts: 36

Rep: Reputation: 1
Ok, I re-read your OP after your edits, I don't know that you can do it in that manner. Because the drive is encrypted, I don't believe it unlocks until you pass authentication, as a result, your other partitions can't mount up in an encrypted partition until you have authenticated it and it allows itself to mount. The only thing I could think of is if someone could possibly write a script that attempts to force it immediately after authentication before everything else, but I'm not familiar with all that happens in that time span to know if it's even possible.

For what it's worth though, that also means that the way I mentioned with luks would work, since it would allow decryption & use of the mount at boot. But you'd have to back up everything and re-write your partitions. It's not hard, but perhaps tedious. Also that method doesn't include the logical volume partition, but you absolutely can, just takes some extra configuration (set the partition type to linux lvm (type 8e), then use pvcreate against the partition, vgcreate against the partition, lvcreate against the vg group, then using the /dev/mapper/[lvgroup] as your "partition", run through the luks setup).

Hope that helps, if anyone else has other input, I'd love to hear it.
 
  

