===============
== bacardi55 ==
===============
ἕν οἶδα ὅτι οὐδὲν οἶδα

Encrypt user home directory with gocryptfs


Introduction

I (not so) recently received my clockworkpi uConsole and didn't take the time to play with it yet, as June, July and early August were full of way too many pro and personal things… But I took the time during the weekend to set it up using a custom Debian ISO built for it, which worked great. More on all that later.

The first thing I wanted to do after the OS installation (and updates) was to encrypt my home directory. If I want to bring this device with me often, I want to make sure it is secure and my data is safe. Because it runs on a Raspberry Pi CM4 with limited CPU and RAM resources, I thought that full disk encryption like I do on my {desk,lap}top(s) would be too resource-intensive, and instead I would only encrypt my home directory. A little less secure, but good enough in my opinion. If you think otherwise, feel free to reach out to me explaining why :).

To do so, I used gocryptfs for the encryption, and I'm decrypting the folder and mounting it at login directly through PAM (pam_mount).

Initial preparation

Note: for the folder to be automatically decrypted and mounted at login, you must use the same password for your user account and for the folder encryption, because pam_mount hands the login password to gocryptfs.

Before doing anything crazy, let's back up the existing home directory. This is important if you already have data you want to keep. In the case of the clockworkpi uConsole, some settings in there matter, for example for the correct screen rotation.

cd /home
tar czf username.tgz username/

Replace username with… well… your user name :). This applies every time you see username in the rest of this post!

Then, let’s remove everything in the home directory (if you haven’t created a backup yet as said above, do it now or it will be too late!):

# .[!.]* and ..?* match dotfiles without also matching . and .. (which rm refuses anyway)
rm -rf /home/username/* /home/username/.[!.]* /home/username/..?*

Now that the directory is empty, let's create a file that will only be visible when the encrypted volume is not mounted (an easy way of checking that everything worked):

touch /home/username/gocryptfs_not_mounted
chown username:username /home/username/gocryptfs_not_mounted

Now, let’s create the directory where files will be encrypted:

cd /home
mkdir username.cipher
chown username:username username.cipher

Configuration

Ok, now we can install the required software:

sudo apt install libpam-mount gocryptfs

Then, edit /etc/fuse.conf and uncomment the user_allow_other line (remove the #). This lets a non-root user mount with the allow_other option used below, so that users other than the one who mounted the volume (root included) can access the FUSE-mounted directory.

Edit /etc/security/pam_mount.conf.xml and add the following before </pam_mount>:

<volume
  user="username"
  fstype="fuse"
  options="nodev,nosuid,quiet,nonempty,allow_other"
  path="/usr/bin/gocryptfs#/home/%(USER).cipher"
  mountpoint="/home/%(USER)"
/>

Again, don’t forget to adapt the username.

EDIT: A nice reader (dllud) emailed me to indicate that adding idle=30s to the options would automatically unmount your encrypted folder after log out. Reading the doc, it should, but for me it doesn't work and the logs indicate that the device is busy. I'm not sure whether lightdm or something else is blocking the unmount, but here is the updated options line for the pam_mount.conf.xml snippet above, in case it works for you:

<volume
  options="nodev,nosuid,quiet,nonempty,allow_other,idle=30s"
/>

To ensure the best performance, we can check which encryption algorithm is fastest on this hardware with gocryptfs:

gocryptfs -speed

As an example, the result for the uConsole was:

root@clockworkpi:/home# gocryptfs -speed
gocryptfs 2.3; go-fuse 2.1.0+git20220822.58a7e14; 2023-04-09 go1.19.8 linux/arm64
cpu: unknown; no AES acceleration
AES-GCM-256-OpenSSL               44.04 MB/s    (selected in auto mode)
AES-GCM-256-Go                    23.68 MB/s
AES-SIV-512-Go                    20.06 MB/s
XChaCha20-Poly1305-OpenSSL       165.63 MB/s    (selected in auto mode)
XChaCha20-Poly1305-Go            149.44 MB/s

So the right choice here is the XChaCha20-Poly1305 mode: as the output shows, this CPU has no AES acceleration, so AES-GCM is several times slower.

Now we can initialise the username.cipher folder with that mode:

gocryptfs -xchacha -init username.cipher/

As said above, if you want the auto mount to work when you log in, use the same password as your user.

And then, let's mount the decrypted view of the folder on the home directory to test:

gocryptfs -nonempty /home/username.cipher/ /home/username

The -nonempty argument is needed because the mount point is not empty: it contains the gocryptfs_not_mounted file we created above.

One important thing that made me lose a lot of time (see below) was that the gocryptfs.* files belonged to the root user, which is a problem because your user needs to be able to read them at login:

chown username:username /home/username.cipher/gocryptfs.*

Then, if you had data to save and created the backup as said above, you can extract it back into the decrypted folder now:

cd /home && tar xzf username.tgz --strip-components=1 -C username

I'm also creating a file in the decrypted folder, so that looking for this file tells me whether decryption worked correctly:

touch /home/username/gocryptfs_mounted
chown username:username /home/username/gocryptfs_mounted

Tests

Then, let's test the automated decryption by logging in as the user:

root@clockworkpi:/home# su - username
reenter password for pam_mount:
(mount.c:68): Messages from underlying mount program:
(mount.c:72): Cannot open config file: open /home/username.cipher/gocryptfs.conf: permission denied
(pam_mount.c:522): mount of /usr/bin/gocryptfs#/home/username.cipher failed

I'm putting this here because I hit this error. If you do as well, it's because you forgot to change the ownership of the gocryptfs.conf and gocryptfs.diriv files.

If you did change the ownership and the above command worked correctly, you can now list the files in your user's home and check that the gocryptfs_mounted file exists and gocryptfs_not_mounted is not there.
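As an added check (my own script, not part of the original post), here is a POSIX shell function that verifies the pieces set up above before you log out and rely on pam_mount: user_allow_other enabled in fuse.conf, a gocryptfs volume for the user in pam_mount.conf.xml, an initialised cipher directory, and the gocryptfs.* files owned by the user. The paths are parameters so it can be tried against a scratch tree; on the real system call it as check_setup username /home /etc/fuse.conf /etc/security/pam_mount.conf.xml.

```shell
# Added example, not from the original post: pre-login sanity checks for the
# pam_mount + gocryptfs setup described above.
#   check_setup USER HOME_ROOT FUSE_CONF PAM_MOUNT_CONF
# Exit status 0 when everything passes; each problem is printed on its own line.
check_setup() {
  user=$1; root=$2; fuse_conf=$3; pam_conf=$4; rc=0
  cipher="$root/$user.cipher"
  home="$root/$user"

  # 1. user_allow_other must be active, i.e. not commented out with '#'
  grep -q '^[[:space:]]*user_allow_other' "$fuse_conf" \
    || { echo "fuse.conf: user_allow_other is not enabled"; rc=1; }

  # 2. pam_mount must have a gocryptfs volume for this user
  { grep -q "user=\"$user\"" "$pam_conf" && grep -q '/usr/bin/gocryptfs#' "$pam_conf"; } \
    || { echo "pam_mount.conf.xml: no gocryptfs volume for $user"; rc=1; }

  # 3. the cipher directory must have been initialised with gocryptfs -init
  for f in gocryptfs.conf gocryptfs.diriv; do
    [ -f "$cipher/$f" ] || { echo "$cipher/$f is missing"; rc=1; }
  done

  # 4. ownership: the 'permission denied' in the post came from root-owned
  #    gocryptfs.* files, so the cipher dir and its metadata must belong to the user
  for f in "$cipher" "$cipher"/gocryptfs.*; do
    [ -e "$f" ] || continue
    owner=$(stat -c %U "$f" 2>/dev/null || stat -f %Su "$f")
    [ "$owner" = "$user" ] || { echo "$f is owned by $owner, expected $user"; rc=1; }
  done

  # 5. marker files: seeing both in the same directory means gocryptfs_mounted
  #    was created while the volume was NOT mounted over the home
  if [ -f "$home/gocryptfs_not_mounted" ] && [ -f "$home/gocryptfs_mounted" ]; then
    echo "$home: both marker files visible, volume was not mounted when gocryptfs_mounted was created"
    rc=1
  fi
  return $rc
}
```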

Now you can reboot your device (not strictly necessary, but I did it just in case :)), log in via the display manager, and everything should be loaded as expected. If everything worked fine, you can remove your backup archive:

rm -rf /home/username.tgz

Conclusion

Hope this helps; I will probably use this again each time I reinstall my uConsole or another similar device installed on an SD card!

Now that this is set up, I can start thinking about the actual usage I'll have for this device :D. I have some ideas, but that will be for a later post.

