11 KiB
title | description | published | date | tags | editor | dateCreated |
---|---|---|---|---|---|---|
Encrypt the directory that contains virtual disk images | true | 2022-12-09T22:03:54.501Z | markdown | 2022-01-31T12:30:06.985Z |
Encrypt virtual disk images
Integration of filesystem-level encryption in Phyllome OS is a work-in-progress {.is-warning}
Introduction
This guide will show you how to compile 1 and configure fscrypt
to encrypt virtual disk images. It will also show you how to configure PAM to work alongside fscrypt
fscrypt
provides filesystem-level encryption and its library is part of the Linux kernel. It is widely used by Android-based devices, but only compatible with a handful of filesystems {.is-info}
Installation
Building from source
- Install dependencies to compile
fscrypt
:
sudo dnf install -y git golang pam-devel m4 authselect
- Fetch the source code:
go install github.com/google/fscrypt/cmd/fscrypt@latest
- Move to the installation folder (assuming v.0.3.3):
cd ~/go/pkg/mod/github.com/google/fscrypt\@v0.3.3/
If a new version is released, for instance
v0.3.4
, update the above path accordingly {.is-info}
- Run
make install
sudo make install
[...]
install -d /usr/local/bin
install bin/fscrypt /usr/local/bin
install -d /usr/local/lib/security
install bin/pam_fscrypt.so /usr/local/lib/security
m4 --define=PAM_INSTALL_PATH=/usr/local/lib/security/pam_fscrypt.so < pam_fscrypt/config > bin/config
install -d /usr/local/share/pam-configs
install bin/config /usr/local/share/pam-configs/fscrypt
install -Dm644 cmd/fscrypt/fscrypt_bash_completion /usr/local/share/bash-completion/completions/fscrypt
- Move
pam_fscrypt.so
to/usr/lib64/security/
, where it belongs:
sudo mv /usr/local/lib/security/pam_fscrypt.so /usr/lib64/security/pam_fscrypt.so
Setup
- Identify the
root
partition (/
) using the command line utilitylsblk
:
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
zram0 251:0 0 7.8G 0 disk [SWAP]
nvme0n1 252:0 0 50G 0 disk
├─nvme0n1p1 252:1 0 128M 0 part /boot/efi
├─nvme0n1p2 252:2 0 384M 0 part /boot
└─nvme0n1p3 252:3 0 49.5G 0 part /
In this case, it is nvme0n1p3
but valid value may be sda3
or vda3
or system-root
for LVM-based systems
- Activate
tune2fs
by providing the absolute path to the root partition:
sudo tune2fs -O encrypt /dev/nvme0n1p3
tune2fs 1.45.6 (20-Mar-2020)
- Verify proper activation:
sudo zgrep -h ENCRYPTION /boot/config-$(uname -r) | sort | uniq
CONFIG_BLK_INLINE_ENCRYPTION=y
CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y
CONFIG_FS_ENCRYPTION_ALGS=y
CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
CONFIG_FS_ENCRYPTION=y
- setup
fscrypt
:
sudo fscrypt setup
Defaulting to policy_version 2 because kernel supports it.
Customizing passphrase hashing difficulty for this system...
Created global config file at "/etc/fscrypt.conf".
Metadata directories created at "/.fscrypt".
- Verify fscrypt status:
fscrypt status
filesystems supporting encryption: 1
filesystems with fscrypt metadata: 1
MOUNTPOINT DEVICE FILESYSTEM ENCRYPTION FSCRYPT
/ /dev/nvme0n1p3 ext4 supported Yes
/boot /dev/nvme0n1p2 ext4 not enabled No
PAM configuration
- Select the minimal profile with
authselect
:
sudo authselect select minimal --force
- Activate the
ecryptfs
feature:
sudo authselect enable-feature with-ecryptfs
- Create a new profile based on the minimal profile and call it phyllome:
sudo authselect create-profile phyllome --base-on=minimal
New profile was created at /etc/authselect/custom/phyllome
- Select the newly create profile:
sudo authselect select custom/phyllome --force
Backup stored at /var/lib/authselect/backups/2021-07-15-20-08-13.4Czqor
Profile "custom/phyllome" was selected.
The following nsswitch maps are overwritten by the profile:
- aliases
- automount
- ethers
- group
- hosts
- initgroups
- netgroup
- networks
- passwd
- protocols
- publickey
- rpc
- services
- shadow
- Modify the content of the system-auth file:
sudo nano /etc/authselect/custom/phyllome/system-auth
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent >
auth sufficient pam_unix.so {if not "without-nullok">
auth required pam_faillock.so authfail >
auth required pam_deny.so
auth optional pam_fscrypt.so
account required pam_access.so >
account required pam_faillock.so >
account required pam_unix.so
password requisite pam_pwquality.so
password sufficient pam_unix.so yescrypt shadow {if not >
password required pam_deny.so
password optional pam_fscrypt.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_fscrypt.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so >
session [success=1 default=ignore] pam_succeed_if.so service in crond q>
session required pam_unix.so
According to fscrypt documentation: "The Auth and Session functionality of
pam_fscrypt.so
are used to automatically unlock directories when logging in as a user, and lock them when logging out [and] [t]he Password functionality [...] is used to automatically rewrap a user's login protector when their unix passphrase changes." {.is-info}
- Copy the content of system-auth file to the password-auth file.
Unsure which file is the canonic one {.is-info}
sudo cp system-auth password-auth
- Modify the postlogin file as well to match the following content
auth optional pam_fscrypt.so debug
password optional pam_fscrypt.so debug
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent>
session optional pam_lastlog.so silent noupdate showfailed
- Create the fscrypt file under the
/etc/pam.d/
directory and add the following line to it to allow PAM to be able to check the UNIX passphrase:
sudo nano /etc/pam.d/fscrypt
auth required pam_unix.so
- Finally, apply changes to phyllome profile:
sudo authselect apply-changes
Changes were successfully applied.
Tame SELinux
This is a work in progress. New policices will have to be designed for SELinux to work nicely with
fscrypt
. {.is-warning}
- Create a directory to store user-created SELinux policies and move there:
sudo mkdir /opt/selinux && cd /opt/selinux/
- Allow
systemd
to access 1000.count file:
sudo ausearch -c '(systemd)' --raw | audit2allow -M my-systemd
sudo semodule -X 300 -i my-systemd.pp
Test
- Create a directory called
secret
in your home directory:
mkdir ~/secret
- Encrypt the directory using your login passphrase:
fscrypt encrypt ~/secret --source=pam_passphrase
IMPORTANT: Before continuing, ensure you have properly set up your system for
login protectors. See
https://github.com/google/fscrypt#setting-up-for-login-protectors
Enter login passphrase for test:
"/home/groot/secret" is now encrypted, unlocked, and ready for use.
- Add a file to this directory:
touch ~/secret/recipe-for-pancakes-by-john-locke
- Reboot and make sure the file can be red after login:
cat ~/secret/recipe-for-pancakes-by-john-locke
Pancakes
* Take sweet cream 3/4 + pint.
* Flower a quarter of a pound.
* Eggs 7 leave out of 4 of the whites.
* Beat the Eggs very well.
* Then put in the flower, beat it a quarter of an hower.
* Then put in six spoonfulls of the Cream, beat it a litle Take new sweet butter half a pound. * Melt it to oyle, & take off the skum, power in all the clear by degrees beating it all the time.
* Then put in the rest of your cream. beat it well.
* Half a grated nutmeg & litle orangeflower water. Frie it without butter.
This is the right way
If a message like
key unavailable
appears, have a look a the troubleshooting section bellow. {.is-info}
Encrypt virtual disks
- Encrypt default directory containing virtual disks for the current user:
fscrypt encrypt ~/.local/share/libvirt/images --source=pam_passphrase
fscrypt
does not support in-place encryption. Only previously empty directories can be encrypted. If you wish to encrypt a directory which already contains files, move these files outside of the directory, encrypt it, and put the files back in {.is-warning}
- Ok, that's it, finally. All virtual disks created will benefit from this layer of encryption.
Resources
Troubleshooting
- You can use the following command to check for entries related to fscrypt in your log
journalctl -b | grep fscrypt
- If directories encrypted with
fscrypt
won't unlock, you could try to set SELinux in permissive mode and check error messages using thesetroubleshoot
software:
sudo nano /etc/selinux/config
SELINUX=permissive
Then reboot.
Paths
- Where authselect stores its default and vendor-specific configs:
/usr/share/authselect/
- Where PAM modules are stored:
/usr/lib64/security/
- Where authselect stores the current profile
/etc/authselect
- Documentation on developing PAM modules
/usr/share/doc/pam-devel
- Default directories fscrypt:
/usr/local/share/pam-configs/fscrypt
/etc/fscrypt.conf
~/.fscrypt
External Resources
fscrypt
official repo- PAM and Fedora
- fscrypt and Archlinux
-
As of now,
fscrypt
does not ship as an RPM package ↩︎