Archive

Archive for April, 2009

Ubuntu jaunty upgrade: Encrypted home not mounting

April 27th, 2009

The Problem
I took the plunge to upgrade my laptop to Jaunty yesterday and upon reboot the first thing I noticed was that my encrypted home partition was no longer being mounted. After enabling pam_mount’s debug option and tracing through the problem it turned out to be that mount.crypt was now unable to mount my encrypted partition.

mount.crypt fails to mount the partition because when it calls cryptsetup it fails to pass the keysize parameter so cryptsetup uses the default (256), which is fine if you used a 256 bit encryption key, but unfortunately I’d used a 128-bit encryption key so therefore cryptsetup fails to setup the encrypted volume correctly thus causing the subsequent call to mount to fail.

The Solution
Fortunately I don’t let little things like that stop me from getting things working. Firstly I created a patched libpam-mount package (LP: #367577) that does pass the -s option through to cryptsetup, this then allows mount.crypt to successfully mount the encrypted volume.

However, pam_mount was still not able to mount the volume when I logged in, thankfully it only required a config tweak to match the new options that are now passed to mount.crypt, so my new pam_mount.conf.xml config block now looks like this:-

<volume
    user="kenny"
    fstype="crypt"
    path="/dev/sda3"
    mountpoint="/home/kenny"
    options="cipher=aes,hash=ripemd160,fsk_cipher=aes-128-ecb,fsk_hash=md5,
keyfile=/home/kenny.key"
/>

(Annoyingly hash=ripemd160 has to be passed because cryptsetup defaults to that but mount.crypt defaults to and passes through “plain” unless told otherwise.)

Once this change was made (and the fixed packages installed), pam_mount was once again able to mount my encrypted home directory when I log in.

Linux , , , ,