How to secure your home

One of the many advantages of the Linux operating system is its separation of user data from system files. Traces of your daily use of the system will show up in your home directory, located in the home folder alongside other users' playgrounds. Over time various assets will assemble inside your home directory, and they are not all equally important to you.

Things like your archived email messages, your financial records or outlines of your secret plans are mingled with the latest downloads of music or fresh software versions, all in one place. To secure your home you need to separate your core files (and configurations) from everything else that has been sourced from a public place like the internet and does not need protection.


What we need to do is to separate the sensitive data from everything else in your home directory and put it into a secure container that is left encrypted until access to the data inside is needed.

So this is our plan:

  • Set up an encrypted container with a filesystem to use.
  • Transfer all sensitive data to the container.
  • Create links to the container in our home directory.
  • Use our new tool with care.
As you would expect, the second step will be the most challenging, because we will easily miss some of the sensitive data that should be transferred to the container.

Don't worry about steps one and three, I'll lend you a hand to perform these steps without much trouble.
But why don't we simply transfer all of our home directory to the encrypted container?

This obvious solution is really not the best one. The security of our sensitive data relies on the fact that the container stays encrypted almost all the time, whenever the sensitive data is not in use. If we put our whole home directory into the container we would not even be able to log in, or we would have to open up the container for the duration of our entire session, leaving the sensitive data unencrypted for a long time. This is clearly not the way we want to protect our core files.

Preparing the safe

Let's go ahead and start preparing our encrypted container, which will be a very big file holding all our valuable data. We have to decide where to store the big file (e.g. /home/safe) and we need to make sure that whatever backup we make, this file is included. Issue the following commands as superuser (root):

dd if=/dev/urandom of=/home/safe bs=1M count=2000   # create the container file, filled with random data
LOOP=$(/sbin/losetup -f)                             # find a free loop device
/sbin/losetup $LOOP /home/safe                       # attach the file to it
/sbin/cryptsetup create safe $LOOP                   # map the decrypted view; asks for the passphrase
ls -l /dev/mapper                                    # /dev/mapper/safe should now exist

The first command is used to create the file and fill it with pseudo-random data. Feel free to adapt the number of blocks that are written to the file to suit your needs; count=2000 will create a 2 gigabyte file. The following commands find a free loop device, attach our file to the device and finally create a new block device representing the decrypted bunch of data. Make sure that you use a good passphrase for the container.

By now you should have a device file called /dev/mapper/safe that can be treated just like any ordinary disk partition, e.g. /dev/sda1. So we can now create a filesystem on this new device and mount it on the mountpoint /safe, which we create for this purpose.

mkfs -t ext3 -c /dev/mapper/safe   # -c checks for bad blocks first
mkdir /safe
mount /dev/mapper/safe /safe

Our container is now mounted on the directory /safe and is ready to be filled up with our valuables.

Making life easier

But before we get to the tricky part of deciding which data shall be moved to the safe, it's time to make using our safe a little easier. Usually you will not be logged in as the superuser (root) when you need to open up your encrypted safe. Let's set up two simple scripts that help you use the safe while working as a normal user on the system. Apart from knowing the passphrase to unlock the safe there is one more requirement to restore the unencrypted content of your safe: creating device files and mounting them on directories is a job for root, not for ordinary users. As a consequence the two scripts must be run as root, which can be achieved by adding the following two lines to the file /etc/sudoers:

joe ALL = NOPASSWD: /root/safeon
joe ALL = NOPASSWD: /root/safeoff


Joe is now permitted to run the two scripts as root, once he prefixes the script names with the sudo command:

sudo /root/safeon
sudo /root/safeoff


Make sure that the scripts are at their proper place in /root.

/root/safeon

#!/bin/bash
set -e   # stop at the first failing step instead of continuing half-way

LOOP=$(/sbin/losetup -f)              # pick a free loop device
echo $LOOP > /home/joe/loopdevice     # remember it for safeoff
/sbin/losetup $LOOP /home/safe        # attach the container file
/sbin/cryptsetup create safe $LOOP    # asks for the passphrase
mount /dev/mapper/safe /safe
ls -la /safe


/root/safeoff

#!/bin/bash
set -e   # if umount fails (files still open) nothing below must run

umount /dev/mapper/safe
LOOP=$(cat /home/joe/loopdevice)      # the device safeon recorded
/sbin/cryptsetup remove safe          # drop the decrypted mapping
/sbin/losetup -d $LOOP                # detach the container file
rm /home/joe/loopdevice
ls -la /safe                          # should be empty again
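The following single script is an added example for this article, not the author's safeon/safeoff, that does the same job with a few checks a practitioner would want: it records the loop device in a root-owned directory rather than in the user's home (a state file the user can write would let that user pick which loop device root detaches), it accepts only a plain /dev/loopN path from that file, it looks at the current state before acting so that an interrupted teardown can be finished by running it again, and it mounts the safe with nosuid,nodev. The paths are the article's (/home/safe, /safe, mapper name safe); the /run/safe state directory, `losetup --find --show` and `cryptsetup open --type plain` (the current spelling of the article's `cryptsetup create`) are my choices.

```shell
#!/bin/bash
# Added example: hardened replacement for /root/safeon and /root/safeoff.
# Assumed layout (as in the article): container file /home/safe, mount
# point /safe, device-mapper name "safe". State is kept in /run/safe, which
# only root can write, so an unprivileged user cannot feed this script an
# arbitrary device path.
set -eu

SAFE_FILE=/home/safe
SAFE_MNT=/safe
MAPPER=safe
STATE_DIR=/run/safe
STATE_FILE=$STATE_DIR/loopdevice

# Accept only a bare loop device path such as /dev/loop3, nothing else.
valid_loop() {
    case "$1" in
        /dev/loop[0-9]|/dev/loop[0-9][0-9]|/dev/loop[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the safe: "open" (mapping and mount present), "closed" (neither)
# or "partial" (one of them, e.g. after an interrupted teardown).
# Arguments: 1/0 whether the mapping exists, 1/0 whether /safe is mounted.
describe_state() {
    if [ "$1" = 1 ] && [ "$2" = 1 ]; then echo open
    elif [ "$1" = 0 ] && [ "$2" = 0 ]; then echo closed
    else echo partial
    fi
}

current_state() {
    mapped=0; mounted=0
    if [ -e "/dev/mapper/$MAPPER" ]; then mapped=1; fi
    if mountpoint -q "$SAFE_MNT"; then mounted=1; fi
    describe_state "$mapped" "$mounted"
}

safe_on() {
    if [ "$(current_state)" != closed ]; then
        echo "safe is $(current_state), run '$0 off' first" >&2; exit 1
    fi
    install -d -m 700 -o root -g root "$STATE_DIR"
    # --find --show attaches the file and prints the device in one step,
    # avoiding the gap between "losetup -f" and a separate "losetup DEV FILE".
    loop=$(/sbin/losetup --find --show "$SAFE_FILE")
    if ! valid_loop "$loop"; then
        echo "unexpected loop device: $loop" >&2; /sbin/losetup -d "$loop"; exit 1
    fi
    echo "$loop" > "$STATE_FILE"
    /sbin/cryptsetup open --type plain "$loop" "$MAPPER"   # asks for the passphrase
    mount -o nosuid,nodev "/dev/mapper/$MAPPER" "$SAFE_MNT"
}

# Each step is skipped if already done, so "off" also repairs a partial state
# (for instance when a mistyped passphrase in plain mode made the mount fail).
safe_off() {
    if mountpoint -q "$SAFE_MNT"; then umount "$SAFE_MNT"; fi
    if [ -e "/dev/mapper/$MAPPER" ]; then /sbin/cryptsetup close "$MAPPER"; fi
    if [ -f "$STATE_FILE" ]; then
        loop=$(cat "$STATE_FILE")
        if ! valid_loop "$loop"; then echo "corrupt state file: $loop" >&2; exit 1; fi
        /sbin/losetup -d "$loop"
        rm -f "$STATE_FILE"
    fi
}

case "${1:-}" in
    on)     safe_on ;;
    off)    safe_off ;;
    status) current_state ;;
    *)      : ;;   # no argument: do nothing (lets the functions be sourced)
esac
```

Install it as /root/safe and grant it with argument-specific sudoers entries, `joe ALL = NOPASSWD: /root/safe on, /root/safe off`, so Joe can run exactly those two invocations and nothing else. Note that in plain dm-crypt mode cryptsetup cannot tell a mistyped passphrase from a correct one; the mount step fails instead, which is why `off` is written to clean up whatever half of the setup exists.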

Filling up the safe with valuables

Now that our safe is working well we don't have any excuses not to fill it with data that should be protected. If you know where your email software stores its archived messages move the folder to the safe completely and create a symbolic link to the new destination like this:

mkdir /safe/joe
chown joe /safe/joe
mv $HOME/mail /safe/joe
ln -s /safe/joe/mail $HOME/mail

What makes moving our valuables to the safe so tricky is that we do not know exactly where they are. Seriously, you can expect some of them in obvious places, but be aware that most programs store their data in dot-directories like .evolution, .ssh, .gnupg and so on. So keep on searching. And enjoy your safe.
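To take some of the guesswork out of the last two steps, here is an added example (not code from the article) that automates the move-and-link step and the hunt through dot-directories. Given the home directory and the user's directory inside the mounted safe, `safe_status` reports for each candidate whether it is still a plain directory in the home, already a link into the safe, a link elsewhere, or absent; `stash` moves one directory into the safe and leaves the symbolic link behind, refusing anything that is not a plain directory so a second run does no harm. The candidate list and the two path parameters (e.g. /home/joe and /safe/joe) are assumptions; run it as the user, with the safe open.

```shell
#!/bin/sh
# Added example: move sensitive directories into the mounted safe and leave
# symbolic links behind, plus an inventory of the usual suspects.
# Assumed: the safe is mounted and SAFE_DIR (e.g. /safe/joe) is owned by the
# user running this. The candidate list is illustrative, not complete.
set -eu

CANDIDATES="mail .ssh .gnupg .evolution .thunderbird .mozilla .purple"

# classify HOME_DIR SAFE_DIR NAME -> one of:
#   plain    ordinary directory still living in the home directory
#   linked   symlink that already points inside the safe
#   foreign  symlink pointing somewhere else (left alone)
#   absent   nothing there
classify() {
    c_path="$1/$3"
    if [ -L "$c_path" ]; then
        c_target=$(readlink "$c_path")
        case "$c_target" in
            "$2"/*) echo linked ;;
            *)      echo foreign ;;
        esac
    elif [ -d "$c_path" ]; then
        echo plain
    else
        echo absent
    fi
}

# safe_status HOME_DIR SAFE_DIR -> prints "NAME STATE" per candidate.
safe_status() {
    for n in $CANDIDATES; do
        echo "$n $(classify "$1" "$2" "$n")"
    done
}

# stash HOME_DIR SAFE_DIR NAME: move the directory into the safe and link it
# back. Only a plain directory is moved; an existing destination (a previous
# half-done move) is reported instead of being merged into by mv.
stash() {
    s_home=$1; s_safe=$2; s_name=$3
    s_state=$(classify "$s_home" "$s_safe" "$s_name")
    case "$s_state" in
        linked) echo "$s_name: already in the safe"; return 0 ;;
        plain)  ;;
        *)      echo "$s_name: $s_state, skipping" >&2; return 1 ;;
    esac
    if [ -e "$s_safe/$s_name" ]; then
        echo "$s_name: $s_safe/$s_name already exists, resolve by hand" >&2
        return 1
    fi
    mv "$s_home/$s_name" "$s_safe/$s_name"
    ln -s "$s_safe/$s_name" "$s_home/$s_name"
    echo "$s_name: moved and linked"
}

case "${1:-}" in
    status) safe_status "$HOME" "$2" ;;          # safe.sh status /safe/joe
    stash)  stash "$HOME" "$2" "$3" ;;           # safe.sh stash /safe/joe .gnupg
    *)      : ;;                                 # no argument: do nothing
esac
```

While the safe is closed the links dangle, so a program that looks for its directory simply finds nothing; a program started in that state will not be able to recreate the directory either, because the link still occupies the name. Run `status` once more after a few weeks of use, since new software tends to bring new dot-directories with it.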

