
Ext4 encryption

From Gentoo Wiki (test)

This article provides instructions on encrypting a home partition using the ext4 filesystem's built-in encryption.

Overview

Ext4 supports file-based encryption, which was more suitable for my needs: better performance and the ability to exclude folders from encryption on a single filesystem (open-source project repositories etc. don't need to be encrypted).

This scenario works only on a single-user computer (the user is hard-coded in the systemd service file), and Wayland is not supported (it does not run the Xsession file before touching the /home/$user directory).

Basics

The basics are covered in the Arch wiki: https://wiki.archlinux.org/index.php/ext4#Using_file-based_encryption

Decryption before login

Ext4 uses the kernel keyring, which is divided into a session keyring (created every time you log in on the console / X / Wayland) and a user keyring (persists for the user, but only as long as the user stays logged in).

Systemd

So you would need to run a systemd unit before the login screens appear, which is not possible with systemd itself. So, I just dedicate tty6 to the password prompt.

There is no need to use all 6 VTs, so modify logind.conf and reduce the number of reserved VTs.

FILE /etc/systemd/logind.conf
...
[Login]
NAutoVTs=3
ReserveVT=1
...

Create systemd service

FILE /etc/systemd/system/decrypt.service
[Unit]
Description=Decrypt
Wants=multi-user.target

[Service]
Type=oneshot
User=REPLACEWITH_USERNAMEOFYOURUSER
ExecStart=/usr/local/sbin/decrypt.sh
KeyringMode=inherit
StandardInput=tty-force
TTYPath=/dev/tty6
TTYReset=yes
TTYVHangup=yes
TTYVTDisallocate=yes
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

And the script: wait for the display manager to load itself, then switch to VT 6, ask for the password and add the key to @s (session keyring), set permissions that allow linking it into @u (user keyring), and switch back to VT 7 (display manager). It sleeps forever because the moment this script ends, the user keyring is wiped and the whole exercise is pointless.

In the script you have to fill in the number (the hex string after ext4: in the key listing), which you get by running /usr/sbin/e4crypt add_key under normal circumstances and then keyctl list @s.

FILE /usr/local/sbin/decrypt.sh
#!/bin/bash
# Replace the placeholder with the key name shown by keyctl list
# after a normal e4crypt add_key run.
KEY_DESC='ext4:_THIS_NUMBER_YOU_GET_FROM_keyctl list @u_'

sleep 10                              # give the display manager time to start
chvt 6                                # switch to the VT reserved for the prompt
systemd-ask-password | /usr/sbin/e4crypt add_key -k @s
KEY_ID=$(keyctl search @s logon "$KEY_DESC")
keyctl setperm "$KEY_ID" 0x3d3d0000   # grant the permissions needed to link it into @u
keyctl link "$KEY_ID" @u
sleep 1
chvt 7                                # back to the display manager
sleep infinity                        # exiting would wipe the user keyring

Last thing: you need a link from @u (user keyring) to @s (session keyring), because otherwise ext4 is not able to find the key (no idea why).

So in my case

FILE /etc/gdm/Xsession
... somewhere near the beginning of the file ...
keyctl link @u @s
... rest of it ....
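Two checks worth having when debugging this setup, as an added example that is not part of the original article: pulling the key serial out of the keyctl list output the text tells you to consult, and decoding what the 0x3d3d0000 mask in decrypt.sh actually grants. The listing embedded below is a constructed sample, and the column layout it relies on is an assumption about what keyctl prints.

```shell
#!/bin/bash
# Added example, not part of the original page: helpers for checking the
# decrypt.sh setup. Assumes the line layout printed by `keyctl list`:
#   <serial>: <perms> <uid> <gid> <type>: <description>

# Print the serial of the logon key described by $1, reading `keyctl list`
# output on stdin. Returns 1 when the key is not in that keyring, which is
# the state ext4 is in when the @u -> @s link was never made.
ext4_key_serial() {
    local want="$1" serial perms uid gid type desc
    while read -r serial perms uid gid type desc; do
        [ "$type" = "logon:" ] || continue   # also skips the "N keys in keyring:" header
        [ "$desc" = "$want" ] || continue
        printf '%s\n' "${serial%:}"
        return 0
    done
    return 1
}

# Expand one permission byte into the names used by keyctl(1).
perm_names() {
    local byte=$1 out=""
    [ $((byte & 0x01)) -ne 0 ] && out="${out}view,"
    [ $((byte & 0x02)) -ne 0 ] && out="${out}read,"
    [ $((byte & 0x04)) -ne 0 ] && out="${out}write,"
    [ $((byte & 0x08)) -ne 0 ] && out="${out}search,"
    [ $((byte & 0x10)) -ne 0 ] && out="${out}link,"
    [ $((byte & 0x20)) -ne 0 ] && out="${out}setattr,"
    printf '%s\n' "${out%,}"
}

# Decode a setperm mask such as the script's 0x3d3d0000; from the most
# significant byte down the fields are possessor, user, group, other.
decode_perm_mask() {
    local mask=$(( $1 ))
    printf 'possessor=%s user=%s group=%s other=%s\n' \
        "$(perm_names $(( (mask >> 24) & 0xff )))" \
        "$(perm_names $(( (mask >> 16) & 0xff )))" \
        "$(perm_names $(( (mask >> 8) & 0xff )))" \
        "$(perm_names $(( mask & 0xff )))"
}

# Constructed sample of `keyctl list @s` output; on a real system pipe the
# command itself in instead.
SAMPLE_LISTING=' 2 keys in keyring:
 794541898: --alswrv  1000  1000 logon: ext4:a1b2c3d4e5f67890
 110250001: --alswrv  1000  1000 keyring: _uid.1000'
printf '%s\n' "$SAMPLE_LISTING" | ext4_key_serial ext4:a1b2c3d4e5f67890
decode_perm_mask 0x3d3d0000
```

A listing where the logon key is absent (exit status 1) is the symptom to look for when ext4 refuses to decrypt after login.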

Issues

  • When e4crypt is issued with -k @u (user keyring), the kernel is not able to decrypt the content
  • Didn't find out how to make it work under a Wayland session