Linux, Unix and Technology for the mere mortal

Encrypted Home Folders with ssh key authentication

Recently I encrypted all my home folders on my Linux machines hosted in public clouds. See article Sysadmins Behaving Badly part 1.

One thing that I wasn’t anticipating was the fact that when the user is logged out, sshd can’t read the authorized_keys file, because it sits inside the home folder, which is still unmounted (encrypted) until the user logs in.

If you’ve configured sshd to only accept key authentication and not allow keyboard interactive, you’ll find yourself locked out of the machine.

To get around this you can place a copy of the authorized_keys file outside of the encrypted directory and configure sshd to look for it there.

dvnt@icecream:~$ sudo mkdir -p /home/ssh/dvnt
dvnt@icecream:~$ sudo chown dvnt:dvnt /home/ssh/dvnt
dvnt@icecream:~$ cp ~/.ssh/authorized_keys /home/ssh/dvnt/
dvnt@icecream:~$ ln -sf /home/ssh/dvnt/authorized_keys ~/.ssh/authorized_keys

Modify /etc/ssh/sshd_config

Before:

#AuthorizedKeysFile %h/.ssh/authorized_keys

After:

#AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedKeysFile /home/ssh/%u/authorized_keys
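The steps above can be scripted so they are repeatable for every user on every host. The following is an added example, not code from the original post: it stages a user's authorized_keys under a root such as /home/ssh with the ownership and modes sshd's StrictModes accepts, replaces the in-home copy with a symlink, and checks that the AuthorizedKeysFile directive in a given sshd_config really points outside the home (an entry containing %h, or any relative path, is resolved inside the home and would fail while it is unmounted). The KEYS_ROOT variable, the function names and the scratch paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Stage a user's authorized_keys
# outside the encrypted home so sshd can read it while the home is unmounted.
# KEYS_ROOT defaults to /home/ssh as used in the post; run as root for real
# homes, or point KEYS_ROOT and the home argument at a scratch tree to test.
set -eu

KEYS_ROOT="${KEYS_ROOT:-/home/ssh}"

# stage_authorized_keys USER HOME
# Copies HOME/.ssh/authorized_keys to $KEYS_ROOT/USER/authorized_keys with
# modes StrictModes accepts (dir 700, file 600) and replaces the in-home
# file with a symlink so ssh-copy-id and editors keep working as before.
stage_authorized_keys() {
    user="$1"; home="$2"
    src="$home/.ssh/authorized_keys"
    dst_dir="$KEYS_ROOT/$user"
    dst="$dst_dir/authorized_keys"

    [ -f "$src" ] || { echo "no $src to stage" >&2; return 1; }
    mkdir -p "$dst_dir"
    chmod 700 "$dst_dir"
    # Never silently clobber a staged file that already differs.
    if [ -f "$dst" ] && ! cmp -s "$src" "$dst"; then
        echo "$dst exists and differs from $src; merge by hand" >&2
        return 1
    fi
    cp "$src" "$dst"
    chmod 600 "$dst"
    # -f is required: the original regular file is still in place and a
    # plain "ln -s" would fail with "File exists".
    ln -sf "$dst" "$src"
}

# verify_staged_keys USER HOME
# Checks the layout a working login needs: the staged file is a regular
# file (not a link back into the home), the in-home path is a symlink to
# it, and neither is group/world writable (StrictModes rejects that).
verify_staged_keys() {
    user="$1"; home="$2"
    dst="$KEYS_ROOT/$user/authorized_keys"
    [ -f "$dst" ] && [ ! -L "$dst" ] || return 1
    [ -L "$home/.ssh/authorized_keys" ] || return 1
    [ "$(readlink "$home/.ssh/authorized_keys")" = "$dst" ] || return 1
    [ -z "$(find "$dst" "$KEYS_ROOT/$user" \( -perm -g+w -o -perm -o+w \))" ] || return 1
    return 0
}

# keysfile_outside_home SSHD_CONFIG
# Returns 0 only when an active AuthorizedKeysFile directive exists and
# every listed path is absolute and free of %h; anything else is resolved
# inside the (unmounted) home. A missing directive means the default
# %h/.ssh/authorized_keys and therefore also fails.
keysfile_outside_home() {
    cfg="$1"
    vals=$(grep -Ei '^[[:space:]]*AuthorizedKeysFile[[:space:]]' "$cfg" \
           | sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//')
    [ -n "$vals" ] || return 1
    for v in $vals; do
        case "$v" in
            *%h*) return 1 ;;   # expands to the home directory
            /*)   ;;            # absolute: fine
            *)    return 1 ;;   # relative paths are relative to the home
        esac
    done
    return 0
}

# Typical use on a real host (commented out so the file is safe to source):
# stage_authorized_keys dvnt /home/dvnt && verify_staged_keys dvnt /home/dvnt
# keysfile_outside_home /etc/ssh/sshd_config && sshd -t
```

After editing sshd_config, `sshd -t` validates the syntax and `sshd -T | grep -i authorizedkeysfile` prints the value the daemon will actually use; keep an existing session open while restarting sshd so a mistake does not lock you out again.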

At this stage the key authentication will succeed, but your home folder will still be unmounted (encrypted) and look like this:

dvnt@icecream:~$ ls -la
total 8
dr-x------ 2 dvnt dvnt 4096 Mar 27 16:51 .
drwxr-xr-x 6 root root 4096 May 16 15:47 ..
lrwxrwxrwx 1 dvnt dvnt 56 Mar 27 16:51 Access-Your-Private-Data.desktop -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop
lrwxrwxrwx 1 dvnt dvnt 30 Mar 27 16:51 .ecryptfs -> /home/.ecryptfs/dvnt/.ecryptfs
lrwxrwxrwx 1 dvnt dvnt 29 Mar 27 16:51 .Private -> /home/.ecryptfs/dvnt/.Private
lrwxrwxrwx 1 dvnt dvnt 52 Mar 27 16:51 README.txt -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt
dvnt@icecream:~$ cat README.txt

Now just run ecryptfs-mount-private and enter your login passphrase to decrypt the folder.

dvnt@icecream:~$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [32fa6bfbf60ccb6b] into the user session keyring

INFO: Your private directory has been mounted.
INFO: To see this change in your current shell:
 cd /home/dvnt

dvnt@icecream:~$ cd
dvnt@icecream:~$
dvnt@icecream:~$
dvnt@icecream:~$ ls
Desktop Documents Downloads examples.desktop java_project Music Pictures Projects Public share snap Templates Videos
