
I'm trying to do something which seems obvious but nobody else seems to be doing. I want to keep my home directory on an encrypted USB drive, to be plugged and unplugged "on top of" a vanilla home directory on a vanilla Ubuntu installation.

It does work, sort of. My current workflow:

  1. At login screen, do ctrl+alt+f2 to new TTY. Log in as root (having set root password to allow this). Mount encrypted volume at /home/me
  2. Back at TTY7, log in as me and work from correctly mounted home
  3. Log out to login screen, ctrl+alt+f2 back to terminal, log in as root and unmount /home/me

But at step 3, on trying to unmount my home directory I get Device busy, and doing an lsof reveals hundreds of processes using it. It seems this is because Ubuntu does not log you out when you "Log out" to the login screen. So instead I am just shutting down directly, not unmounting first. Seems not very clean.

NB: I have a hardware issue which makes my machine unusable if I modify the grub config to boot to a shell prompt. And anyway, that is supposedly not the Ubuntu way.

But there has to be a better way to do this. An idea?

Sqerstet
  • IMHO you should stop X server before unmounting. https://askubuntu.com/questions/65856/how-does-one-exit-the-x-server And shutting down in a controlled way (e.g. shutdown -h now) should unmount it correctly. – Melebius Feb 14 '17 at 12:41
  • Does the USB have to be hot-pluggable? It would probably be easier to assume the USB drive is stationary and does not connect/disconnect while the computer is running, if possible. Also, maybe using an overlayfs (having a read-only home directory skeleton on the HDD and overlaying the encrypted files from your USB over it) might be something you could possibly like to look into. – Byte Commander Feb 14 '17 at 12:59
  • @Melebius Thanks, service lightdm stop does allow the umount. Overall process still messy. – Sqerstet Feb 14 '17 at 13:01
  • @ByteCommander Ideally hotplugging would be nice but no, not necessary. Will look into your read-only skeleton idea, thanks. But mounting a home on top of another is not in itself a problem, from what I understand. Works as expected anyway. – Sqerstet Feb 14 '17 at 13:05
  • @ByteCommander So would I add the USB drive as mounting, via LUKS, at /home/me in /etc/fstab? My worry is that this will prompt for the passphrase straight after booting, as my hardware has an issue where the keyboard is not available early in the boot process. – Sqerstet Feb 14 '17 at 13:15
  • Yes, fstab will probably ask you during boot for the passphrase. I am not sure how you could bypass that best... – Byte Commander Feb 14 '17 at 13:21

2 Answers


Setup

Initially, you can do this to mount and copy the home directory:
mount drive: mount -o uid=user /dev/sdbx /temphomedir
Copy files: mount --bind /temphomedir /home/user
This assumes that /dev/sdbx is your USB drive and /home/user is your home directory.

Note

NOTE: make sure that your /home/user directory is empty before you mount the drive.

Adding start up script

According to this question you can use the command crontab -e to edit your cron, then you can add the following line @reboot /mount.sh. Now that we have done that we need to create the mount.sh script. You can do that by typing sudo nano /mount.sh. This will open the nano text editor. Then just paste the following:

#!/bin/bash
# Mount the USB filesystem directly on the home directory (mount --bind
# takes a directory, not a block device). Drop uid= for ext4-style filesystems.
mount -o uid=user /dev/sdbx /home/user

What this will do is mount the USB to your home directory every time you boot your computer. Make sure /dev/sdbx and /home/user are correct, then type Ctrl+X to save and quit nano.
When you reboot your computer this should work. Please keep in mind that I have not actually tested this, so it may not work.

Hope this helps!

zoecarver

There is now a systemd module called systemd-homed in the works to solve this very problem!

In the meantime, here is the solution. In use every day without issue.

First, copy the content of /home/you to the root of a LUKS-encrypted USB drive. Assuming no other USBs are present, lsblk will always show the drive as /dev/sda and the encrypted partition will be /dev/sda1.

Next ensure that if the USB drive is plugged in, then the encrypted partition will be available as a virtual block device. A password prompt will appear at boot time. In /etc/crypttab:

encryptedhome /dev/sda1 none luks,noauto

Now, make this virtual device mount, if available. If it is not plugged in, there will be a short wait for the timeout but the boot will then proceed as normal. In /etc/fstab:

/dev/mapper/encryptedhome /home/you ext4 defaults,nofail 0 2

Your external home directory will be mounted on top of the existing vanilla one. Mounting things on top of existing directories like this simply makes the existing one unavailable for the duration of the mount. All data in it remains safe.

Sqerstet
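The crypttab/fstab pairing in the answer above is easy to get subtly wrong (a mapper name that does not match, a forgotten nofail that stalls the boot when the drive is absent, a missing noauto that brings back the early-boot passphrase prompt). The following is an added example, not code from the answer or from Ubuntu: a POSIX sh check that parses both files and verifies the entry for a given mapper name. It assumes the files are passed as arguments (so it can run against copies or the constructed samples below) and that the home mount point lives under /home.

```shell
#!/bin/sh
# Added example, not code from the answer: check that the crypttab entry and
# the fstab entry that mounts it agree, and that the two options the setup
# relies on are present: "noauto" in crypttab (no unlock prompt early in
# boot) and "nofail" in fstab (boot proceeds if the drive is not plugged in).
# Usage: check_home_mount <crypttab-file> <fstab-file> <mapper-name>

has_opt() {  # has_opt "opt1,opt2,..." needle  -> true if needle is in the list
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

check_home_mount() {
    crypttab=$1 fstab=$2 name=$3 rc=0
    # crypttab columns: name  device  keyfile  options
    copts=$(awk -v n="$name" '$1 !~ /^#/ && $1 == n { print $4 }' "$crypttab")
    if [ -z "$copts" ]; then
        echo "crypttab: no entry named $name"; return 1
    fi
    has_opt "$copts" luks   || { echo "crypttab: $name lacks 'luks'"; rc=1; }
    has_opt "$copts" noauto || { echo "crypttab: $name lacks 'noauto'"; rc=1; }
    # fstab columns: device  mountpoint  fstype  options  dump  pass
    entry=$(awk -v d="/dev/mapper/$name" '$1 !~ /^#/ && $1 == d { print $2, $4 }' "$fstab")
    if [ -z "$entry" ]; then
        echo "fstab: nothing mounts /dev/mapper/$name"; return 1
    fi
    mnt=${entry%% *} fopts=${entry#* }
    case "$mnt" in /home/*) ;; *) echo "fstab: $mnt is not under /home"; rc=1 ;; esac
    has_opt "$fopts" nofail || { echo "fstab: $mnt lacks 'nofail'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: /dev/mapper/$name -> $mnt"
    return "$rc"
}

# Constructed sample files: the answer's two lines, plus an fstab that
# forgot nofail, so the check can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '# <name> <device> <keyfile> <options>' \
    'encryptedhome /dev/sda1 none luks,noauto' > "$SAMPLE_DIR/crypttab"
printf '%s\n' '/dev/mapper/encryptedhome /home/you ext4 defaults,nofail 0 2' \
    > "$SAMPLE_DIR/fstab.good"
printf '%s\n' '/dev/mapper/encryptedhome /home/you ext4 defaults 0 2' \
    > "$SAMPLE_DIR/fstab.bad"

check_home_mount "$SAMPLE_DIR/crypttab" "$SAMPLE_DIR/fstab.good" encryptedhome
check_home_mount "$SAMPLE_DIR/crypttab" "$SAMPLE_DIR/fstab.bad" encryptedhome || true
```

Run it against the real files with `check_home_mount /etc/crypttab /etc/fstab encryptedhome` before rebooting; a non-zero exit means one of the two lines needs fixing.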