As of libpam-encfs (>> 0.1.4.1-4) there is no longer need to manually edit /etc/pam.d/common-auth. Do not manually edit that file unless you know *very well* what you are doing, may break login. libpam-encfs (>> 0.1.4.1-4) package will take care of properly modifying /etc/pam.d/common-auth. Remember that: * User using this module must be member of 'fuse' group. * You may still need to enable user_allow_other in /etc/fuse.conf. Some other info, Automatic umount of encfs volume on end of session ================================================== To handle automatic umount of encfs volume on end of session, two methods are available, * In "/etc/security/pam_encfs.conf", pass an idle=X option to encfs (where X stands for minutes) to have encfs volume umounted after X minutes idle. Default configuration uses this method with a 1 minute delay. * Umount immediately by adding to "/etc/pam.d/common-session" a line session required pam_encfs.so This will umount encfs immediately after session end. While this may look more secure it has some possible drawbacks: - pam_encfs filesystem auto-unmount when user still has a login (multiple logins) (http://code.google.com/p/pam-encfs/issues/detail?id=11) Seems that under some shells if there are multiple logins by the same user and one of these sessions is terminated (and pam_encfs is setup in PAM against session, such that is unmounts the filesystem on logout) that pam_encfs dismounts the filesystem, even though the user still has a session and may be using the filesystem. - I have read that with graphical logins and things like some gnome apps, some stuff may still be written to home directory after session is over. If session is finished immediately this may be written unencrypted. (https://help.ubuntu.com/community/EncryptedHomeDirectoryHowto) Using idle should decrease this risk. Since this method unconditionally affects all users, makes idle a no-op for use under libpam-encfs and cannot be reverted by modifying files under "/etc", libpam-encfs does not provide an snippet for automatic handling of "/etc/pam.d/common-session". If this method was previously enabled, it may have disappeared and get disabled when upgrading pam and libpam-encfs to use pam-auth-update, if automatic mode is selected. If you want to keep this method enabled, so encfs volume is unconditionally umounted immediately on session end (Remember that it sets that option for all users and makes idle a no-op for use under libpam-encfs) you need to manually edit "/etc/pam.d/common-session" and put above session stanza *outside* the automatically generated block. This will enable this method for all password based login systems. If you want to enable it only for some of them, you will need to modify only relevant entries under /etc/pam.d. Change your password (Thanks https://wiki.edubuntu.org/EncryptedHomeFolder) =========================================================================== Prior to anything else, consider making a backup of your encfs volume in a safe place. First, change your account password like normal. Then change the filesystem password. Open a terminal and do the following. Remember to change "testuser" with your username. Change your account login password: * $ passwd o (current) UNIX password: Then you can change the encfs password: * $ encfsctl passwd /home/.enc/testuser * Enter current Encfs password * EncFS Password: You should reboot to fully test as the folder often doesn't unmount at logout if you're not on a text login. Security Notes (Thanks https://wiki.edubuntu.org/EncryptedHomeFolder) ===================================================================== Normally fuse only allows access to the user who mounted an encrypted share; this is irrespective of the filesystem permissions. Because we used allow_root, the root user will be able to access your decrypted mount point so long as your files are mounted. Unfortunately, this is necessary for the pam module as the mounting is done by the root user. Sometimes pam fails to unmount your folder (esp if use graphical login), leaving it open even though your logged out. As stated, root will have access, but other users won't be able to access the folder (unless you set allow_other as a parameter). So as long as you're the only user with sudo access, you're fine. Otherwise you should reboot after logout to be sure, or log in as the root user and check with the mount command. Truthfully, if your this concerned, you should probably be doing something like dmcrypt instead. Without an encrypted swap partition, its possible for unencrypted file parts, passwords, or even the encfs key to be written to your swap partition. If swap is not encrypted, this can all be read by an attacker. Downside of this is that hibernate will no longer function. Enjoy. -- Agustin Martin Domingo , Thu, 17 May 2012 16:03:53 +0200