Privacy Solution

We implemented a privacy solution to give VDD users an encrypted volume at their disposal on any VM they log in to. The encrypted volume (an LVM logical volume) is mounted on the server's filesystem and shared via Samba to every VM.

Installation

We use a dm-crypt/LUKS solution. The Samba server also needs to be installed for the share activation described below.

root@serv1:~# apt-get install dmsetup
root@serv1:~# modprobe aes
root@serv1:~# modprobe dm_crypt
root@serv1:~# apt-get install cryptsetup
root@serv1:~# apt-get install samba

Encrypted Logical Volume Creation

We create the LV with lvcreate, check it for bad blocks with badblocks (the destructive write test used here also fills the volume with random data), and encrypt it with cryptsetup.

As an example we use the following settings:
user concerned: user1 (be sure this user exists on the system)
LV name and tag: user1_enc
LV size: 1 GB
existing VG name: serv1

root@serv1:~# lvcreate -n user1_enc -L 1G --addtag user1_enc serv1
root@serv1:~# badblocks -c 10240 -s -w -t random -v /dev/serv1/user1_enc
root@serv1:~# cryptsetup --verbose -c aes-cbc-essiv:sha256 --verify-passphrase luksFormat /dev/serv1/user1_enc

Filesystem Creation on Encrypted Volume

As an example we open the LUKS device, create an ext3 filesystem on the mapped device, and close it again.

root@serv1:~# cryptsetup luksOpen /dev/serv1/user1_enc user1_enc
root@serv1:~# mke2fs -j /dev/mapper/user1_enc
root@serv1:~# cryptsetup luksClose user1_enc

Mounting the encrypted volume through the pam-mount feature

As an example we mount the encrypted device for user1 on his folder /home/user1/share (be sure it exists and is owned by user1). libpam-mount needs to be installed, as it provides mount.crypt.

root@serv1:~# apt-get install libpam-mount
root@serv1:~# mount.crypt /dev/serv1/user1_enc /home/user1/share
root@serv1:~# chown -R user1:user1 /home/user1/share

Activating the share

We use the Samba 3 "usershare" feature so that the end user can activate his own share himself. The share is accessed by providing a username and password. First we need to add the user to the sambashare group and create a corresponding Samba user with smbpasswd.

root@serv1:~# adduser user1 sambashare
root@serv1:~# smbpasswd -a user1
New SMB password:
Retype new SMB password:
Added user user1.
root@serv1:~# su user1
user1@serv1:~$ net usershare add user1_share /home/user1/share "user1 share" user1:F
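As an added example (not part of the original page), a small shell helper that checks the state the steps above rely on (user present, device carries a LUKS header, mount point owned by the user) and emits the pam_mount volume entry that mounts the volume automatically at login. It assumes pam_mount reads /etc/security/pam_mount.conf.xml and that the user's login password equals the LUKS passphrase, which is what fstype="crypt" needs to open the volume at login.

```shell
#!/bin/sh
# Helper for the privacy-volume setup: validates the pieces each step depends
# on and prints the pam_mount <volume> element for automatic mounting at login.
# Assumption: the user's login password is the LUKS passphrase, so that
# fstype="crypt" (mount.crypt) can open the volume with the password pam_mount
# captured at login. Uses GNU stat and id.

# Print the <volume> element to place inside <pam_mount> ... </pam_mount>
# in /etc/security/pam_mount.conf.xml.
privacy_volume_xml() {
    printf '<volume user="%s" fstype="crypt" path="%s" mountpoint="%s" options="fsck" />\n' \
        "$1" "$2" "$3"
}

# 0 if the user exists and the directory exists and is owned by that user,
# 1 otherwise (with a reason on stderr).
check_mountpoint_owner() {
    local user=$1 dir=$2 uid owner
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user $user" >&2; return 1; }
    [ -d "$dir" ] || { echo "missing mount point $dir" >&2; return 1; }
    owner=$(stat -c %u "$dir")
    [ "$owner" = "$uid" ] || { echo "$dir is not owned by $user" >&2; return 1; }
}

# 0 if the device carries a LUKS header (needs cryptsetup and root).
check_luks_device() {
    cryptsetup isLuks "$1" 2>/dev/null || { echo "$1 is not a LUKS device" >&2; return 1; }
}

# Run all checks for one user; prints the XML element on success.
check_privacy_volume() {
    local user=$1 device=$2 mountpoint=$3
    check_luks_device "$device" || return 1
    check_mountpoint_owner "$user" "$mountpoint" || return 1
    privacy_volume_xml "$user" "$device" "$mountpoint"
}

# Usage (as root, with the values from this page):
#   check_privacy_volume user1 /dev/serv1/user1_enc /home/user1/share
```

Paste the printed element inside the <pam_mount> element of the configuration file; the manual mount.crypt step above is then no longer needed after login.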