2009-04-27
Auto mount/umount of encrypted $HOME on OpenBSD
WARNING:
This code and the method may be error prone and should be considered as a Proof of Concept.
Basically, the idea is the following: when you log in, your home directory should be decrypted and mounted automatically, and when you log out the process should be reversed.
What I've done is modify the original login_passwd to do the first part, e.g. decryption and mounting.
The second part is done by sudo and .bash_logout.
Setup:
1. Download the code, then make and make install
2. Add the login class to login.conf
3. Create the encrypted image and add the user to the system
4. Modify sudoers
5. Install bash (the default OpenBSD install does not contain bash)
6. Log in as the user and create .bash_logout
7. Try to log out and log in again
8. Notes
1. Is self-explanatory.
2. The following needs to be added to login.conf:
vnd:\
:auth=-vnd:\
:tc=default:
3. The image is created as follows:
touch /home/.en (the string after '.' is the username and should match the user we are about to add to the system. In this example the username is 'en')
dd if=/dev/zero of=/home/.en bs=1024 count=10000 (the result is a file of about 10M)
/sbin/vnconfig -ck -v svnd0 /home/.en (vnd setup. NOTE: the password should be the same as for the user we are about to add to the system, so the user has the same password both for login and for decryption of the image)
Now we have to init the disk and make a new filesystem on it.
fdisk -i svnd0
disklabel -E svnd0 (create only one partition - ‘a’)
newfs /dev/rsvnd0a
It can be a good idea to test-mount it, e.g. mount /dev/svnd0a /mnt/vnd_test. Don't forget to umount /mnt/vnd_test and vnconfig -u svnd0.
Now it is time to add the new user.
useradd -d /home/en -L vnd (adds user 'en' with the login class 'vnd'. Remember the login.conf part?)
passwd en (pick the same password as you picked for the encrypted image)
4. The sudoers file is modified to allow this user to do some operations at root level. The following goes into the sudoers file:
# Cmnd alias specification
Cmnd_Alias DROP_HOME= /sbin/umount /home/en
Cmnd_Alias DROP_VND= /sbin/vnconfig -u svnd0
# User privilege specification
root ALL=(ALL) SETENV: ALL
en ALL=(root) NOPASSWD: DROP_HOME
en ALL=(root) NOPASSWD: DROP_VND
5. Installation of bash is out of scope. This step just points out that we need bash to make everything work.
6. Now, before we can log in as user 'en' we need to do some minor setup:
mkdir /home/en; chown en /home/en
vnconfig -ck svnd0 /home/.en
mount -t ffs /dev/svnd0a /home/en
Now we should be able to log in as user 'en' and create .bash_logout:
touch .bash_logout
vi .bash_logout and add the following:
cd /tmp
sudo /sbin/umount $HOME
sudo /sbin/vnconfig -u svnd0
and logout.
7. If everything is done correctly, user 'en' should be able to log in to the encrypted $HOME and log out, with bash doing the clean-up job.
8. Notes
This setup is tightly bound to how the login_-vnd code works, so it is a good idea to take a look at it.
For instance, svnd0a is hardcoded in the code, as are the path and name of the encrypted image, e.g. /home/.username.
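The three-line .bash_logout above unmounts unconditionally: if the same user has a second session open, or if $HOME is for some reason not the vnd mount, the umount either fails noisily or pulls the filesystem out from under another shell. The script below is an added example (not the author's code) of a more careful logout hook for this setup. It assumes the values used throughout the post (user 'en', image attached as svnd0, /dev/svnd0a mounted on /home/en) and the two sudo rules from step 4, and it parses mount(8) and who(1) output in the form OpenBSD prints it ("/dev/svnd0a on /home/en type ffs (...)" and "en ttyp0 Apr 27 10:15"); the helper names and the "other sessions" check are mine, not part of the original method.

```shell
#!/bin/sh
# Added example: a more careful logout cleanup for the encrypted $HOME setup.
# Assumptions (hypothetical, matching the post): user 'en', image on svnd0,
# /dev/svnd0a mounted on /home/en, sudoers permits exactly the two commands.

VND_DEV="/dev/svnd0a"
VND_UNIT="svnd0"
VND_HOME="/home/en"

# home_is_mounted MOUNT_OUTPUT DEVICE MOUNTPOINT
# Succeeds (exit 0) only if a line of mount(8) output shows DEVICE mounted
# on MOUNTPOINT, e.g. "/dev/svnd0a on /home/en type ffs (local, nodev, nosuid)".
home_is_mounted() {
    printf '%s\n' "$1" | awk -v dev="$2" -v mp="$3" '
        $1 == dev && $2 == "on" && $3 == mp { found = 1 }
        END { exit found ? 0 : 1 }'
}

# other_sessions WHO_OUTPUT USER TTY
# Prints how many login sessions USER has apart from the one on TTY,
# based on who(1) lines such as "en ttyp0 Apr 27 10:15".
other_sessions() {
    printf '%s\n' "$1" | awk -v user="$2" -v tty="$3" '
        $1 == user && $2 != tty { n++ }
        END { print n + 0 }'
}

# cleanup: unmount $HOME and detach the vnd only when it is safe to do so.
# Refuses when the mount is not what we expect or another session of this
# user is still logged in (that session would lose its home directory).
cleanup() {
    mount_out=$(mount)
    who_out=$(who)
    me=$(id -un)
    my_tty=$(tty | sed 's#^/dev/##')

    if ! home_is_mounted "$mount_out" "$VND_DEV" "$VND_HOME"; then
        echo "logout: $VND_HOME is not mounted from $VND_DEV, nothing to do" >&2
        return 0
    fi
    if [ "$(other_sessions "$who_out" "$me" "$my_tty")" -gt 0 ]; then
        echo "logout: other sessions of $me still open, leaving $VND_HOME mounted" >&2
        return 0
    fi
    # Leave the directory first, otherwise umount reports it busy.
    cd /tmp || return 1
    sudo /sbin/umount "$VND_HOME" || { echo "logout: umount failed" >&2; return 1; }
    sudo /sbin/vnconfig -u "$VND_UNIT"
}
```

Save it as, for example, ~/.logout_cleanup.sh and make .bash_logout contain ". ~/.logout_cleanup.sh; cleanup". Note that this only runs on a clean interactive bash logout; a dropped ssh connection or a killed shell still leaves the image attached and mounted, so the check for other sessions is a convenience, not a guarantee.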
That’s all. Enjoy!
Comments and questions can be sent to me. (You know how to use Google, right?)