I'm evaluating an (x)ubuntu client for my company's software developers. We must use full disk encryption because of software that doesn't save its files in /home (like databases). The company uses "Active Directory" as its LDAP solution.
At system start I would want the LDAP user authentication to unlock the encryption. Is this easily possible with Linux tools?
I know of LVM with LUKS, but AFAIK that's one password and not connectable with LDAP.
A similar solution for Windows is "DriveLock".
Solution 1: Using a crypttab script to query LDAP
Full-disk encryption needs the key before the user authenticates. For that reason, you need to write/find a script that gets executed by crypttab when you use default Ubuntu full-disk encryption. A very simple example (without LDAP) can be found here. An example LDAP authentication python script can be found here. If you require multiple users to use the machine, you will have to get creative to see how the LDAP authentication will provide the same disk key all the time (e.g. multiple encrypted copies of the key locally, decrypt with user password?).
Solution 2: mapping the files/direction to an encrypted home directory
If I understand you correctly, you need a solution which essentially extends an encrypted home directory with a couple of other locations that are accessed by software run by the user. You can then use standard LDAP authentication to do the initial user login.
Solution 2a: using ln -s
ln -s creates symbolic links. If you only plan on having a static setup where the same one user uses the machine all the time, this setup could work. Use ln -s to redirect the files/folders that the software is writing to (redirect to the encrypted home directory). Or simply try to find out if you can re-configure (through re-compilation?) the output dir of the software.
Solution 2b: using loopfs
The last solution is similar to encrypted home directories: use loop-back file systems stored in the home directory of the user, and encrypt the home directory. If you know exactly where your software stores the data, you can write a script to mount the loopback filesystems to those locations. I will sketch out a solution now; you can adapt it to your specific needs then.
For example, let's assume your software needs to store sensitive data at /opt/foo. I assume that /opt/foo is currently empty. I am not 100% sure about the current Ubuntu way to do this, but essentially you need to:
1. Create an empty file of appropriate size with dd; let's call that one myLoopFS.
2. Use losetup /dev/loop0 yourfile or similar to connect your file to the loopback device (like /dev/loop0). You could even encrypt that file with losetup -e AES, but that is not needed as it will be stored in the encrypted home directory.
3. Then format /dev/loop0 with ext4.
4. Then mount it at /opt/foo when the user logs in.
5. Software then writes to /dev/loop0, which goes into your myLoopFS file.
6. Make sure that /dev/loop0 is unmounted again when the user logs out.
That system should meet your requirements, unless your software is writing sensitive data all over the place.
Summary
I did not find ready-made software to solve your problem, but it seems easy enough to solve with default Linux tools like ln -s, losetup, or crypttab scripts.
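As an added illustration of Solution 1's "multiple encrypted copies of the key locally, decrypt with user password" idea (example code written for this page, not from the answer's linked scripts): every user gets the same disk key wrapped under a key derived from their own password, and a crypttab keyscript unwraps the matching copy. The store path, the JSON layout and the stdlib-only wrapping construction (scrypt-derived pad plus HMAC tag) are assumptions of this example.

```python
#!/usr/bin/env python3
"""Per-user wrapped copies of one disk key, usable from a crypttab keyscript.

Every user gets the same master key wrapped under a key derived from their own
password, so any of them can unlock the volume before the network (and LDAP)
is reachable. Construction assumed for this example (stdlib only): a
scrypt-derived pad XORed with the key, fresh salt per entry, plus an
HMAC-SHA256 tag checked before anything is unwrapped.
"""
import getpass, hashlib, hmac, json, os, sys
from typing import Optional, Tuple

KEY_LEN = 32                                   # raw key handed to cryptsetup
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 2**20)

def _derive(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive (pad, mac_key) from the user's password and a per-entry salt."""
    out = hashlib.scrypt(password.encode(), salt=salt, dklen=2 * KEY_LEN, **SCRYPT)
    return out[:KEY_LEN], out[KEY_LEN:]

def wrap_key(password: str, disk_key: bytes) -> dict:
    """Encrypt-then-MAC one copy of disk_key under this user's password."""
    if len(disk_key) != KEY_LEN:
        raise ValueError("disk key must be %d bytes" % KEY_LEN)
    salt = os.urandom(16)                      # new salt => new pad per entry
    pad, mac_key = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(disk_key, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unwrap_key(entry: dict, password: str) -> Optional[bytes]:
    """Return the disk key, or None if the password does not verify."""
    salt, ct, tag = (bytes.fromhex(entry[k]) for k in ("salt", "ct", "tag"))
    pad, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time tag check
        return None
    return bytes(a ^ b for a, b in zip(ct, pad))

def unlock(store: dict, user: str, password: str) -> Optional[bytes]:
    """Look up the user's entry in the store {user: entry} and try to unwrap it."""
    entry = store.get(user)
    return unwrap_key(entry, password) if entry else None

if __name__ == "__main__":
    # crypttab passes its third field (here: path of the JSON store) as argv[1].
    # Only the raw key may go to stdout; prompts and errors go to stderr/tty.
    with open(sys.argv[1]) as f:
        store = json.load(f)
    sys.stderr.write("Username: ")
    user = sys.stdin.readline().strip()
    key = unlock(store, user, getpass.getpass("Password: "))  # prompts on /dev/tty
    if key is None:
        sys.exit("no matching entry or wrong password")
    sys.stdout.buffer.write(key)
```

The store is written once by an administrator calling wrap_key per user with the real volume key; the keyscript then needs no network at boot.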