Create an Encrypted Samba Share

by Mike on January 1, 2009 · 5 comments

in samba

Create a Script for Login to Samba Share
Here is a scenario where you have Windows users who need to log into an encrypted directory that is mounted on a Linux Samba share.  This provides an interesting option for security.
The Linux user, who has sudo access logs in and when they do  are asked to mount the truecrypt volume and also restart samba server because the volume will exist on a Samba share.  It is imperative that the user who mounts the share is in the adm group so they are able to enter the sudo commands to run programs as root.

Verify that the user is in the /etc/group file and listed in the “adm” group.  Here we have two users mike and sue in the adm group.

adm:x:4:mike , sue

Edit the Samba Server

Edit your /etc/samba/smb.conf file to allow the user mike to login to the encrypted directory.  Be sure your workgroup is the same for your Windows machines.  Notice that passwords are encrypted and the more secure tdbsam is used for the database backend.

This is a copy of what you need in your /etc/samba/smb.conf file.
netbios name = linuxserver
workgroup = WORKGROUP
server string = Public File Server
security = user
encrypt passwords = yes
passdb backend = tdbsam

comment = Truecrypt  Directory
path = /media/truecrypt3
valid users = mike
browsable = no
guest ok = no
read only = no

Create a smbpasswd Account
Be sure that the user you are using has their password on both the Linux system account and also on samba as they are separate databases.

smbpasswd -a mike
New SMB password:
Retype new SMB password:
Added user mike.

Edit the User’s .bashrc File
Each user that logs in to the Linux box has their environment created by the hidden .bashrc file which is in every user home directory.  What you want to do is at the end of the .bashrc file you want to add a line that will execute the script that you create.  Here is the information needed for the user mike to execute the script that will be in the user’s home directory.

sh /home/mike/

Create the truecrypt Script
This simple script will ask for the password of the sudo user (the password for the user mike in this example who has sudo rights), then it will mount the directory and restart samba so the directory is available with Samba.

# Truecrypt Script
truecrypt -k “” –protect-hidden=no –mount /protect/ /media/truecrypt3

sudo /etc/init.d/samba restart

Here is the output.

Last login: Thu Jan  1 06:59:09 2009 from
Enter password for /protect/
Enter system administrator password:
[sudo] password for mike:
* Stopping Samba daemons                                                [ OK ]
Starting Samba daemons                                                [ OK ]

Verify that the mount is running with this command:

truecrypt -l
3: /protect/ /dev/mapper/truecrypt3 /media/truecrypt3

Login from another Linux box with this command or with samba from a Windows machine, this is the Linux example.

smbclient //
Enter mike’s password:
Domain=[WK] OS=[Unix] Server=[Samba 3.2.3]
smb: \> ls
.                                   D        0  Fri Dec 26 05:49:43 2008
..                                  D        0  Thu Jan  1 11:39:10 2009
debconf.conf                              2969  Fri Dec 26 05:49:42 2008
sensors.conf                             85602  Fri Dec 26 05:49:43 2008
adduser.conf                              2986  Fri Dec 26 05:49:42 2008
nsswitch.conf                              475  Fri Dec 26 05:49:42 2008
ltrace.conf                              13144  Fri Dec 26 05:49:42 2008
xinetd.conf                                289  Fri Dec 26 05:49:43 2008
host.conf                                   92  Fri Dec 26 05:49:42 2008

47157 blocks of size 2048. 41816 blocks available
smb: \>


Phill Rogers January 2, 2009 at 3:21 pm

Perhaps I’m missing something but wouldn’t that scenario mean that any file which the Windows user opens will be decrypted on-the-fly between TrueCrypt and Samba before passing across the network with it’s unencrypted content visible to any network sniffer?

mike January 2, 2009 at 5:47 pm

One of the aspects of truecrypt is that while the volume is active the data is not encrypted, thus over the wire on a Samba transfer a sniffer could retrieve the data like any other data transfer with Samba. However, when the volume is not mounted it is encrypted and thus offers additional protection against theft or access when the owner is not accessing the share….it certainly is not a perfect solution.

jhansonxi January 3, 2009 at 10:02 pm

Your title is a little misleading. To encrypt data to a Samba share you need “smb transport encryption” which is being added to Samba. For mounting the truecrypt volume at login you can use pam_mount (

cjk March 9, 2009 at 1:19 pm

re jhansonxi: pam_mount cannot use truecrypt because tc is terribly broken with regards to its password prompt, leading to an infinite loop on EOF.
The safest solution for remote encryption is to create a plain dm-crypt image using pmt-ehd(8), export the crypto container, and then mount it on a remote Windows using FreeOTFE (or on Linux with dm-crypt).

oes tsetnoc September 25, 2009 at 11:52 pm

as a simple user on a netra 1, I took a lot of time to get “samba on SPARC/Solaris 10″ working. Your blog was very useful ;-) Thanx a lot

Previous post:

Next post: