Mumbai Airport has a really stupid security policy.

• If you're at the airport to see someone off, you have to do it from the road/pavement.
• One can enter the airport lounges only on producing a ticket for flying that day.
• The ticket holder cannot come out of the lounge after collecting the boarding pass.
• There is nothing which announces this. You get to know it only when the ticketholder is inside and you're not.

Why this is stupid :

• There is no security involved in the check-in process, or at entry into the lounge. A person does not cross a trust boundary in any of these procedures. A checked-in passenger is as untrusted as a non checked-in person. Yet, non checked-in persons can come out and checked-in ones cannot.
• There's nothing special about boarding passes. I hope their reasons are better than "someone with a fake boarding pass can enter the lounge". It's easier to print a fake ticket. E-tickets are just printouts and you can make your own. Or you can just buy a valid ticket with that nice bomb. Maybe there's a free-ticket-with-a-bomb offer as well.
• It gives a false sense of security. When only "valid" passengers are allowed inside, securitymen lower their guards. So do the people. There's this sense that the are is secure and the bad elements are out, which might lead to suspicious behaviour being overlooked or go unreported. The reality of course is that this setup doesn't *make* anything secure. Its worse than having no security at all.
• Of course, the airport loses a small stream of revenue. Visitors have, and will pay money to be longer with the passengers.

The CSIA website is another piece of turd. Weird javascript and generally borked.]]>

I use encfs, which is a FUSE filesystem. This might be better as a step by step HOWTO.

1. Make sure you have a big enough partition where the actual encrypted data would be stored. Make an entry in /etc/fstab mounting it at /real_home.

2. Make user directories in /real_home/. The only one I have is mine, /real_home/gera/

3. On the / filesystem, make a stub directory /home/gera - this will be the mountpoint for the encrypted filesystem.

4. Set up encfs - something like

$ encfs /real_home/gera /home/gera

You can choose the preconfigured paranoia mode.

5. install pam_encfs. The standard config will do, with very few changes. Here's mine :

gera@gera-laptop:~$ cat /etc/security/pam_encfs.conf | egrep -v '^(#|$)'
drop_permissions
encfs_default --idle=1
fuse_default nonempty
gera            /real_home/gera /home/gera      -v,--idle=1     allow_other,nonempty

Note the "allow_other" option. X will give you trouble if you don't do that.

6. Modify the common-auth and common-session files in /etc/pam.d - here are mine :

gera@gera-laptop:~$ cat /etc/pam.d/common-auth | egrep -v '^(#|$)'
auth    sufficient      pam_encfs.so
auth    required        pam_unix.so nullok_secure use_first_pass

gera@gera-laptop:~$ cat /etc/pam.d/common-session | egrep -v '^(#|$)'
session required        pam_encfs.so
session required        pam_unix.so
session optional        pam_foreground.so

7. Now you're set. You can log in from a console and the encrypted partition will be mounted at $HOME. Go ahead, try it. I said console. GDM doesn't work yet. For that, there are a couple of more tweaks.

8. Edit /etc/security/pam_env.conf to set up your ICEAUTHORITY environment variable. When you're logging in, your $HOME doesn't have the .ICEAuthority file, and GDM/Gnome fail. We'll tell them to look for it in an alternate location. Here's my /etc/security/pam_env.conf :

gera@gera-laptop:~$ cat /etc/security/pam_env.conf | egrep -v '^(#|$)'
LOGNAME         DEFAULT="gera"  OVERRIDE=${LOGNAME}
ICEAUTHORITY    DEFAULT=/real_home/${LOGNAME}/.ICEauthority

9. Try it out. If something doesn't work, please let me know. I might have forgotten something. Oh, and remember to set a root password on ditros like Ubuntu which encourage only the sudo way. I'd also recommend keeping a root session open in a console (or two) during this whole setup, in case anything goes wrong.

It should be clear that these are guidelines only. I am an idiot, and shouldn't be held responsible if you lose your data, your hardware, your privacy, or your job. Proceed at your own risk. :)]]>