Encrypting /home
This turned out to be really easy. By far not the most secure setup, but should stop the average thief from using the logins stored in my firefox ;-)
The following steps assume you have a recent Ubuntu (Debian might work as well) with a recent Kernel - 2.6.12 is known to work. As encryption works partition-wise, your /home
needs to be on it’s own partition, /dev/hda6
in my case.
These steps worked for me, but they might as well destroy all your data - but you sure do regular backups, don’t you ?
-
Go into single user mode and backup your home partition to some trusted media (e.g. another hard drive). We’ll need to restore from that backup later, so don’t skip this step ;-)
cp -a /home/* /some/mount/point
-
Install required tools (you need Universe in your apt sources)
apt-get install cryptsetup hashalot
-
Unmount the home partition:
umount /home
-
Initialize the encrypted device. This is the step which wipes out your original home partition, so double check your backup is ok. When asked for the passphrase, be sure to choose something strong. The passphrase will be used to encrypt the key which in turn is used to encrypt the partition. Read the Ubuntu encrypted fs howto for some background on passphrase strength.
cryptsetup -y -s 256 -c aes-cbc-essiv:sha256 luksFormat /dev/hda6
-
Edit
/etc/crypttab
and add a line like this:/dev/mapper/crypthda6 /dev/hda6 none cipher=aes-cbc-essiv:sha256 luksOpen /dev/ hda6 crypthda6
-
Edit
/etc/fstab
and change the device in the line which mounts/home
from/dev/hda6
to/dev/mapper/crypthda6
:/dev/mapper/crypthda6 /home ext3 defaults 0 2
-
Try out the cryptsetup initscript:
/etc/init.d/cryptdisks start
-
Mount your brand new encrypted home dir:
mount /home
-
To make sure everything works, create some file in /home, unmount, do
/etc/init.d/cryptdisks stop
, and start over with/etc/init.d/cryptdisks start
, mount/home
again and check the file you just created is there. -
If this worked, it’s time to restore the original contents of
/home
from your backup:cp -a /some/mount/point/* /home/
-
Reboot, type your passphrase if asked, and everything should be fine.