Jens Krämer

Encrypting /home

 |  linux, security, ubuntu

This turned out to be really easy. By far not the most secure setup, but should stop the average thief from using the logins stored in my firefox ;-)

The following steps assume you have a recent Ubuntu (Debian might work as well) with a recent Kernel - 2.6.12 is known to work. As encryption works partition-wise, your /home needs to be on it’s own partition, /dev/hda6 in my case.

These steps worked for me, but they might as well destroy all your data - but you sure do regular backups, don’t you ?

  1. Go into single user mode and backup your home partition to some trusted media (e.g. another hard drive). We’ll need to restore from that backup later, so don’t skip this step ;-)

    cp -a /home/* /some/mount/point

  2. Install required tools (you need Universe in your apt sources)

    apt-get install cryptsetup hashalot

  3. Unmount the home partition:

    umount /home

  4. Initialize the encrypted device. This is the step which wipes out your original home partition, so double check your backup is ok. When asked for the passphrase, be sure to choose something strong. The passphrase will be used to encrypt the key which in turn is used to encrypt the partition. Read the Ubuntu encrypted fs howto for some background on passphrase strength.

    cryptsetup -y -s 256 -c aes-cbc-essiv:sha256 luksFormat /dev/hda6

  5. Edit /etc/crypttab and add a line like this:

    /dev/mapper/crypthda6 /dev/hda6 none cipher=aes-cbc-essiv:sha256 luksOpen /dev/ hda6 crypthda6

  6. Edit /etc/fstab and change the device in the line which mounts /home from /dev/hda6 to /dev/mapper/crypthda6:

    /dev/mapper/crypthda6 /home ext3 defaults 0 2

  7. Try out the cryptsetup initscript:

    /etc/init.d/cryptdisks start

  8. Mount your brand new encrypted home dir: mount /home

  9. To make sure everything works, create some file in /home, unmount, do /etc/init.d/cryptdisks stop, and start over with /etc/init.d/cryptdisks start, mount /home again and check the file you just created is there.

  10. If this worked, it’s time to restore the original contents of /home from your backup:

    cp -a /some/mount/point/* /home/

  11. Reboot, type your passphrase if asked, and everything should be fine.

Comments

You can use Markdown here.

For the sake of spam checking any data you submit, including your IP address, will be transferred to the US based Akismet web service (akismet.com). If that's not acceptable for you, you can also reach me by other means.