This turned out to be really easy. It is far from the most secure setup, but it should stop the average thief from using the logins stored in my Firefox ;-)
The following steps assume you have a recent Ubuntu (Debian might work as well) with a recent kernel; 2.6.12 is known to work. As encryption works partition-wise, your /home needs to be on its own partition, /dev/hda6 in my case.
These steps worked for me, but they might just as well destroy all your data - but you surely do regular backups, don't you?
Go into single user mode and back up your home partition to some trusted media (e.g. another hard drive). We'll need to restore from that backup later, so don't skip this step ;-)
cp -a /home/* /some/mount/point
Install the required tools (you need Universe in your apt sources):
apt-get install cryptsetup hashalot
Unmount the home partition:
Initialize the encrypted device. This is the step which wipes out your original home partition, so double check your backup is ok. When asked for the passphrase, be sure to choose something strong. The passphrase will be used to encrypt the key which in turn is used to encrypt the partition. Read the Ubuntu encrypted fs howto for some background on passphrase strength.
cryptsetup -y -s 256 -c aes-cbc-essiv:sha256 luksFormat /dev/hda6
Edit /etc/crypttab and add a line like this:
/dev/mapper/crypthda6 /dev/hda6 none cipher=aes-cbc-essiv:sha256 luksOpen /dev/hda6 crypthda6
Edit /etc/fstab and change the device in the line which mounts /home:
/dev/mapper/crypthda6 /home ext3 defaults 0 2
Try out the cryptsetup initscript:
Mount your brand new encrypted home dir:
To make sure everything works, create some file in /home, unmount, do /etc/init.d/cryptdisks stop, and start over with /etc/init.d/cryptdisks start, mount /home again and check the file you just created is there.
If this worked, it's time to restore the original contents of /home from your backup:
cp -a /some/mount/point/* /home/
Reboot, type your passphrase if asked, and everything should be fine.
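The procedure depends on the backup twice: luksFormat destroys the original /home, and the final cp restores from the copy. The following shell functions are an added example, not part of the original post: they compare two directory trees by file content, type, mode, owner and symlink target, so /home can be checked against the backup before formatting and again after the restore. They assume GNU find and sha256sum; the names manifest and verify_copy are illustrative.

```shell
#!/bin/sh
# Added example: verify that a copy made with "cp -a" matches its source.
# Usage: sh verify_copy.sh /home /some/mount/point

# manifest DIR: print a sorted listing of DIR with one line per file hash
# and one line per entry giving type, mode, uid:gid, symlink target, path.
manifest() {
    (
        cd "$1" || exit 1
        # Content hash of every regular file (paths are relative to DIR).
        find . -type f -exec sha256sum {} +
        # Metadata of every entry below DIR, including dotfiles and symlinks.
        find . -mindepth 1 -printf '%y %m %U:%G %l %p\n'
    ) | LC_ALL=C sort
}

# verify_copy SRC DST: return 0 if both trees match, 1 if they differ,
# 2 on usage errors. Differences are printed to stderr in diff format.
verify_copy() {
    vc_src=$1
    vc_dst=$2
    if [ ! -d "$vc_src" ] || [ ! -d "$vc_dst" ]; then
        echo "verify_copy: both arguments must be directories" >&2
        return 2
    fi
    vc_a=$(mktemp) vc_b=$(mktemp) || return 2
    manifest "$vc_src" >"$vc_a"
    manifest "$vc_dst" >"$vc_b"
    if diff "$vc_a" "$vc_b" >&2; then
        vc_rc=0
    else
        vc_rc=1
    fi
    rm -f "$vc_a" "$vc_b"
    return "$vc_rc"
}

# Run the comparison only when two directories are given on the command line.
if [ $# -eq 2 ]; then
    verify_copy "$1" "$2"
fi
```

Run it as root so that files of all users are readable; a non-zero exit status before the luksFormat step means the backup is not yet safe to rely on.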