Syntax Error - Press Play on Tape -

22 May 2012

Debian 6.0: Encrypt /home post installation

The Debian installer provides an easy way of creating encrypted disk volumes during installation, including an encrypted root partition. However, if you skip this step and decide to encrypt a disk partition later, you need to set it up manually.

Fortunately, it's not too difficult. The following steps cover creating an encrypted /home, so you need to have a separate disk partition for it. Encrypting the root filesystem is more involved and is not covered by this tutorial.

  1. Install cryptsetup:
    apt-get install cryptsetup
  2. Back up the current /home contents and unmount the partition
  3. Create encrypted LUKS partition:
    cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda2
    (replace sda2 with your partition name; luksFormat overwrites whatever is on that partition)
  4. Open the LUKS partition and map it to 'encHome' (this name can be arbitrary):
    cryptsetup luksOpen /dev/sda2 encHome
  5. Format encrypted partition, e.g.:
    mkfs.ext4 /dev/mapper/encHome
  6. Mount it:
    mount /dev/mapper/encHome /home
  7. Restore /home contents from the backup
  8. Recreate initrd:
    update-initramfs -u
  9. Create /etc/crypttab entry for encrypted volume:
    # <target name> <source device> <key file> <options>
    encHome /dev/sda2 none luks
  10. Change the /etc/fstab entry for /home, e.g.:
    /dev/mapper/encHome /home ext4 defaults 0 2
  11. Reboot!
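
If the mapping name in /etc/crypttab (step 9) and the /dev/mapper device in /etc/fstab (step 10) do not match, the /home mount fails at boot. The shell function below is an added example, not part of the original post, that cross-checks the two files before the reboot; the name check_home_mapping and its return codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check that the fstab entry for a
# mount point refers to a mapping that crypttab actually defines as LUKS.
#
# check_home_mapping CRYPTTAB FSTAB MOUNTPOINT   (hypothetical helper name)
# Returns 0 if consistent; 1 no fstab entry; 2 not a /dev/mapper device;
# 3 mapping name missing from crypttab; 4 crypttab entry lacks "luks".
check_home_mapping() {
    crypttab=$1 fstab=$2 mnt=$3

    # Device field of the first non-comment fstab line for this mount point.
    dev=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $1; exit }' "$fstab")
    [ -n "$dev" ] || { echo "no fstab entry for $mnt"; return 1; }

    case $dev in
        /dev/mapper/*) name=${dev#/dev/mapper/} ;;
        *) echo "$mnt uses $dev, not a /dev/mapper device"; return 2 ;;
    esac

    # crypttab fields: target name, source device, key file, options.
    entry=$(awk -v n="$name" '$1 == n { print $2, $4; exit }' "$crypttab")
    [ -n "$entry" ] || { echo "crypttab has no target named $name"; return 3; }
    src=${entry%% *}
    opts=${entry#* }

    case ",$opts," in
        *,luks,*) ;;
        *) echo "crypttab entry $name lacks the luks option"; return 4 ;;
    esac

    echo "ok: $mnt <- $dev <- $src"
}

# Demo on constructed files holding the entries from steps 9 and 10.
demo() {
    d=$(mktemp -d) || return 1
    printf 'encHome /dev/sda2 none luks\n' > "$d/crypttab"
    printf '/dev/mapper/encHome /home ext4 defaults 0 2\n' > "$d/fstab"
    check_home_mapping "$d/crypttab" "$d/fstab" /home
    rc=$?
    rm -rf "$d"
    return $rc
}

# With three arguments, check real files; otherwise run the demo.
if [ "$#" -eq 3 ]; then check_home_mapping "$@"; else demo; fi
```

On the installed system, run it as root with the arguments /etc/crypttab /etc/fstab /home after step 10.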

During system startup you will be prompted for the password to access the LUKS volume. If you have Plymouth installed, you'll see a nice graphical password prompt.

For more documentation, including Debian-specific docs, see /usr/share/doc/cryptsetup and the cryptsetup and crypttab man pages.
