Thursday, June 16, 2011

Debian 6.0: encrypting /home partition after installation

The Debian installer provides an easy way to create encrypted disk volumes during installation, including an encrypted root partition. However, if you skip this step and decide to encrypt a disk partition later, you need to set it up manually. Fortunately, it's not too difficult. The following steps cover creating an encrypted /home, so you need to have a separate disk partition for it. Encrypting the root filesystem is more involved and is not covered by this tutorial.

  1. Install cryptsetup: apt-get install cryptsetup
  2. Back up the current /home contents and unmount the partition.
  3. Create the encrypted LUKS partition: cryptsetup luksFormat /dev/sda2 (replace sda2 with your partition name; this erases everything on that partition, hence the backup in step 2).
  4. Open LUKS partition and map it to 'crhome' (this name can be arbitrary): cryptsetup luksOpen /dev/sda2 crhome
  5. Format encrypted partition, e.g.: mkfs.ext4 /dev/mapper/crhome
  6. Mount it: mount /dev/mapper/crhome /home
  7. Restore /home contents from the backup.
  8. Recreate initrd: update-initramfs -u
  9. Create an /etc/crypttab entry for the encrypted volume:
    # <target name>         <source device>              <key file>        <options>
    crhome                  /dev/sda2                    none              luks
  10. Change the /etc/fstab entry for /home, e.g.:
    /dev/mapper/crhome   /home          ext4    defaults        0       2
  11. Reboot!
During system startup you will be prompted for the password to access the LUKS volume. If you have Plymouth installed, you'll see a nice graphical password prompt (see the screenshot). For more documentation, including Debian-specific docs, go to /usr/share/doc/cryptsetup and the cryptsetup/crypttab man pages.
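
A mistyped mapping name in step 9 or 10 leaves /home unmountable at the next boot, so it is worth checking that the two files agree before step 11. The script below is an added example, not part of the original post: the function names are hypothetical helpers (not cryptsetup commands), and the sample files are constructed to mirror the entries shown above.

```shell
#!/bin/sh
# Added example: confirm that the fstab entry (step 10) uses a mapping that
# crypttab (step 9) defines with the luks option. Helper names are hypothetical.

# Print the mapping name if MOUNTPOINT in FSTAB sits on /dev/mapper/NAME.
mapper_for_mount() {  # usage: mapper_for_mount FSTAB MOUNTPOINT
    awk -v mp="$2" '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        $2 == mp && index($1, "/dev/mapper/") == 1 { print substr($1, 13); exit }
    ' "$1"
}

# Print the source device of crypttab entry NAME if its options include luks.
crypttab_source() {   # usage: crypttab_source CRYPTTAB NAME
    awk -v name="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == name && index("," $4 ",", ",luks,") { print $2; exit }
    ' "$1"
}

# Print "NAME SOURCE" and return 0 when both files describe the same volume;
# return 1 if the mount point is not on a mapped device, 2 if crypttab lacks it.
check_crhome() {      # usage: check_crhome CRYPTTAB FSTAB [MOUNTPOINT]
    mp=${3:-/home}
    name=$(mapper_for_mount "$2" "$mp")
    [ -n "$name" ] || { echo "fstab: $mp is not on /dev/mapper/*" >&2; return 1; }
    src=$(crypttab_source "$1" "$name")
    [ -n "$src" ] || { echo "crypttab: no luks entry for $name" >&2; return 2; }
    echo "$name $src"
}

# Constructed sample files mirroring the entries from steps 9 and 10.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# target  source  keyfile  options' \
    'crhome  /dev/sda2  none  luks' > "$demo/crypttab"
printf '%s\n' '/dev/mapper/crhome  /home  ext4  defaults  0  2' > "$demo/fstab"
# Constructed broken variant: mapping name misspelled in fstab.
printf '%s\n' '/dev/mapper/crhom  /home  ext4  defaults  0  2' > "$demo/fstab.bad"

check_crhome "$demo/crypttab" "$demo/fstab"
check_crhome "$demo/crypttab" "$demo/fstab.bad" || echo "mismatch detected"
```

On the installed system, run check_crhome /etc/crypttab /etc/fstab before rebooting; cryptsetup isLuks /dev/sda2 additionally confirms that the source device carries a LUKS header.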