Thursday, June 16, 2011

Debian 6.0: encrypting /home partition after installation

Debian installer provides an easy way of creating encrypted disk volumes during installation, including encrypted root partition. However, if you skip this step and decide to encrypt a disk partition later, you need to perform manual setup. Fortunately, it's not too difficult. The following steps cover creating an encrypted /home, so you need to have a separate disk partition for it. Encrypting root filesystem is more sophisticated and it's not covered by this tutorial.

  1. Install cryptsetup: apt-get install cryptsetup
  2. Backup current /home contents and unmount the partition.
  3. Create encrypted LUKS partition: cryptsetup luksFormat /dev/sda2 (replace sda2 with your partion name).
  4. Open LUKS partition and map it to 'crhome' (this name can be arbitrary): cryptsetup luksOpen /dev/sda2 crhome
  5. Format encrypted partition, e.g.: mkfs.ext4 /dev/mapper/crhome
  6. Mount it: mount /dev/mapper/crhome /home
  7. Restore /home contents from the backup.
  8. Recreate initrd: update-initramfs -u
  9. Create /etc/crypttab entry for encrypted volume:
    #
    crhome                  /dev/sda2                    none              luks
  10. Change /etc/fstab entry for /home, .e.g:
    /dev/mapper/crhome   /home          ext4    defaults        0       2
  11. Reboot!
During system startup you will be prompted for password to access LUKS volume. If you have Plymouth installed, you'll see a nice graphical password prompt  - see the screenshot. For more documentation, including Debian-specific docs, got to /usr/share/doc/cryptsetup and cryptsetup/crypttab man pages.

6 comments:

Anonymous said...

Your steps worked great. I had to install lvm2 though. That setup the kernel modules for me. I didn't do any crypto setup with the debian installer, I just installed everything to a smallish unencrypted root and swap. I put the rest of the diskspace into a large partition I left unused. That became my new encrypted file system. I mounted it under /srv/. For performance reasons I wanted to leave most of my rc files and swap unencrypted. For email, firefox and a few other sensitive files, I put them on my encrypted filesystem and symlinked to them from my home directory. This also makes backups easy since all the files I want to keep are under a single directory.

Anonymous said...

I'm running an unattended/monitor-less server that I want to encrypt. Is it possible to avoid the auto-mounting and input the passphrase manually after the server boots? what would be the command line?

Anonymous said...

Thanks, instructions worked fine under Sid. I'm pleasently surprised that I see no slowdown on my netbook since encrypting /home either.

Pavel said...

Thank you for your guide. My Debian does not mount the encrypted partition automatically in the /dev/mapper/crhome. (manually it is okay) On booting, the fsck failed of course. I had a problem with update-initramfs. It returns error 127, "mkinitramfs: not found". Do you have any idea what to do? Thanks P.

Anonymous said...

Thank you for your guide. My Debian does not mount the encrypted partition automatically in the /dev/mapper/crhome. (manually it is okay) On booting, the fsck failed of course. I had a problem with update-initramfs. It returns error 127, "mkinitramfs: not found". Do you have any idea what to do? Thanks P.

Robert Heller said...

This does not seem to work for Debian 7. Does debian 7 have some special magic? I can *manually* mount the file system, but debian won't mount it during boot up.