- Install cryptsetup: apt-get install cryptsetup
- Backup current /home contents and unmount the partition.
- Create encrypted LUKS partition: cryptsetup luksFormat /dev/sda2 (replace sda2 with your partition name).
- Open LUKS partition and map it to 'crhome' (this name can be arbitrary): cryptsetup luksOpen /dev/sda2 crhome
- Format encrypted partition, e.g.: mkfs.ext4 /dev/mapper/crhome
- Mount it: mount /dev/mapper/crhome /home
- Restore /home contents from the backup.
- Recreate initrd: update-initramfs -u
- Create /etc/crypttab entry for encrypted volume:
  #
  crhome /dev/sda2 none luks
- Change /etc/fstab entry for /home, e.g.:
  /dev/mapper/crhome /home ext4 defaults 0 2
- Reboot!
During system startup you will be prompted for the password to access the LUKS volume. If you have Plymouth installed, you'll see a nice graphical password prompt - see the screenshot. For more documentation, including Debian-specific docs, go to /usr/share/doc/cryptsetup and the cryptsetup/crypttab man pages.
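The crypttab and fstab steps above only work together if the mapper name in fstab matches a crypttab target. The following is an added example, not part of the original post, that checks this before rebooting; the function names and the crdata entry are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Report /dev/mapper/NAME devices used in an fstab that have no matching
# target in a crypttab. Note: LVM volumes also live under /dev/mapper and
# will be listed; only LUKS mappings need a crypttab entry.

# Print the target name (field 1) of each active crypttab line.
crypttab_targets() {
    awk 'NF == 0 || $1 ~ /^#/ { next } { print $1 }' "$1"
}

# Print the mapper names an fstab mounts (field 1 under /dev/mapper/).
fstab_mapper_names() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         index($1, "/dev/mapper/") == 1 { print substr($1, 13) }' "$1"
}

# missing_mappings CRYPTTAB FSTAB
# Prints each unmatched name; returns 1 if any were found, else 0.
missing_mappings() {
    rc=0
    for name in $(fstab_mapper_names "$2"); do
        if ! crypttab_targets "$1" | grep -qxF -- "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files using the entries from the steps above, plus
# one fstab line (crdata) that deliberately has no crypttab entry.
write_samples() {
    printf '%s\n' '# constructed sample' 'crhome /dev/sda2 none luks' > "$1/crypttab"
    printf '%s\n' '/dev/sda1 / ext4 errors=remount-ro 0 1' \
        '/dev/mapper/crhome /home ext4 defaults 0 2' > "$1/fstab.ok"
    printf '%s\n' '/dev/mapper/crhome /home ext4 defaults 0 2' \
        '/dev/mapper/crdata /srv ext4 defaults 0 2' > "$1/fstab.bad"
}

# With two arguments, check real files: sh check.sh /etc/crypttab /etc/fstab
if [ "$#" -eq 2 ]; then
    missing_mappings "$1" "$2"
fi
```

An empty result with exit status 0 means every mapper device in fstab has a crypttab entry to unlock it at boot.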
6 comments:
Your steps worked great. I had to install lvm2 though. That set up the kernel modules for me. I didn't do any crypto setup with the Debian installer, I just installed everything to a smallish unencrypted root and swap. I put the rest of the disk space into a large partition I left unused. That became my new encrypted file system. I mounted it under /srv/. For performance reasons I wanted to leave most of my rc files and swap unencrypted. For email, firefox and a few other sensitive files, I put them on my encrypted filesystem and symlinked to them from my home directory. This also makes backups easy since all the files I want to keep are under a single directory.
I'm running an unattended/monitor-less server that I want to encrypt. Is it possible to avoid the auto-mounting and input the passphrase manually after the server boots? What would be the command line?
Thanks, instructions worked fine under Sid. I'm pleasantly surprised that I see no slowdown on my netbook since encrypting /home either.
Thank you for your guide. My Debian does not mount the encrypted partition automatically in the /dev/mapper/crhome. (manually it is okay) On booting, the fsck failed of course. I had a problem with update-initramfs. It returns error 127, "mkinitramfs: not found". Do you have any idea what to do? Thanks P.
This does not seem to work for Debian 7. Does Debian 7 have some special magic? I can *manually* mount the file system, but Debian won't mount it during boot up.