setting up an encrypted home directory (on gentoo)

From thelinuxwiki
Jump to: navigation, search

This procedure was performed using a newly added virtual hard drive (/dev/sdb) in a VM. Substitute your device and number where appropriate.


Identify my newly added drive (sbb) 

mybox ~ # ls /dev/sd*
/dev/sda  /dev/sda1  /dev/sda2  /dev/sdb

Install a kernel with needed dev mapper / crypto support (steps not covered here). If you are using a distro other than gentoo then your kernel will most likely already have the needed support.

Install the cryptsetup package 

mybox ~ # emerge -av --quiet cryptsetup

create a linux partition to encrypt 

mybox ~ # fdisk /dev/sdb

mine looked like this... 

Command (m for help): p

Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048    41943039    20970496   83  Linux

encrypt the partition, set the passphrase (used to unlock it) 

mybox ~ # cryptsetup -c aes-xts-plain -s 512 -v -y luksFormat /dev/sdb1

WARNING!
   ========
   This will overwrite data on /dev/sdb1 irrevocably.

   Are you sure? (Type uppercase yes): YES
   Enter LUKS passphrase: 
   Verify passphrase: 
   Command successful.

move your home directory. I did this on a running system without X11. If you are root, stop X, and drop to into one of the psuedo terminals, this should work for you just fine. 

 mybox home # mv /home/ /home_backup/

open the encrypted partition and create dev mapper entry 

   mybox home # cryptsetup luksOpen /dev/sdb1 home
   Enter passphrase for /dev/sdb1:

make your filesystem 

   mybox home # mkfs.ext4 /dev/mapper/home

now you can mount it :) 

   mybox home # mount /dev/mapper/home /home

copy your saved home dir data to the new encrypted home partition 

   mybox home # rsync -pav /home_backup/ /home/

configure you box to open the new home drive on boot. You will be prompted for the password set above on every boot. 

   mybox home # vi /etc/conf.d/dmcrypt

added lines... 

   target=home
   source='/dev/sdb1'

configure dmcrypt service to load on boot 

   mybox home # rc-update add dmcrypt boot
    * service dmcrypt added to runlevel boot

configure fstab to mount home on boot 

    mybox home # vi /etc/fstab

added or alter home line... 

    /dev/mapper/home    /home    ext4    noatime         0 0

All done! enjoy your new, secure computing environment. 

mybox home # reboot
Retrieved from "http://www.thelinuxwiki.com/index.php?title=setting_up_an_encrypted_home_directory_(on_gentoo)&oldid=221"