Difference between revisions of "setting up an encrypted home directory (on gentoo)"

From thelinuxwiki
Jump to: navigation, search
(Created page with "mybox ~ # ls /dev/sd* /dev/sda /dev/sda1 /dev/sda2 /dev/sdb install a kernel with needed dev mapper / crypto support (steps not covered here) install cryptsetup package ...")
 
 
(4 intermediate revisions by one user not shown)
Line 1: Line 1:
mybox ~ # ls /dev/sd*
+
This procedure was performed using a newly added virtual hard drive (/dev/sdb) in a VM. Substitute your device and number where appropriate.
/dev/sda /dev/sda1  /dev/sda2  /dev/sdb
+
  
install a kernel with needed dev mapper / crypto support (steps not covered here)
 
  
install cryptsetup package
+
Identify my newly added drive (sbb)
  mybox ~ # emerge -av --quiet cryptsetup
+
 
 +
mybox ~ # '''ls /dev/sd*'''
 +
/dev/sda  /dev/sda1  /dev/sda2  '''/dev/sdb'''
 +
 
 +
Install a kernel with needed dev mapper / crypto support (steps not covered here).  If you are using a distro other than gentoo then your kernel will most likely already have the needed support.
 +
 
 +
Install the cryptsetup package
 +
  mybox ~ # '''emerge -av --quiet cryptsetup'''
  
 
create a linux partition to encrypt
 
create a linux partition to encrypt
  mybox ~ # fdisk /dev/sdb
+
  mybox ~ # '''fdisk /dev/sdb'''
  
mine looked like this...
+
mine looked like this...
  
  Command (m for help): p
+
  Command (m for help): p<br>
 
+
Device Boot      Start        End      Blocks  Id  System
    Device Boot      Start        End      Blocks  Id  System
+
/dev/sdb1            2048    41943039    20970496  83  Linux
    /dev/sdb1            2048    41943039    20970496  83  Linux
+
  
 
encrypt the partition, set the passphrase (used to unlock it)
 
encrypt the partition, set the passphrase (used to unlock it)
  mybox ~ # cryptsetup -c aes-xts-plain -s 512 -v -y luksFormat /dev/sdb1
+
  mybox ~ # '''cryptsetup -c aes-xts-plain -s 512 -v -y luksFormat /dev/sdb1'''
 
+
<br>WARNING!
    WARNING!
+
 
     ========
 
     ========
     This will overwrite data on /dev/sdb1 irrevocably.
+
     This will overwrite data on /dev/sdb1 irrevocably.<br>
 
+
 
     Are you sure? (Type uppercase yes): YES
 
     Are you sure? (Type uppercase yes): YES
 
     Enter LUKS passphrase:  
 
     Enter LUKS passphrase:  
Line 29: Line 31:
 
     Command successful.
 
     Command successful.
  
move your home directory
+
move your home directory.  I did this on a running system without X11.  If you are root, stop X,  and drop to into one of the psuedo terminals, this should work for you just fine. 
 
   mybox home # mv /home/ /home_backup/
 
   mybox home # mv /home/ /home_backup/
  
 
open the encrypted partition and create dev mapper entry
 
open the encrypted partition and create dev mapper entry
     mybox home # cryptsetup luksOpen /dev/sdb1 home
+
     mybox home # '''cryptsetup luksOpen /dev/sdb1 home'''
 
     Enter passphrase for /dev/sdb1:  
 
     Enter passphrase for /dev/sdb1:  
 
  
 
make your filesystem
 
make your filesystem
     mybox home # mkfs.ext4 /dev/mapper/home
+
     mybox home # '''mkfs.ext4 /dev/mapper/home'''
  
 
now you can mount it :)
 
now you can mount it :)
     mybox home # mount /dev/mapper/home /home
+
     mybox home # '''mount /dev/mapper/home /home'''
  
 
copy your saved home dir data to the new encrypted home partition
 
copy your saved home dir data to the new encrypted home partition
     mybox home # rsync -pav /home_backup/ /home/
+
     mybox home # '''rsync -pav /home_backup/ /home/'''
  
 
configure you box to open the new home drive on boot.  You will be prompted for the password set above on every boot.
 
configure you box to open the new home drive on boot.  You will be prompted for the password set above on every boot.
     mybox home # vi /etc/conf.d/dmcrypt  
+
     mybox home # '''vi /etc/conf.d/dmcrypt'''
 +
 
 +
added lines...
  
    added lines...
 
 
     target=home
 
     target=home
 
     source='/dev/sdb1'
 
     source='/dev/sdb1'
 
      
 
      
 
configure dmcrypt service to load on boot
 
configure dmcrypt service to load on boot
     mybox home # rc-update add dmcrypt boot
+
     mybox home # '''rc-update add dmcrypt boot'''
 
     * service dmcrypt added to runlevel boot
 
     * service dmcrypt added to runlevel boot
  
 
configure fstab to mount home on boot
 
configure fstab to mount home on boot
     mybox home # vi /etc/fstab
+
     mybox home # '''vi /etc/fstab'''
  
    added or alter home line...
+
added or alter home line...
 
     /dev/mapper/home    /home    ext4    noatime        0 0
 
     /dev/mapper/home    /home    ext4    noatime        0 0
 
mybox home # cryptsetup luksAddKey /dev/sdb1 /root/hdpw
 
Enter any passphrase:
 
  
 
All done!  enjoy your new, secure computing environment.
 
All done!  enjoy your new, secure computing environment.
  mybox home # reboot
+
  mybox home # '''reboot'''
  
[[category:encryption]]
+
[[category:disk encryption]]

Latest revision as of 18:04, 12 April 2013

This procedure was performed using a newly added virtual hard drive (/dev/sdb) in a VM. Substitute your device and number where appropriate.


Identify my newly added drive (sbb) 

mybox ~ # ls /dev/sd*
/dev/sda  /dev/sda1  /dev/sda2  /dev/sdb

Install a kernel with needed dev mapper / crypto support (steps not covered here). If you are using a distro other than gentoo then your kernel will most likely already have the needed support.

Install the cryptsetup package 

mybox ~ # emerge -av --quiet cryptsetup

create a linux partition to encrypt 

mybox ~ # fdisk /dev/sdb

mine looked like this... 

Command (m for help): p

Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048    41943039    20970496   83  Linux

encrypt the partition, set the passphrase (used to unlock it) 

mybox ~ # cryptsetup -c aes-xts-plain -s 512 -v -y luksFormat /dev/sdb1

WARNING!
   ========
   This will overwrite data on /dev/sdb1 irrevocably.

   Are you sure? (Type uppercase yes): YES
   Enter LUKS passphrase: 
   Verify passphrase: 
   Command successful.

move your home directory. I did this on a running system without X11. If you are root, stop X, and drop to into one of the psuedo terminals, this should work for you just fine. 

 mybox home # mv /home/ /home_backup/

open the encrypted partition and create dev mapper entry 

   mybox home # cryptsetup luksOpen /dev/sdb1 home
   Enter passphrase for /dev/sdb1:

make your filesystem 

   mybox home # mkfs.ext4 /dev/mapper/home

now you can mount it :) 

   mybox home # mount /dev/mapper/home /home

copy your saved home dir data to the new encrypted home partition 

   mybox home # rsync -pav /home_backup/ /home/

configure you box to open the new home drive on boot. You will be prompted for the password set above on every boot. 

   mybox home # vi /etc/conf.d/dmcrypt

added lines... 

   target=home
   source='/dev/sdb1'

configure dmcrypt service to load on boot 

   mybox home # rc-update add dmcrypt boot
    * service dmcrypt added to runlevel boot

configure fstab to mount home on boot 

    mybox home # vi /etc/fstab

added or alter home line... 

    /dev/mapper/home    /home    ext4    noatime         0 0

All done! enjoy your new, secure computing environment. 

mybox home # reboot
Retrieved from "http://www.thelinuxwiki.com/index.php?title=setting_up_an_encrypted_home_directory_(on_gentoo)&oldid=221"