Difference between revisions of "setting up an encrypted home directory (on gentoo)"
(Created page with "mybox ~ # ls /dev/sd* /dev/sda /dev/sda1 /dev/sda2 /dev/sdb install a kernel with needed dev mapper / crypto support (steps not covered here) install cryptsetup package ...") |
|||
Line 1: | Line 1: | ||
− | + | This procedure was performed using a newly added virtual hard drive (/dev/sdb) in a VM. Substitute your device and number where appropriate. | |
− | + | ||
− | |||
− | + | Identify my newly added drive (sbb) | |
− | mybox ~ # emerge -av --quiet cryptsetup | + | |
+ | mybox ~ # '''ls /dev/sd*''' | ||
+ | /dev/sda /dev/sda1 /dev/sda2 '''/dev/sdb''' | ||
+ | |||
+ | Install a kernel with needed dev mapper / crypto support (steps not covered here). If you are using a distro other than gentoo then your kernel will most likely already have the needed support. | ||
+ | |||
+ | Install the cryptsetup package | ||
+ | mybox ~ # '''emerge -av --quiet cryptsetup''' | ||
create a linux partition to encrypt | create a linux partition to encrypt | ||
− | mybox ~ # fdisk /dev/sdb | + | mybox ~ # '''fdisk /dev/sdb''' |
mine looked like this... | mine looked like this... | ||
Line 18: | Line 23: | ||
encrypt the partition, set the passphrase (used to unlock it) | encrypt the partition, set the passphrase (used to unlock it) | ||
− | mybox ~ # cryptsetup -c aes-xts-plain -s 512 -v -y luksFormat /dev/sdb1 | + | mybox ~ # '''cryptsetup -c aes-xts-plain -s 512 -v -y luksFormat /dev/sdb1''' |
WARNING! | WARNING! | ||
======== | ======== | ||
− | This will overwrite data on /dev/sdb1 irrevocably. | + | This will overwrite data on /dev/sdb1 irrevocably.<br> |
− | + | ||
Are you sure? (Type uppercase yes): YES | Are you sure? (Type uppercase yes): YES | ||
Enter LUKS passphrase: | Enter LUKS passphrase: | ||
Line 29: | Line 33: | ||
Command successful. | Command successful. | ||
− | move your home directory | + | move your home directory. I did this on a running system without X11. If you are root, stop X, and drop to into one of the psuedo terminals, this should work for you just fine. |
mybox home # mv /home/ /home_backup/ | mybox home # mv /home/ /home_backup/ | ||
open the encrypted partition and create dev mapper entry | open the encrypted partition and create dev mapper entry | ||
− | mybox home # cryptsetup luksOpen /dev/sdb1 home | + | mybox home # '''cryptsetup luksOpen /dev/sdb1 home''' |
Enter passphrase for /dev/sdb1: | Enter passphrase for /dev/sdb1: | ||
− | |||
make your filesystem | make your filesystem | ||
− | mybox home # mkfs.ext4 /dev/mapper/home | + | mybox home # '''mkfs.ext4 /dev/mapper/home''' |
now you can mount it :) | now you can mount it :) | ||
− | mybox home # mount /dev/mapper/home /home | + | mybox home # '''mount /dev/mapper/home /home''' |
copy your saved home dir data to the new encrypted home partition | copy your saved home dir data to the new encrypted home partition | ||
− | mybox home # rsync -pav /home_backup/ /home/ | + | mybox home # '''rsync -pav /home_backup/ /home/''' |
configure you box to open the new home drive on boot. You will be prompted for the password set above on every boot. | configure you box to open the new home drive on boot. You will be prompted for the password set above on every boot. | ||
− | mybox home # vi /etc/conf.d/dmcrypt | + | mybox home # '''vi /etc/conf.d/dmcrypt''' |
+ | |||
+ | added lines... | ||
− | |||
target=home | target=home | ||
source='/dev/sdb1' | source='/dev/sdb1' | ||
configure dmcrypt service to load on boot | configure dmcrypt service to load on boot | ||
− | mybox home # rc-update add dmcrypt boot | + | mybox home # '''rc-update add dmcrypt boot''' |
* service dmcrypt added to runlevel boot | * service dmcrypt added to runlevel boot | ||
configure fstab to mount home on boot | configure fstab to mount home on boot | ||
− | mybox home # vi /etc/fstab | + | mybox home # '''vi /etc/fstab''' |
− | + | added or alter home line... | |
/dev/mapper/home /home ext4 noatime 0 0 | /dev/mapper/home /home ext4 noatime 0 0 | ||
− | |||
− | |||
− | |||
All done! enjoy your new, secure computing environment. | All done! enjoy your new, secure computing environment. |
Revision as of 17:39, 12 April 2013
This procedure was performed using a newly added virtual hard drive (/dev/sdb) in a VM. Substitute your device and number where appropriate.
Identify my newly added drive (sbb)
mybox ~ # ls /dev/sd* /dev/sda /dev/sda1 /dev/sda2 /dev/sdb
Install a kernel with needed dev mapper / crypto support (steps not covered here). If you are using a distro other than gentoo then your kernel will most likely already have the needed support.
Install the cryptsetup package
mybox ~ # emerge -av --quiet cryptsetup
create a linux partition to encrypt
mybox ~ # fdisk /dev/sdb
mine looked like this...
Command (m for help): p
Device Boot Start End Blocks Id System /dev/sdb1 2048 41943039 20970496 83 Linux
encrypt the partition, set the passphrase (used to unlock it)
mybox ~ # cryptsetup -c aes-xts-plain -s 512 -v -y luksFormat /dev/sdb1
WARNING! ======== This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful.
move your home directory. I did this on a running system without X11. If you are root, stop X, and drop to into one of the psuedo terminals, this should work for you just fine.
mybox home # mv /home/ /home_backup/
open the encrypted partition and create dev mapper entry
mybox home # cryptsetup luksOpen /dev/sdb1 home Enter passphrase for /dev/sdb1:
make your filesystem
mybox home # mkfs.ext4 /dev/mapper/home
now you can mount it :)
mybox home # mount /dev/mapper/home /home
copy your saved home dir data to the new encrypted home partition
mybox home # rsync -pav /home_backup/ /home/
configure you box to open the new home drive on boot. You will be prompted for the password set above on every boot.
mybox home # vi /etc/conf.d/dmcrypt
added lines...
target=home source='/dev/sdb1'
configure dmcrypt service to load on boot
mybox home # rc-update add dmcrypt boot * service dmcrypt added to runlevel boot
configure fstab to mount home on boot
mybox home # vi /etc/fstab
added or alter home line...
/dev/mapper/home /home ext4 noatime 0 0
All done! enjoy your new, secure computing environment.
mybox home # reboot