setting up an encrypted home directory (on gentoo)
This procedure was performed using a newly added virtual hard drive (/dev/sdb) in a VM. Substitute your device and number where appropriate.
Identify my newly added drive (sbb)
mybox ~ # ls /dev/sd* /dev/sda /dev/sda1 /dev/sda2 /dev/sdb
Install a kernel with needed dev mapper / crypto support (steps not covered here). If you are using a distro other than gentoo then your kernel will most likely already have the needed support.
Install the cryptsetup package
mybox ~ # emerge -av --quiet cryptsetup
create a linux partition to encrypt
mybox ~ # fdisk /dev/sdb
mine looked like this...
Command (m for help): p
Device Boot Start End Blocks Id System /dev/sdb1 2048 41943039 20970496 83 Linux
encrypt the partition, set the passphrase (used to unlock it)
mybox ~ # cryptsetup -c aes-xts-plain -s 512 -v -y luksFormat /dev/sdb1
WARNING! ======== This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful.
move your home directory. I did this on a running system without X11. If you are root, stop X, and drop to into one of the psuedo terminals, this should work for you just fine.
mybox home # mv /home/ /home_backup/
open the encrypted partition and create dev mapper entry
mybox home # cryptsetup luksOpen /dev/sdb1 home Enter passphrase for /dev/sdb1:
make your filesystem
mybox home # mkfs.ext4 /dev/mapper/home
now you can mount it :)
mybox home # mount /dev/mapper/home /home
copy your saved home dir data to the new encrypted home partition
mybox home # rsync -pav /home_backup/ /home/
configure you box to open the new home drive on boot. You will be prompted for the password set above on every boot.
mybox home # vi /etc/conf.d/dmcrypt
added lines...
target=home source='/dev/sdb1'
configure dmcrypt service to load on boot
mybox home # rc-update add dmcrypt boot * service dmcrypt added to runlevel boot
configure fstab to mount home on boot
mybox home # vi /etc/fstab
added or alter home line...
/dev/mapper/home /home ext4 noatime 0 0
All done! enjoy your new, secure computing environment.
mybox home # reboot