Searching for Signal

the n01se blog

encrypted /home

I've done this now on a few systems, mostly laptops. My reasoning is that any data I care about (particularly email) are stored in my home directory. If the laptop were to get out of my possession, it would likely be shut off at the time, and I don't use suspend/resume. So encrypting /home suffices to protect me if the laptop is lost or stolen. It's also easier and more performance-friendly than encrypting the root dir or swap.

When I installed my current laptop, I knew I'd encrypt /home eventually so I left a spare partition, hda3. If you don't have one, you'll need to shrink a filesystem to create a new partition or logical volume. When you're ready with that, the next step is to create the encrypted mapping.

modprobe aes # or aes-i586 on x86 systems
emerge cryptsetup-luks
cryptsetup --verify-passphrase luksFormat /dev/hda3
cryptsetup luksOpen /dev/hda3 home
mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/home

Next copy the existing /home to the encrypted filesystem. Be sure not to alter any important data in /home since you'll lose any changes made after the copy. You can enforce this by switching to single user mode but I don't bother personally.

mkdir /mnt/newhome
mount /dev/mapper/home /mnt/newhome
cp -ax /home/. /mnt/newhome
umount /mnt/newhome

Next let Gentoo know about it, then reboot to start using the encrypted /home:

printf 'mount=home\nsource=/dev/hda3\ntype=luks\n' >> /etc/conf.d/cryptfs
echo '/dev/mapper/home /home ext3 noatime 0 0' >> /etc/fstab
echo 'aes' >> /etc/modules.autoload.d/kernel-2.6  # or aes-i586
mv /home /oldhome
mkdir /home
reboot

Finally, when you've verified that it's working, be sure to remove the old home which still contains unencrypted data!

rm -rf /oldhome