Last updated: 2009-01-27 08:43:07
Martti Kuparinen <martti.kuparinen@iki.fi>
http://www.iki.fi/kuparine/comp/ubuntu/en/cryptohomeswap.html
According to our company policy all laptop computers must use hard drive encryption to protect the sensitive data in case the computer (or just its hard drive) is lost or stolen. This document describes how I created the disk partitions on my Dell Latitude D630 to conform to the company policy. After the initial installation I used my own installation helper script to finish the installation and configuration.
I wanted to deploy hard drive encryption just for /home and swap, but leave the operating system itself unencrypted, as there is nothing secret in there. During the initial Ubuntu installation I created a separate file system for /home.
Next I set the root password and rebooted, just to be sure that no processes (e.g. gvfsd) were holding the user's home directory open.
sudo passwd root
sudo reboot
After reboot I logged in as root (not as the normal user!) and backed up the existing (almost empty) /home directory.
cd /home
tar czf /var/tmp/home.tgz *
cd
Next I modified /etc/fstab so that it no longer uses UUIDs for /home and swap. The existing UUIDs become invalid once the partitions are encrypted, so it is better to use the real device names (/dev/sdXY) for these two. I then unmounted /home and turned off swap on the swap partition for the duration of the encryption setup.
fdisk -l /dev/sda

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x41ab2316

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        4864    39070048+   7  HPFS/NTFS
/dev/sda2            4865        6080     9767520   83  Linux
/dev/sda3            6081        6202      979965   82  Linux swap / Solaris
/dev/sda4            6203       19457   106470787+  83  Linux

vi /etc/fstab

proc            /proc           proc        defaults                    0   0
/dev/sda2       /               ext3        relatime,errors=remount-ro  0   1
/dev/sda3       none            swap        sw                          0   0
/dev/sda4       /home           ext3        relatime                    0   2
/dev/sda1       /windows        ntfs-3g     defaults                    0   0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec,utf8       0   0

swapoff /dev/sda3
umount /dev/sda4
Next I performed the encryption setup.
aptitude install cryptsetup
modprobe dm_crypt

## Optionally fill the old /home and swap with random data
#dd if=/dev/urandom of=/dev/sda3
#dd if=/dev/urandom of=/dev/sda4

vi /etc/crypttab

# <target name> <source device>     <key file>      <options>
swap            /dev/sda3           /dev/urandom    swap
home            /dev/sda4           none            luks

# Format /home as a LUKS volume (asks for the passphrase), open it as /dev/mapper/home
# and let the cryptdisks init script set up the swap mapping from /etc/crypttab.
cryptsetup --key-size 256 luksFormat /dev/sda4
cryptsetup luksOpen /dev/sda4 home
/etc/init.d/cryptdisks restart
Next I created the swap area and the file system on the new mapper devices, restored the home directories and rebooted to test the system.
mkswap /dev/mapper/swap
mkfs.ext3 /dev/mapper/home

# Point /etc/fstab at the mapper devices instead of the raw partitions.
sed -i 's#/dev/sda3#/dev/mapper/swap#' /etc/fstab
sed -i 's#/dev/sda4#/dev/mapper/home#' /etc/fstab
cat /etc/fstab

proc                /proc           proc        defaults                    0   0
/dev/sda2           /               ext3        relatime,errors=remount-ro  0   1
/dev/mapper/swap    none            swap        sw                          0   0
/dev/mapper/home    /home           ext3        relatime                    0   2
/dev/sda1           /windows        ntfs-3g     defaults                    0   0
/dev/scd0           /media/cdrom0   udf,iso9660 user,noauto,exec,utf8       0   0

swapon -a
mount /home
cd /home
tar xpzf /var/tmp/home.tgz
reboot
That's it, now upon every reboot I get a passphrase prompt to unlock my /home file system.
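The step that is easiest to get wrong in the procedure above is the /etc/fstab edit: if a raw partition such as /dev/sda3 is left in fstab, the system keeps swapping to (or mounting) the unencrypted device even though /etc/crypttab is correct. The following script is an added example, not part of the original page; it cross-checks a crypttab against an fstab and demonstrates the check on constructed copies of the page's "before" and "after" fstab. The function name check_crypt_fstab and the sample file names are my own.

```shell
# Added example (not from the original page): verify that every crypttab
# target is used through /dev/mapper/<target> in fstab and that the raw
# source partition no longer appears there at all.
# Real-world usage: check_crypt_fstab /etc/crypttab /etc/fstab

check_crypt_fstab() {
    crypttab=$1; fstab=$2
    # Drop comments, keep "<target> <source>" from every crypttab entry.
    findings=$(sed 's/#.*//' "$crypttab" | awk 'NF >= 2 { print $1, $2 }' |
        while read -r target source; do
            grep -q "^/dev/mapper/$target[[:space:]]" "$fstab" ||
                echo "MISSING: /dev/mapper/$target is not used in $fstab"
            grep -q "^$source[[:space:]]" "$fstab" &&
                echo "UNSAFE: raw $source is still used directly in $fstab"
        done)
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]   # exit status 0 only when nothing was found
}

# Constructed sample files, copied from the crypttab and the "before"/"after"
# fstab shown on the page, written into the directory given as $1.
write_samples() {
    cat > "$1/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
swap /dev/sda3 /dev/urandom swap
home /dev/sda4 none luks
EOF
    cat > "$1/fstab.before" <<'EOF'
/dev/sda2 / ext3 relatime,errors=remount-ro 0 1
/dev/sda3 none swap sw 0 0
/dev/sda4 /home ext3 relatime 0 2
EOF
    cat > "$1/fstab.after" <<'EOF'
/dev/sda2 / ext3 relatime,errors=remount-ro 0 1
/dev/mapper/swap none swap sw 0 0
/dev/mapper/home /home ext3 relatime 0 2
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
for f in before after; do
    echo "== fstab.$f =="
    if check_crypt_fstab "$demo/crypttab" "$demo/fstab.$f"; then
        echo "OK: fstab only references the encrypted mapper devices"
    fi
done
rm -rf "$demo"
```

The "before" fstab produces MISSING and UNSAFE findings for both swap and home, the "after" fstab produces none.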