HOWTO: Encrypted Home and Swap Partitions

kbmonkey · 2011-01-16 19:33:23

= = = = = = = = = = < Encrypted Home and Swap Partitions > = = = = = = = = = = =

Update (May 2011): This update is to affirm that this method still works. This update includes:

* A new section for encrypted swap
* simplified some instructions
* style reformat

Thanks for reading :-)

 -  -  -  INTRO -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

This deals with securing your data in case your hardware falls in mallicious hands. I want to feel safe that if my Netbook goes missing, my personal files stay personal.

- Our system will prompt for a password during boot, before gdm login, and decrypt our /home.
- As /home is encrypted, we will setup auto login, so we only enter one (boot-time) password.
- The process itself will take less than 20 minutes max, I just commented much of what is being done.
- This should work on any distro where you can install cryptsetup and ecryptfs-utils.
- Double check your commands - I'm not responsibile for data loss. But don't worry too much, just back up, and take your time smile

Hint: Save this page to a usb drive, for easy reading during the live install.

 -  -  -  BACKUP   -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

Always backup your data when working with your partitions. Accidents do happen.
You can use rsync: http://crunchbanglinux.org/wiki/howto/ssh_rsync_backup
or dd: http://www.linuxquestions.org/questions … nd-362506/

I like dd, as you can backup a whole drive, or just a partition, byte-for-byte, including the boot loader and all.

 -  -  -  INDEX -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

- Encrypted Swap
- Phase 1: install the OS (skip this phase for existing installations)
- Phase 2: setup the encrypted /home partition
- Phase 3: move old /home to the new /home
- Phase 4: configure auto login and keyrings (optional)

## IMPORTANT NOTES ##
- If you forget the encryption password, your data stays encrypted, and even you won't get to it. It's a good idea to remember your password!

- This boot-time password is not your user account password, but for the purpose of ease-of-use, I will be using the same password for my encrypted /home, as my user account.

- If you ever change your user password, the boot-time password will stay the same. You can't change the luks password either, however you can recreate the luks device with a new password, and move your data across.

- When working with the luks (encrypted) volume, we call it by name. I chose to use 'vault', as it doesn't conflict with any other names and it makes it pretty clear what the volume for.

 -  -  -  ENCRYPTED SWAP -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

We use ecryptfs to setup an encrypted swap. It uses the same method as our encrypted home, but the process is done automagically via a setup script.

install ecryptfs-utils

:~$ sudo apt-get install ecryptfs-utils

run the setup

sudo ecryptfs-setup-swap

That's it! It creates a /dev/mapper/cryptswap luks entry in /etc/crypttab, it uses random data each boot to encrypt instead of a passphrase.

** Note this does break hibernation (RAM written to swap doesn't work), however suspend will still work as that doesn't write RAM to disk.

Reboot and verify your new encrypted swap with

:~$ swapon -s
Filename   Type       Size    Used  Priority
/dev/dm-1  partition  3583992 0     -1

 -  -  -  PHASE 1  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

Existing installation users please read this phase.

You must know the new /home will need it's own partition. If you have a seperate /home partition then just re-use it (backup first!). If you don't have seperate /home, you may need to repartition and/or reinstall.

Boot the live USB and start the installation process. Partition your drive based off the basic structure below: /, swap, and /home. But _don't_ map /home to any mount points. We will do this manually afterwards, just reserve that space in a partition for now.

sda1 = /    (10 GiB)
sda2 = swap (2 GiB)
sda3 = none (140 GiB) <-- this is our future encrypted /home

* Write your partition paths on paper like so:
ROOT /dev/sdaX
SWAP /dev/sdaY
HOME /dev/sdaZ

(of course you will replace X/Y/Z with your own numbers)

I will refer to them as /dev/ROOT and /dev/HOME, you will then know to replace them with your own values. Finish the install and reboot into your new OS.

 -  -  -  PHASE 2  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

* You are now logged into your new install, with a fresh user profile, and a fresh cup of coffee big_smile

become root for a while (**PLEASE** double check your commands)

:~$ sudo -i

install cryptsetup

:~# apt-get install cryptsetup

load the device mapper kernel module

:~# modprobe dm_mod

setup a new encrypted container on /dev/HOME

:~# cryptsetup luksFormat /dev/HOME -c aes -s 256 -h sha256

The passphrase it prompts is for the boot-time decryption of /home.

open the luks container under the name of 'vault'

:~# cryptsetup luksOpen /dev/HOME vault

/dev/mapper/vault now points to our luks container. Format it as ext4 (you may format to any other file system type you prefer)

:~# mke2fs -t ext4 -j /dev/mapper/vault -L vault

(The '-L vault' option simply labels the fs as such)

mount the formatted container to /mnt/vault/

:~# mkdir /mnt/vault && mount /dev/mapper/vault /mnt/vault

lets see the mount contents

:~# ls /mnt/vault
lost+found

Great it worked!

Now we copy our backup/home files across. If you don't have a backup (a brand new first time installer) then you would copy from /home.

** NOTE ** /mnt/vault must contain your user profile starting with the $USER/ directory, not /home. Thus you want to see a structure like: /mnt/vault/kbmonkey (and not /mnt/vault/home/kbmonkey). *This is important*

Ensure this by adding a trailing slash to our rsync source, '/home/' and not just '/home'.

# For new profiles without backed-up files:
:~# rsync -a /home/ /mnt/vault

# For users with backed-up files:
:~# rsync -a /mnt/your-backup-device/ /mnt/vault

-a is archive mode, it preserves file ownership and other options.

See the copied files

:~# ls -l /mnt/vault/

drwxr-xr-x 33 kbmonkey kbmonkey  4096 Jan 16 20:22 kbmonkey

That's what we want to see: our user profile directory in /mnt/vault.

Edit /etc/fstab to point /home to /dev/mapper/vault

# <file system>         <mount point>   <type>  <options>               <dump>  <pass>
/dev/mapper/vault       /home           ext4    rw,errors=remount-ro    0       0

Add a line to /etc/crypttab to make the boot process aware that it must decrypt the luks container (replace /dev/HOME)

# <target name>   <source device>  <key file>  <options>
vault             /dev/HOME        none        luks

sync disks, unmount and close the encrypted container

:~# sync && umount /mnt/vault
:~# cryptsetup luksClose /dev/mapper/vault

To ensure we work with the correct /home, let us create an empty file called 'old-home' in the current profile. It will help us differenciate the current user profile from the soon-to-be encrypted profile.

:~$ touch ~/old-home

 -  -  -  PHASE 3  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

We now have two copies of our user files: one in /dev/ROOT (old-home) and one in /dev/HOME (encrypted).
Now let us move the current /home files out of the way, so that the encrypted /home can take it's place.
Reboot with the ** live ** CD/USB - I will wait here until you get back to PHASE 3 ...

reboot

(Continued in Live environment ...)

enter a root console

:~$ sudo -i

mount /dev/ROOT

:~# mkdir /mnt/disk && mount /dev/ROOT /mnt/disk/

ls /mnt/disk/home/USER you will see the file 'old-home', an indication this is our old profile files.

move old home out of the way

:~# mv /mnt/disk/home/ /mnt/disk/home_old

recreate the /home directory (needed by fstab) and unmount

:~# mkdir /mnt/disk/home && umount /mnt/disk

Done!

reboot

 -  -  -  PHASE 4  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

On boot you are prompted for a password before you get to the gdm login. This will decrypt the /home partition.

You will then be greeted by the gdm login. All that's left is to setup auto login, so that we only enter the one password (to decrypt our /home), and it boots us straight into our user profile.

# Verify our mounted luks device:

:~$ df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             9.7G  2.0G  7.2G  22% /
/dev/mapper/vault     136G  234M  129G   1% /home

Fantastic! /home is mounted to /dev/mapper/vault, which is our encrypted partition on /dev/HOME smile

We can also check with cryptsetup status:

:~$ sudo cryptsetup status vault

  /dev/mapper/vault is active:
  cipher:  aes-cbc-plain
  keysize: 256 bits
  device:  /dev/sda3
  offset:  2056 sectors
  size:    287999992 sectors
  mode:    read/write

The tricky part: Automatic Login

I use Openbox, for me I do: [Super + Space] -> System -> GDM Login Setup

Security tab: I check 'Enable Automatic Login' and choose myself as the user.

Remember that all our files and settings under /home are still encrypted, so you won't even get to the desktop without your password.

So let's reboot and try it out...

reboots ...

You will notice your keyring (if set to auto-login) won't work anymore. That's because automatic login disables the automatic keyring functionality. It's a well designed security measure, but in this case I want both automatic login, and no keyring prompt. (Both are already covered by our encrypted /home).

The only way to stop the keyring from asking for a password, so far as I know, is to use a blank password for your keyring.
To remove my current keyring data, I delete the login.keyring file - This will clear all saved keyring passwords.
You don't have to use a blank keyring password, if you don't want, but if you do:

:~$ rm ~/.gnome2/keyrings/login.keyring 
:~$ rm ~/.gnome2/keyrings/user.keystore

Log out/in, enter any network/wireless creds, if the keyring asks you to enter a new password, use a blank one. It will warn you that it is unsafe, and accept.

 -  -  -  COMPLETE    -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

That is pretty much it. Hang on to /home_old for a few days, and delete it when you are happy everything is running.

 -  -  -  ANECTDOTE   -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

For the novelty, here's an idea of what it might take someone to decrypt your data without your passphrase:

“Imagine a computer that is the size of a grain of sand that can test keys against some encrypted data. Also imagine that it can test a key in the amount of time it takes light to cross it. Then consider a cluster of these computers, so many that if you covered the earth with them, they would cover the whole planet to the height of 1 meter. The cluster of computers would crack a 128-bit key on average in 1,000 years.”

(taken from http://www.interesting-people.org/archi … 00058.html)

That is for a 128-bit key. We use 256-bit for our /home.

 -  -  -  NOTES    -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

- I used the intructions at https://help.ubuntu.com/community/Encry … nIntrepid, but it hangs the #! installer. As the 'miniroot' partition in the link is 512 MiB it's too small for the #! OS files.

- I then searched how to encrypt partitions, and then applied that to what I knew about migrating your /home to another partition. The final clue was adding that line to crypttab to prompt for the passphrase during boot.

- I'd like to hear your thoughts, good or bad, either way - as long as it's constructive or improves this process smile

 -  -  -  LINKS -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

http://code.google.com/p/cryptsetup/wik … dQuestions

Last edited by kbmonkey (2011-05-18 10:59:52)

Unia · 2011-01-16 19:36:53

You had better posted this in the Tips & Tricks section. I'm not really into encrypting disks, so I can't give you any criticism on that.

kbmonkey · 2011-01-16 20:08:11

Oops my mistake. Can a moderator move this to the Tips & Tricks section please? I'd appreciate it smile

tRiCk · 2011-01-27 15:58:46

I hope that reading this old post will be very interesting for you.

http://crunchbanglinux.org/forums/topic … artitions/

I have applied it in my netbook with Statler. It works and I have root, swap and home partition encrypted.
Never gave the thanks to hdk. I do it now.

Regards
Ric

Last edited by tRiCk (2011-01-27 16:00:04)

kbmonkey · 2011-01-28 06:36:50

Hi Ric, yes I did see that post, and followed it. At some stage it failed, reading it now I cannot remember at which step though. I waded through so much documentation and tuts at the time tongue

There are few differences, you can skip phase 1 for this tut, if you already have #! installed, and I don't encrypt the OS files, just /home.

I learned plenty from this, and will retry this other method again for and cross-compare methods smile

tRiCk · 2011-01-30 08:03:44

To remove my current keyring data, I delete the login.keyring file.
Note that this *will* clear your saved keyring settings (like wireless passwords).
_If anyone knows another way to blank the keyring password, please share your ideas.

Use "seahorse" (in repos) for changing the keyring password. Also if you mark the most used networks as available for all users in the "network-manager applet" connect without asking password.

Regards
Ric

Last edited by tRiCk (2011-01-30 14:44:51)

Tunafish · 2011-03-14 22:42:35

@kbmonkey:
I just installed my system this way.... works fine. So thank you for the guide.

I used an old Statler disc, because i think your method doesn't work when plymouth is enabled. Or does it?

kbmonkey · 2011-03-15 19:53:19

Glad to hear it worked, I used Statler 2011-01-05 for this method, it should work with most distros I recon. I do wish there was a easy one-click process :-)

SabreWolfy · 2012-04-14 15:06:02

@kbmonkey: Thanks for this guide. I have an installation with Windows on /dev/sda1, #! / on /dev/sda2, /home on /dev/sda3 and swap on /dev/sda4. I don't have any spare partitions, unless I remove /home and make an extended partition there. I'd like to encrypt /home, without reinstalling. Or, would it be better/easier just to create say, a 64GB container in /home and encrypt that instead?

Last edited by SabreWolfy (2012-04-14 15:06:40)

kbmonkey · 2012-04-14 20:42:54

SabreWolfy wrote:

@kbmonkey: Thanks for this guide. I have an installation with Windows on /dev/sda1, #! / on /dev/sda2, /home on /dev/sda3 and swap on /dev/sda4. I don't have any spare partitions, unless I remove /home and make an extended partition there. I'd like to encrypt /home, without reinstalling. Or, would it be better/easier just to create say, a 64GB container in /home and encrypt that instead?

@SabreWolfy, that depends on what you want to secure. If you want to secure your gpg keys, mail and certain sensitive configuration files, you can install ecryptfs-utils and use this guide to setup a ~/Private directory (which links to ~/.Private). Everything placed in here gets encrypted and it auto-mounts on login. You can then move all your sensitive configs (say ~/.cache or ~/.muttrc) into there, and symlink them out to their expect location. Note that backups will still copy the unencrypted data (If you backup inside your logged-in session)

Creating a 64GB container would also work, and is pretty much the same idea I just explained, but then you're limited to a fixed size, so the above method is more flexible than a fixed container.

If you do want to secure your entire /home, I see the ecryptfs-utils has a script named 'ecryptfs-migrate-home'. Neat! Only problem is the utils version in the repo (for my squeeze at least) doesn't have this newer script, so you'll need to get the latest ecryptfs utils from the source.

As an experimental idea, and just throwing this out there:
- backup all your ~ to an external (use a cmd to get _all_ files. look this up.)
- make a temporary home in your system root (say /tmp_home on sda2)
- use 'adduser --home /tmp_home' to make a temporary user home in your sda2 root partition
- change your fstab to use /tmp_home as home
- reboot and login with your temp account

At this point your sda3 home is not mounted any more and freed up for Phase 2 of the guide. Setup sda3 with luks, and when all done copy your original home back from the external. That is all.

As always, backup everything. Let us know what you do!

You're welcome :]

SabreWolfy · 2012-04-15 10:35:47

@kbmonkey: Thanks for the detailed reply smile I'm keen to try your suggestions as soon as I get a chance. I'll let you know how it goes...

SabreWolfy · 2012-04-25 19:22:43

@kbmonkey: As I'll be trying your suggestion from a few posts back on a "production" machine, I've been reading through your first post in detail before starting. I'm not clear on the end of phase 2 and the start of phase 3 -- it seems as though you move your data back twice?

Tunafish · 2012-04-25 21:41:03

There's a lot of great info in this thread:
http://madduck.net/docs/cryptdisk/
I even managed to set up encrypted swap with (encrypted) hibernate.

kbmonkey · 2012-04-26 15:37:11

SabreWolfy wrote:

I'm not clear on the end of phase 2 and the start of phase 3 -- it seems as though you move your data back twice?

Do you mean this part here? You only run one of those commands, depending if it was a brand new install, or if you want to move your backed-up data across.

# For **new profiles** without backed-up files:
:~# rsync -a /home/ /mnt/vault

# For **users with backed-up files**:
:~# rsync -a /mnt/your-backup-device/ /mnt/vault

SabreWolfy · 2012-04-27 02:27:33

^ I meant the start of phase 3 where you boot into a live environment to copy your files across. Haven't you just done that in phase 2 (as you indicated above)? Or is phase 3 pointing /home to where the encrypted partition is so that it is available after a reboot?

(ecryptfs-utils in the Squeeze repos for me (version 83) contains the migration script. This script encrypts the /home/user folder, rather than the entire /home partition.)

Last edited by SabreWolfy (2012-04-27 02:35:59)

SabreWolfy · 2012-04-27 19:59:58

@kbmonkey: Seems to have worked smile For reference, this is what I did:

I created the temporary user you mentioned a few posts back, created /TEMPUSER folder, edited /etc/fstab (as I thought it should be) and rebooted. It didn't like "ext4" for /TEMPHOME folder in /etc/fstab and dropped me to a root prompt, which was actually fine, because /dev/sda3 wasn't mounted now anyway, so I started with Phase 2, which went fine.

After creating the new /home/username, I didn't copy anything across to it for now. I skipped Phase 3 because I didn't understand it and didn't think I needed to do it -- this was what my recent question was about.

I restarted and was prompted for the encryption password during the boot sequence, booted into a "fresh" install now because /home/username was empty. I was happy with this as it indicated that everything was working. I restarted and selected a recovery console, deleted all the files just created in /home/username, copied the backup of my home into /home/username and rebooted. Everything was fine smile

I skipped the auto-login section as I'm happy to type the password at login. I skipped the encrypted swap section too, as I'd like to be able to hibernate on occassion.

Was easier than I thought smile My external HDD is encrypted at the device level (/dev/sdX, not /dev/sdX1), with cryptsetup, so this was actually quite similar to setting this up, in retrospect smile

Last edited by SabreWolfy (2012-04-27 20:02:06)

SabreWolfy · 2012-04-27 20:03:56

Any idea about the performance impact of running cryptsetup on /home? I'm running an Intel Core Duo 2.0GHz with 1GB DDR2 RAM.

kbmonkey · 2012-05-01 04:20:51

@SabreWolfy

Glad you got it done! I didn't notice here were replies, the forums 'new posts' flags seem to vanish lol

The part you were confused about, you did not need to do (so good move). It only moves the old home out of the way. Leaving it is fine because as you know, mounting a device into a directory with existing files, will hide those files.

@Tunafish

Thanks for that informative link!

SabreWolfy · 2012-05-01 10:07:49

@kbmonkey: Thanks. Any comments on this:

SabreWolfy wrote:

Any idea about the performance impact of running cryptsetup on /home? I'm running an Intel Core Duo 2.0GHz with 1GB DDR2 RAM.

greyproc · 2012-05-01 11:36:24

@SabreWolfy: For what it's worth, I'm running dm_crypt+lvm for my whole system on a core2duo, 4gb DDR2, and I honestly can't see any difference whatsoever--- and I haven't even recompiled my kernel yet. The whole system just flies. If you're only encrypting your home partition, I wouldn't think you'd notice any difference. (Also, I don't have a swap _file_, yet. I skipped doing a partition for it, figuring it'll be easier this way. YMMV.)

SabreWolfy · 2012-05-01 11:51:31

^ Yeah, I can't say I've noticed any drop in performance with encrypted /home on my Core Duo with 1GB RAM. /swap is not encrypted.

About a yer ago I was running Xubuntu on an Acer Aspire One (D250) netbook with encrypted /home and performance was noticeably poorer on occasion. I tried to quantify it and posted a question here (with related links) but never arrived at a clear answer. Some results suggest an encrypted /home results in a massive (20x) performance penalty on the netbook.

Last edited by SabreWolfy (2012-05-01 12:28:16)

kbmonkey · 2012-05-01 16:49:20

I don't even notice performance hits. My netbook has this setup too, Intel Atom @1.6GHz and no slow downs. Full-disk encryption will add more performance hits, I can't say how much though. Consider luks encryption is geared to RAID arrays for large servers, and we get an idea of the low overhead only by using it on your personal machine wink

SabreWolfy · 2012-06-06 19:42:51

^ I've noticed that my machine has an idling load average of over 1.It's an Intel Core Duo with encrypted /home. I've ruled out Iceweasel and conky and compositing. It seems to be related to Xorg. I know encryption != X, but have you noticed an increase in your load average on machines with encryption?

machinebacon · 2012-06-07 12:39:32

Deserves a wiki page -> http://crunchbanglinux.org/wiki/howto/e … _home_swap

Thanks for this excellent guide!

Piraja · 2012-12-05 06:47:08

I encrypted my swap with

ecryptfs-setup-swap

and this produced the proper changes in /etc/fstab, too, i.e. the previous swap is now commented out and

/dev/mapper/cryptswap1 none swap sw 0 0

was automatically added. So everything seems alright. However, I noticed that Conky no longer shows swap information and there is no swap present:

# swapon -s
Filename				Type		Size	Used	Priority

# swapon -a
swapon: /dev/mapper/cryptswap1: stat failed: No such file or directory

What is more,

dmesg | grep -i swap

gives nothing. Any ideas?

CrunchBang Linux

SEARCH

#1 2011-01-16 19:33:23

HOWTO: Encrypted Home and Swap Partitions

#2 2011-01-16 19:36:53

Re: HOWTO: Encrypted Home and Swap Partitions

#3 2011-01-16 20:08:11

Re: HOWTO: Encrypted Home and Swap Partitions

#4 2011-01-27 15:58:46

Re: HOWTO: Encrypted Home and Swap Partitions

#5 2011-01-28 06:36:50

Re: HOWTO: Encrypted Home and Swap Partitions

#6 2011-01-30 08:03:44

Re: HOWTO: Encrypted Home and Swap Partitions

#7 2011-03-14 22:42:35

Re: HOWTO: Encrypted Home and Swap Partitions

#8 2011-03-15 19:53:19

Re: HOWTO: Encrypted Home and Swap Partitions

#9 2012-04-14 15:06:02

Re: HOWTO: Encrypted Home and Swap Partitions

#10 2012-04-14 20:42:54

Re: HOWTO: Encrypted Home and Swap Partitions

#11 2012-04-15 10:35:47

Re: HOWTO: Encrypted Home and Swap Partitions

#12 2012-04-25 19:22:43

Re: HOWTO: Encrypted Home and Swap Partitions

#13 2012-04-25 21:41:03

Re: HOWTO: Encrypted Home and Swap Partitions

#14 2012-04-26 15:37:11

Re: HOWTO: Encrypted Home and Swap Partitions

#15 2012-04-27 02:27:33

Re: HOWTO: Encrypted Home and Swap Partitions

#16 2012-04-27 19:59:58

Re: HOWTO: Encrypted Home and Swap Partitions

#17 2012-04-27 20:03:56

Re: HOWTO: Encrypted Home and Swap Partitions

#18 2012-05-01 04:20:51

Re: HOWTO: Encrypted Home and Swap Partitions

#19 2012-05-01 10:07:49

Re: HOWTO: Encrypted Home and Swap Partitions

#20 2012-05-01 11:36:24

Re: HOWTO: Encrypted Home and Swap Partitions

#21 2012-05-01 11:51:31

Re: HOWTO: Encrypted Home and Swap Partitions

#22 2012-05-01 16:49:20

Re: HOWTO: Encrypted Home and Swap Partitions

#23 2012-06-06 19:42:51

Re: HOWTO: Encrypted Home and Swap Partitions

#24 2012-06-07 12:39:32

Re: HOWTO: Encrypted Home and Swap Partitions

#25 2012-12-05 06:47:08

Re: HOWTO: Encrypted Home and Swap Partitions

Board footer