Instead of encrypting your entire drive and operating system you can encrypt just the data that matters, /home/
Full disk encryption (FDE) vs. data only /home/ + swap
– FDE cannot survive a remote reboot because it asks for the password before the system is fully running.
– FDE is more secure in the sense that it encrypts any possible user data. Temporary or cached files in /tmp/ or /var/ and swap will be automatically encrypted. Meta data or sensitive file names can be leaked with programs like mlocate or databases stored under /var/.
– Data-only encrypting with pam_mount is seamless, allowing someone to use a single password to simultaneously login and decrypt their data. (Psssst, its two passwords. One for login and one for decrypting. If they match, two birds one stone).
This is a vast subject and I have barely touched on it. Check out some other resources that can help formulate a proper solution for your needs.
Lastly, if you just want simple file/directory encryption (as opposed to file system encryption as laid out here) you might like EncFS.
At the end of the day we all have no excuse for not using encryption so just go ahead and implement something reasonable. And don’t use non-free encryption!
1. Backup /home to external drive
2. Install cryptsetup, libpam-mount
3. Format home partition
4. Open encrypted partition, make a filesystem inside and copy data back
5. Edit /etc/security/pam_mount.conf.xml
6. Remove “/home” from /etc/fstab
7. Change your password to match the crypt password
8. Alternately, encrypt swap
rsync -av /home /backup
apt-get install cryptsetup libpam-mount
cryptsetup luksFormat /dev/sdaX
cryptsetup luksOpen /dev/sdaX home
mkfs.xfs -L home /dev/mapper/home
mount /dev/mapper/home /home/
rsync -av /backup/home/ /home
Backup the default config
cp /etc/security/pam_mount.conf.xml /root/
add the following after “Volume definitions”.
<!-- Volume definitions --> <volume user="jason" fstype="crypt" path="/dev/disk/by-uuid/2a350c84-f047-4d17-a715-ddca5d9c0561" mountpoint="/home" options="noatime,exec,fsck,nodev,nosuid"/>
blkid to determine the correct uuid for your path=
Remove /home from /etc/fstab. Comment it out with a little note that pam_mount is handling it.
Change your password to match the crypt password used in step 3.
Alternately, to be more secure you can encrypt swap.
Add the following to /etc/crypttab
sda3_crypt /dev/disk/by-id/ata-ST1000LM014-1EJ164_W7734HLY-part3 /dev/urandom cipher=aes-xts-plain64,size=256,swap
I use a clever program called cryptdisks_[start/stop] to start and stop these crypts. You need to stop your existing, unencrypted swap with
Now start the crypt
This creates /dev/mapper/sda3_crypt
Now replace your existing /etc/fstab swap line with something like the following:
/dev/mapper/sda3_crypt none swap sw 0 0
this turns on the swap, now its encrypted!
Filename Type Size Used Priority /dev/dm-0 partition 9769980 0 -1
Leave a Reply