
Goal: Mount an encrypted partition on a secondary disk to /home.

I needed more space for user files on my Linux desktop running on an SSD, so I wanted to use a second rotating disk to store user files. I also wanted to encrypt this disk.

Procedure

  1. Create the encrypted partition and filesystem on the new rotating disk
  2. Configure the system to unlock the encrypted partition during boot
  3. Mount the partition to /home

We want to create an encrypted partition on the rotating disk. This command helps to make sure we're picking the right disk. The ROTA field specifies if the device is a rotating disk.

$ lsblk -o NAME,UUID,TYPE,ROTA,FSTYPE,MOUNTPOINT

Let's say sdb is the SSD where the OS is installed, and sda is the rotating disk that we want to use.

Create a new partition

Create a partition table and a partition. If there is already a partition available on the disk to use for this setup, we can skip this step.

I'm assuming it's a brand new disk, and we're going to create only one partition using fdisk. Other partitioning schemes and tools may be used.

Warning

Creating a new partition table on a disk with existing data will erase all the data. If there is existing data or partitions on the disk, make sure to back up the data or follow a more specific guide to create the target partition.

$ sudo fdisk /dev/sda  # sda is the new rotating disk
  # on the fdisk interactive prompt:
  #   to create a new partition table, press "o"
  #   to create new primary partition press "n" and then "p"
  #   we're using the whole disk for this partition so the default size is fine
  #   to write changes to disk, press "w"

Now /dev/sda1 is our target partition.

Set up the encrypted device

We're setting up a dm-crypt encrypted partition in LUKS mode. First we need to make sure the cryptsetup package is installed and the dm_crypt kernel module is loaded.

$ sudo apt-get install cryptsetup
$ lsmod | grep dm_crypt
$ # if dm_crypt was not loaded, load the module
$ sudo modprobe dm_crypt

Create encrypted block device

We'll use the cryptsetup tool to set up dm-crypt managed mappings. I'm going to use default parameters, but other parameters may be used to customize the encryption setup (cipher, key size, etc.).

$ sudo cryptsetup -v luksFormat /dev/sda1
$ # enter the encryption passphrase

Note

The encryption passphrase will be required to access the data. If the passphrase is forgotten, it won't be possible to access the files on this partition, nor the metadata.

Now /dev/sda1 is an encrypted block device. Let's see the LUKS headers:

$ sudo cryptsetup luksDump /dev/sda1

Create the filesystem

The encrypted device must be unlocked before it can be accessed. Device mapper provides a new device which is mapped to the LUKS encrypted device. I'm going to name the mapped device sda1_crypt, but it can be any valid name.

$ sudo cryptsetup luksOpen /dev/sda1 sda1_crypt
$ # or using a recent version of cryptsetup:
  # sudo cryptsetup open --type luks /dev/sda1 sda1_crypt

We'll be prompted for the encryption passphrase. A new block device is created in /dev/mapper named sda1_crypt with a new UUID. This is a block device and the rest of the operations (creating a filesystem, mounting) should use this device instead of directly working on /dev/sda1. Later we'll mount this device to /home.

Now we can format the unlocked device with the desired filesystem. I'm using ext4 here, but any filesystem or formatting tool may be used.

$ sudo mkfs.ext4 /dev/mapper/sda1_crypt

Let's see our block device setup so far on this disk:

$ lsblk -o NAME,UUID,TYPE,FSTYPE,MOUNTPOINT /dev/sda
NAME                     UUID                                   TYPE  FSTYPE      MOUNTPOINT
sda                                                             disk
└─sda1                   93d58349-5972-4f41-b384-a4b4c6e3ce2a   part  crypto_LUKS
  └─sda1_crypt           3e52fa81-5aa4-4f7e-9008-013c60961d9a   crypt ext4

This shows we have an encrypted partition sda1 (UUID 93d58349...), and it's mapped to sda1_crypt (UUID 3e52fa81...).

Copy existing files

Our encrypted partition setup is ready to use. We can now mount this partition and copy any existing files from /home onto it. If there is no need to copy the files, we may skip this section.

$ sudo mkdir /mnt/encrypted_disk
$ sudo mount -t ext4 /dev/mapper/sda1_crypt /mnt/encrypted_disk

I'm using cp -a to copy the files since it's a local copy and cp is simply available. Any other tool may be used.

$ sudo cp -axT /home/ /mnt/encrypted_disk/

Note

Make sure all the files are copied, especially hidden dot files. You may also want to remove existing files from /home since they are not stored encrypted.

When we're done copying files, we can unmount the partition and remove the temporary mount point.

$ sudo umount /mnt/encrypted_disk
$ sudo rmdir /mnt/encrypted_disk

Unlock and mount on boot

To configure the system to unlock the device during boot, we can use /etc/crypttab. This file is like fstab but is read before fstab to unlock encrypted devices before they are mounted.

Add the encrypted partition device (sda1) UUID, and the mapped device name to /etc/crypttab.

# <target name> <source device>         <key file>      <options>
# decrypt sda1 so it can be accessed from /dev/mapper/sda1_crypt
sda1_crypt UUID=93d58349-5972-4f41-b384-a4b4c6e3ce2a none luks,timeout=180

The commented line should be descriptive enough. The timeout option causes the passphrase prompt to time out after the specified number of seconds.

Add the unlocked LUKS device (sda1_crypt) UUID, and the mount point to /etc/fstab.

UUID=3e52fa81-5aa4-4f7e-9008-013c60961d9a /home           ext4    defaults               0       0
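
The two files above use two different UUIDs, and swapping them is an easy mistake that leaves /home unmounted at boot. The script below is an added example, not part of the original post: it checks saved copies of the lsblk output, crypttab and fstab for that mistake. The function names, file names and sample data are assumptions constructed from the values shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Offline check that crypttab and
# fstab each reference the right UUID. Arguments are three files:
#   $1  saved output of: lsblk -rno NAME,UUID,TYPE,FSTYPE
#   $2  a copy of /etc/crypttab      $3  a copy of /etc/fstab
check_home_crypt() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    src == "lsblk" && NF == 4 {              # rows without a UUID have fewer fields
        name[$2] = $1; type[$2] = $3; fstype[$2] = $4; next
    }
    src == "crypttab" {                      # source must be the LUKS container
        uuid = $2; sub(/^UUID=/, "", uuid); target[$1] = 1
        if (fstype[uuid] != "crypto_LUKS") {
            print "crypttab: " $1 " source is not a LUKS container"; bad = 1
        }
        next
    }
    src == "fstab" && $2 == "/home" {        # /home must sit on the opened mapping
        seen = 1; uuid = $1; sub(/^UUID=/, "", uuid)
        if (type[uuid] != "crypt") {
            print "fstab: /home is not on an unlocked mapping"; bad = 1
        } else if (!(name[uuid] in target)) {
            print "fstab: no crypttab entry opens " name[uuid]; bad = 1
        }
    }
    END {
        if (!seen) { print "fstab: no /home entry"; bad = 1 }
        exit bad + 0
    }' src=lsblk "$1" src=crypttab "$2" src=fstab "$3"
}

# Constructed sample input, using the UUIDs shown in this post.
LUKS_UUID=93d58349-5972-4f41-b384-a4b4c6e3ce2a
FS_UUID=3e52fa81-5aa4-4f7e-9008-013c60961d9a
write_sample() {   # $1 = directory to fill with lsblk.txt, crypttab, fstab
    printf '%s\n' 'sda  disk ' "sda1 $LUKS_UUID part crypto_LUKS" \
        "sda1_crypt $FS_UUID crypt ext4" > "$1/lsblk.txt"
    printf '%s\n' "sda1_crypt UUID=$LUKS_UUID none luks,timeout=180" > "$1/crypttab"
    printf '%s\n' "UUID=$FS_UUID /home ext4 defaults 0 0" > "$1/fstab"
}

tmp=$(mktemp -d)
write_sample "$tmp"
check_home_crypt "$tmp/lsblk.txt" "$tmp/crypttab" "$tmp/fstab" \
    && echo "crypttab and fstab are consistent"
rm -rf "$tmp"
```

On a real system, save the lsblk output while the device is unlocked so the crypt row and its filesystem UUID are present.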