Encrypting existing directory

From PCLinuxOSHelp Knowledge Base

--- Encrypting existing /home partition ---

by forum member AnotherUser

original posting can be found here.

Well, after lots of googling and some good guesswork, I was successful at converting my unencrypted /home partition into an encrypted /home. For the sake of others, here are the steps that I had to take:


1. Boot into your existing installation. Start konsole and run mount. Take note of which partition is your current / (in my case /dev/sda5) and which is your current /home (in my case /dev/sda7).
2. Close all applications and log out from KDE. Press CTRL+ALT+F1 to switch to console mode. Log in as root. Back up your entire /home partition to some other location. For me it was an external USB drive mounted on /media/disk, and on that drive I had an empty HOMEBACKUP directory. So, I used rsync --delete -aHAXhxv /home/ /media/disk/HOMEBACKUP (NOTE: all slashes are needed!)
3. Place a LiveCD (for me it was 2012.09 FullMonty) into the CD drive
4. Type reboot and proceed to the next section

Erasing and encrypting the partition

1. Boot into the LiveCD and log in as root
2. Start konsole and run drakdisk
3. Click on your unencrypted /home partition (again for me it was /dev/sda7). Click Delete
4. Click on the partition again. Click Create
5. Size the partition as desired (for me, I set it to the max because I was converting the entire partition)
6. Set the type to be ext4
7. Leave the mount point unspecified
8. Make sure to place a checkmark next to encrypt partition
9. Enter an encryption key, two times
10. Click OK. This will give a warning saying that the partition table of drive SDA is going to be written to disk. Click OK
11. Drakdisk is now going to do all the heavy lifting of erasing, encrypting, and formatting the partition. While this is going on, take note of which device is being worked on. For me it was /dev/mapper/crypt_sda7. When finished, click Done.

Restore /home partition contents

1. While still running from the LiveCD, in konsole type mkdir -p /mnt/vault
2. Mount the newly encrypted partition by typing mount /dev/mapper/crypt_sda7 /mnt/vault
3. Plug in your external USB drive and let KDE automount it to /media/disk
4. Restore the old /home contents to the new encrypted partition by typing rsync -a /media/disk/HOMEBACKUP/ /mnt/vault (yes, the slashes are still important!)
5. Unmount the backup drive by typing umount /media/disk
6. Unmount the encrypted /home by typing sync && umount /mnt/vault && cryptsetup luksClose /dev/mapper/crypt_sda7

Update the / partition to use an encrypted /home

1. While still in the LiveCD, mount the original / partition by typing mkdir -p /mnt/root && mount /dev/sda5 /mnt/root
2. Create /mnt/root/etc/crypttab with the following contents: vault /dev/sda7 none luks
3. Edit /mnt/root/etc/fstab so that instead of the UUID entry for the old unencrypted /home partition, you will have the following contents: /dev/mapper/vault /home ext4 rw,errors=remount-ro 0 0
4. Exit the text editors and unmount by typing umount /mnt/root
5. Type reboot to restart the system
6. Eject the LiveCD and start the system again. Observe that during Plymouth boot, you will now be prompted for the /home password before you will be allowed to log into KDE.
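
A consistency check for the crypttab and fstab edits in steps 2 and 3 of this section, to run while / is still mounted on /mnt/root (before step 4). This is an added example, not part of the original post; the function name check_crypt_home is made up here, and it assumes crypttab uses the four-field form with the luks option shown above.

```shell
#!/bin/sh
# Added example: confirm that the /home line in fstab points at a
# /dev/mapper/<name> device that crypttab actually defines.
# Usage: check_crypt_home ROOT   (ROOT = where the installed / is mounted)
# Returns 0 when the two files agree, 1 (with a message) otherwise.
check_crypt_home() {
    root=$1
    fstab="$root/etc/fstab"
    crypttab="$root/etc/crypttab"
    for f in "$fstab" "$crypttab"; do
        [ -r "$f" ] || { echo "missing: $f"; return 1; }
    done

    # Count non-comment fstab lines whose mount point is /home.
    count=$(awk '$1 !~ /^#/ && $2 == "/home" { n++ } END { print n + 0 }' "$fstab")
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one /home line in fstab, found $count"
        return 1
    fi
    dev=$(awk '$1 !~ /^#/ && $2 == "/home" { print $1 }' "$fstab")

    # A leftover UUID= or /dev/sdXN entry means the old line was not replaced.
    case $dev in
        /dev/mapper/*) name=${dev#/dev/mapper/} ;;
        *) echo "/home still uses $dev, not /dev/mapper/<name>"; return 1 ;;
    esac

    # crypttab fields: mapping name, source device, key file, options.
    entry=$(awk -v n="$name" '$1 !~ /^#/ && $1 == n { print $2, $4; exit }' "$crypttab")
    if [ -z "$entry" ]; then
        echo "fstab uses /dev/mapper/$name but crypttab has no '$name' entry"
        return 1
    fi
    src=${entry%% *}
    opts=${entry#* }
    case ",$opts," in
        *,luks,*) ;;
        *) echo "crypttab entry '$name' lacks the luks option"; return 1 ;;
    esac

    echo "ok: /home -> /dev/mapper/$name -> $src (luks)"
    return 0
}
```

Call it as check_crypt_home /mnt/root. A name mismatch between the two files (for example crypt_sda7 in one and vault in the other) is the error it is meant to catch before the reboot.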