Crypt setup

Set up cryptographic volumes for dm-crypt (including the LUKS extension)

Encrypt home directory with cryptsetup module

  1. Back up the home directory

  2. Install modules:

$ apt-get install cryptsetup

  3. Install header files (if you got a warning about header files in the previous step)

$ apt-get install firmware-linux firmware-realtek intel-microcode

  4. Unmount partitions

$ umount -a

  5. Load modules into the kernel

$ modprobe xts
$ modprobe dm-crypt
$ modprobe aes
$ modprobe aes-in
$ modprobe aesni-intel
$ modprobe aes-x86_64

  6. Encrypt the wanted partition

$ cryptsetup luksFormat --debug --cipher aes-xts-plain64 --hash sha256 /dev/sda5

Another option for the cipher is aes-cbc-essiv:sha512

  7. Restart so the new UUID takes effect

  8. Open the encrypted partition

$ cryptsetup luksOpen /dev/sda5 home

  9. Format the partition with the wanted filesystem type

$ mkfs.ext4 /dev/mapper/home

  10. Add this partition to the fstab file, and comment out the old line for the home partition

$ vim /etc/fstab
/dev/mapper/home /home ext4 defaults 0 2

  11. Get the UUID of the encrypted partition

$ blkid

  12. Add the UUID of the encrypted partition to the /etc/crypttab file

$ vim /etc/crypttab
home UUID=<UUID OF /dev/sda5> none luks

  13. Mount the encrypted partition

$ mount /dev/mapper/home

  14. Copy the home directory from the backup to the encrypted partition

$ mkdir /home/or
$ cp -R /backup/or /home
$ chown -R or /home/or

  15. Update the boot image (initramfs)

$ update-initramfs -u

  16. Check the status of the encrypted partition

$ cryptsetup luksDump /dev/sda5

  17. Back up the headers of the encrypted partition

$ cryptsetup luksHeaderBackup /dev/sda5 --header-backup-file /backup/sha5_ency_header.img
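
A check for the blkid and crypttab steps above, as an added example that is not part of the original page: it verifies that each UUID= entry in a crypttab names a LUKS container (TYPE="crypto_LUKS" in blkid output) rather than the filesystem inside the mapping. The function names are hypothetical and the sample UUIDs are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical
# and every UUID below is constructed sample data.

# classify_uuid BLKID_TEXT UUID -> prints luks, not-luks:<type> or missing
classify_uuid() {
    # The leading space keeps PARTUUID="..." from matching.
    line=$(printf '%s\n' "$1" | grep -F " UUID=\"$2\"" || true)
    [ -n "$line" ] || { echo missing; return 0; }
    fstype=$(printf '%s\n' "$line" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p')
    if [ "$fstype" = crypto_LUKS ]; then echo luks; else echo "not-luks:$fstype"; fi
}

# check_crypttab BLKID_TEXT CRYPTTAB_TEXT
# Prints "<name>: <verdict>" for each UUID= entry; returns 1 unless all are luks.
check_crypttab() {
    rc=0
    # Here-document instead of a pipe, so rc is set in the current shell.
    while read -r name source rest; do
        case $name in ''|'#'*) continue ;; esac        # blank line or comment
        case $source in UUID=*) ;; *) continue ;; esac # only UUID= sources
        verdict=$(classify_uuid "$1" "${source#UUID=}")
        echo "$name: $verdict"
        [ "$verdict" = luks ] || rc=1
    done <<EOF
$2
EOF
    return $rc
}

# Constructed blkid output: the LUKS container and the ext4 filesystem inside it.
SAMPLE_BLKID='/dev/sda5: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS" PARTUUID="0009abcd-05"
/dev/mapper/home: UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" BLOCK_SIZE="4096" TYPE="ext4"'
GOOD_CRYPTTAB='home UUID=11111111-2222-3333-4444-555555555555 none luks'
BAD_CRYPTTAB='# UUID of the filesystem inside the mapping, not of /dev/sda5
home UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee none luks'

check_crypttab "$SAMPLE_BLKID" "$GOOD_CRYPTTAB" || true
check_crypttab "$SAMPLE_BLKID" "$BAD_CRYPTTAB" || true
# On a live system (as root): check_crypttab "$(blkid)" "$(cat /etc/crypttab)"
```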