Crypt setup

Set up cryptographic volumes for dm-crypt (including the LUKS extension)

Encrypt home directory with cryptsetup module

  1. Back up the home directory
  2. Install modules:
$ apt-get install cryptsetup
  3. Install header files (if you got a warning about header files in the previous step)
$ apt-get install firmware-linux firmware-realtek intel-microcode
  4. Unmount partitions
$ umount -a
  5. Load modules into the kernel
$ modprobe xts
$ modprobe dm-crypt
$ modprobe aes
$ modprobe aes-in
$ modprobe aesni-intel
$ modprobe aes-x86_64
  6. Encrypt the wanted partition
$ cryptsetup luksFormat --debug --cipher aes-xts-plain64 --hash sha256 /dev/sda5

Another option for the cipher is aes-cbc-essiv:sha512

  7. Restart so that the new UUID takes effect
  8. Open the encrypted partition
$ cryptsetup luksOpen /dev/sda5 home
  9. Format the partition with the wanted filesystem type
$ mkfs.ext4 /dev/mapper/home
  10. Add this partition to the fstab file, and comment out the old line for the home partition
$ vim /etc/fstab
/dev/mapper/home /home ext4 defaults 0 2
  11. Get the UUID of the encrypted partition
$ blkid
  12. Add the UUID of the encrypted partition to the /etc/crypttab file
$ vim /etc/crypttab
home UUID=<UUID of /dev/sda5> none luks
  13. Mount the encrypted partition
$ mount /dev/mapper/home
  14. Copy the home directory from the backup to the encrypted partition
$ mkdir /home/or
$ cp -R /backup/or /home
$ chown -R or /home/or
  15. Update the boot image (initramfs)
$ update-initramfs -u
  16. Check the status of the encrypted partition
$ cryptsetup luksDump /dev/sda5
  17. Back up the headers of the encrypted partition
$ cryptsetup luksHeaderBackup /dev/sda5 --header-backup-file /backup/sha5_ency_header.img
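
The UUID that /etc/crypttab needs is the one blkid reports for the LUKS container (TYPE="crypto_LUKS"), not the UUID of the filesystem on /dev/mapper/home. The script below is an added example, not part of the original page: it builds the crypttab line from blkid output and checks an existing entry. The function names and the sample blkid text (with made-up UUIDs) are assumptions for illustration.

```sh
#!/bin/sh
# Constructed sample of `blkid` output; the UUIDs are made up.
SAMPLE_BLKID='/dev/sda1: UUID="1111aaaa-0000-4000-8000-000000000001" TYPE="ext4"
/dev/sda5: UUID="2222bbbb-0000-4000-8000-000000000005" TYPE="crypto_LUKS" PARTUUID="0001-05"
/dev/mapper/home: UUID="3333cccc-0000-4000-8000-00000000000a" TYPE="ext4"'

# blkid_get <blkid-text> <selector> <KEY>   (hypothetical helper)
# Prints KEY's value from the line whose device ("/dev/x") or UUID
# ("UUID=...") equals <selector>. Prints nothing when there is no match.
blkid_get() {
    printf '%s\n' "$1" | awk -v sel="$2" -v key="$3=" '
        {
            gsub(/"/, "")                      # drop quotes around values
            hit = ($1 == (sel ":")); val = ""
            for (i = 2; i <= NF; i++) {
                if ($i == sel) hit = 1
                if (index($i, key) == 1) val = substr($i, length(key) + 1)
            }
            if (hit) { print val; exit }
        }'
}

# crypttab_line <blkid-text> <device> <mapper-name>
# Prints the crypttab entry, or fails when <device> is not a LUKS container.
crypttab_line() {
    dev_type=$(blkid_get "$1" "$2" TYPE)
    uuid=$(blkid_get "$1" "$2" UUID)
    if [ "$dev_type" != "crypto_LUKS" ] || [ -z "$uuid" ]; then
        echo "error: $2 is not a LUKS container (TYPE=${dev_type:-none})" >&2
        return 1
    fi
    printf '%s UUID=%s none luks\n' "$3" "$uuid"
}

# check_crypttab_entry <blkid-text> <crypttab-line>
# Succeeds only when the entry's source (second field, either UUID=... or
# a device path) resolves to a crypto_LUKS device in the blkid text.
check_crypttab_entry() {
    src=$(printf '%s\n' "$2" | awk '{ print $2 }')
    [ "$(blkid_get "$1" "$src" TYPE)" = "crypto_LUKS" ]
}

# Demo on the constructed sample: prints the entry for /dev/sda5.
crypttab_line "$SAMPLE_BLKID" /dev/sda5 home
```

On a live system, pass "$(blkid)" in place of the sample text; an entry that carries the /dev/mapper/home UUID fails the check because that UUID belongs to an ext4 filesystem.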
