Crypt setup¶
Setup cryptographic volumes for dm-crypt (including LUKS extension)
Encrypt home directory with cryptsetup module¶
Backup home directory
Install modules:
$ apt-get install cryptsetup
Install header files (if you got warn about headers files in previous step)
$ apt-get install firmware-linux firmware-realtek intel-microcode
Unmount partitions
$ umount -a
Load modules in kernel
$ modprobe xts
$ modprobe dm-crypt
$ modprobe aes
$ modprobe aes-in
$ modprobe aesni-intel
$ modprobe aes-x86_64
Encrypt wanted partition
$ cryptsetup luksFormat -h --debug --cipher aes-xts-plain64 --hash sha256 /dev/sda5
another option for cipher is aes-cbc-essive:sha512
restart to effect new UUID
Open encrypted partition
$ cryptsetup luksOpen /dev/sda5 home
Format partition with wanted partition type
$ mkfs.ext4 /dev/mapper/home
Adding this partition to fstab file, also comment old line for home partition
$ vim /etc/fstab
/dev/mapper/home /home ext4 defaults 0 2
Get UUID of encryption partition
$ blkid
Adding UUID of encryption partition to etc/crypttab file
$ vim /etc/crypttab
home UUID=<UUID OF /dev/mapper/home/> none luks
Mount encryption partition
$ mount /dev/mapper/home
Copy home directory from backup to this encryption partition
$ mkdir /home/or
$ cp -R /backup/or /home
$ chown -R or /home/or
Update image file of boot
$ update-initramfs -u
Check status of encrypted partition
$ cryptsetup luksDump /dev/sda5
Backup headers of encryption partition
$ cryptsetup luksHeaderBackup /dev/sda5 --header-backup-file /backup/sha5_ency_header.img
Resources: