Gentoo Blog
Encrypted home and swap partition on Ubuntu 9.10 Karmic

Simon | October 16, 2009

I have always wanted to encrypt the /home partition on my notebook. Due to lack of time and worries about data loss I never got round to it, but now the time has finally come. Please be careful following this howto: if you do anything wrong you may erase all of your data. You have been warned!

aptitude install cryptsetup libpam-mount

We will start off with the swap partition, which is easy. First deactivate your swap partition; if it is listed in /etc/fstab, remove that line as well, and reboot if the swap is still in use:

swapoff /dev/sda7

Then fill the swap partition with random data from /dev/urandom. This also destroys whatever the old unencrypted swap still holds (pages written out in earlier sessions can contain passwords and keys), so do it even if the partition looks empty:

dd if=/dev/urandom of=/dev/sda7 bs=1M

Configure the encrypted swap in /etc/crypttab and /etc/fstab. The key source is /dev/urandom, so a fresh key is generated on every boot and nothing from a previous session can be recovered afterwards; the price is that suspend-to-disk (hibernation) cannot resume from this swap. The swap option makes the cryptsetup init script run mkswap on the mapped device:

cat /etc/crypttab

cryptoswap /dev/sda7 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap

cat /etc/fstab

/dev/mapper/cryptoswap none swap sw 0 0

Okay, that's it; reboot to test. If you run top from a shell you should see a normal swap partition. Then run the following command and you should see something like this:

cryptsetup status cryptoswap
/dev/mapper/cryptoswap is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda7
offset: 0 sectors
size: 8401932 sectors
mode: read/write

Ok, your swap partition is done, let's move on to /home. Make sure you have an empty partition for this: all data on the partition will be deleted. You've been warned.

Fill your new home partition with random data. Once it is encrypted, unused space is then indistinguishable from data, so nobody can tell how much of the partition is actually in use:

dd if=/dev/urandom of=/dev/sda8 bs=1M

Initialize the partition with a LUKS header and set the initial key. The -y flag asks for the passphrase twice so that a typo cannot lock you out. Please choose a good passphrase and do not forget it, otherwise your data is gone:

cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda8

Open it, which creates the device mapping /dev/mapper/cryptohome:

cryptsetup luksOpen /dev/sda8 cryptohome

Now you can create a file system on the mapped device:

mkfs.ext4 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/cryptohome

Okay, give your new home a test by closing it, reopening it and finally mounting it for the first time:

cryptsetup luksClose cryptohome
cryptsetup luksOpen /dev/sda8 cryptohome
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
mkdir -p /mnt/cryptohome
mount /dev/mapper/cryptohome /mnt/cryptohome
touch /mnt/cryptohome/linux
ls /mnt/cryptohome/
lost+found linux

We can also confirm that it works with the status command. Note the offset of 2056 sectors: that is the space taken by the LUKS header at the start of the partition, which is why the plain dm-crypt swap above shows an offset of 0:

cryptsetup status cryptohome
/dev/mapper/cryptohome is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda8
offset: 2056 sectors
size: 20978771 sectors
mode: read/write

Now would be a good time to copy your current home data to this partition. Use a copy that preserves ownership and permissions, and keep the old data until the new /home has survived a reboot. Then unmount and close the partition:

umount /mnt/cryptohome
cryptsetup luksClose cryptohome

To mount this partition at boot time do the following. The boot process will stop and you will be prompted for the passphrase.

First edit /etc/crypttab (the same file that holds the swap entry) and add

cryptohome /dev/sda8 none luks

Then edit /etc/fstab and add

/dev/mapper/cryptohome /home/ ext4 relatime,errors=remount-ro 0 2
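The swap and /home steps above, collected into one guarded script. This is an added example, not code from the original post: it refuses to touch a device that is still mounted, active as swap or referenced in /etc/fstab or /etc/crypttab (the "remove it from fstab first" step, enforced instead of assumed), generates the four config lines from one place so the mapper names in fstab and crypttab cannot drift apart, and checks the cryptsetup status output for the expected cipher, key size and backing device. The device paths, mapper names and the /mnt/cryptohome mount point are assumptions copied from the post; --plan only prints what would be written, --apply does the work and must run as root.

```bash
#!/bin/bash
# Added example, not from the original post: the swap and /home steps above as one
# guarded script. --plan only prints the lines it would add; --apply touches disks and
# must run as root. Device paths and mapper names are assumptions copied from the post.
set -eu

SWAP_DEV=${SWAP_DEV:-/dev/sda7}   # assumed, as in the post
HOME_DEV=${HOME_DEV:-/dev/sda8}   # assumed, as in the post
SWAP_NAME=cryptoswap
HOME_NAME=cryptohome
CIPHER=aes-cbc-essiv:sha256

# --- helpers that work on text, so they can be checked without a disk ---

# 0 if DEV is the first field of a line in the given /proc/mounts + /proc/swaps text.
device_in_use() {
    local dev=$1
    printf '%s\n%s\n' "$2" "$3" | grep -q -- "^$dev[[:space:]]"
}

# 0 if DEV appears as a whole field in the given fstab/crypttab text (comments ignored).
referenced_in_config() {
    local dev=$1
    printf '%s\n' "$2" | grep -v '^[[:space:]]*#' | grep -qE -- "(^|[[:space:]])$dev([[:space:]]|$)"
}

# The four lines the post adds, generated in one place so fstab and crypttab agree on names.
crypttab_swap_line() { printf '%s %s /dev/urandom cipher=%s,size=256,hash=sha256,swap\n' "$1" "$2" "$CIPHER"; }
fstab_swap_line()    { printf '/dev/mapper/%s none swap sw 0 0\n' "$1"; }
crypttab_luks_line() { printf '%s %s none luks\n' "$1" "$2"; }
fstab_home_line()    { printf '/dev/mapper/%s /home ext4 relatime,errors=remount-ro 0 2\n' "$1"; }

# 0 if `cryptsetup status` output (format as shown in the post) reports an active mapping
# with the expected cipher, a 256-bit key and the expected backing device.
status_ok() {
    local status=$1
    local dev=$2
    printf '%s\n' "$status" | grep -q 'is active' &&
    printf '%s\n' "$status" | grep -q "cipher:[[:space:]]*$CIPHER\$" &&
    printf '%s\n' "$status" | grep -q 'keysize:[[:space:]]*256 bits' &&
    printf '%s\n' "$status" | grep -q "device:[[:space:]]*$dev\$"
}

# --- the destructive part ---

# Refuse a device that is mounted, active as swap, or still referenced in fstab/crypttab.
assert_free() {
    local dev=$1
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if device_in_use "$dev" "$(cat /proc/mounts)" "$(cat /proc/swaps)"; then
        echo "$dev is mounted or active as swap; umount/swapoff it first" >&2; return 1
    fi
    if referenced_in_config "$dev" "$(cat /etc/fstab; cat /etc/crypttab 2>/dev/null)"; then
        echo "$dev is still referenced in /etc/fstab or /etc/crypttab" >&2; return 1
    fi
}

# dd ends with "No space left on device" and exit 1 when it reaches the end of the
# partition; that is expected, hence the || true.
wipe() { dd if=/dev/urandom of="$1" bs=1M || true; }

setup_swap() {
    assert_free "$SWAP_DEV"
    wipe "$SWAP_DEV"           # also destroys whatever the old plaintext swap still holds
    crypttab_swap_line "$SWAP_NAME" "$SWAP_DEV" >> /etc/crypttab
    fstab_swap_line "$SWAP_NAME" >> /etc/fstab
}

setup_home() {
    assert_free "$HOME_DEV"
    wipe "$HOME_DEV"
    cryptsetup -c "$CIPHER" -y -s 256 luksFormat "$HOME_DEV"   # -y: passphrase asked twice
    cryptsetup luksOpen "$HOME_DEV" "$HOME_NAME"
    mkfs.ext4 -j -m 1 -O dir_index,filetype,sparse_super "/dev/mapper/$HOME_NAME"
    status_ok "$(cryptsetup status "$HOME_NAME")" "$HOME_DEV" || { echo "mapping check failed" >&2; return 1; }
    mkdir -p /mnt/cryptohome
    mount "/dev/mapper/$HOME_NAME" /mnt/cryptohome
    cp -a /home/. /mnt/cryptohome/     # copy, not move: keep the old /home until the new one has booted
    umount /mnt/cryptohome
    cryptsetup luksClose "$HOME_NAME"
    crypttab_luks_line "$HOME_NAME" "$HOME_DEV" >> /etc/crypttab
    fstab_home_line "$HOME_NAME" >> /etc/fstab
}

plan() {
    echo "swap: $SWAP_DEV -> /dev/mapper/$SWAP_NAME (new random key each boot, so no hibernation)"
    crypttab_swap_line "$SWAP_NAME" "$SWAP_DEV"; fstab_swap_line "$SWAP_NAME"
    echo "home: $HOME_DEV -> /dev/mapper/$HOME_NAME (LUKS, passphrase asked at boot)"
    crypttab_luks_line "$HOME_NAME" "$HOME_DEV"; fstab_home_line "$HOME_NAME"
}

case "${1:-}" in
    --plan)  plan ;;
    --apply) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
             setup_swap; setup_home; echo "done; reboot, then check: cryptsetup status $SWAP_NAME" ;;
    *)       echo "usage: $0 --plan | --apply" ;;
esac
```

Run it with --plan first and compare the printed lines with your own device names before --apply. The apply run is interactive: luksFormat asks for confirmation and for the passphrase, exactly as in the manual steps. The status check is written against the cryptsetup output format shown above; if your version prints the fields differently, adjust the four patterns in status_ok rather than skipping the check.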

Automatically mounting it when logging in: I will write this part shortly, so stay tuned.

Category: Ubuntu/Debian


9 Replies

Pedro | October 31, 2009

Does this really work on Ubuntu 9.10? I already tried this very set-up (which I did following the instructions in http://blog.gnist.org/article.php?story=EncryptedSwapAndHomeUbuntu ) but Ubuntu 9.10 doesn’t ask me for the password for cryptohome when booting up.

Simon | November 2, 2009

Yes, I can confirm this does work. I have been using this setup since Karmic alpha 6 without a problem. The only problems I experienced were related to the /tmp partition, which was formatted on boot. Ubuntu sometimes stopped booting waiting for crypto /tmp, so I stopped using an encrypted /tmp for now. I unlock my /home partition with libpam-mount once the user logs in via GDM, which works really well.

Artur | November 11, 2009

Very good tutorial, thanks!

Willie | November 18, 2009

It sure doesn’t work for me.

It worked flawlessly in 9.04 when the boot process would pause while you entered your encryption password under the ubuntu boot splash logo. Enter it correctly and the boot process would continue so you would log in transparently with an encrypted /home partition.

In 9.10, using the exact same setup process, something corrupts somewhere. The luks password prompt doesn’t appear on the graphical boot screen but on virtual console #1.
Also the boot process doesn’t halt while you enter this password but continues to the graphical user login, with no mounted home partition available.
Also, even after entering the password, virtual terminals 1-6 are subsequently unavailable to users.

I'm about to set up an encrypted partition on a 9.04 machine to try and see where the differences are in the boot process.

gianni | November 24, 2009

If you use the alternate disc it will be done automagically. I'm using 9.10 Xubuntu with encrypted home & swap + /tmp on ramdisk :)

anon | December 17, 2009

Worked for me (swap partition only, didn't try to encrypt home). Thanks for the excellent tutorial :-)

Thomas | January 23, 2010

Hi!

I was just wondering, when will you write about encrypting home and automounting it on login, as you stated at the bottom? I am eagerly waiting! :)

Mike | February 23, 2010

I'm having the same problem as everyone else on 9.10: it doesn't ask for the key at bootup on the GDM display but does ask for it on the first tty. It won't work when I try to mount it as /home.

Ad | April 30, 2010

Same here with 9.10. It didn't ask for a password at boot time, it just threw error messages complaining about the encrypted partition not being mounted.
