Encrypted home and swap partition on Ubuntu 9.10 Karmic

I have always wanted to encrypt my /home partition on my notebook. Due to lack of time and the worries of data lose i never got round to it. But now the time has finally come. Please be careful following this howto if you do anything wrong you may erase all of you data. You have been warned!

aptitude install cryptsetup libpam-mount

We will start of with the swap partition which is easy. First deactivate your swap partition you may need to remove it from /etc/fstab and reboot if it is in use.:

swapoff /dev/sda7

Then fill your swap with random data from /dev/urandom

dd if=/dev/urandom of=/dev/sda7 bs=1M

Configure encrypted swap in /etc/crypttab and /etc/fstab

cat /etc/crypttab

cryptoswap /dev/sda7 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap

cat /etc/fstab

/dev/mapper/cryptoswap none swap sw 0 0

Okay thats it reboot to test. If you call top from a shell you should see a normal swap partition. Then try and run the follow command you should see something like this:

cryptsetup status cryptoswap
/dev/mapper/cryptoswap is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda7
offset: 0 sectors
size: 8401932 sectors
mode: read/write

Ok your swap partition is done lets move on to /home make sure you have an empty partition for this all data on the partition will be deleted. You’ve been warned

Fill your new home partition with random data.

dd if=/dev/urandom of=/dev/sda8

Initialize the partition and set initial key. Please make sure to set a good password and do not forget it otherwise your data is gone.

cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda8

Create a device mapping

cryptsetup luksOpen /dev/sda8 cryptohome

Now you can create a file system on cryptohome

mkfs.ext4 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/cryptohome

Okay give your new home a test by closing it reopening it and finally the first mount

cryptsetup luksClose cryptohome
cryptsetup luksOpen /dev/sda8 cryptohome
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
mkdir -p /mnt/cryptohome
mount /dev/mapper/cryptohome /mnt/cryptohome
touch /mnt/cryptohome/linux
ls /mnt/cryptohome/
lost+found linux

We can also confirm that it works by issuing the command

cryptsetup status cryptohome
/dev/mapper/cryptohome is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda8
offset: 2056 sectors
size: 20978771 sectors
mode: read/write

Now would be a good time to move your current home data to this partition. And umount the partition:

umount /mnt/cryptohome
cryptsetup luksClose cryptohome

To mount this partition at boot time do the following. The boot process will stop and you will be prompted for a password:

First edit /etc/cryptotab

cryptohome /dev/sda8 none luks

Then edit /etc/fstab and add

/dev/mapper/cryptohome /home/ ext4 relatime,errors=remount-ro 0 2

Automatically mount when logging in i will write this part shortly so stay tuned.

10 thoughts on “Encrypted home and swap partition on Ubuntu 9.10 Karmic

  1. Windows 7 32 Bit

    I am extremely inspired together with your writing skills and also with the format to your weblog. Is that this a paid subject matter or did you modify it your self? Either way keep up the excellent high quality writing, it’s uncommon to peer a nice weblog like this one these days..

  2. Ad

    Same here with 9.10. It didnt ask for a password on boot time, it just throw error messages complaining about not mounted encrypted partition.

  3. Mike

    I’m having the same problem as everyone else on 9.10, it doesn’t ask for the key at bootup on the gdm display but does ask it on the first tty. It won’t work when I try to mount it as /home.

  4. Thomas


    I was just wondering, when will you write about encryption on home and automounting it on login, as you stated at the bottom. I am eagerly wating! :)

  5. gianni

    if you use the alternate disc it will be done automagically, Im using 9.10 xubuntu… with encrypted home & swap + /tmp on ramdisk :)

  6. Willie

    It sure doesn’t work for me.

    It worked flawlessly in 9.04 when the boot process would pause while you entered your encryption password under the ubuntu boot splash logo. Enter it correctly and the boot process would continue so you would log in transparently with an encrypted /home partition.

    In 9.10, using the exact same setup process, something corrupts somewhere. The luks password prompt doesn’t appear on the graphical boot screen but on virtual console #1.
    Also the boot process doesn’t halt while you enter this password but continues to the graphical user login, with no mounted home partition available.
    Also, even after entering the password, virtual terminals 1-6 are subsequently unavailable to users.

    I’m about the set up an encrypted partition on a 9.04 machine to try and see where the differences are in the boot process.

    1. Simon

      Yes i can confirm this does work. I have been using this setup since karmic alpha 6 without a problem. The only problems i experienced were related to the /tmp partition which was formatted on boot. Ubuntu sometimes stopped booting waiting for crypto /tmp so i stopped using a encrypted /tmp for now. I unlock my /home partition with lib pam mount once the user logs in via GDM which works really well.


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>