Tuesday, November 24, 2009

How To Encrypt Home on Fedora

Encrypt Your Linux Home Partition

This how-to explains the process of encrypting a partition on an existing system.

If you are installing a new Linux box, or reinstalling, the graphical installers for RHEL5.4 and later, Fedora, Ubuntu and OpenSuSE all provide easy GUI tools to do this.

Doing so on an existing system takes a bit of care so as not to destroy data.

The following are notes that I took while running through the process for the first time. Some steps may be redundant or unnecessary; if so, feel free to add comments and I'll adjust the process.

  1. Identify the partition that should be encrypted. In this example, I'm going to encrypt the partition (/dev/sdb1) that is mounted as /home.
  2. Back up the data before proceeding. Encrypting the partition requires reformatting it, and since this is /home it makes sense to log out of the desktop, log in as root on a text console (CTRL ALT F2) and run 'init 3'. The /home directory can then be safely unmounted.
    # init 3
    # mkdir -p /backup/$(hostname -s)
    # rsync -a /home /backup/$(hostname -s)
    # umount /home

  3. Use cryptsetup to initialize the LUKS partition (again, make sure it is unmounted) and set the initial key / passphrase. Use whatever good passphrase you want to unlock this device in the future. If necessary, additional keys can be added later for multi-user support.
    # cryptsetup luksFormat /dev/sdb1
  4. Identify the UUID of the partition
    # blkid /dev/sdb1

    /dev/sdb1: UUID="186f67df-9872-44d5-947c-a010d831f570" TYPE="crypto_LUKS"
  5. Open the LUKS partition, setting up a mapping named after the UUID (this is the default naming convention used by the Fedora installer).
    # cryptsetup luksOpen /dev/sdb1 luks-186f67df-9872-44d5-947c-a010d831f570
  6. Format the device. I'll use ext4 since it's the new standard on Fedora and Ubuntu.
    # mkfs.ext4 /dev/mapper/luks-186f67df-9872-44d5-947c-a010d831f570
  7. Once again, verify the UUID for the device; if you don't get this correct, the system will hang at boot as it attempts to mount the device.
    # blkid /dev/sdb1

    /dev/sdb1: UUID="186f67df-9872-44d5-947c-a010d831f570" TYPE="crypto_LUKS"
  8. Add the device to /etc/crypttab, mapping the name to the correct UUID.
    # vi /etc/crypttab

    luks-186f67df-9872-44d5-947c-a010d831f570 UUID=186f67df-9872-44d5-947c-a010d831f570 none
  9. Add the new mount to /etc/fstab so that it mounts at boot (make sure to comment out or remove the existing /home entry). If you choose to automount encrypted partitions, the boot process will pause and prompt for the passphrase. This may be undesirable, especially in the case of a server where you might choose to mount manually following boot!
    # vi /etc/fstab

    /dev/mapper/luks-186f67df-9872-44d5-947c-a010d831f570 /home ext4 defaults 1 2
  10. Before you reboot, make sure to locate a copy of the installation media in case you need to enter recovery mode (most likely due to a typo in fstab or crypttab).
    # /sbin/shutdown -r now
  11. During the boot process you'll be prompted to enter a passphrase to unlock the partition.
  12. If you need multiple keys (maybe this is a shared workstation or laptop), you can add new keys as follows:
    # cryptsetup luksAddKey /dev/sdb1
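
Steps 7 through 10 hinge on the crypttab and fstab lines agreeing with each other and with the UUID that blkid reports for the raw partition (the TYPE="crypto_LUKS" entry), and the post's recovery advice exists precisely because a typo there hangs the next boot. The script below is an added example, not part of the original post: it generates the two lines from a UUID using the same luks-<UUID> naming the post uses, and cross-checks a crypttab file against an fstab file so the mistakes the post warns about (a mapping name that doesn't match its UUID, a mapper device with no crypttab entry, the old /home line left uncommented) are caught before rebooting. The function names and the file-path arguments are my own; run it against copies of the real files or pass /etc/crypttab and /etc/fstab directly.

```shell
#!/bin/sh
# Cross-check the crypttab/fstab pair before rebooting (added example, not part
# of the original post). Function names and the file-path arguments are my own;
# the luks-<UUID> naming and the line formats are the ones the post uses.

# Print the crypttab and fstab lines for a LUKS container with the given UUID
# (the container UUID shown by blkid on the raw partition, TYPE="crypto_LUKS").
# Refuses anything that is not a well-formed lowercase UUID, since a typo here
# is exactly what leaves the system hanging at boot.
luks_entries() {
    uuid="$1"
    mountpoint="$2"
    fstype="${3:-ext4}"
    if ! printf '%s\n' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "luks_entries: '$uuid' is not a UUID" >&2
        return 1
    fi
    echo "luks-$uuid UUID=$uuid none"
    echo "/dev/mapper/luks-$uuid $mountpoint $fstype defaults 1 2"
}

# Check a crypttab file against an fstab file. Reports:
#   - crypttab mappings whose name does not match their UUID= device
#   - crypttab mappings that use a device path instead of UUID=
#   - fstab /dev/mapper/luks-* devices with no crypttab mapping
#   - mount points listed more than once in fstab (the old /home line left in)
# Returns 0 only when every check passes, so it can gate the reboot.
check_luks_tabs() {
    crypttab="$1"
    fstab="$2"
    rc=0

    # crypttab fields: <name> <device> <keyfile> [options]
    while read -r name device keyfile options || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$device" in
            UUID=*)
                uuid="${device#UUID=}"
                if [ "$name" != "luks-$uuid" ]; then
                    echo "crypttab: mapping '$name' does not match UUID $uuid"
                    rc=1
                fi
                ;;
            *)
                echo "crypttab: mapping '$name' refers to '$device' rather than UUID="
                rc=1
                ;;
        esac
    done < "$crypttab"

    # fstab fields: <device> <mountpoint> <fstype> <options> <dump> <pass>
    while read -r device mountpoint fstype options dump pass || [ -n "$device" ]; do
        case "$device" in ''|'#'*) continue ;; esac
        case "$device" in
            /dev/mapper/luks-*)
                name="${device#/dev/mapper/}"
                if ! grep -q "^$name[[:space:]]" "$crypttab"; then
                    echo "fstab: $device ($mountpoint) has no crypttab mapping"
                    rc=1
                fi
                ;;
        esac
    done < "$fstab"

    # Any mount point that appears twice (typically the original /home line
    # left uncommented next to the new mapper line) is reported as well.
    dups=$(awk '$1 !~ /^#/ && NF >= 2 { print $2 }' "$fstab" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "fstab: mount point listed more than once: $dups"
        rc=1
    fi
    return "$rc"
}

# Stand-alone use: ./check_luks_tabs.sh /etc/crypttab /etc/fstab
if [ "$#" -eq 2 ]; then
    check_luks_tabs "$1" "$2"
fi
```

A silent exit status of 0 means the two files are consistent; anything else is printed with the offending line so it can be fixed before the reboot in step 10 rather than from recovery media afterwards.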
