Encrypt your /home this Christmas: part two - creating an encrypted partition
9 December 2007
0. The Plan
So if you read the last post, you will know that I am suggesting that everyone who owns a Linux laptop encrypts their home directory by Christmas. As part of that I am explaining how I implemented encryption on my laptop. To quickly recap:
- Firstly, I explained the benefits and shortcomings of my approach to laptop encryption.
- Secondly, we will now set up the encrypted partition at a dummy mount point and check that it works.
- Thirdly, in the next post we will copy our files to the encrypted partition, set the encrypted partition to be mounted as /home and then shred the old copies of our files.
1. Make yourself a new partition
So the first step is to make yourself a new partition. You will possibly have to resize existing partitions to make space. This is not a big problem; one easy way is to use the graphical tool called gparted.
If you don't know what partitions are then read my `introduction to disk partitions`_ and possibly my post on `setting up partitions for Gentoo`_.
Once you have room, you need to make the new partition with gparted, with the curses program cfdisk, or with the plain command-line version fdisk (e.g. type sudo cfdisk - be careful what you press!).
Remember or write down the name of the partition that you make. For example, it may be called /dev/sda4. If you forget then sudo fdisk -l will tell you what partitions you have.
Note, don't worry about formatting a filesystem at this point, we will need to reformat it later anyway.
2. Install cryptsetup
The next step is to install the required userspace tool. The easiest way is to use your friendly neighbourhood package manager. Let's take two examples:
On Gentoo Linux:
sudo emerge cryptsetup-luks
If you have compiled your own kernel, then you need to add certain modules; crib them from here.
On Ubuntu/Debian Linux:
sudo apt-get install cryptsetup
3. Encrypt the partition
There are lots of available algorithms. We will use a pretty standard one - the AES algorithm with a 256-bit key. Here is what the NSA says:
> The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths (NSA 2003, page 2).
So AES with a 256-bit key should be secure enough to stop any potential identity thieves.
Imagine the partition is called /dev/sda4; then we need to use the following command to encrypt the partition (the -s 256 option asks for the 256-bit key explicitly, because cryptsetup of this era defaults to 128 bits if you leave it out):
sudo cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 /dev/sda4
You will then be asked for a passphrase; make sure it is strong and that you remember it. Do not write it down on this computer, for example in a text file or document: that would undermine the whole approach, for reasons we shall see later. If you have to write it down at this point, write it on paper, but never keep the paper with the computer.
Here is what happened when I encrypted my partition:
> user@warrior:~$ sudo cryptsetup luksFormat -c aes-cbc-essiv:sha256 /dev/sda4
>
> WARNING!
> ========
> This will overwrite data on /dev/sda4 irrevocably.
>
> Are you sure? (Type uppercase yes): YES
> Enter LUKS passphrase:
> Verify passphrase:
> Command successful.
4. Add the partition to the crypt table
The next step is to add the partition to the /etc/crypttab file. You can do this with any text editor that you like, such as gedit, nano or vim, or for example with emacs:
sudo emacs /etc/crypttab
You then need to add the following line, as always replacing /dev/sda4 with whatever your partition was called in step 1 above:
crypt-home /dev/sda4 none luks
We can see if this worked by unlocking the partition with the following command:
sudo /etc/init.d/cryptdisks start
This should work as follows:
> user@warrior:~$ sudo /etc/init.d/cryptdisks start
>  * Starting remaining crypto disks...
> Enter LUKS passphrase:
> key slot 0 unlocked.
> Command successful.
> [ OK ]
The system can now see a partition at: /dev/mapper/crypt-home
5. Format the encrypted partition
Now we need to give the partition a filesystem. I chose a classic reiserfs filesystem, as shown below; I have skipped some of the output to make it more concise:
> user@warrior:~$ sudo mkfs.reiserfs /dev/mapper/crypt-home
>
> ALL DATA WILL BE LOST ON '/dev/mapper/crypt-home'!
> Continue (y/n):y
> Initializing journal - 0%....20%....40%....60%....80%....100%
> Syncing..ok
>
> ReiserFS is successfully created on /dev/mapper/crypt-home.
6. Add the encrypted partition to the file system table
Next we need to add the partition to the file system table. For the moment, we will just use a dummy mount point, later on we will change it to /home.
So firstly, let's create the mount point:
sudo mkdir /mnt/sda4
Now we need to edit the filesystem table, as before substitute the word emacs for your favourite text editor:
sudo emacs /etc/fstab
Add the following line:
/dev/mapper/crypt-home /mnt/sda4 reiserfs defaults 0 2
We can then try to mount the partition:
sudo mount /mnt/sda4/
If all goes well, we should be able to see the partition in the disk space list provided by df:
> user@warrior:~$ df
>
> /dev/mapper/crypt-home 29293052 32840 29260212 1% /mnt/sda4
7. Reboot to test the system
Assuming this is a laptop and not a server, let's reboot to test what happens. If this is a server, then you might want to restart the relevant init scripts instead to get the same effect.
What should happen is that while your system boots, it will ask you for your passphrase on the command line. When the system has booted you should be able to see the encrypted partition in df (or gnome-system-monitor if you prefer). You should also be able to write to the partition (as root at least).
Make sure everything works as you expect before continuing, in the next post we will copy our data to this partition.
If you have forgotten your passphrase already, then go back to step 3 above and start over; don't forget it this time.
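Before moving real data onto the partition, it is worth confirming that what the kernel is actually using matches the plan above (cipher, key size) and that /etc/crypttab and /etc/fstab agree on the crypt-home name. The script below is an added example, not part of the original post: it runs the checks against constructed sample text in the shape of `cryptsetup status` output and the crypttab/fstab lines from this post, and uses the names crypt-home, /dev/sda4 and /mnt/sda4 assumed from the steps above.

```shell
#!/bin/sh
# Added check for steps 3 to 6: confirm the mapped device uses the planned cipher
# and key size, and that /etc/crypttab and /etc/fstab agree on the crypt-home name.
# All inputs below are constructed samples; on a live system pass the functions
#   "$(sudo cryptsetup status crypt-home)" "$(cat /etc/crypttab)" "$(cat /etc/fstab)"

# Constructed sample in the shape of 'cryptsetup status crypt-home' output
SAMPLE_STATUS='/dev/mapper/crypt-home is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sda4
  mode:    read/write'

# Constructed sample /etc/crypttab and /etc/fstab contents using this post's lines
SAMPLE_CRYPTTAB='crypt-home /dev/sda4 none luks'
SAMPLE_FSTAB='/dev/sda1 / ext3 defaults 0 1
/dev/mapper/crypt-home /mnt/sda4 reiserfs defaults 0 2'

# status_field TEXT FIELD: print the value after "FIELD:" in cryptsetup status output
status_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# key_bits TEXT: print the key size in bits (e.g. 256)
key_bits() {
    status_field "$1" keysize | awk '{ print $1 }'
}

# check_cipher TEXT CIPHER BITS: succeed only if both cipher and key size match
check_cipher() {
    [ "$(status_field "$1" cipher)" = "$2" ] && [ "$(key_bits "$1")" = "$3" ]
}

# mount_point_for CRYPTTAB FSTAB NAME: print the fstab mount point of /dev/mapper/NAME,
# but only if NAME is also declared in crypttab; fail and print nothing otherwise
mount_point_for() {
    printf '%s\n' "$1" | awk -v n="$3" '$1 == n { found = 1 } END { exit !found }' || return 1
    printf '%s\n' "$2" | awk -v d="/dev/mapper/$3" '$1 == d { print $2; exit }'
}

# Run the checks against the samples
if check_cipher "$SAMPLE_STATUS" aes-cbc-essiv:sha256 256; then
    echo "cipher and key size match the plan (aes-cbc-essiv:sha256, 256 bits)"
else
    echo "WARNING: cipher or key size differs from the plan; re-check the luksFormat options"
fi
mp=$(mount_point_for "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB" crypt-home) \
    && echo "crypt-home is declared in crypttab and mounts at $mp" \
    || echo "WARNING: crypttab and fstab do not agree on crypt-home"
```

A key size of 128 in the status output means luksFormat was run without -s 256, and the partition would have to be formatted again to get the 256-bit key the text promises.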
There are ways to improve the setup; for example, gcryptmount allows you to enter the password at the graphical boot screen instead. Currently gcryptmount is only packaged for Gentoo, but with some minor fiddling with the paths (e.g. to match your /etc layout) you should be able to get it to work on your distro. I may come back to this later.
Continue with part three - moving your data to the encrypted partition.
References
- Gentoo Wiki (2007), HOWTO Encrypt Your Home Directory Using LUKS and pam mount.
- NSA (2003), National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information (PDF).
- John Leach (2007), Encrypted partitions with Ubuntu/Debian.
1 Erdem says...
Can we do this on desktop PCs? Good article. Keep up the good work! :)
Posted at 9:15 p.m. on December 10, 2007
2 Zeth says...
Hi Erdem,
Sure, desktop Linux PCs will be fine. I focused on laptops because their physical security is often at a high level of risk. But desktops can get stolen too.
Posted at 10:40 a.m. on December 11, 2007
3 pioto says...
Should we be using sys-fs/cryptsetup instead of sys-fs/cryptsetup-luks in gentoo? It looks like upstream renamed the package recently, but I could be wrong.
Posted at 7:41 p.m. on December 14, 2007