This is meant to be a quick rough-and-ready guide for setting up a new encrypted partition, or changing an existing one (e.g. your home directory) into an encrypted partition. To find out what partitions exist on your system and what size they are, use the command "df -h" as follows:
$ df -h Filesystem Size Used Avail Use% Mounted on /dev/mapper/VolGroup00-LogVol00 14G 5.1G 7.5G 41% / /dev/sda5 99M 19M 76M 20% /boot tmpfs 442M 0 442M 0% /dev/shm /dev/mapper/VolGroup00-LogVol02 79G 17G 63G 22% /home
In this example, you can see that I have a 79 Gigabyte /home partition which is managed by the LVM (logical volume manager), with device address /dev/mapper/VolGroup00-LogVol02. I want to turn this into an encrypted partition.
You will need to have the "cryptsetup" program installed. If you have SELinux running (which is by default on Fedora) then you might also need "restorecon". On Fedora, I think these are already installed in a default installation; if you’ve removed them or just want to be sure, you can get them back with:
% yum install cryptsetup-luks policycoreutils
In this guide I will tell you how to change an existing partition into an encrypted one. If you do not have an existing partition (i.e. you are adding a new partition and do not yet have any data), then you can skip steps 1. and 3.
1. Copy data off your partition
You cannot change an existing partition into an encrypted one in one stage. You need to remove the data, create the encrypted partition, and then copy it back. Use whatever tools you like to copy the data (e.g. /bin/cp, or drag and drop from your desktop).
cp -a /home/* /path/to/backup/directory/
2. Format your partition with LUKS
If you have a partition that is ready to use (i.e. it exists and it contains no data that you want to keep), then you can prepare it with "cryptsetup luksFormat" followed by the device name. The device name will either be a device for a hard disk partition (e.g. /dev/sdb1) or for a LVM logical volume. You will need to be the root user. You will be asked to set a password for use with the encryption.
% /sbin/cryptsetup luksFormat /dev/mapper/VolGroup00-LogVol02
3. Open your partition with LUKS
Now the partition needs to be made known to the encryption manager. You will be asked for the password that you created above. The name "home" here is arbitrary – you can use whatever name you like.
%cryptsetup luksOpen /dev/mapper/VolGroup00-LogVol02 home
4. Format the partition (filesystem format)
The partition is now available, but needs to be formatted with the normal filesystem tools in order to be usable. In this next command, the -L switch is giving a filesystem label which is again arbitrary, and the last /home corresponds to the name given in step 3, above.
% mke2fs -j -m 0 -L /home /dev/mapper/home
5. Make the partition available
If you want your partition to be available when the computer boots (i.e. so that you don’t have to open it manually every time), you need to add an entry to the file /etc/crypttab. Open this file in a text editor (you will still need to be the root user) and add a line like this. The first entry corresponds to the name from step 3, and the second entry to the device from the introduction.
You will also want to make the partition known in the file /etc/fstab. Open this file and add a line like this (replacing any previous entry in the same file for the same partition if you are replacing an existing one):
/dev/mapper/home /home ext3 defaults 1 2
In my example, the previous entry that needed replacing would be this:
/dev/mapper/VolGroup00-LogVol02 /home ext3 defaults 1 2
6. Mount the partition
Now you can either reboot your computer and have the partition automatically mounted (via the entry you made in step 5), or you can do it manually as follows.
% mount /home
% mount /dev/mapper/home
7. Copy your data on to the partition
Now, if applicable, get back the data that you copied in step 1. If you are using SELinux then you might also need to tell your computer to restore the security contexts of the files, depending on whether the place you copied the files to supported security contexts or not – if it was a USB stick or pen drive then it probably didn’t. There’s no harm in restoring them anyway:
% cp -a /path/to/backup/directory/home/* /home/ % restorecon -r /home
8. That’s it!
That’s all. You may find that your computer automatically offers to do various helpful things (such as automatically mount the partition), depending on what you’ve got installed.
- My blog.
- Recently I have written this parable about Richard Dawkins.
- I also wrote this website and this blog exposing a bogus group of science educators.
- My homepage.
Feedback / E-mail / Anything I forgot to mention?: Use the address on my homepage
(Of course, please try Google first).