If you happen to have /home on a separate partition already (/dev/hda5 in this example), then it's a really easy process:
- Copy your home directory to a temporary directory on a different partition:
mkdir /homebackup
cp -a /home/* /homebackup
- Encrypt your home partition:
umount /home
cryptsetup -h sha256 -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/hda5
cryptsetup luksOpen /dev/hda5 chome
mkfs.ext3 -m 0 /dev/mapper/chome
- Add this line to /etc/crypttab:
chome /dev/hda5 none luks,timeout=30
- Set the home partition to this in /etc/fstab:
/dev/mapper/chome /home ext3 nodev,nosuid,relatime 0 2
- Copy your home data back into the encrypted partition:
mount /home
cp -a /homebackup/* /home
rm -rf /homebackup
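
An added example, not part of the original post: shell functions for the two copy steps that also pick up dot-files sitting directly under /home and check the copy before the backup is deleted. The function names are hypothetical, and GNU cp, find and sha256sum are assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumes GNU cp, find and sha256sum.

# copy_tree SRC DST: copy everything under SRC into DST, preserving
# ownership, modes and timestamps. "SRC/." names the directory's contents
# without a shell glob, so dot-files are included and ".." is never matched.
copy_tree() {
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "copy_tree: $src is not a directory" >&2; return 1; }
    mkdir -p "$dst" || return 1
    cp -a "$src/." "$dst/"
}

# verify_tree SRC DST: succeed only if every regular file under SRC exists
# under DST with identical content. Extra entries in DST (such as the
# lost+found directory that mkfs.ext3 creates) are tolerated. Ownership,
# modes and symlink targets are not compared.
verify_tree() {
    manifest=$(cd "$1" && find . -type f -exec sha256sum {} +) || return 1
    [ -n "$manifest" ] || return 0   # no regular files to compare
    printf '%s\n' "$manifest" | (cd "$2" && sha256sum -c --quiet -)
}

# Usage with the post's paths (run as root):
#   copy_tree /home /homebackup && verify_tree /home /homebackup
#   ... umount, luksFormat, luksOpen, mkfs.ext3 and mount /home as above ...
#   copy_tree /homebackup /home && verify_tree /homebackup /home \
#       && rm -rf /homebackup
```
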


11 comments:
You forgot one important step: Wipe the temporary partition after you copied your /home content back. Otherwise a thief could still get at your old /home contents on that partition.
You might want to use a different tool to remove the temporary home dir copy, e.g. wipe -r -f -q homedircopy
You might want to use cp -a /homebackup/{.*,*} /home to also copy dot-files.
What does this mean for disaster recovery situations? What do I need to put on USB key and into a lock box in order to recover the data, and how exactly is it done?
Nice idea in principle but you might want to change the instructions slightly so that the user doesn't lose all their dotfiles in the process.
Why not start with basics:
1. Set a strong BIOS password
2. Disable (in BIOS) booting from removable media
3. Set a global GRUB password, so ALL options in menulist require a password.
The ordinary thief will already pass after encountering those obstacles.
Then encrypt your home partition.
Regards
The Dozy Kraut
You can also use libpam-mount to make things easier :-)
Why not encrypt the temporary partition too, to prevent you having to hope wipe/shred etc. are thorough enough? Also a tarpipe ((cd /home/foo; tar c . ) | ( cd /tmp/foo; tar x )) or rsync would be better than cp -a (and cp -a /home/foo /tmp/foo would be better than the glob which could expand to too many arguments for the command line and will exclude dotfiles)
The first step could be simpler: 'cp -a /home /homebackup'. Also, in response to the post that you should use 'cp -a /homebackup/{.*,*} /home' to get back dotfiles -- not only is this usually unnecessary, since dotfiles are usually in /home/USERNAME/, not directly in /home/, but because cp -a is recursive, '/homebackup/.*' includes '/homebackup/..'. Don't do it; it will copy the entire contents of your filesystem into '/home'.
You should think about encrypting /tmp, /var/tmp and swap too, since there may be sensitive data even if the machine is switched off.
After unsuccessfully trying encryption on an LVM partition, I think it's safer to do a loopback strategy.