Laptops are easily lost or stolen. To protect your emails, web passwords, encryption keys, etc., you should really think about encrypting (at least) your home directory.

If you happen to have /home on a separate partition already (/dev/hda5 in this example), then it's a really easy process:

  1. Copy your home directory to a temporary directory on a different partition:

    mkdir /homebackup  
    cp -a /home/* /homebackup
    
  2. Encrypt your home partition:

    umount /home  
    cryptsetup -h sha256 -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/hda5  
    cryptsetup luksOpen /dev/hda5 chome  
    mkfs.ext3 -m 0 /dev/mapper/chome
    
  3. Add this line to /etc/crypttab:

    chome    /dev/hda5    none    luks,timeout=30
    
  4. Set the home partition to this in /etc/fstab:

    /dev/mapper/chome /home ext3 nodev,nosuid,relatime 0 2
    
  5. Copy your home data back into the encrypted partition:

    mount /home  
    cp -a /homebackup/* /home  
    rm -rf /homebackup
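
A consistency check for the /etc/crypttab and /etc/fstab edits from steps 3 and 4, as an added example that is not part of the original post. The function name `check_crypt_home` and the sample files it is run against are constructed for illustration.

```shell
# check_crypt_home CRYPTTAB FSTAB [MOUNTPOINT]
# Returns 0 when both files agree, 1 otherwise; problems go to stderr.
check_crypt_home() {
    crypttab=$1; fstab=$2; mnt=${3:-/home}; rc=0

    # fstab: device and options of the single uncommented entry for $mnt
    entry=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $1, $4 }' "$fstab")
    if [ "$(printf '%s\n' "$entry" | grep -c .)" -ne 1 ]; then
        echo "expected exactly one fstab entry for $mnt" >&2
        return 1
    fi
    dev=${entry%% *}; opts=${entry#* }

    # The mount source must be the mapped device, not the raw partition
    case $dev in
        /dev/mapper/*) name=${dev#/dev/mapper/} ;;
        *) echo "$mnt is mounted from $dev, not /dev/mapper/<name>" >&2
           return 1 ;;
    esac

    # crypttab: the mapping name must exist and carry the luks option
    src=$(awk -v n="$name" '$1 == n && (","$4",") ~ /,luks,/ { print $2 }' "$crypttab")
    if [ -z "$src" ]; then
        echo "no luks entry named $name in crypttab" >&2; rc=1
    # a leftover line that mounts the raw partition would fail at boot
    elif awk -v s="$src" '$1 == s { found = 1 } END { exit !found }' "$fstab"; then
        echo "fstab still mounts the raw device $src" >&2; rc=1
    fi

    # Mount options used in step 4
    for o in nodev nosuid; do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "option $o missing on $mnt" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input that mirrors steps 3 and 4
d=$(mktemp -d)
printf 'chome /dev/hda5 none luks,timeout=30\n' > "$d/crypttab"
printf '/dev/mapper/chome /home ext3 nodev,nosuid,relatime 0 2\n' > "$d/fstab"
check_crypt_home "$d/crypttab" "$d/fstab" && echo "crypttab and fstab agree"
rm -rf "$d"
```

On a real system, run it as `check_crypt_home /etc/crypttab /etc/fstab` before rebooting.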
    

That's it. Now to fully secure your laptop against theft, you should think about an encrypted backup strategy for your data...

You forgot one important step: Wipe the temporary partition after you copied your /home content back. Otherwise a thief could still get at your old /home contents on that partition.
Comment by Anonymous
You might want to use a different tool to remove the temporary home dir copy, e.g. wipe -r -f -q homedircopy
Comment by Anonymous
You might want to use cp -a /homebackup/{.,} /home to also copy dot-files.
Comment by jak
What does this mean for disaster recovery situations? What do I need to put on USB key and into a lock box in order to recover the data, and how exactly is it done?
Comment by flithm
Nice idea in principle but you might want to change the instructions slightly so that the user doesn't lose all their dotfiles in the process.
Comment by Mike

Why not start with basics:
1. Set a strong BIOS password
2. Disable (in BIOS) booting from removable media
3. Set a global GRUB password, so ALL options in menulist require a password.

The ordinary thief will already pass after encountering those obstacles.

Then encrypt your home partition.

Regards
The Dozy Kraut

Comment by dozykraut
Why not encrypt the temporary partition too, to prevent you having to hope wipe/shred etc. are thorough enough? Also a tarpipe ((cd /home/foo; tar c . ) | ( cd /tmp/foo; tar x )) or rsync would be better than cp -a (and cp -a /home/foo /tmp/foo would be better than the glob which could expand to too many arguments for the command line and will exclude dotfiles)
Comment by Jon Dowland
The first step could be simpler: 'cp -a /home /homebackup'. Also, in response to the post that you should use 'cp -a /homebackup/{.,} /home' to get back dotfiles -- not only is this usually unnecessary, since dotfiles are usually in /home/USERNAME/, not directly in /home/, but because cp -a is recursive, '/homebackup/.*' includes '/homebackup/..'. Don't do it; it will copy the entire contents of your filesystem into '/home'.
Comment by Anonymous
You should think about encrypting /tmp, /var/tmp and swap too, since there may be sensitive data even if the machine is switched off.
Comment by Jan Wagner