On Thu, 18 Nov 2021 14:40:14 +0100 Klaus Singvogel <deb-user...@singvogel.net> wrote:
> I installed Debian 11 (bullseye) on a fresh PC.
> I created 3 partitions: /, swap, /home.
>
> ...and forgot during installation dialog to encrypt the /home
> partition.
>
> - how can I encrypt the /home partition now?
> - In such a way that the password is asked for manual input during
>   every boot?
>

You can. These instructions are adapted from notes I took on a similar,
related project. You do risk making your system unbootable, and
requiring a fresh installation, so proceed with caution.

Copy everything you want to preserve from the /home partition to
somewhere else. Use tar or the like to preserve permissions.

Log out all non-root users, and umount /home.

Encrypt that partition:

    cryptsetup -y -v luksFormat /dev/sdaX
    cryptsetup luksOpen /dev/sdaX encryptedhome

Check your work:

    cryptsetup -v status encryptedhome
    cryptsetup luksDump /dev/sdaX
    cryptsetup luksHeaderBackup /dev/sdaX --header-backup-file ${HOSTNAME}.$(date +%Y.%m.%d).luks.home.backup

Then build the LVM on top of /dev/mapper/encryptedhome:

See: https://www.linuxsysadmins.com/create-logical-volume-filesystem-in-linux/

    pvcreate /dev/mapper/encryptedhome                 # create the physical volume.
    vgcreate ${HOSTNAME}-vg /dev/mapper/encryptedhome  # Create the volume group.
    lvcreate -n homelv -L <SIZE> ${HOSTNAME}-vg        # Create a logical volume the size of the old /crc partition.

where <SIZE> is the available space less some 20 GB so 1) you have room
to grow, and 2) a background task in Bullseye has a place to create
snapshots and fsck them.

And finally, create and (optionally) tune the file system:

    # Use the /dev/<vg>/<lv> path: under /dev/mapper the hyphen in the VG name is doubled.
    mkfs.ext4 /dev/${HOSTNAME}-vg/homelv
    tune2fs -i 3m -c 15 /dev/${HOSTNAME}-vg/homelv

When you've done that, mount /dev/mapper/${HOSTNAME}-vg-homelv on /home,
and restore your data.

Then edit /etc/fstab to suit.

Then run update-grub.

Then reboot to see if you got everything right.

> - does it make sense to use a LVM atop? How?

It may. I mentioned two reasons to do so and leave some empty space.
It would have been better to include the encryption and LVM as part of
installing,

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
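
Added example, not part of the original message: the passphrase prompt at boot comes from an /etc/crypttab entry whose key field is "none", and device-mapper doubles every hyphen inside a VG or LV name when it builds the /dev/mapper name. The function names, the host name "box" and the UUID below are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the /etc/crypttab and /etc/fstab lines for the layout
# in the message above (LUKS on /dev/sdaX, VG ${HOSTNAME}-vg, LV homelv).
# Pure string handling: nothing here touches a disk or needs root.

# device-mapper joins VG and LV with a single "-" and doubles every "-" that
# is part of either name, so VG "box-vg" + LV "homelv" is "box--vg-homelv".
dm_name() {
    vg=$(printf '%s' "$1" | sed 's/-/--/g')
    lv=$(printf '%s' "$2" | sed 's/-/--/g')
    printf '%s-%s\n' "$vg" "$lv"
}

# crypttab(5) line: <mapping name> <source device> <key file> <options>.
# Key file "none" makes the boot process prompt for the passphrase.
crypttab_line() {
    name=$1
    uuid=$2
    case $uuid in
        *[!0-9a-fA-F-]*|'') echo "bad LUKS UUID: $uuid" >&2; return 1 ;;
    esac
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# fstab(5) line for the ext4 file system on the logical volume.
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$(dm_name "$1" "$2")" "$3"
}

# Constructed sample values; on a real system take the UUID from
#   cryptsetup luksUUID /dev/sdaX
SAMPLE_UUID=0a1b2c3d-1111-2222-3333-444455556666
crypttab_line encryptedhome "$SAMPLE_UUID"
fstab_line "box-vg" homelv /home
```

Referring to the LUKS container by UUID rather than /dev/sdaX keeps the entry valid if disk enumeration order changes between boots.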