My method for mounting an encrypted home with debian-live
In a previous message I described creating a non-partitioned bootable
USB drive. My goal in doing that was to make a USB drive, which I
could insert into (most) any random PC and boot to a functional Debian
desktop. Into the root image I install Xfce, iceweasel, icedove,
pidgin, xemacs, ssh, network-manager, and importantly cryptsetup.
That gives me the tools I use 90% of the time in a 450MB squashfs
image, which fits in my wallet. I also install various system rescue
As before, I'm posting this in the hope that it helps somebody, or
even better, that people help me to simplify this, or improve the
Because I have icedove's mail cache, and other personal information
stored on an easily losable USB drive, I wanted to make sure my home
directory was encrypted. I'm familiar with cryptsetup and LUKS,
because that is what I use in several other applications.
I decided the easiest way to do this would be with a disk image
mounted as a loopback device, and then let cryptsetup handle it
First I created a disk image of the required size:
dd if=/dev/zero of=encrypted.home bs=1M count=500
or whatever size you think is appropriate.
Then set the image up as a loop device. First find the next available
loop device (probably /dev/loop0), then attach the image to it:
losetup /dev/loop0 ./encrypted.home
Now treat /dev/loop0 as you would any other disk partition when
creating the LUKS container and the filesystem inside it:
cryptsetup luksFormat /dev/loop0
cryptsetup luksOpen /dev/loop0 luks.home
and format it. I chose ext2 because it is fast, but use whatever you
want. Be sure to update the scripts below (the fstab entry names the
filesystem type) if you pick something else.
mount /dev/mapper/luks.home /mnt
Create your home directory. Replace these with the appropriate
username and uid.
chown 1000:1000 /mnt/user
chmod 755 /mnt/user
At this point you can copy over any files you want in the encrypted
home. Don't forget to update their permissions and ownerships.
To reverse the process, unmount /mnt and then:
cryptsetup luksClose /dev/mapper/luks.home
losetup -d /dev/loop0
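As an added example (not part of the original post), here are the steps above gathered into one script that builds the image, formats and opens the container, creates the filesystem and the home directory, and always tears the mapping and the loop device down again, even when a step fails halfway. The image name, size, user name, uid and the ext2 mkfs call are assumed defaults to adjust through environment variables; everything except the header check needs root. The header check reads the six magic bytes at the start of the file, which is a cheap way to confirm that what you are about to copy onto the USB drive is the LUKS container and not the zero-filled image you started from.

```shell
#!/bin/sh
# Added example: build an encrypted home image along the lines of the post.
# Assumed defaults, override by exporting the variables before running.
set -eu

IMAGE=${IMAGE:-encrypted.home}
SIZE_MB=${SIZE_MB:-500}
HOMEUSER=${HOMEUSER:-user}
HOMEUID=${HOMEUID:-1000}
MAPNAME=luks.home          # plaintext device appears as /dev/mapper/luks.home
MNT=/mnt

# Return 0 if FILE starts with the LUKS header magic ("LUKS" 0xBA 0xBE),
# which both LUKS1 and LUKS2 containers carry at offset 0.
luks_magic_ok() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Undo whatever got set up, in reverse order, so a failed run never leaves
# the plaintext mapping or the loop device behind.
LOOP=
cleanup() {
    mountpoint -q "$MNT" && umount "$MNT"
    [ -e "/dev/mapper/$MAPNAME" ] && cryptsetup luksClose "$MAPNAME"
    [ -n "$LOOP" ] && losetup -d "$LOOP"
    return 0
}

create_home() {
    trap cleanup EXIT
    # Zero fill as in the post; /dev/urandom would hide how much of the
    # container is actually in use, at the cost of a much slower dd.
    dd if=/dev/zero of="$IMAGE" bs=1M count="$SIZE_MB"
    # -f picks the next free loop device, --show prints the one it chose.
    LOOP=$(losetup -f --show "$IMAGE")
    cryptsetup luksFormat "$LOOP"             # asks for confirmation and a passphrase
    cryptsetup luksOpen "$LOOP" "$MAPNAME"    # asks for the passphrase again
    mkfs.ext2 "/dev/mapper/$MAPNAME"          # assumed: ext2, like the post
    mount "/dev/mapper/$MAPNAME" "$MNT"
    mkdir "$MNT/$HOMEUSER"
    chown "$HOMEUID:$HOMEUID" "$MNT/$HOMEUSER"
    chmod 755 "$MNT/$HOMEUSER"
    # Copy anything else you want in the encrypted home here and fix its
    # ownership; the trap closes everything when the function returns.
}

# Only do the root-only work when invoked with an explicit "build" argument;
# sourcing the file just defines the functions.
if [ "${1-}" = build ]; then
    create_home
    if luks_magic_ok "$IMAGE"; then
        echo "$IMAGE: LUKS header present, ready to copy to /live on the USB drive"
    else
        echo "$IMAGE: no LUKS header, do not copy this file" >&2
        exit 1
    fi
fi
```

Run it as root with `./make-home.sh build`, or `IMAGE=home.img SIZE_MB=1024 HOMEUSER=alice ./make-home.sh build`. The check at the end is worth keeping as a habit: a zero-filled file and a LUKS container are the same size and have the same name, and only one of them protects the mail cache.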
Now, copy encrypted.home to the /live directory on the USB drive.
I then put a script named 99crypt-home.sh into
config/chroot_local-hooks to configure the live image:
update-rc.d losetup-home.sh start 23 S .
# append with cat: echo ignores its stdin, so a here-document fed to it
# would never reach fstab
cat >> /etc/fstab <<EOF
/dev/mapper/home /home ext2 defaults,noatime 0 0
EOF
That references the file losetup-home.sh which goes in
#! /bin/sh
### BEGIN INIT INFO
# Provides:          losetup-home
# Required-Start:    checkroot
# Required-Stop:     umountroot
# Should-Start:      udev devfsd
# Should-Stop:       udev devfsd
# X-Start-Before:    cryptdisks
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Setup early encrypted block devices.
### END INIT INFO

# Loop device to use and the image on the live medium. The image path is
# an assumption: point it at wherever live-boot mounts the USB drive.
LOOP=/dev/loop0
CRYPTHOME=/live/image/live/encrypted.home

case "$1" in
  start)
    /sbin/losetup $LOOP $CRYPTHOME
    # cryptdisks starts after us, reads this and asks for the passphrase.
    # crypttab(5) documents the last option as timeout=<seconds>.
    echo "home $LOOP none luks,check,timeout" > /etc/crypttab
    ;;
  stop)
    /sbin/losetup -d $LOOP
    ;;
esac
From this point (unless I'm forgetting a step) cryptsetup should
figure out what to do during the boot process. At some point it will
ask for your password to decrypt the luks partition. My system is
configured to autologin to an Xfce desktop.
I'm sure my scripts have lots of room for improvement, but the steps
I've outlined work well for me.