
Re: Late encryption of /home Partition



On Thu, 18 Nov 2021 14:40:14 +0100
Klaus Singvogel <deb-user-ml@singvogel.net> wrote:

> I installed Debian 11 (bullseye) on a fresh PC.
> I created 3 partitions: /, swap, /home.
> 
> ...and forgot during installation dialog to encrypt the /home
> partition.
> 
> - how can I encrypt the /home partition now?
> - In such a way that the password is asked for manual input during
> every boot?
> 

You can. These instructions are adapted from notes I took on a similar,
related project. You do risk making your system unbootable, and
requiring a fresh installation, so proceed with caution.

Copy everything you want to preserve from the /home partition to
somewhere else. Use tar or the like to preserve permissions.

Log out all non-root users, and umount /home.

Encrypt that partition:

cryptsetup -y -v luksFormat /dev/sdaX	# Write the LUKS header; -y asks for the passphrase twice, -v reports each step.
cryptsetup luksOpen /dev/sdaX encryptedhome	# Map the decrypted partition to /dev/mapper/encryptedhome.

Check your work:

cryptsetup -v status encryptedhome	# Confirm the mapping is active and which cipher it uses.
cryptsetup luksDump /dev/sdaX	# Show the header, key slots and UUID.

cryptsetup luksHeaderBackup /dev/sdaX --header-backup-file ${HOSTNAME}.$(date +%Y.%m.%d).luks.home.backup	# Keep this file off the machine; without the header the data is unrecoverable.

Then build the LVM on top of /dev/mapper/encryptedhome:

See: https://www.linuxsysadmins.com/create-logical-volume-filesystem-in-linux/

pvcreate /dev/mapper/encryptedhome	# Create the physical volume.
vgcreate ${HOSTNAME}-vg /dev/mapper/encryptedhome	# Create the volume group.
lvcreate -n homelv -L <SIZE> ${HOSTNAME}-vg	# Create a logical volume the size of the old /home partition.

where <SIZE> is the available space less some 20 GB so 1) you have
room to grow, and 2) a background task in Bullseye has a place to
create snapshots and fsck them.

And finally, create and (optionally) tune the file system:

mkfs.ext4 /dev/${HOSTNAME}-vg/homelv	# /dev/<vg>/<lv> is the stable path; the /dev/mapper name doubles every hyphen in the VG name (${HOSTNAME}--vg-homelv).
tune2fs -i 3m -c 15 /dev/${HOSTNAME}-vg/homelv	# Force an fsck at most every 3 months or 15 mounts.

When you've done that, mount /dev/mapper/${HOSTNAME}-vg-homelv on
/home, and restore your data.

Then edit /etc/fstab to suit. Then run update-grub. Then reboot to see
if you got everything right.

> - does it make sense to use a LVM atop? How?

It may. I mentioned two reasons to do so and leave some empty
space. It would have been better to include the encryption and LVM as
part of installing,

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
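The procedure from the reply above, collected into one script as an added example that is not part of the original post. The device name, volume group and logical volume names, size and mount point are assumptions passed as arguments; the script refuses to run against a partition that is still mounted, verifies the LUKS header before building LVM on it, and prints the /etc/crypttab line (the "none" key field is what makes the boot prompt for the passphrase, as the question asked) together with the /etc/fstab line for review. The helper that computes the device-mapper name shows why the mapper path needs doubled hyphens.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: the encrypt-/home steps as a
# script with the checks a cautious admin wants. Arguments are assumptions.
set -eu

# Device-mapper escapes every '-' in a VG or LV name as '--', so VG "myhost-vg"
# with LV "homelv" is /dev/mapper/myhost--vg-homelv. /dev/<vg>/<lv> needs no escaping.
dm_path() {            # dm_path VG LV
    printf '/dev/mapper/%s-%s\n' "$(printf '%s' "$1" | sed 's/-/--/g')" \
                                 "$(printf '%s' "$2" | sed 's/-/--/g')"
}

# /etc/crypttab entry: identify the partition by UUID (sdaX can change between
# boots); the "none" key field makes the boot process prompt for the passphrase.
crypttab_line() {      # crypttab_line NAME UUID
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# /etc/fstab entry for the logical volume; pass 2 so fsck runs it after /.
fstab_line() {         # fstab_line VG LV MOUNTPOINT
    printf '/dev/%s/%s %s ext4 defaults 0 2\n' "$1" "$2" "$3"
}

# True if DEVICE appears as a mounted source in /proc/mounts (or in a file
# passed in its place, which allows checking the logic without root).
is_mounted() {         # is_mounted DEVICE [MOUNTS_FILE]
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Constructed sample in /proc/mounts format, for trying is_mounted without root.
sample_mounts() {
    printf '/dev/sda1 / ext4 rw,relatime 0 0\n/dev/sda3 /home ext4 rw,relatime 0 0\n'
}

# Make sure the partition really carries a LUKS header before building on it.
is_luks() {            # is_luks DEVICE
    cryptsetup isLuks "$1"
}

# The whole procedure, to be run as root; every command is from the post above.
encrypt_home() {       # encrypt_home DEVICE VG LV SIZE MOUNTPOINT
    dev=$1; vg=$2; lv=$3; size=$4; mnt=$5; name=encryptedhome
    if is_mounted "$dev"; then
        echo "$dev is still mounted; log users out and umount it first" >&2
        return 1
    fi
    cryptsetup -y -v luksFormat "$dev"
    is_luks "$dev"
    cryptsetup luksHeaderBackup "$dev" \
        --header-backup-file "${HOSTNAME}.$(date +%Y.%m.%d).luks.home.backup"
    cryptsetup luksOpen "$dev" "$name"
    pvcreate "/dev/mapper/$name"
    vgcreate "$vg" "/dev/mapper/$name"
    lvcreate -n "$lv" -L "$size" "$vg"
    mkfs.ext4 "/dev/$vg/$lv"
    tune2fs -i 3m -c 15 "/dev/$vg/$lv"
    # Print the two lines to add; review them rather than appending blindly.
    echo "# add to /etc/crypttab:"
    crypttab_line "$name" "$(blkid -s UUID -o value "$dev")"
    echo "# add to /etc/fstab:"
    fstab_line "$vg" "$lv" "$mnt"
    echo "# mapper name of the LV, for reference: $(dm_path "$vg" "$lv")"
}

# Usage, as root, e.g.:  encrypt_home /dev/sdaX "${HOSTNAME}-vg" homelv 200G /home
```

After the script prints the two lines, add them to /etc/crypttab and /etc/fstab, run update-grub and reboot; the initramfs hook for cryptsetup is what turns the crypttab entry into the passphrase prompt at boot.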

