Re: Late encryption of /home Partition
On Thu, 18 Nov 2021 14:40:14 +0100
Klaus Singvogel <deb-user-ml@singvogel.net> wrote:
> I installed Debian 11 (bullseye) on a fresh PC.
> I created 3 partitions: /, swap, /home.
>
> ...and forgot during installation dialog to encrypt the /home
> partition.
>
> - how can I encrypt the /home partition now?
> - In such a way that the password is asked for manual input during
> every boot?
>
You can. These instructions are adapted from notes I took on a similar,
related project. You do risk making your system unbootable, and
requiring a fresh installation, so proceed with caution.
Copy everything you want to preserve from the /home partition to
somewhere else. Use tar or the like to preserve permissions.
Log out all non-root users, and umount /home.
Encrypt that partition:
cryptsetup -y -v luksFormat /dev/sdaX
cryptsetup luksOpen /dev/sdaX encryptedhome
Check your work:
cryptsetup -v status encryptedhome
cryptsetup luksDump /dev/sdaX
cryptsetup luksHeaderBackup /dev/sdaX --header-backup-file ${HOSTNAME}.$(date +%Y.%m.%d).luks.home.backup
Then build the LVM on top of /dev/mapper/encryptedhome:
See: https://www.linuxsysadmins.com/create-logical-volume-filesystem-in-linux/
pvcreate /dev/mapper/encryptedhome # create the physical volume.
vgcreate ${HOSTNAME}-vg /dev/mapper/encryptedhome # Create the volume group.
lvcreate -n homelv -L <SIZE> ${HOSTNAME}-vg # Create a logical volume slightly smaller than the old /home partition.
where <SIZE> is the available space less some 20 GB so 1) you have
room to grow, and 2) a background task in Bullseye has a place to
create snapshots and fsck them.
And finally, create and (optionally) tune the file system:
mkfs.ext4 /dev/${HOSTNAME}-vg/homelv
tune2fs -i 3m -c 15 /dev/${HOSTNAME}-vg/homelv
When you've done that, mount /dev/${HOSTNAME}-vg/homelv on
/home, and restore your data.
Then edit /etc/fstab to suit. Then run update-grub. Then reboot to see
if you got everything right.
> - does it make sense to use a LVM atop? How?
It may. I mentioned two reasons to do so and leave some empty
space. It would have been better to include the encryption and LVM as
part of installing,
--
Does anybody read signatures any more?
https://charlescurley.com
https://charlescurley.com/blog/
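Added example, not part of the mail above nor of Debian's own tooling: the two configuration lines the recipe leaves implicit, /etc/crypttab (which is what actually produces the passphrase prompt at every boot, with "none" as the key file) and the matching /etc/fstab entry, plus the LVM device-naming rule and a consistency check. It assumes the names from the mail (mapping "encryptedhome", volume group "<hostname>-vg", logical volume "homelv"); the host name and UUID are constructed samples. Two caveats a practitioner would want before following the recipe: luksFormat only writes a header, so the old plaintext of /home remains on the partition until it is overwritten (for example with dd if=/dev/zero of=/dev/mapper/encryptedhome after luksOpen, before pvcreate), and the temporary copy made with tar should be shredded once the data is restored.

```shell
#!/bin/sh
# Added example, not part of the original mail or of Debian's tooling: the
# /etc/crypttab and /etc/fstab entries for a LUKS-wrapped /home on LVM, the
# device-name rule for /dev/mapper, and a consistency check across them.
# Assumed names follow the mail: mapping "encryptedhome", VG "<host>-vg",
# LV "homelv". The host name and UUID below are constructed samples.
set -eu

# LVM publishes VG/LV pairs under /dev/mapper as "VG-LV" and escapes every
# '-' inside either name as '--', so VG "debian-vg" + LV "homelv" becomes
# /dev/mapper/debian--vg-homelv. /dev/VG/LV is the unescaped alias.
dm_path() {
    _vg=$(printf '%s' "$1" | sed 's/-/--/g')
    _lv=$(printf '%s' "$2" | sed 's/-/--/g')
    printf '/dev/mapper/%s-%s' "$_vg" "$_lv"
}

# Stable path that does not depend on the escaping rule.
lvm_path() {
    printf '/dev/%s/%s' "$1" "$2"
}

# /etc/crypttab: <target> <source> <key file> <options>.
# "none" as the key file is what makes systemd-cryptsetup ask for the
# passphrase on the console at every boot. Use the UUID of the LUKS
# container (blkid -s UUID -o value /dev/sdaX), not the ext4 UUID, so the
# entry survives the disk being renumbered.
crypttab_entry() {
    printf '%s UUID=%s none luks' "$1" "$2"
}

# /etc/fstab line for the LV: fsck pass 2 (non-root filesystem) and no
# "nofail", so a failed unlock stops the boot instead of letting users log
# into an empty /home that then silently fills the root filesystem.
fstab_entry() {
    printf '%s /home ext4 defaults 0 2' "$1"
}

# Cross-check the three pieces: the crypttab target must be the mapping
# name, the PV that `pvs` reports for the VG must be that mapping's node,
# and the fstab device must be the LV. Returns 0 when everything lines up.
config_consistent() {
    _mapping=$1 _vg=$2 _lv=$3 _pv=$4 _ct=$5 _fs=$6
    [ "${_ct%% *}" = "$_mapping" ] || return 1
    [ "$_pv" = "/dev/mapper/$_mapping" ] || return 1
    [ "${_fs%% *}" = "$(lvm_path "$_vg" "$_lv")" ] || return 1
}

# Print the plan: host, mapping name, VG, LV, LUKS container UUID.
show_plan() {
    _ct=$(crypttab_entry "$2" "$5")
    _fs=$(fstab_entry "$(lvm_path "$3" "$4")")
    printf '# /etc/crypttab\n%s\n# /etc/fstab\n%s\n# mapper node: %s\n' \
        "$_ct" "$_fs" "$(dm_path "$3" "$4")"
}

# Constructed sample: fictitious host "debian" and a made-up UUID.
show_plan debian encryptedhome debian-vg homelv 2f8c9b1e-5a3d-4e7b-9c1a-0d2e4f6a8b3c
```

Append the two printed lines to /etc/crypttab and /etc/fstab as root, then test before rebooting: `systemctl daemon-reload`, `systemctl start systemd-cryptsetup@encryptedhome.service` (which prompts for the passphrase), then `mount /home`. If that works, the reboot will prompt the same way; update-grub is not needed for a non-root filesystem.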