How do I encrypt an existing /home structure?

Worried that your personal files in your home directory could be viewed by a thief if your Linux laptop is stolen? Do you use iFolder3 but wish the data (or other data) were encrypted on your machine (while not in use) as well as on the server?

I got your back. Using the standard encryption tools built in to Opensuse (and some other distros), you can encrypt your home directory (or any other) structure — even after the fact — and help protect that data that may be super secret, even if only to you.

Here’s how I created an encrypted /home on my recently-upgraded openSUSE11 laptop, even after I had been using the machine for some time and had accumulated a significant amount of personal data (including my iFolders):

First, boot cleanly into runlevel 3, by rebooting and entering a “3” after the kernel options line. All you have to do is type “3” when the kernel choices are shown at boot, then hit enter.

Log in as root.

Once logged in, back up your home directories (this is needed if you’re going to encrypt existing home directories, not needed if you’re starting fresh and creating a new encrypted mount point):
tar -cvf /homeBackup.tar /home

(You could delete the contents of /home at this point… See “Note” below…)

It doesn’t matter where you create the backup, as long as you don’t create it inside /home; in this example we will mount our encrypted structure there later, and the backup would end up hidden underneath the mount… you’ll see… You might want to copy the tar off to another server via ftp or whatnot, which is why I chose runlevel 3…

Using YAST -> System -> Partitioner, create the Crypt file and stuff.

  1. Choose “Crypt File…” at bottom
  2. Enter “Path Name of File”, I chose “/CryptHome”
  3. Select the “Create Loop File” if you have not created one manually already. Set the size here. I chose 10GB (hey, after all this is my home directory “virtual partition” that will include my iFolder and stuff, too!). Note that if you are space-sensitive, give it some extra room since it needs some for the small amount of crypt overhead.
  4. Leave it set to format, and I prefer “Ext3”… and definitely leave it set to “Encrypt File System”.
  5. Set the mount point. In my set up, I’m using /home
  6. Upon choosing “OK”, you are prompted for a passphrase. NEVER FORGET THIS PASSPHRASE, or you lose all the data on the encrypted storage.
  7. Upon choosing “OK” for the partitioner, it will prompt you to re-affirm the changes, then it will create the crypt file (this could take a while, depending on your system) and the mount point (in /etc/fstab) and mount it for you.

Once the partitioner and Yast are finished, and you’re back out at the prompt, you need to restore the home directory content into the new crypt structure. tar stripped the leading slash when it archived /home, so extract relative to / (with -C /) rather than from whatever directory you happen to be sitting in, or the files land in ./home instead of the new /home:
tar -xvf /homeBackup.tar -C /

(Note: the data from your old home directory is still there underneath the mounted new encrypted home directory. At this point, you *could* unmount the encrypted /home and delete your old unencrypted home data with rm -r /home … but I’m afraid to even tell you that. Just know that the old data is still there, un-encrypted, until you delete it!)

Now reboot with init 6. That’s it! You will be prompted for the passphrase on boot in order to mount the crypt structure (you *do* remember it, right? 😉 ). For more information on how all this works (with cryptsetup and LUKS and stuff), make sure to take a look at the cryptsetup man page.
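For those who would rather see what the partitioner is doing under the hood, here is the same setup done by hand with cryptsetup/LUKS, plus a check that /home really ended up on a dm-crypt device and a way to look at the old plaintext left underneath the mount. This is an added example, not the post’s or openSUSE’s own code; the mapper name cryptHome, the crypttab/fstab lines and the helper names are assumptions, only /CryptHome, /home and /homeBackup.tar come from the post.

```shell
# Added example (not from the post): manual equivalent of the YaST
# "Crypt File" steps using cryptsetup/LUKS. Names are assumptions except
# /CryptHome, /home and /homeBackup.tar, which the post uses. Run as root.
CRYPT_FILE=/CryptHome          # loop file holding the LUKS container
MAPPER=cryptHome               # assumed device-mapper name
MOUNT_POINT=/home
FS_TYPE=ext3

# Allocate the container, format it as LUKS, open it and put ext3 on it.
# $1 = size in MiB (the post used 10 GB, i.e. 10240).
create_crypt_file() {
    dd if=/dev/zero of="$CRYPT_FILE" bs=1M count="$1"
    chmod 600 "$CRYPT_FILE"                      # only root reads the container
    cryptsetup luksFormat "$CRYPT_FILE"          # asks for the passphrase
    cryptsetup luksOpen "$CRYPT_FILE" "$MAPPER"  # creates /dev/mapper/$MAPPER
    mkfs."$FS_TYPE" /dev/mapper/"$MAPPER"
    mkdir -p "$MOUNT_POINT"
    mount /dev/mapper/"$MAPPER" "$MOUNT_POINT"
}

# Entries so the container is unlocked (passphrase prompt) and mounted at boot.
# Assumed /etc/crypttab format: "name device keyfile options".
crypttab_line() { printf '%s %s none luks\n' "$MAPPER" "$CRYPT_FILE"; }
fstab_line() { printf '/dev/mapper/%s %s %s defaults 0 2\n' "$MAPPER" "$MOUNT_POINT" "$FS_TYPE"; }

# Restore the backup relative to / so files land in /home, not $PWD/home.
restore_home() { tar -xvpf /homeBackup.tar -C /; }

# Check after reboot: is the path mounted from a /dev/mapper device?
# $1 = a mounts table (normally /proc/mounts), $2 = mount point.
is_encrypted_mount() {
    awk -v m="$2" '$2 == m { print $1 }' "$1" | grep -q '^/dev/mapper/'
}

# The old plaintext /home is still on the root filesystem underneath the
# mount. A non-recursive bind mount of / shows (so you can wipe) what is left.
show_leftover_plaintext() {
    mkdir -p /mnt/rootfs
    mount --bind / /mnt/rootfs
    ls -A /mnt/rootfs/home        # anything listed here is unencrypted
    umount /mnt/rootfs
}
```

After reboot, `is_encrypted_mount /proc/mounts /home` succeeding is the quick confirmation that the mount came from the LUKS container rather than the plain directory.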

Now feel somewhat safer that if your laptop is stolen, they can’t get to your home directory personal files before they sell it for crack money…

Enjoy! 🙂
