I really would like to have encrypted swap, tmp and home partitions on my laptop. In case it gets stolen, or if I forget it somewhere, I can be sure that no one will be able to read my private files. In this mini-howto I set up my home partition using LVM, but a regular partition should work just fine. The howto should also work, with minor modifications, on distributions other than Ubuntu.
Updated:
May 2009: Updated for Ubuntu 9.04. Added encrypted /tmp.
May 2008: Initial version for Ubuntu 8.04.
With the Linux Unified Key Setup (LUKS), setting up an encrypted partition in Linux is done in no time.
Prerequisites
Install required packages:
The device-mapper should be active (if not, reboot):
...with support for crypto:
Good. Now we're ready.
Part I: Setting up encrypted swap
Step 1: Disable your current swap partition.
Step 2: Fill your swap with random data.
As you can see, this might take some time depending on your swap size. So go grab a coffee.
Step 3: Configure encrypted swap.
Add this to your <code>/etc/crypttab</code>:
Why <code>/dev/urandom</code> and not <code>/dev/random</code>? The latter blocks until it has gathered enough entropy to continue; <code>urandom</code> does not. So if you use <code>random</code> instead of <code>urandom</code>, you might have to wait during boot until enough entropy has been collected. (Typing on the keyboard and moving the mouse helps.) Use <code>/dev/random</code> if you're really paranoid.
Next, change your swap entry in <code>/etc/fstab</code> to this:
Every time we boot, swap is encrypted with a fresh, randomly generated key.
Step 4: Test it.
Reboot to test.
We now have an encrypted swap:
Good. Now we're safe, right?
Part II: Dealing with /tmp
To protect <code>/tmp</code>, we have two choices: 1) we can encrypt it like we did with swap, or 2) we can create a ramdisk. The contents of a ramdisk don't survive a reboot, and since <code>/tmp</code> is rarely used for any big files, that is also a good option. But, paranoid as we are, we choose option 1).
The setup is almost identical to that for swap:
Step 1: Setting up a tmp partition using LVM.
If you use a regular partition, you can easily skip this step.
Step 2: Fill the partition with random data.
Step 3: Add entry in /etc/crypttab
Now, since <code>/tmp</code> is encrypted with a new key every time, the filesystem must be created every time as well. The crypttab option "tmp" takes care of that for us: it runs mkfs before the mount. Since the filesystem it creates is ext2, we add to fstab:
We now have an encrypted <code>/tmp</code> partition as well. Great!
Part III: Creating and setting up an encrypted home partition
Step 1: Setting up a home partition using LVM.
Step 2: Fill your soon-to-be home partition with random data.
This will take even longer than the swap partition. So go for lunch or something.
Step 3: Initialize the partition and set initial key.
Remember, if you use a weak password, you're screwed. If you forget the password, it's game over.
Step 4: Create a device mapping.
This will create a device mapping, as can be seen under:
Note that LVM also uses the device-mapper (that is why LVM volumes are also listed).
Or, you can use the command <code>dmsetup ls</code> to list the mapped devices:
Step 5: Create a filesystem.
We now have an encrypted partition. To use it, we need to create a filesystem on it:
Step 6: Testing!
We start by closing and reopening the encrypted partition before we mount it:
We can also confirm that it works by issuing the command:
Now would be a good time to move your current home to this partition.
Finally, we unmount:
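The Part III procedure (steps 2 to 6) collected as shell functions, as an added example that is not the author's own script: the volume and mapping names (/dev/vg0/home, crypthome) and the ext3 filesystem are assumptions, and the dmsetup table sample is constructed. It goes one step beyond the text by filtering the output of dmsetup table for the crypt target, which tells the dm-crypt mapping apart from the LVM volumes that are listed alongside it.

```shell
#!/bin/sh
# Added example, not the author's script: Part III steps 2-6 as shell functions.
# NAME is the mapping name under /dev/mapper, DEV the LVM volume or partition
# (placeholder: /dev/vg0/home).  Everything except dm_crypt_names needs root.

# Step 2: overwrite DEV with random data (slow on a large partition)
fill_random() { dd if=/dev/urandom of="$1" bs=1M; }

# Step 3: turn DEV into a LUKS volume; cryptsetup prompts for the passphrase
luks_init() { cryptsetup luksFormat "$1"; }

# Steps 4 and 5: open the mapping, then put a filesystem on it (ext3 assumed)
luks_open() { cryptsetup luksOpen "$1" "$2"; }    # DEV NAME
make_fs()   { mkfs.ext3 "/dev/mapper/$1"; }       # NAME

# Step 6: close, reopen and mount to prove the passphrase works, then unmount
test_mount() {   # NAME DEV MOUNTPOINT
    cryptsetup luksClose "$1" && cryptsetup luksOpen "$2" "$1" &&
    mount "/dev/mapper/$1" "$3" && df -h "$3" && umount "$3"
}

# dm_crypt_names: read `dmsetup table` output on stdin and print only the
# dm-crypt mappings.  LVM volumes use the linear/striped target, dm-crypt the
# crypt target (4th field), which is how to tell them apart; `dmsetup ls`
# alone lists both without distinction.
dm_crypt_names() { awk '$4 == "crypt" { sub(/:$/, "", $1); print $1 }'; }

# Constructed `dmsetup table` output: two LVM volumes and the crypt mapping
# (dmsetup shows the key as zeros unless --showkeys is given)
SAMPLE_TABLE='vg0-root: 0 20971520 linear 8:3 384
vg0-home: 0 41943040 linear 8:3 20971904
crypthome: 0 41938944 crypt aes-cbc-essiv:sha256 0000000000000000000000000000000000000000000000000000000000000000 0 254:1 4096'

crypt_list() { printf '%s\n' "$SAMPLE_TABLE" | dm_crypt_names; }
crypt_list    # prints: crypthome
```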
Step 7: Cryptohome mounted at boot or at login?
Now you have to make a choice. You can enable the partition at boot time, but then the boot sequence is interrupted to ask you for the LUKS password. If you want the partition mounted automatically when you log in, skip to the next section.
You want to enable mounting at boot time? Then update <code>/etc/crypttab</code>:
And /etc/fstab:
When you now reboot, the boot process is interrupted to ask you for the LUKS password. If you type it correctly, the home partition is mounted. When you then log in, an encrypted home partition is ready and waiting for you.
Part IV: Automatically mounting when logging in.
A more elegant solution is to mount the home partition automatically at the moment you log in. This requires that you use the same password for login as for the encrypted partition. (Actually, that is not entirely true. You may have the password stored in a file somewhere. But in this howto, we assume you use the same password for both.)
Step 1: Remove home partition from /etc/fstab
If there is an entry for your (encrypted) home partition in /etc/fstab, remove it.
Step 2: Update /etc/crypttab
Make sure you have a line in <code>/etc/crypttab</code> that reads as follows:
Step 3: Configure pam_mount
Add the following entry in <code>/etc/security/pam_mount.conf.xml</code>. This file is heavily commented, and it may be useful to read the comments.
Step 4: Configure PAM
No longer necessary: as of 9.04, all the required options are already included.
Step 5: Test!
Log out and back in. You should now have an encrypted home:
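Added example, not part of the original howto: a shell check of the /etc/crypttab and /etc/fstab rules that Parts I, II, III (step 7) and IV rely on, namely a random key plus the swap/tmp option for swap and tmp (with fstab mounting them as swap and ext2, the type the tmp option creates here), keyfile none for the LUKS home, and for a pam_mount-managed home the noauto option together with no fstab line, since pam_mount opens and mounts it itself. Volume names, devices and the cipher option in the sample files are assumptions, not the author's values.

```shell
#!/bin/sh
# Added check, not from the original howto; device/volume names are placeholders.
# check_crypt_entries CRYPTTAB FSTAB [LOGIN_HOME] -- LOGIN_HOME names the crypttab
# entry pam_mount handles (omit when home mounts at boot).  Prints one line per
# problem and returns 1 if any was found.
check_crypt_entries() {
    crypttab=$1; fstab=$2; login_home=$3; rc=0
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac
        # filesystem type fstab uses for this mapping (empty when no line exists)
        fstype=$(awk -v d="/dev/mapper/$name" '$1 == d { print $3 }' "$fstab")
        case ",$opts," in
        *,swap,*|*,tmp,*)
            case $key in /dev/urandom|/dev/random) ;;
            *) echo "$name: one-shot volume must key from /dev/urandom, not $key"; rc=1 ;;
            esac
            case ",$opts," in *,swap,*) want=swap ;; *) want=ext2 ;; esac
            [ "$fstype" = "$want" ] ||
                { echo "$name: fstab must mount /dev/mapper/$name as $want, got '$fstype'"; rc=1; }
            ;;
        *)
            [ "$key" = none ] ||
                { echo "$name: LUKS volume should use keyfile none, not $key"; rc=1; }
            if [ "$name" = "$login_home" ]; then
                case ",$opts," in *,noauto,*) ;;
                *) echo "$name: pam_mount home needs noauto, or boot prompts for it"; rc=1 ;;
                esac
                [ -z "$fstype" ] || { echo "$name: pam_mount home must not be in fstab"; rc=1; }
            else
                [ -n "$fstype" ] || { echo "$name: no fstab line for /dev/mapper/$name"; rc=1; }
            fi
            ;;
        esac
    done < "$crypttab"
    return $rc
}

# Constructed sample files for the login-time layout of Part IV.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/crypttab" <<'EOF'
cryptswap   /dev/sda5      /dev/urandom  swap,cipher=aes-cbc-essiv:sha256
crypttmp    /dev/vg0/tmp   /dev/urandom  tmp,cipher=aes-cbc-essiv:sha256
crypthome   /dev/vg0/home  none          luks,noauto
EOF
cat > "$SAMPLES/fstab" <<'EOF'
/dev/mapper/cryptswap  none  swap  sw        0 0
/dev/mapper/crypttmp   /tmp  ext2  defaults  0 0
EOF
check_crypt_entries "$SAMPLES/crypttab" "$SAMPLES/fstab" crypthome && echo "config OK"
```

Run it against the real files with `check_crypt_entries /etc/crypttab /etc/fstab crypthome` (drop the last argument for a boot-time home).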
Congratulations, you now have encrypted swap, tmp and home partitions!
A final piece of advice: take regular backups.
Useful links: