Encrypt your home folder after installation
Pierre Abbat
phma at leaf.dragonflybsd.org
Fri Oct 13 13:29:45 PDT 2017
On Friday, October 13, 2017 9:42:01 PM EDT Olle wrote:
> Hi,
>
> At this point I would be happy to encrypt even just a single file. The
> options seem dead after installation. Any ideas?
I'm assuming you meant to answer the list, so I'm sending my answer to the
list.
To create an encrypted partition, you need some free space. If all of your
disk is allocated to filesystems or swap, you need to either shrink some
filesystem or add a disk. If /home is on a separate partition and you want to
encrypt it, copy everything in it (which shouldn't be much if you just
installed) to somewhere else and remove the partition from /etc/fstab. If you
are using LVM and have some free space in a volume group, you can make a new
logical volume.
Once you have an empty partition in a slice or an empty logical volume, you
can make an encrypted partition with cryptsetup. Use the luksFormat command.
Having done that, create a file /etc/crypttab. Mine looks like this:
crypt /dev/serno/WD-<snip>.s1d none tries=3,timeout=200
This file is used by the cryptdisks service.
Run "/etc/rc.d/cryptdisks start". cryptsetup will ask you for the password of
the encrypted partition. Enter it, and you'll get the plaintext of the
partition (which will be gibberish, since you're decrypting zeros) in
/dev/mapper/. Make a filesystem on the device in /dev/mapper/.
Add a line in /etc/fstab similar to this:
/dev/mapper/crypt /crypt hammer rw,noauto 1 1
You can now mount your new filesystem on your encrypted partition.
At the time I created the encrypted partition, there was a bug that caused a
kernel panic if I tried to load the dm module when booting. I therefore
created the following script /usr/local/bin/mountcrypt:
#!/bin/sh
# Load the device-mapper module by hand (loading it at boot panicked at the time).
kldload dm
# Unlock the partitions listed in /etc/crypttab; prompts for the passphrase.
/etc/rc.d/cryptdisks start
# Mount the decrypted filesystem (listed with noauto in /etc/fstab).
mount /crypt
# Anything else that lives on the encrypted volume goes here.
mount /usr/obj
If your computer is remote, and you can't enter the cryptdisk password when
booting, you'll need a script like this. You will need to run this as root,
and if you encrypt /home, you have to ssh in as root, because you can't log in
as yourself when your home directory is unavailable.
Pierre
--
The Black Garden on the Mountain is not on the Black Mountain.
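Added example, not part of Pierre's mail: a POSIX sh check that every mapping named in /etc/crypttab has a /dev/mapper entry in /etc/fstab carrying noauto, in the formats shown above, so the boot does not wait on a volume that only exists after the passphrase has been entered. The crypttab and fstab contents are constructed samples and the disk serial is a placeholder, not a real device.

```shell
#!/bin/sh
# Constructed sample files modelled on the crypttab and fstab lines in the
# mail. WD-PLACEHOLDER stands in for a real drive serial.
SAMPLE_CRYPTTAB='crypt /dev/serno/WD-PLACEHOLDER.s1d none tries=3,timeout=200
data /dev/serno/WD-PLACEHOLDER.s1e none tries=3'
SAMPLE_FSTAB='/dev/mapper/crypt /crypt hammer rw,noauto 1 1
/dev/mapper/data /data hammer rw 1 1'

# check_crypt_fstab CRYPTTAB_TEXT FSTAB_TEXT
# Prints one verdict per crypttab mapping and returns the number of problems
# found: a mapping with no fstab entry, or an entry without noauto.
check_crypt_fstab() {
    crypttab=$1 fstab=$2 problems=0
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac      # skip blanks and comments
        mapper="/dev/mapper/$name"
        line=$(printf '%s\n' "$fstab" | grep "^$mapper[[:space:]]" || true)
        if [ -z "$line" ]; then
            echo "$name ($dev): $mapper has no fstab entry"
            problems=$((problems + 1))
            continue
        fi
        set -- $line                                   # $2 mountpoint, $4 options
        case ",$4," in
            *,noauto,*) echo "$name ($dev): ok, $mapper on $2 is noauto" ;;
            *) echo "$name ($dev): $mapper on $2 lacks noauto, boot may wait on it"
               problems=$((problems + 1)) ;;
        esac
    done <<EOF
$crypttab
EOF
    return $problems
}

# Stand-alone run over the samples; the second mapping is the faulty one.
check_crypt_fstab "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB" || echo "$? problem(s) found"
```

On a real system feed it the files with check_crypt_fstab "$(cat /etc/crypttab)" "$(cat /etc/fstab)" before rebooting.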