Encrypt your home folder after installation
Olle Harstedt
olleharstedt at gmail.com
Sat Oct 14 16:05:50 PDT 2017
Hi,
Thanks for your excellent reply.
OK, I just accepted the default partition settings during
installation, and it seems it did not create a home folder, so I guess
I'm screwed unless I can shrink the root partition without formatting
it. Possible? Otherwise, a reinstallation might be my best option
here. (Except that I physically have to move the hard-drive since dfly
won't read USB on the X220 laptop ><)
A related question: Is it possible to encrypt a HAMMER PFS?
Regards
Olle
On Fri, Oct 13, 2017 at 04:29:45PM -0400, Pierre Abbat wrote:
> On Friday, October 13, 2017 9:42:01 PM EDT Olle wrote:
> > Hi,
> >
> > At this point I would be happy to encrypt even just a single file. The
> > options seem dead after installation. Any ideas?
>
> I'm assuming you meant to answer the list, so I'm sending my answer to the
> list.
>
> To create an encrypted partition, you need some free space. If all of your
> disk is allocated to filesystems or swap, you need to either shrink some
> filesystem or add a disk. If /home is on a separate partition and you want to
> encrypt it, copy everything in it (which shouldn't be much if you just
> installed) to somewhere else and remove the partition from /etc/fstab. If you
> are using LVM and have some free space in a volume group, you can make a new
> logical volume.
>
> Once you have an empty partition in a slice or an empty logical volume, you
> can make an encrypted partition with cryptsetup. Use the luksFormat command.
>
> Having done that, create a file /etc/crypttab. Mine looks like this:
> crypt /dev/serno/WD-<snip>.s1d none tries=3,timeout=200
> This file is used by the cryptdisks service.
>
> Run "/etc/rc.d/cryptdisks start". cryptsetup will ask you for the password of
> the encrypted partition. Enter it, and you'll get the plaintext of the
> partition (which will be gibberish, since you're decrypting zeros) in
> /dev/mapper/. Make a filesystem on the device in /dev/mapper/.
>
> Add a line in /etc/fstab similar to this:
> /dev/mapper/crypt /crypt hammer rw,noauto 1 1
> You can now mount your new filesystem on your encrypted partition.
>
> At the time I created the encrypted partition, there was a bug that caused a
> kernel panic if I tried to load the dm module when booting. I therefore
> created the following script /usr/local/bin/mountcrypt:
> #!/bin/sh
> kldload dm
> /etc/rc.d/cryptdisks start
> mount /crypt
> mount /usr/obj
> If your computer is remote, and you can't enter the cryptdisk password when
> booting, you'll need a script like this. You will need to run this as root,
> and if you encrypt /home, you have to ssh in as root, because you can't log in
> as yourself when your home directory is unavailable.
>
> Pierre
> --
> The Black Garden on the Mountain is not on the Black Mountain.
>
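Added example, not part of either message above: a pre-reboot check that every /dev/mapper/ mount in fstab has a matching crypttab entry, following the two file layouts Pierre quotes. The function name, the sample files, the placeholder disk serial, the "objs" mapping and the noauto warning (which only matters for the unlock-by-script setup he describes) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: cross-check fstab against crypttab before rebooting.

# $1 = crypttab path, $2 = fstab path.
# Prints ERROR/WARN lines; returns 1 if a mapper mount has no crypttab entry.
check_mapper_mounts() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        FILENAME == ARGV[1] { known[$1] = 1; next }  # crypttab: field 1 is the mapping name
        $1 ~ /^\/dev\/mapper\// {
            name = substr($1, 13)                    # text after "/dev/mapper/"
            if (!(name in known)) {
                print "ERROR: " $2 " uses " $1 " but crypttab has no \"" name "\" entry"
                bad = 1
            } else if ($4 !~ /(^|,)noauto(,|$)/) {
                # Assumption: the volume is unlocked by a script after boot.
                print "WARN: " $2 " lacks noauto (needed when unlocking after boot)"
            }
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample files; the disk serial is a placeholder.
write_samples() {
    cat > "$1/crypttab" <<'EOF'
# name device keyfile options
crypt /dev/serno/EXAMPLE-SERIAL.s1d none tries=3,timeout=200
objs /dev/serno/EXAMPLE-SERIAL.s1e none tries=3,timeout=200
EOF
    cat > "$1/fstab" <<'EOF'
/dev/mapper/crypt /crypt hammer rw,noauto 1 1
/dev/mapper/objs /usr/obj hammer rw 1 1
/dev/mapper/home /home hammer rw,noauto 1 1
EOF
}

dir=$(mktemp -d) && write_samples "$dir"
check_mapper_mounts "$dir/crypttab" "$dir/fstab" || echo "fix the errors above before rebooting"
rm -rf "$dir"
```

On a real system, point it at /etc/crypttab and /etc/fstab.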