Disk Encryption in Linux

My experiment with FreeBSD is over. It just wasn’t worth the bother. FreeBSD is good, but I don’t need to muck about with USB drive mounting (what? In 2016?), layers of compatibility code, and the like. But the final straw was attempting to install TeX and finding that the packaging was such that I had to install either not enough to get the job done, or way too much (i.e. a massive download). So I’m back to Linux.

I set up my little EeePC with an encrypted /home partition in order to keep things somewhat secure in case I lose the thing. Earlier I mentioned how easy this was in FreeBSD. It’s not much different in Linux.

I went the dm-crypt route, as it’s the most straightforward of the options. First, set up the encryption:

# cryptsetup luksFormat /dev/sd??

You get asked for a password, and it’s all done. Next you get the encryption/decryption going.

# cryptsetup open /dev/sd?? home

Finally, create a filesystem.

# mkfs.btrfs /dev/mapper/home

Then you fill in /etc/crypttab with the appropriate data to get the partition unlocked at boot time. In my case, I added the following line:

home       UUID=<the uuid of the LUKS container>    none

The UUID you need is returned from the command

# cryptsetup luksUUID /dev/path/to/partition

The ‘none’ tells dm-crypt to prompt for a password, which happens at boot. And then you’re done! Obviously you still need to add the encrypted filesystem to /etc/fstab to get it mounted, though.
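
The crypttab and fstab steps above, as an added shell example that is not part of the original post: it renders both entries and flags any crypttab mapping that gets unlocked at boot but has no matching line in fstab. The function names and the sample UUID are constructed, and it assumes the layout used here, with the filesystem sitting directly on the mapping and mounted by its /dev/mapper path.

```shell
#!/bin/sh
# Added example: the UUID and file contents used below are constructed.

# crypttab_line NAME UUID: print "NAME UUID=<uuid> none" (none = prompt at boot).
crypttab_line() {
    # LUKS UUIDs use the 8-4-4-4-12 hex form printed by cryptsetup luksUUID.
    printf '%s\n' "$2" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || {
        echo "invalid UUID: $2" >&2; return 1; }
    printf '%s UUID=%s none\n' "$1" "$2"
}

# fstab_line NAME MOUNTPOINT FSTYPE: mount the unlocked mapping, never the
# raw partition, which only holds ciphertext.
fstab_line() {
    printf '/dev/mapper/%s %s %s defaults 0 0\n' "$1" "$2" "$3"
}

# unmounted_mappings CRYPTTAB FSTAB: print every crypttab name that has no
# /dev/mapper/<name> entry in fstab; return 1 if any are found.
unmounted_mappings() {
    missing=$(awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        FILENAME == ARGV[1] {              # first file: fstab (may be empty)
            if (index($1, "/dev/mapper/") == 1) seen[substr($1, 13)] = 1
            next
        }
        !($1 in seen) { print $1 }         # second file: crypttab
    ' "$2" "$1")
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Demo on constructed files; a real run would pass /etc/crypttab and /etc/fstab.
tmp=$(mktemp -d)
crypttab_line home 3f2b8c1e-7a4d-4e6b-9c0f-1d2e3a4b5c6d > "$tmp/crypttab"
: > "$tmp/fstab"
unmounted_mappings "$tmp/crypttab" "$tmp/fstab" || echo "^ unlocked at boot but never mounted"
fstab_line home /home btrfs >> "$tmp/fstab"
unmounted_mappings "$tmp/crypttab" "$tmp/fstab" && echo "crypttab and fstab agree"
rm -rf "$tmp"
```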

Posted Wednesday, April 27, 2016
