Disk Encryption in Linux
My experiment with FreeBSD is over. It just wasn’t worth the bother. FreeBSD is good, but I don’t need to muck about with USB drive mounting (what? In 2016?), layers of compatibility code, and the like. But the final straw was attempting to install TeX and finding that the packaging was such that I had to install either not enough to get the job done, or way too much (i.e. a massive download). So I’m back to Linux.
I set up my little EeePC with an encrypted /home partition in order to keep things somewhat secure in case I lose the thing. Earlier I mentioned how easy this was in FreeBSD. It’s not much different in Linux.
I went the dm-crypt route, as it’s the most straightforward of the options. First, set up the encryption:
# cryptsetup luksFormat /dev/sd??
You get asked for a password, and it’s all done. Next you get the encryption/decryption going.
# cryptsetup open /dev/sd?? home
Finally, create a filesystem.
# mkfs.btrfs /dev/mapper/home
Then you fill in /etc/crypttab with the appropriate data to get the partition unlocked at boot time. In my case, I added the following line:
home UUID=<the uuid of the LUKS container> none
The UUID you need is returned from the command:
# cryptsetup luksUUID /dev/path/to/partition
The ‘none’ in the third (key file) field means no key file is used, so dm-crypt prompts for a password, which happens at boot. And then you’re done! Obviously you still need to add the encrypted filesystem to /etc/fstab to get it mounted, though.
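A cross-check of the two files from the steps above, as an added example that is not part of the original post: it flags crypttab entries that use an unstable device name or a key file, and /dev/mapper mounts in fstab that no crypttab entry creates. The function name audit_crypt_mounts, the sample entries and the UUID are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_crypt_mounts CRYPTTAB FSTAB: print one finding per line, nothing if consistent.
audit_crypt_mounts() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }                 # skip comments and blank lines
    FILENAME == ARGV[1] {                          # crypttab: name device keyfile [options]
        name = $1; dev = $2; key = (NF >= 3 ? $3 : "none")
        order[++n] = name; mapped[name] = 1
        if (dev !~ /^(UUID|PARTUUID|LABEL|PARTLABEL)=/ && index(dev, "/dev/disk/by-") != 1)
            print "crypttab: " name ": " dev " can change between boots, use UUID="
        if (key != "none" && key != "-")
            print "crypttab: " name ": key file " key " unlocks without a prompt, check who can read it"
        next
    }
    index($1, "/dev/mapper/") == 1 {               # fstab: device mountpoint type ...
        name = substr($1, 13); used[name] = 1
        if (!(name in mapped))
            print "fstab: " $1 " on " $2 ": no crypttab entry creates this mapping"
    }
    END {                                          # mappings that nothing mounts by name
        for (i = 1; i <= n; i++)
            if (!(order[i] in used))
                print "crypttab: " order[i] ": no /dev/mapper/" order[i] " line in fstab"
    }' "$1" "$2"
}

# Constructed sample files (the UUID, devices and key path are made up).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/crypttab" <<'EOF'
# name   device                                     keyfile
home     UUID=00000000-0000-4000-8000-000000000001  none
backup   /dev/sdb1                                  /etc/keys/backup.key
EOF
    cat > "$d/fstab" <<'EOF'
/dev/mapper/home  /home  btrfs  defaults  0 0
/dev/mapper/data  /data  ext4   defaults  0 0
EOF
    audit_crypt_mounts "$d/crypttab" "$d/fstab"
    rm -rf "$d"
}
demo
```

The last check only looks for /dev/mapper/NAME lines, so a mapping that fstab mounts by filesystem UUID or label is reported too and needs a manual look.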
Posted Wednesday, April 27, 2016