Encrypting home partition on an already installed Linux machine

Mateusz Piatkowski
9 min readApr 23, 2020

--

Photo by Sai Kiran Anagani on Unsplash

First off I would like to highlight that I am not an expert in data encryption, hence, this article will be a simple tutorial not going into technical and cryptographic details to much. I am giving examples from Arch Linux, but most of the instruction will work on any Linux distribution.

I was recently interested more into privacy and security matters and I realized that in case my laptop gets stolen I could actually loose a lot of my data. And I mean personal data not photos and movies from holidays. Without the hard drive encryption anyone can run a live CD and read anything from my /home directory including the Firefox profile and this way have access to all my internet accounts. Sounds scary. However my laptop is running Arch Linux for a good year now and I don’t want to reinstall it. Who was installing Arch knows that it takes a while. Fortunately I always create a separate partition for my /home directory so the process I will explain below was a bit easier. In case you don’t have your home directory on a separate partition you would have to take some extra steps before to create one.

Prerequisites

There is a few things you have to do before starting the whole process. I will not go into details of those, I’ll just list them below:

  • As mentioned before, have a separate partition for your /home directory. If you want to encrypt the whole / partition it basically requires reinstalling the operating system.
  • Have a backup (or two). You will have to clean your /home directory. For the sake of this process I just copied my data to a /backup folder in the other partition on my hard drive, but I also have a backup in my local NAS. It’s also highly recommended to have a proper backup system after encrypting your hard drive. Data from encrypted devices is much harder to recover. For this I recommend simple rsync, but if you prefer GUI applications, there is plenty of them.
  • You can login to your PC as a root. Sounds obvious, but some distributions don’t allow that by default, so you may need to unlock this option.

Disk encryption on Arch Linux

ArchWiki has a great article about encryption disk encryption. I highly recommend reading it, but for me it was lacking a clear step by step instruction how to make it working. I will try to distill the information from the mentioned article together with some other websites I found during my search to create this step by step tutorial.

I will describe the encryption using dm-crypt with LUKS. I found it most suitable for my case. I am the only user of my laptop, so I could encrypt the whole /home partition (the whole separate partition is encrypted, not only one directory). I also wanted a block device encryption as it’s generally faster then a stacked filesystem encryption (where the encryption happens on top of an existing file system).

How to encrypt your disk in 4 steps

Step 1 — make sure you know what you are doing

Apart from choosing the encryption type you will have to know what parameters of encryption you want to apply. It’s good to have it written down as you will end up working in the terminal without the window manager. First check the capabilities of your hard drive. You can do it with some GUI tool or following the instructions from this article in ShellHacks. In short, run:

# sync; dd if=/dev/zero of=/home/yourname/tempfile bs=1M count=1024; sync

And from the output read the last number which is the writing speed:

1073741824 bytes (1.1 GB, 1.0 GiB) copied, 0.472351 s, 2.3 GB/s

Then check the read speed by running this two commands:

# sudo /sbin/sysctl -w vm.drop_caches=3
# dd if=/home/yourname/tempfile of=/dev/null bs=1M count=1024

And from the output read the last number again:

1073741824 bytes (1.1 GB, 1.0 GiB) copied, 0.551859 s, 1.9 GB/s

You can run this several times and see that the number vary. Get the average from the results you are getting. In my case it’s around 2GB/s write and 1.9GB/s read. Also, delete the file you just created running the commands above.

Next you should check which encryption algorithm you want to choose. In order to do that you will need cryptsetup, which you will need anyway to create LUKS partition:

# sudo pacman -S cryptsetup

And check the capabilities of your CPU:

# cryptsetup benchmark

the output is a bit cryptic (not the best pun ever), but what you need to look for is the algorithm/key configuration with the best encryption and decryption speed. You will want to choose the algorithm configuration which will not slow down your underlying hardware, or will affect it as little as possible. Also check the lines starting with PBKDF and look for the one with biggest number of iterations. That will be the hash you want to choose. Below I paste my output with marked in bold options I have chosen:

# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 1801676 iterations per second for 256-bit key
PBKDF2-sha256 2255002 iterations per second for 256-bit key
PBKDF2-sha512 1487341 iterations per second for 256-bit key
PBKDF2-ripemd160 905506 iterations per second for 256-bit key
PBKDF2-whirlpool 680010 iterations per second for 256-bit key
argon2i 8 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id 8 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 1170.6 MiB/s 3490.0 MiB/s
serpent-cbc 128b 95.3 MiB/s 752.1 MiB/s
twofish-cbc 128b 215.6 MiB/s 402.5 MiB/s
aes-cbc 256b 906.0 MiB/s 2810.2 MiB/s
serpent-cbc 256b 102.0 MiB/s 760.3 MiB/s
twofish-cbc 256b 220.0 MiB/s 405.3 MiB/s
aes-xts 256b 2158.0 MiB/s 2135.3 MiB/s
serpent-xts 256b 723.8 MiB/s 719.4 MiB/s
twofish-xts 256b 387.3 MiB/s 403.9 MiB/s
aes-xts 512b 1993.6 MiB/s 2021.6 MiB/s
serpent-xts 512b 720.3 MiB/s 726.8 MiB/s
twofish-xts 512b 403.1 MiB/s 402.6 MiB/s

Probably not by coincidence this are the default cryptsetup options.

Step 2 — prepare the partition for encryption

Now you have to boot to your machine as root in a good old terminal. If you have never done that, try pressing left Ctrl-Alt-F2 after the computer is booted. This should switch you to a terminal (exactly to a TTY2, there is more available under next F buttons).

Once you are logged in as root you should check which processes are using your home folder:

# lsof /home

And kill them all. There shouldn’t be many, so you can just go PID by PID. Then you can unmount it:

# umount /home

Now you have to delete the existing partition and create a new one. I recommend cfdisk to do it as it’s easy to use, but there is a few more tools you can choose from. Two hints:

  • cfdisk by default tries to open /dev/sda. If your hard drive has different device name, just add it after the command like so cfdisk /dev/nvme0n1
  • Triple check if you are deleting a correct partition. You will now loose all the data on the partition you choose to delete.

If you want to be sure that your old data are not readable after the encryption you should fill the partition with random data. Otherwise, even the encrypted hard drive, will have some old sectors that has never been written to using LUKS. That will make them readable by software used for data recovery. There is a simple way to do it described in ArchWiki. In short:

# cryptsetup open --type plain -d /dev/urandom /dev/sdXY to_be_wiped
# dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress
# cryptsetup close to_be_wiped

just replace the sdXY with the real device name you have. Remember that you want to point to a partition not the whole drive so for example /dev/sda2 not /dev/sda.

Step 3 — encrypt

Now you have the clean partition, you just need to setup the LUKS encryption on it and setup the mounting. To do so, run the following commands (again replacing sdXY with the real device name):

# cryptsetup luksFormat /dev/sdXY
# cryptsetup open /dev/sdXY home
# mkfs.ext4 /dev/mapper/home

If you have chosen other encryption parameters then the default ones you will have to pass them in the cryptsetup luksFormat command. The parameters that are interesting and I previously described how to choose them are:

--hash 
--cipher
--key-size

As always you can find more information in ArchWiki or in man cryptsetup.

If you wish to use another filesystem then ext4 you will have to change the last command. But if you intentionally want to use anything different then ext4, then it means you know what you are doing better then I do. After creating the filesystem you have to configure /etc/crypttab. This file is kind of an equivalent of /etc/fstab but for encrypted volumes. It’s read during the booting process before the fstab, so the encrypted partitions can be decrypted before they are mounted afterwords by fstab. To do so you will need the identifier of your partition. The easy way to obtain them is by running:

# lsblk -f
...
└─nvme0n1p3 crypto_LUKS 2 0c6229a9-9026-4985-92cc-109c9258b1c3
└─home ext4 1.0 92c449ea-efe2-4f36-a928-be956ca48abf

As you can see your device has now two entries. First one with filesystem crypto_LUKS which is the physical encrypted partition and second which is mapped with name home in your /dev/mapper with filesystem ext4

The example of an entry you have to place in your /etc/crypttab:

home UUID=0c6229a9-9026-4985-92cc-109c9258b1c3 none luks,timeout=180

Little explanation:

  • home is the name of the encrypted device. It’s the same name you put in the end of cryptsetup open command.
  • UUID=***** is the identifier of your partition. You should put here the ID of the physical partition with the filesystem crypto_LUKS
  • none — no predefined password. Here you can specify where you store your password. If you leave it as none it will ask you for the password on the boot process
  • luks — that’s the type of encryption. Just leave it as it is.
  • timeout=180 — system will wait 180 seconds for you to type your password.

After modifying the crypttab you should check if it works by running the command:

# systemctl daemon-reload

With that configuratoin your computer will try to decrypt the partition on boot process. The last missing part it to actually mount it in /home. To do so, go to your /etc/fstab and change the line that is mounting your /home to something like that:

/dev/mapper/home /home ext4 rw,relatime 0 2

This line is mounting the /dev/mapper/home device that you have just created (and decrypted in boot time) in /home.

Step 4 — restore the backup and polish the settings

Now you have your partition ready. The last thing you have to do is recreate your home folder:

# mkdir /home/yourname
# chown yourname:yourname /home/yourname

And bring back all your files to your new home. And:

# reboot

If everything went well your computer should prompt you for the password on the boot and then turn on normally.

Some extra steps you can take:

  1. If you are the only person using your machine you can turn on auto-login. Now you are prompted for the password on boot so nobody will turn it on anyway. It will speed up the boot process.
  2. If you have several people using your computer you can still use block device encryption and have many different passwords. LUKS allows to setup multiple passwords for the same device! There is a nice article in RedHat customer portal explaining how to set it up.
  3. Regarding point 2. Since you already can setup multiple passphrases it may be useful to setup the backup key. You can save it in the file, store in some USB stick and in case you forget yours you can still decrypt your hard drive.
  4. If you are curious you can run the speed tests of your hard drive now. It should not be far from the previous results.

Summary

It may seem long and complicated process but in fact it’s just a few commands to run. The encryption can save you in case your device is stolen and the time you will spend configuring your machine is not a big price for the peace of mind. Now I learned my lesson and I will encrypt all the partitions during the installation of the operating system. This gives you much more security as you also encrypt your swap and /tmp which may contain your private data.

--

--

Mateusz Piatkowski

Senior Software Engineer (Java, PHP, Node, APIs), 100% FOSS. Living between Poland and Spain. 🇵🇱🇬🇧🇪🇸