Author Topic: Encrypting existing /home partition  (Read 550 times)

Offline AnotherUser

  • Full Member
  • ***
  • Posts: 91
Encrypting existing /home partition
« on: December 22, 2012, 09:13:03 AM »
My system has two partitions: / and /home (no swap because I have plenty of RAM). I would like to change my currently unencrypted /home into an encrypted /home. I read http://pclosmag.com/html/Issues/201108/page19.html but it deals with a new installation only and I don't want to go through that headache.

I understand that I cannot simply encrypt an existing partition. That's why I have backed up all of my /home using rsync to an external hard drive using the procedure described here http://www.pclinuxos.com/forum/index.php/topic,111612.msg953126.html#msg953126 . Now I am looking for a step-by-step howto, which presumably looks something like:
  • Boot into a LiveCD
  • delete the existing /home partition
  • scrub the partition with random data
  • configure the same partition to be encrypted
  • mount the newly encrypted partition
  • copy the backed up data to the encrypted partition
  • reboot into the normal install which will automatically mount the encrypted harddrive asking me for the password to do that (I don't want to auto-login into KDE, so I still want the KDM to prompt me for that password as well)

Any help is appreciated.

Offline AnotherUser

  • Full Member
  • ***
  • Posts: 91
Re: Encrypting existing /home partition
« Reply #1 on: December 24, 2012, 03:19:11 PM »
Well, after lots of googling and some good guesswork, I was successful at converting my unencrypted /home partition into an encrypted /home. For the sake of others, here are the steps that I had to take:

Preparations
  • Boot into your existing installation. Start konsole and run mount. Take note of which partition is your current / (in my case /dev/sda5) and which is your current /home (in my case /dev/sda7).
  • Close all applications and log out from KDE. Press CTRL+ALT+F1 to switch to the console mode. Log in as root. Back up your entire /home partition to some other location. For me it was an external USB drive mounted on /media/disk and on that drive I had an empty HOMEBACKUP directory. So, I used rsync --delete -aHAXhxv /home/ /mnt/HOMEBACKUP (NOTE: all slashes are needed!)
  • Place a LiveCD (for me it was 2012.09 FullMonty) into the CD drive
  • Type reboot and proceed to the next section

Erasing and encrypting the partition
  • Boot into the LiveCD and log in as root
  • Start konsole and run drakdisk
  • Click on your unencrypted /home partition (again for me it was /dev/sda7). Click Delete
  • Click on the partition again. Click Create
  • Size the partition as desired (for me, I set it to the max because I was converting the entire partition)
  • Set the type to be ext4
  • Leave the mount point unspecified
  • Make sure to place a checkmark next to encrypt partition
  • Enter an encryption key, two times
  • Click OK. This will give a warning saying that the partition table of drive SDA is going to be written to disk. Click OK
  • Drakdisk is now going to do all the heavy lifting of erasing, encrypting, and formatting the partition. While this is going on, take a note of which device is being worked on. For me it was /dev/mapper/crypt_sda7
  • When finished, click Done

Restore /home partition contents
  • While still running from the LiveCD, in konsole type mkdir -p /mnt/vault
  • Mount the newly encrypted partition by typing mount /dev/mapper/crypt_sda7 /mnt/vault
  • Plug in your external USB drive and let KDE automount it to /media/disk
  • Restore the old /home contents to the new encrypted partition by typing rsync -a /media/disk/HOMEBACKUP/ /mnt/vault (yes, the slashes are still important!)
  • Unmount the backup drive by typing umount /media/disk
  • Unmount the encrypted /home by typing sync && umount /mnt/vault && cryptsetup luksClose /dev/mapper/crypt_sda7

Update the / partition to use an encrypted /home
  • While still in the LiveCD, mount the original / partition by typing mkdir -p /mnt/root && mount /dev/sda5 /mnt/root
  • Create /mnt/root/etc/crypttab with the following contents: vault /dev/sda7 none luks
  • Edit /mnt/root/etc/fstab so that instead of the UUID entry for the old unencrypted /home partition, you will have the following contents: /dev/mapper/vault  /home  ext4  rw,errors=remount-ro 0 0
  • Exit the text editors and unmount by typing umount /mnt/root
  • Type reboot to restart the system
  • Eject the LiveCD and start the system again. Observe that during Plymouth boot, you will now be prompted for the /home password before you will be allowed to log into KDE.
« Last Edit: December 24, 2012, 03:20:58 PM by AnotherUser »

Offline Bald Brick

  • PCLinuxOS Tester
  • Hero Member
  • *******
  • Posts: 6372
  • I'm going South
Re: Encrypting existing /home partition
« Reply #2 on: December 24, 2012, 06:28:39 PM »
Good how-to.
Feed the trolls!
They need it!

AMD Athlon 7450 Dual-Core Processor, 7.80 GiB RAM, Nvidia GeForce GT 120/PCIe/SSE2, OpenGL/ES-version: 3.3 0 NVIDIA 295.40, SBx00 Azalia (Intel HDA) soundcard, ‎Logitech B500 webcam, SAA7146 DVB card, HDDs: Seagate 250824AS, Western Digital WD10EAVS-00D

Offline YouCanToo

  • PCLinuxOS Tester
  • Hero Member
  • *******
  • Posts: 5333
  • Location: Lebanon, OR., USA
    • Spreading the word.......
Re: Encrypting existing /home partition
« Reply #3 on: December 24, 2012, 06:34:27 PM »




Be sure to visit the NEW Knowledge Base


Linux is user-friendly- it's just picky who its friends are!

Offline AnotherUser

  • Full Member
  • ***
  • Posts: 91
Re: Encrypting existing /home partition
« Reply #4 on: December 24, 2012, 07:28:04 PM »
Quote
I have added this to the Knowledge Base here

http://www.pclinuxoshelp.com/index.php/Encrypting_existing_directory


Thanks for uploading it there! Hopefully, someone else will find it useful

Offline AnotherUser

  • Full Member
  • ***
  • Posts: 91
Re: Encrypting existing /home partition
« Reply #5 on: December 25, 2012, 08:59:36 AM »
I have one remaining question. When booting, if I press ESC to exit Plymouth, after I enter the password to mount the encrypted /home partition, I see
Quote
error inserting padlock_sha
It seems to be benign because it does not appear to affect any functionality. I just want to understand what this means and why it's appearing in the first place.

Offline Just17

  • PCLinuxOS Tester
  • Super Villain
  • *******
  • Posts: 10621
  • MLUs Forever!
Re: Encrypting existing /home partition
« Reply #6 on: December 25, 2012, 10:44:38 AM »
Quote
Create /mnt/root/etc/crypttab with the following contents vault /dev/sda7 none luks

This is the only line that I am unsure of while reading (and never having tried to do this) .....

Is this a file with one line in it?
MLUs rule the roost!

Linux XPS 3.2.18-pclos2.pae.bfs  32 bit
Intel Core2 Quad CPU Q9450 @ 2.66GHz
4 GB RAM
MCP51 High Def Audio
GeForce GTX 550 Ti
PHILIPS  ‎DVD+-RW DVD8701
‎Logitech ‎BT Mini-Receiver
Afatech DTT

Offline AnotherUser

  • Full Member
  • ***
  • Posts: 91
Re: Encrypting existing /home partition
« Reply #7 on: December 25, 2012, 10:51:19 AM »
Quote
Create /mnt/root/etc/crypttab with the following contents vault /dev/sda7 none luks

This is the only line that I am unsure of while reading (and never having tried to do this) .....

Is this a file with one line in it?

Yes, the /etc/crypttab file tells the device mapper how to create a /dev/mapper/ entry. The example I gave will create a /dev/mapper/vault as a device which can then be mounted using /etc/fstab
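
The crypttab/fstab relationship from Reply #1 and explained in the reply above can be checked from the LiveCD before rebooting, since an fstab entry that names a /dev/mapper device crypttab never creates leaves /home unmountable at boot. This is an added example, not part of the original posts; the function names and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example: cross-check crypttab against fstab before rebooting.
# Typical call from the LiveCD (paths from the how-to):
#   missing_mappings /mnt/root/etc/crypttab /mnt/root/etc/fstab

# Print the mapping names crypttab defines (field 1 of every line that is
# neither blank nor a comment).
crypttab_names() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# Print every /dev/mapper/NAME that fstab mounts but crypttab does not define.
# Returns 0 when the two files agree, 1 when at least one name is missing.
missing_mappings() {
    crypttab=$1 fstab=$2
    names=$(crypttab_names "$crypttab")
    rc=0
    for dev in $(awk 'NF && $1 ~ /^\/dev\/mapper\// { print $1 }' "$fstab"); do
        name=${dev#/dev/mapper/}
        if ! printf '%s\n' "$names" | grep -qxF -- "$name"; then
            echo "$dev"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (not real system files): the crypttab line from
# the how-to, a matching fstab, and an fstab that wrongly reuses the name
# the LiveCD session gave the mapping (crypt_sda7).
demo_dir=$(mktemp -d)
printf 'vault /dev/sda7 none luks\n' > "$demo_dir/crypttab"
printf '/dev/mapper/vault  /home  ext4  rw,errors=remount-ro 0 0\n' \
    > "$demo_dir/fstab.good"
printf '/dev/mapper/crypt_sda7  /home  ext4  rw,errors=remount-ro 0 0\n' \
    > "$demo_dir/fstab.bad"

for f in fstab.good fstab.bad; do
    if bad=$(missing_mappings "$demo_dir/crypttab" "$demo_dir/$f"); then
        echo "$f: every /dev/mapper entry has a crypttab line"
    else
        echo "$f: no crypttab entry for $bad"
    fi
done
rm -rf "$demo_dir"
```

The check only compares names; it does not open the LUKS container or verify that the device in crypttab's second field exists.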

Offline craesz

  • PCLinuxOS Tester
  • Hero Member
  • *******
  • Posts: 978
Re: Encrypting existing /home partition
« Reply #8 on: December 25, 2012, 12:32:19 PM »


Noob?? Really? Not even close.  ;D
Desktop1: AMD64 8450 [3 core]; 8GB; 3.2.18-pclos2.pae.bfs; KDE
Desktop2: AMD64 5400 [8 core]; 16GB; 3.2.16-a64; KDE
Netbook: EeePC 901; Atom N270; 1GB; 2.6.33.7-pclos6.bfs; KDE


Offline Just17

  • PCLinuxOS Tester
  • Super Villain
  • *******
  • Posts: 10621
  • MLUs Forever!
Re: Encrypting existing /home partition
« Reply #9 on: December 25, 2012, 02:02:44 PM »


Quote
Noob?? Really? Not even close.  ;D

We are all noobs at some things .....  and a great number of us, noobs at a lot of things  ;D :D

;)
