Setting up an encrypted home (and swap) in Linux

Thursday, November 07, 2024

There are a few options for encrypting data on storage devices. One that I’ve been interested in for a few years has been disk encryption. Now that I have a new laptop, there was a stronger justification for using one.

Disk encryption can be implemented on both software and hardware.

For hardware, there are options such as full disk encryption built into the drive. My new ThinkPad shipped with a 256 GB SSD implementing the OPAL standard. However, I’ve taken it out, as I want to use a larger SSD for my primary storage. (And I wanted to keep the small SSD with the Windows install in case I ever want to use Windows… Doubtful. 😉)

As an alternative, a software-based solution that works on Linux is required.[1]

Ubuntu does a pretty good job on this front. The live installer comes with an option to use disk encryption with LUKS, so it couldn’t be easier to enable: all it takes is selecting one option during installation.

That said, software-based disk encryption has some downsides, the obvious one being performance. While recent hardware seems to cope well, some people also observe larger performance hits. For this reason, I decided not to encrypt the whole drive.

The approach I took was as follows:

Since reading from and writing to encrypted partitions can take a performance hit, I opted to keep the root partition unencrypted. Encrypting the home directory was a must, as that is where the actual data lives. In addition, a swap partition was created inside a LUKS-encrypted partition to reduce the chance of data from memory leaking to disk.

Here’s what the partition layout of my primary disk looks like:

nvme0n1                                        
├─nvme0n1p1   vfat        FAT32      1G     1% /boot/efi
├─nvme0n1p2   ext4        1.0    153.3G    11% /
├─nvme0n1p3   crypto_LUKS 2                    
│ └─cryptSwap swap        1                    [SWAP]
└─nvme0n1p4   crypto_LUKS 2                    
  └─cryptHome ext4        1.0    677.7G     0% /home/redacted

As can be seen, LUKS works by encrypting a whole block device. In this case, I created separate home and swap partitions so they could be encrypted and mounted independently.

Setting this up follows a regular system setup, with one difference: creating the encrypted devices. For that, I followed instructions from this Ask Ubuntu answer. It basically boils down to:

# Create the LUKS containers for swap and home (this wipes whatever is on the partitions).
cryptsetup luksFormat /dev/nvme0n1p3
cryptsetup luksFormat /dev/nvme0n1p4

# Open the LUKS devices; the names chosen here appear as /dev/mapper/cryptSwap and /dev/mapper/cryptHome.
cryptsetup luksOpen /dev/nvme0n1p3 cryptSwap
cryptsetup luksOpen /dev/nvme0n1p4 cryptHome

# Initialise the swap area and make the home filesystem on the mapped (decrypted) devices.
mkswap /dev/mapper/cryptSwap
mkfs.ext4 /dev/mapper/cryptHome

Once that’s done, /etc/crypttab is updated so the encrypted devices are unlocked when the system boots, and finally /etc/fstab is updated to mount the home filesystem and activate the swap from the mapped devices.
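As an added example, not code from the original post or the Ask Ubuntu answer, here is a script that writes the crypttab and fstab entries the post only mentions and checks them before rebooting. It assumes swap on /dev/nvme0n1p3, home on /dev/nvme0n1p4, the mapper names cryptSwap and cryptHome, and home mounted at /home.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumed: swap on /dev/nvme0n1p3,
# home on /dev/nvme0n1p4, mapper names cryptSwap/cryptHome, home at /home.
set -eu

SWAP_PART=/dev/nvme0n1p3
HOME_PART=/dev/nvme0n1p4
HOME_MOUNT=/home

# crypttab: <target> <source> <key file> <options>. "none" means the
# passphrase is asked at boot; "discard" passes TRIM through to the SSD
# (faster, but reveals which blocks of the container are unused).
crypttab_line() {
  printf '%s UUID=%s none luks,discard\n' "$1" "$2"
}

# fstab entries point at the mapped (decrypted) devices, not the raw partitions.
fstab_home_line() {
  printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}
fstab_swap_line() {
  printf '/dev/mapper/%s none swap sw 0 0\n' "$1"
}

# The LUKS header UUID is stable across reboots, unlike /dev/nvme* names.
luks_uuid() { blkid -s UUID -o value "$1"; }

write_entries() {
  # Refuse to append duplicate entries on a second run.
  if grep -qs '^cryptHome ' /etc/crypttab; then
    echo "cryptHome already present in /etc/crypttab" >&2
    return 1
  fi
  {
    crypttab_line cryptSwap "$(luks_uuid "$SWAP_PART")"
    crypttab_line cryptHome "$(luks_uuid "$HOME_PART")"
  } >> /etc/crypttab
  {
    fstab_swap_line cryptSwap
    fstab_home_line cryptHome "$HOME_MOUNT"
  } >> /etc/fstab
  # Check the new entries while the devices are still open, before rebooting.
  mount -a && swapon -a && lsblk -f "$SWAP_PART" "$HOME_PART"
}

# Only touch the system when run as root with "apply"; otherwise just define the functions.
if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ]; then
  write_entries
fi
```

Run it as root with the argument apply, after the luksOpen and mkfs steps above, while the mapped devices are still open.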

Now, I have my home and swap partitions encrypted. 😎


[1] Because Ubuntu is my daily driver.