Mini howto: Encrypt your home and swap partitions (Gentoo Linux)

Introduction

Nowadays, security must be taken very seriously. And when I'm talking about security, I mean the security of your data. As a user, I work in Linux for the majority of my time (the rest is when I don't play games and that's when I have to boot into Windows, but that's pretty rare anyway...). So, all my personal files are under my profile directory, under /home. If you work with a laptop, netbook or other mobile computer, then it's imperative that you encrypt your files in case you become a victim of theft. That way, you can be sure that at least your files won't be exposed to the thief's eyes.

There are several ways to apply encryption to your disks. You can encrypt the whole disk (/boot, / (root), /home and swap partitions and everything else you have), or only the minimum portion needed for your data to be considered "safe" (that is, the /home and swap partitions). Right now, I've followed the latter case, which is easier and fits better for me.

Requirements

You must be a Linux user. This howto is Gentoo Linux oriented, but with a little tweaking, it should work for your favorite distribution.

You must know your way around the terminal, since this howto contains instructions that are executed inside a terminal.

You must know how to compile the kernel and how to install a few required packages for the procedure this howto talks about.

Your /home directory must be a distinct partition from the rest of the disk. Having /home under the / (root) partition is not recommended and is not covered here.

Encrypting the /home partition

  • First, back up your /home partition. Do this as you see fit; I've used rsync to back up the partition to another disk. You can always write a DVD (if your data fits, mine wouldn't), use an external USB flash drive or hard disk, etc. Make sure the backup is done right.
  • Second, back up your /home partition (I'm trying to show you how important the backup is) and make sure the backup is OK.
  • Fill the partition with random data. One practical way to do this is to run
    dd if=/dev/urandom of=/dev/sda5 bs=8192
    where sda5 is your /home partition (in your case, your /home partition would be something else, I'll use sda5 for the rest of the howto). This will take some time, depending on your PC resources and is mostly CPU-bound. For example, my Core 2 Duo E8400 finished a 60GB partition in approximately 4 hours. If you have a relatively old processor, you can start this procedure late at night and have it finished in the morning.
  • You should compile your kernel with Device mapper support and Crypt target support enabled. These two options reside under Device Drivers -> Multiple devices driver support (RAID and LVM). Also required are the pseudo filesystems /proc file system support and Virtual memory file system support (former shm fs) under File systems -> Pseudo filesystems. In Cryptographic options, you should enable the ciphers and the digest algorithms of your preference. I enabled all SHAx digest algorithms and the AES cipher. You can enable all these options as modules or include them inside the kernel as in my case.
  • Boot the system with the new kernel.
  • Install the cryptsetup package from portage.
    emerge -v cryptsetup
  • Format sda5 as a LUKS formatted partition. LUKS is a specification created for Linux and the recommended way to encrypt your partition. Invoke cryptsetup with these options:
    cryptsetup -c aes-xts-plain -s 512 -v -y luksFormat /dev/sda5
    You will be asked for the encryption key twice. This command formats the partition using the LUKS method, with the XTS mode of the AES cipher and a key size of 512 bits. XTS is considered experimental as of the current 2.6.33 kernel, but what the heck. After some warnings and confirmations, your partition should be OK. But you are not yet ready to go. Caution: DO NOT FORGET YOUR ENCRYPTION KEY, AS YOU WILL NOT BE ABLE TO RECOVER YOUR FILES!
  • Issue the command
    cryptsetup luksOpen /dev/sda5 home
    and you will be asked for the encryption key. After entering it, a new device with the name home will appear under /dev/mapper that is the "raw" unencrypted partition. You deal with this device as you deal with a plain unencrypted hard disk partition. So, at this point this unencrypted partition is unformatted.
  • Format the partition with the filesystem of your choice (ext4 of course)
    mkfs.ext4 /dev/mapper/home
  • You can mount the partition normally, but instead of using /dev/sda5, you will have to use /dev/mapper/home. You are almost done, since you can now restore your /home partition from the backup.
  • The last step is to modify your /etc/conf.d/dmcrypt configuration file to tell the system that your /home partition is a LUKS encrypted partition and that, before the local filesystems are mounted, it should be opened by asking the user for the encryption key during the boot procedure. The lines that you have to add there are
    target=home
    source='/dev/sda5'

    I guess they are self-explanatory. The target name is the name of the mapping under /dev/mapper.
  • If the dmcrypt service is not already set to start in the boot runlevel, add it now
    rc-update add dmcrypt boot
  • Modify your /etc/fstab and change /dev/sda5 to /dev/mapper/home.

You are finished. Now, during the boot and when the dmcrypt service starts, you will be asked for the encryption key to open the encrypted /home partition and then it will be mounted. There's nothing else to do, the encryption-decryption procedure while working is completely transparent to the user.

Forgot to mention that all commands issued in the terminal should be entered under the root account.

Encrypting your swap partitions

Encrypting your /home partition where your personal files reside is of course imperative. Encrypting your swap partition is also necessary, because you don't want to have your encryption key stored in there at some point in time. The procedure is described below:

  • Fill the partition with random data.
    dd if=/dev/urandom of=/dev/sda9 bs=8192
    where sda9 is your swap partition (again, this will probably be different in your case, change as needed).
  • Edit the /etc/conf.d/dmcrypt file and add these lines
    swap=swap
    source='/dev/sda9'
    options='-c aes-xts-plain -s 512 -d /dev/urandom'

    These lines say that the name of the mapping for the swap partition will be swap, that the partition is /dev/sda9, and that it uses the XTS mode of the AES cipher with a key size of 512 and a random key from /dev/urandom. Practically, the swap partition is formatted each time during boot using LUKS and a random key generated by the system, not known to any human. So, between two boots, the encryption key for the swap partition is always different.
  • Modify your /etc/fstab to reflect the change to the swap partition.

You are done with the swap partitions. Now you can be sure that any memory contents that were swapped to the disk at some time in the past are encrypted with a key known to no one.
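
A check worth running before the first reboot, covering both the /home steps and the swap steps above (an added example, not part of the original howto): it reads the dmcrypt file and fstab and reports mappings that fstab does not use, raw partitions fstab still names, and swap mappings without -d /dev/urandom. The function names, the finding labels and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: cross-check /etc/conf.d/dmcrypt against /etc/fstab.
# Usage: audit_dmcrypt CONF FSTAB   (prints findings, returns 1 if any)
# Limitation: fstab entries written as UUID=/LABEL= are not resolved.
audit_dmcrypt() {
    awk -v q="'" '
    function unquote(s) { gsub("^[" q "\"]|[" q "\"]$", "", s); return s }
    function check(   dev) {
        if (name == "") return
        dev = "/dev/mapper/" name
        if (!(dev in fsdev)) { print "MISSING " dev " (not in fstab)"; bad = 1 }
        if (src in fsdev)    { print "RAW " src " (fstab bypasses the mapping)"; bad = 1 }
        if (kind == "swap" && opts !~ /-d[ \t]+\/dev\/urandom/) {
            print "STATICKEY " name " (swap has no per-boot random key)"; bad = 1
        }
        name = src = opts = ""
    }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
    FILENAME == ARGV[1] { fsdev[$1] = 1; next }  # first file: fstab devices
    {
        line = $0; sub(/^[ \t]+/, "", line)
        eq = index(line, "="); if (!eq) next
        key = substr(line, 1, eq - 1); val = unquote(substr(line, eq + 1))
        if (key == "target" || key == "swap") { check(); name = val; kind = key }
        else if (key == "source")  src = val
        else if (key == "options") opts = val
    }
    END { check(); exit bad }
    ' "$2" "$1"
}

# Constructed sample input: the dmcrypt lines from this howto and an fstab
# that still mounts /home from the raw partition.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "target=home" "source='/dev/sda5'" "swap=swap" \
        "source='/dev/sda9'" \
        "options='-c aes-xts-plain -s 512 -d /dev/urandom'" > "$d/dmcrypt"
    printf '%s\n' "/dev/sda5 /home ext4 noatime 0 2" \
        "/dev/mapper/swap none swap sw 0 0" > "$d/fstab"
    rc=0; audit_dmcrypt "$d/dmcrypt" "$d/fstab" || rc=$?
    rm -rf "$d"; return $rc
}
demo || echo "=> fix /etc/fstab before rebooting"
```

On a real system, call it as audit_dmcrypt /etc/conf.d/dmcrypt /etc/fstab; no output and exit status 0 mean the two files agree.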

Conclusion

As I wrote in the introduction, encryption is an imperative procedure nowadays. No one wants a third person to go through their files.

The procedure described is not what would be called "piece of cake". It involves commands in a terminal, which requires the user to be familiar with it, involves technical information like where the /home partition resides in the disk, etc. It's not what most people would call a straight-forward procedure. Here I've tried to write down the most important steps in the procedure, so that people would have something to start with.

I have not included many technical details. The reader is free to search and read; there are various resources on the Internet. I'll probably write another article with more details some time in the future.

Thanks for reading.

Sources

Here are a couple of resources used during my procedure of encrypting my hard disk:

http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS

http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-c...


Comments

Good article. I have used encrypted partitions since I bought a laptop, 2 years ago. Is there any advantage over the cbc-essiv cypher (default on cryptsetup)?

Well, to be honest, I haven't found a very concrete answer on what's better. The Wikipedia article provides some insight, and you could also use Google for more resources. XTS is considered stronger than CBC, but because of the fact that it's relatively new, it's still considered experimental in the kernel. Practically speaking, I think there is little difference. The point is to use encryption to protect your data.

Very nice guide! It helps one without prior knowledge to set up an encrypted partition easily.

Thank you very much for this how-to. Really helped me out in setting up an encrypted home partition.