First step is to backup all necessary data, if something goes wrong your data will be lost in the process if it’s not backed up. Also note that your home folder needs to be located on a separate partition than your root partition, if not see #How to make partitions.
Second, install necessary software:
sudo apt-get install cryptsetup
Insert the new module, dm-crypt into the kernel:
sudo modprobe dm-crypt
Check to see what encryption schemes are available:
If only MD5 is listed, try inserting the appropriate modules into the kernel:
sudo modprobe serpent
Above is an example, this could also be twofish, blowfish or anything other crypto module that you would like to use.
The following commands will assume that your home partition is /dev/sda1, please change it to match your own configuration.
Next step we use cryptsetup to change the partition with the luksFormat option, this command will cause you to lose all data on /dev/sda1.
sudo cryptsetup luksFormat -c algorithm -y -s size /dev/sda1
Where algorithm is the algorithm that you chose above such as serpent aes, etc.
Size is the key size for encryption, this is generally 128 or 256. Without specifying the algorithm or the size, I believe it defaults to AES 256, more information and additional options can be found by reading the man page. The above step will ask you to choose a password and verify it. Do not forget this password.
We can then use the luksOpen option to open the encrypted drive.
sudo cryptsetup luksOpen /dev/sda1 home
Home is a nickname which cryptsetup uses to refer to /dev/sda1. It also creates the device /dev/mapper/home, this is what you would actually mount to access the filesystem. If you specify another name other than home, it will create the device /dev/mapper/[name], where [name] is the nickname that cryptsetup will use. This step will ask you for your LUKS passphrase, this is the password you created in the previous step.
Next, we create the actual filesystem on the device. I use reiserfs, but it could just as well be ext3.
sudo mkreiserfs /dev/mapper/home
sudo mkfs.ext3 /dev/mapper/home
Next step is to mount your encrypted device and copy your files back to your home directory.
mkdir new_home sudo mount /dev/mapper/home new_home cp -r * new_home
Now we have to set up everything so that it’s ready to go at boot, we need to tell the system that there are encrypted disks that we want mounted.
gksudo gedit /etc/crypttab
Enter the following as one line at the end of the file.
home /dev/sda1 none luks,tries=3
remember home can be any name that you want, just remember that this maps to /dev/mapper/[name]. The option tries=3 allows 3 tries before a reboot is required or the disk is not decrypted.
Next enter the device info in fstab that we want to mount on boot.
gksudo gedit /etc/fstab
Enter the information as one line at the end of the file.
/dev/mapper/home /home reiserfs defaults 0 0
Remember to substitute /dev/mapper/home with your device /dev/mapper/[name], /home is the mount point, since this is our home directory, reiserfs is the filesystem type, put ext3 if you formatted it as ext3. For now the default options should be good, change this if you need/require something else. Also, now is a good time to remove the old /dev/sda1 device entry so that fstab doesn’t try to load it at boot. This can be accomplished by commenting out the /dev/sda1 line or deleting it.
Final step is to make sure that the proper modules are loaded at boot time.
gksudo gedit /etc/modules
Now add dm-crypt and the crypto module that you used earlier, such as serpent, aes, etc. Each needs to be on its own line.
That should be it, all that’s required is a reboot. During the reboot process, the computer will say “Starting early crypto disks” and ask for your passphrase. If the passphrase is accepted, it will unlock the encrypted partition and mount it on your specified mount point.