Encrypt Home Partition with cryptsetup & LUKS

First step is to backup all necessary data, if something goes wrong your data will be lost in the process if it’s not backed up. Also note that your home folder needs to be located on a separate partition than your root partition, if not see #How to make partitions.

Second, install necessary software:

  sudo apt-get install cryptsetup

Insert the new module, dm-crypt into the kernel:

  sudo modprobe dm-crypt

Check to see what encryption schemes are available:

  cat /proc/crypto

If only MD5 is listed, try inserting the appropriate modules into the kernel:

  sudo modprobe serpent

Above is an example, this could also be twofish, blowfish or anything other crypto module that you would like to use.

The following commands will assume that your home partition is /dev/sda1, please change it to match your own configuration.

Next step we use cryptsetup to change the partition with the luksFormat option, this command will cause you to lose all data on /dev/sda1.

  sudo cryptsetup luksFormat -c algorithm -y -s size /dev/sda1

Where algorithm is the algorithm that you chose above such as serpent aes, etc.

Size is the key size for encryption, this is generally 128 or 256. Without specifying the algorithm or the size, I believe it defaults to AES 256, more information and additional options can be found by reading the man page. The above step will ask you to choose a password and verify it. Do not forget this password.

We can then use the luksOpen option to open the encrypted drive.

  sudo cryptsetup luksOpen /dev/sda1 home

Home is a nickname which cryptsetup uses to refer to /dev/sda1. It also creates the device /dev/mapper/home, this is what you would actually mount to access the filesystem. If you specify another name other than home, it will create the device /dev/mapper/[name], where [name] is the nickname that cryptsetup will use. This step will ask you for your LUKS passphrase, this is the password you created in the previous step.

Next, we create the actual filesystem on the device. I use reiserfs, but it could just as well be ext3.

  sudo mkreiserfs /dev/mapper/home


  sudo mkfs.ext3 /dev/mapper/home

Next step is to mount your encrypted device and copy your files back to your home directory.

  mkdir new_home
  sudo mount /dev/mapper/home new_home
  cp -r * new_home

Now we have to set up everything so that it’s ready to go at boot, we need to tell the system that there are encrypted disks that we want mounted.

  gksudo gedit /etc/crypttab

Enter the following as one line at the end of the file.

  home       /dev/sda1       none       luks,tries=3

remember home can be any name that you want, just remember that this maps to /dev/mapper/[name]. The option tries=3 allows 3 tries before a reboot is required or the disk is not decrypted.

Next enter the device info in fstab that we want to mount on boot.

  gksudo gedit /etc/fstab

Enter the information as one line at the end of the file.

  /dev/mapper/home       /home       reiserfs       defaults       0       0

Remember to substitute /dev/mapper/home with your device /dev/mapper/[name], /home is the mount point, since this is our home directory, reiserfs is the filesystem type, put ext3 if you formatted it as ext3. For now the default options should be good, change this if you need/require something else. Also, now is a good time to remove the old /dev/sda1 device entry so that fstab doesn’t try to load it at boot. This can be accomplished by commenting out the /dev/sda1 line or deleting it.

Final step is to make sure that the proper modules are loaded at boot time.

  gksudo gedit /etc/modules

Now add dm-crypt and the crypto module that you used earlier, such as serpent, aes, etc. Each needs to be on its own line.


That should be it, all that’s required is a reboot. During the reboot process, the computer will say “Starting early crypto disks” and ask for your passphrase. If the passphrase is accepted, it will unlock the encrypted partition and mount it on your specified mount point.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s