Note: In Ubuntu 7.10 and before, module names and pam_mount syntax changed. See the previous version here

Problem solving: Laptop are stolen, sometime, it happens... After watching "Breaking and Entering", I wanted to find a solution to protect my personal data.
The solution I choose is the encryption of my homedir, and to make it as transparent as possible, I’m having my homedir decrypted and mounted at login time.

The following are the different steps I followed for this setup.

The following explains how to set up your Ubuntu system so that it mount your homedir at login time. rest of the time, your homedir sits in a partition, unmounted and encrypted.

In the following, I assume:

• You are using Ubuntu 8.04 (Hardy Heron). If not, theses steps may require few modifications.
• You are the only user who will have his homedir encrypted. If you want several users the have their homedir encrypted, you need to have one partition available per user. You might want to consider having encrypted homedirs in files as an alternative, but this is not treated here (check my sources for more).
• You have a partition available which can be dedicated to your homedir.
• You have no data at the moment in your homedir, or you have an up-to-date backup of it.

The homedir will be encrypted using LUKS

Becoming root at this point will avoid having to precede all commands with sudo. From now on, they all need to be execute by root, so it makes it more convenient. That’s my personal feeling...

$ sudo -i

You may have them already in your system, you may not.

# aptitude install sha256 cryptsetup libpam-mount

Check and/or load the needed modules. The command to load them all on i586:

# modprobe aes_generic
# modprobe sha256_generic
# modprobe dm_crypt

Note:The partition I use for swap is /dev/sda2. Make the changes in the follwing according to your partition table and devices.

Edit /etc/crypttab and change it to reflect the following.

# <target name> <source device>         <key file>      <options>
swap    /dev/sda2       /dev/random     swap

Changes need to be made to /etc/fstab to reflect the new swap partition. Change the line for your swap partition to this:

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/swap        none            swap    sw              0       0

Warning: ALL THE DATA ON THIS PARTITION WILL BE LOST
Note:The partition I will use for my homedir is /dev/sda3. Make the changes in the follwing according to your partition table and devices.

Backup all the data that you want to keep from this partition. The following will erase everything from it.

# umount /dev/sda3
# cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=128 luksFormat /dev/sda3

Follow the instructions (uppercase YES) and type your passphrase twice. The passphrase must be identical to your user current password. Alternatively, you can change the user’s password to match the passphrase you just set.
Rememeber that the whole protection is as strong as your password. The encryption of your homdedir will not increase the security of your data if your login password stays simple and easy to guess.

From here, your partition is encrypted and ready for you to use. You need to map the physical device which is encrypted to a logical device decrypted:

# cryptsetup luksOpen /dev/sda3 sda3

The new device can be treated like any other.

# mkfs.ext3 -j /dev/mapper/sda3

Configure /etc/security/pam_mount.conf. This file is an XML file full of comments. Leave them as is and look for the encypted home directory definition section:

<!--
Linux encrypted home directory examples, using dm_crypt:

Outside of any comments (starting with <!– and finishing with –>), I added my line, keeping it very simple:

<volume user="cousin" fstype="crypt" path="/dev/sda3" mountpoint="/home/cousin" />

In both files /etc/pam.d/common-auth and /etc/pam.d/common-session add the following line at the end of the file:

@include common-pammount

Login as the user and check the partition is mounted properly

As usual you may want or need to change your password. After choosing your new password, there are few additional steps to go through:

First, you need to add the new password in one of the key slot

$ sudo cryptsetup luksAddKey /dev/sda3
Enter any existing LUKS password: 
key slot 0 unlocked.
Enter new password for key slot: 

The new password will be added in key slot #1 (assuming this is the 1st change of password. The old password is in key slot #0).

Then you can delete the old passphrase:

$ sudo cryptsetup luksDelKey /dev/sda3 0

This last command is optional, but some details must be kept in mind:

• LUKS comes with a fixed number of key slots. It may be not necessary to delete the old passphrases at each change of password, but regularly anyway.
• Any valid passphrase can be used to decrypt the partition. If you are changing your password because you think it is compromised, you *must* delete the old passphrase.
• It can be reasonable to delete the old passphrase only when you have checked the new one is working.

• Encrypted Home on Gentoo using LUKS
• Encrypted home on Ubuntu, using cryptoloop (Felipe Alfaro setup use one file per user’s homedir, not partitions. If you have several users requiring encrypted homedirs, you will find your inspiration here).
• FeistyEncryptedRootWithInstaller: Full disk encryption for Ubuntu Feisty, at installation time. For Ubuntu Gutsy, read this before following the same steps: Ubuntu Forums
• LUKS web site: At the end of the page, the Documentation part.