# How to encrypt /home

## Ruffman

Hi, 

I'm trying to enrypt my /home with no good result. so I have a new Gentoo installation with a 3.2 kernel. I found no Wiki- or manpage that tells me how to do it. the EcryptFs wiki Page doesn't work, as it fails to mount on start. the LUKS Guide is how to encrypt / or something. So many tutorials are outdated. So my /home is on its own partition, and right now there are only 3 .bash_* files inside. 

so my questions are: 

How to enrycpt at least my /home (maybe swap). 

Is it possible, to wrap decryption with my user password?

Do I have to fill my partition with random data? (it was a new Harddisk before installing)

----------

## cach0rr0

 *Ruffman wrote:*   

> 
> 
> How to enrycpt at least my /home (maybe swap). 
> 
> 

 

if youre doing any crypto at all, youll want to encrypt swap. 

luksFormat the partition, set up /etc/conf.d/dmcrypt (loads of comments in that file), and make sure fstab has /home as /dev/mapper/whatever and not /dev/sdwhatever. Setting up /etc/conf.d/dmcrypt will make sure that it's luksOpen'd correctly upon boot - this will either ask you for a passphrase, or you can use a keyfile, but if you use a keyfile storing it on your unencrypted / anywhere is silly, so you'd want to keep it on e.g. an external usb drive that you can dispose of should the need arise. 

 *Ruffman wrote:*   

> 
> 
> Is it possible, to wrap decryption with my user password?
> 
> 

 

Not something I've personally tried, so someone else will have to comment there. Dong a simple luksFormat with a keyfile or passphrase does not achieve this. I'm sure it's possible, but it's probably not a great idea since your / is plaintext, and as such so is /etc/shadow. 

*my* personal preference, which may or may not be your fancy, is to simply umount /home if im walking away from my machine. And I do the keyfile route, rather than password, with the keyfile kept on a micro-sd i could swallow if need be  :Very Happy: 

 *Ruffman wrote:*   

> 
> 
> Do I have to fill my partition with random data? (it was a new Harddisk before installing)

 

since a)it's new, and therefore wont have any lingering bits of data of yours that someone could recover, and b)youre only encrypting one partition, and ergo not trying to hide where things are, doing so will be of nominal benefit. If you really want to spend the time, you can overwrite just /home's partition (the /dev/sd??) with random data, but with the route youre taking of just doing /home, i question the utility of doing so.

----------

## lduser

method which I had readed on hack forum:

1) encrypt swap (fstab) as: 

```
/dev/sda2 none swap sw,loop=/dev/loop7,encryption=blowfish-256 0 0
```

maybe `/tmp' into memory?:

```
tmpfs /tmp tmpfs defaults 0 0
```

2) I think, to encrypt all datas is not effectively, so I will to encrypt my partition only (datas of user, or my datas):

```
$ dd if=/dev/urandom of=/dev/my_partition

$ losetup -e blowfish-128 -T /dev/loop5 /dev/my_partition

$ mkfs.ext4 /dev/loop5

$ mkdir /mnt/crypted_part

$ mount /dev/loop5 /mnt/crypted_part
```

some actions on secret part

after:

```
$ umount /dev/loop5

$ losetup -d /dev/loop5
```

3) needs to put encrypted key to anyway usb-flash:

```
$ dd if=/home/user/my_crypted_key.bin of=/dev/my_usb_flash bs=446 count=1
```

4) needs to make c/c++ programm, for decrypt key from boot sectors of usb-flash with `hidapi' or another library (or by dd?):

```
int main(){

// decrypt key from usb...

// NOTE: you need to use mlock/munlock for memory with decrypted key!!!

// 

system("echo 'my_super_password_has_much_lenght' | losetup -e blowfish-128 -p0 /dev/loop5 /dev/my_partition");

system("mount -o user,exec,dev,suid,rw /dev/loop5 /home/user/Documents");

}
```

----------

## Ruffman

Is it possible to have a USB-Flash Device with the Key, but with the option to use a Passphrase as well (if the USB-Stick is lost, I don't loose my data, too) ?

----------

## Hu

 *Ruffman wrote:*   

> Do I have to fill my partition with random data? (it was a new Harddisk before installing)

 This is not required.  Cryptography geeks might encourage it on the basis that if you fill the partition with random data, then it will be more difficult for an attacker to identify which sectors have been written by the filesystem.  This only matters if you assume an attacker who detects the encryption will spend the effort to defeat it through technical means.  If the attacker abandons the intrusion, resorts to physical violence to extract the key from you, or resorts to the force of law to extract the key from you, then there is no technical benefit to filling the partition with random data.

 *lduser wrote:*   

> 1) encrypt swap (fstab) as: 
> 
> ```
> /dev/sda2 none swap sw,loop=/dev/loop7,encryption=blowfish-256 0 0
> ```
> ...

 This is the legacy method based on loop-aes.  Therefore, this is not based on DM-Crypt.  For simplicity, I suggest using DM-Crypt for all volumes if you use it for any of them.

 *lduser wrote:*   

> 2) I think, to encrypt all datas is not effectively, so I will to encrypt my partition only (datas of user, or my datas):

 I disagree.  The typical advice for encrypted home directories is that the system should not allow an unprivileged user to write to an unencrypted area.  If it does, then an application may accidentally leak sensitive data.  As a trivial example, consider that the .viminfo file stores parts of recent cut buffers.  If I were to use an unencrypted $HOME and I used vim to edit a file in the encrypted area, then anything I placed in a cut buffer could end up in ~/.viminfo, where it would be stored unencrypted.

 *lduser wrote:*   

> 
> 
> ```
> $ dd if=/dev/urandom of=/dev/my_partition
> 
> ...

 As above, this is based on the legacy loop-aes.  In general, you should avoid using loop-aes.

 *Ruffman wrote:*   

> Is it possible to have a USB-Flash Device with the Key, but with the option to use a Passphrase as well (if the USB-Stick is lost, I don't loose my data, too) ?

 If you use LUKS, then yes.  You can have up to 8 independent unlock passwords, any of which could be a key file.  If you use loop-aes, then no.

----------

## lduser

 *Ruffman wrote:*   

> Is it possible to have a USB-Flash Device with the Key, but with the option to use a Passphrase as well (if the USB-Stick is lost, I don't loose my data, too) ?

 

It can to be occurrence, if you will forget to backup bytes which are needed for programm of mounting you part...

But you have a vantage: only you will be to know what algo is using for encrypt/decrypt you Passphrase - and it likes to me...

 *Hu wrote:*   

> As above, this is based on the legacy loop-aes.  In general, you should avoid using loop-aes.

 

You want say are: loop-aes is vulnerable? Could you explain me why?

PS:  *Quote:*   

> VIM...

 

Perhaps you are right, but I have not the VIM...

--

Regards.

----------

## Hu

 *lduser wrote:*   

>  *Hu wrote:*   As above, this is based on the legacy loop-aes.  In general, you should avoid using loop-aes. You want say are: loop-aes is vulnerable? Could you explain me why?

 I am not aware of a specific vulnerability.  However, loop-aes requires an out-of-tree patch that often lags on upgrades.

 *lduser wrote:*   

> PS:  *Quote:*   VIM... 
> 
> Perhaps you are right, but I have not the VIM...

 There are plenty of other programs which may write files without specific request by the user.  Vim is just an example picked because it is a common text editor.

----------

## nlsa8z6zoz7lyih3ap

 *Quote:*   

> As above, this is based on the legacy loop-aes. In general, you should avoid using loop-aes.

 

I used to use loop-aes and have the greatest of confidence in its security.  However there are 

technical problems with using it that have caused some people grief in the past.

see for example  https://forums.gentoo.org/viewtopic-t-880587-highlight-loopaes.html

I have switched to using dm-crypt (and luks) and am very happy with it.

Now for a personal opinion: Encrypting swap and /home is a good learning experience, but I think

that to be really secure you need to encrypt   "/"  and that that should be your long term goal.

----------

## cach0rr0

 *nlsa8z6zoz7lyih3ap wrote:*   

> 
> 
> Now for a personal opinion: Encrypting swap and /home is a good learning experience, but I think
> 
> that to be really secure you need to encrypt   "/"  and that that should be your long term goal.

 

if youre just worried about data on a stolen laptop, encrypting /home and swap is fine

if you're worried about LEO's or government types getting at your data, encrypt the whole lot, use keyfiles (whose contents you dont know obv and therefore cant reveal even if beaten to death) on removable media that can be hidden and/or trashed easily, with backups of the key on a foreign friend's server.

----------

## lduser

to Hu, nlsa8z6zoz7lyih3ap:

thanks for your replies.

----------

