Create an encrypted /home partition

In my previous Artix post I mentioned that I had trouble creating an encrypted /home partition during installation. I could do that, but then the system wouldn’t boot. So I went for a quite basic installation and set up things afterwards, among others the encrypted home partition.

At the installation stage, though, I had already created an empty partition to be used later for /home; in my case that was /dev/sda3.

So given you have an empty partition /dev/sda3 which you want to use for your /home, first set it up for encryption (you might have to install cryptsetup first):

cryptsetup -y -v luksFormat /dev/sda3

Open the encrypted partition and create a file system:

cryptsetup luksOpen /dev/sda3 home

# Check if that worked, you should see a 'home' entry there:
ls -lh /dev/mapper/

# create file system:
mkfs.ext4 -m 1 /dev/mapper/home

# close the device again:
cryptsetup close home

Add entry to crypttab:

echo "home	/dev/sda3	none	luks" >> /etc/crypttab

Create a temporary mount directory and fstab entry to test if you can mount the partition at boot time.

mkdir /mnt/tmp

echo "/dev/mapper/home	/mnt/tmp	ext4	defaults,noatime	0	1" >> /etc/fstab

Reboot. You should be asked about your encryption credentials. When the system has booted up again, you should see it mounted as /mnt/tmp.

If that worked, then copy your old /home over to the encrypted partition:

cp -a /home/* /mnt/tmp/

# double check again if everything is ok, then
rm -rf /home/*

Finally, change the mount point in the fstab entry from /mnt/tmp to /home:

/dev/mapper/home	/home	ext4	defaults,noatime	0	1

Reboot.
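
A check to run before either reboot above, as an added example that is not part of the original post: it confirms that every /dev/mapper device in fstab has a crypttab entry, flags a device listed twice, and reports mount points that do not exist. The function names and the optional ROOT prefix are assumptions made for illustration, and the sample tables are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check crypttab and fstab
# before rebooting. Both functions take file paths so copies can be tested.

# check_crypt_mounts CRYPTTAB FSTAB
# Prints "unmapped NAME" when fstab mounts /dev/mapper/NAME but crypttab has
# no NAME entry, and "duplicate NAME" when fstab lists the device twice
# (e.g. the temporary /mnt/tmp line left beside the final /home line).
# Returns non-zero if anything was printed.
check_crypt_mounts() {
    awk '
        function problem(kind, name) { print kind, name; bad = 1 }
        /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        FILENAME == ARGV[1] { mapped[$1] = 1; next }  # crypttab: field 1 = name
        index($1, "/dev/mapper/") == 1 {              # fstab: field 1 = device
            name = substr($1, 13)                     # strip "/dev/mapper/"
            n = ++uses[name]
            if (n == 1 && !(name in mapped)) problem("unmapped", name)
            if (n == 2) problem("duplicate", name)
        }
        END { exit bad }
    ' "$1" "$2"
}

# missing_mount_points FSTAB [ROOT]
# Prints each mount point of a /dev/mapper device that is not an existing
# directory. ROOT is a hypothetical prefix for checking inside a test tree.
missing_mount_points() {
    awk '!/^[ \t]*(#|$)/ && index($1, "/dev/mapper/") == 1 { print $2 }' "$1" |
    while read -r dir; do
        [ -d "${2:-}$dir" ] || printf '%s\n' "$dir"
    done
}

# Constructed sample: the post's crypttab line plus an fstab that still has
# the temporary test mount next to the final /home entry.
demo() {
    d=$(mktemp -d)
    printf 'home\t/dev/sda3\tnone\tluks\n' > "$d/crypttab"
    printf '%s\n' \
        '/dev/mapper/home /mnt/tmp ext4 defaults,noatime 0 1' \
        '/dev/mapper/home /home ext4 defaults,noatime 0 1' > "$d/fstab"
    check_crypt_mounts "$d/crypttab" "$d/fstab" || echo "fix fstab before rebooting"
    rm -rf "$d"
}
demo
```

On a live system, call `check_crypt_mounts /etc/crypttab /etc/fstab` and `missing_mount_points /etc/fstab` as root after editing either file.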

Tip

If you haven’t dedicated a whole partition for this purpose and/or you just want to have an additional encrypted device, then you can simply use a file instead of a partition for that. For example, you want something like /home/user/encrypted as a place for sensitive data, not a whole partition.

Then you could do:

mkdir /home/user/encrypted

# create an empty 25GB file (take care of this file, it will
# hold all the encrypted data, do not delete it accidentally!)
dd if=/dev/zero of=/home/user/encrypted.luks bs=1G count=25

cryptsetup -y -v luksFormat /home/user/encrypted.luks

cryptsetup luksOpen /home/user/encrypted.luks encrypted

mkfs.ext4 -m 1 /dev/mapper/encrypted

cryptsetup close encrypted

echo "encrypted	/home/user/encrypted.luks	none	luks" >> /etc/crypttab

echo "/dev/mapper/encrypted	/home/user/encrypted	ext4	defaults,noatime	0	1" >> /etc/fstab