Encrypted Partitions

From MEPIS Documentation Wiki


Crypto Hardened MEPIS

For quite some time I've wanted to have encrypted partitions on my system. Finally the process is easy enough for just about anyone to set up in MEPIS (even me).

Generally, in Linux, there are two partitions that should be encrypted for a secure system: your /home partition, which contains all your personal data, and, to be extra safe, your swap partition, the area of the hard drive where the kernel writes memory pages when it runs out of RAM. Private data (passwords, decrypted documents, keys) can end up there from time to time, and since the swap partition is never automatically wiped, encrypting it is a good precaution. There is usually less reason to encrypt the root partition, as little personal information is kept there. The exceptions are where you have installed programs that are themselves classified (not just the associated data), and anything that lands in /tmp, /var/log or application caches on the root filesystem, which this setup does not cover. Keep in mind also that encryption protects data at rest: once you have entered the passphrase and /home is mounted, the data is readable by anyone who can use the running system.

All the software needed to encrypt your /home and swap (cryptsetup and the dm-crypt kernel module) is already installed in MEPIS as of version 6. If you have not already done so, install MEPIS in the normal fashion on your system. You will need to add or replace lines in a few files, and will need to be root to apply most if not all of these changes.

Note: These examples assume you used a default MEPIS installation:

  • /dev/hda1 is your root partition
  • /dev/hda2 is your swap
  • /dev/hda3 is your home

If you use other partition assignments, remember to adjust accordingly! Nothing in this will affect the MEPIS OnTheGo system in any way.


Let's start with the swap:

encrypted swap

Look at your file /etc/fstab, see if you have a line like this:

# Dynamic entries below, identified by 'users' option

If you do, notice that every line below it has 'users' in its options. None of the lines we are adding ever go below that line; they always go above it, even when they replace a line that was below it!

Find the swap entry like this one:

/dev/hda2 none swap sw,pri=1 0 0

now just replace /dev/hda2 in that line with the new device name /dev/mapper/cswap like this:

/dev/mapper/cswap none swap sw,pri=1 0 0

after that, add the following line in /etc/crypttab:

cswap /dev/hda2 /dev/random swap

Reboot, and that's it: the encrypted swap device is done. Two things to keep in mind with this setup. First, the 'swap' option means the partition gets a fresh random key and a new mkswap at every boot, so nothing written to swap survives a reboot and suspend-to-disk (hibernation) will not work; it also means crypttab and fstab must point at the right partition, because a mistake here formats whatever device you named. Second, /dev/random can block at boot when the kernel's entropy pool is empty; if the boot hangs at swap setup, use /dev/urandom as the key source in /etc/crypttab instead. Confirm it worked:

# cat /proc/swaps

should return something like this:

Filename                                Type            Size    Used    Priority
/dev/mapper/cswap                       partition       3148700 0       1
# cryptsetup status cswap

should return something like this:

/dev/mapper/cswap is active:
 cipher:  aes-cbc-plain
 keysize: 256 bits
 device:  /dev/.static/dev/hda2
 offset:  0 sectors
 size:    6297417 sectors
 mode:    read/write

That wasn't too hard, was it? One thing to notice in the status output: with no cipher given in /etc/crypttab, the swap mapping falls back to aes-cbc-plain, which uses the bare sector number as the IV and is weaker than the aes-cbc-essiv:sha256 mode used for /home below. The options field of /etc/crypttab accepts cipher= and size= settings (see crypttab(5)) if you want swap to use the same mode.

Now for an encrypted home

NOTE: THIS IS DESTRUCTIVE! YOU MUST BACK UP ANY PART OF YOUR /home PARTITION THAT CONTAINS ANY FILES, DATA OR OTHER PERSONAL INFORMATION, OR IT WILL BE GONE FOREVER!!!

If you are hardening a system you have just installed, or you don't have ANY personal information on the machine, you don't have to back up anything. Backup instructions can be found on the MEPIS documentation project page "Back up your data".

Using MEPIS Utilities, delete all the users except OnTheGo (assuming you have backed up all that valuable data); you will be recreating the users when we're done.

unmount (if mounted) /dev/hda3

# umount /dev/hda3

check the partition for errors (this is a destructive read-write test; it takes several minutes):

# /sbin/badblocks -c 10240 -s -w -t random -v /dev/hda3

fill the partition with random data (waiting many more minutes...). The point is that unused space on the partition should be indistinguishable from encrypted data, so an attacker cannot tell how much of it is in use. /dev/urandom is the right source for this job: it is a cryptographic generator seeded from the kernel's entropy pool, and for filling a disk its output is as good as random to anyone who does not know the kernel's internal state. /dev/random would block constantly and is not needed here:

# dd if=/dev/urandom of=/dev/hda3

NOTE: this fill is CPU-bound on the kernel's software random number generator (it does not depend on a hardware random number generator), so on older or slower machines a large partition can take hours. If you started it and it is taking too long, stop it with Ctrl+C (Ctrl+Z only suspends the process, leaving it stopped in the background). On those machines you can fill the partition with zeros instead; it is faster, but it lets an attacker see how much of the encrypted partition is actually in use. A faster way to get the same result as the random fill is to create and open the LUKS device first (the next two steps) and then write zeros to /dev/mapper/home instead of /dev/hda3: the zeros are encrypted on the way to disk, at disk speed rather than random-generator speed. To fill with zeros directly, use

# dd if=/dev/zero of=/dev/hda3


create a LUKS partition:

# cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/hda3

Remember that a chain is only as strong as its weakest link, and with encryption the passphrase is always the weakest link. Choose a strong passphrase, or your data won't be much more secure than without any encryption. It also helps to add a second passphrase with cryptsetup luksAddKey and keep it somewhere safe: if the only passphrase is lost, so is the data.


set up the device mapper:

# cryptsetup luksOpen /dev/hda3 home

confirm it worked:

# cryptsetup status home

should return something like this:

/dev/mapper/home is active:
 cipher:  aes-cbc-essiv:sha256
 keysize: 256 bits
 device:  /dev/.static/dev/hda3
 offset:  2056 sectors
 size:    20962706 sectors
 mode:    read/write

create the filesystem (e.g. ext3):

# mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/home
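The device-preparation steps above (badblocks, random fill, luksFormat, luksOpen, mke2fs) collected into one guarded script. This is an added example, not code from the MEPIS wiki or from cryptsetup: it assumes the page's device /dev/hda3, mapper name home and cipher settings, refuses to run if the device still shows up as mounted, and by default only prints the commands it would run (DRY_RUN=1). The MOUNTS_FILE variable is there so the mount check can be tried against a constructed /proc/mounts-style file.

```shell
#!/bin/sh
# Added example, not the MEPIS wiki's own code: the /home device-preparation
# steps from the page, with a mounted-device guard and a dry-run mode.
# Assumptions: device /dev/hda3, mapper name "home", the page's cipher choice.
set -e

MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"   # overridable for testing
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, do nothing

# Succeed (return 0) if device $1 is listed as mounted in $2 (/proc/mounts format).
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "$2"
}

# Run a command, or print it with a DRY-RUN prefix when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# The page's sequence for device $1 under mapper name $2.
# Returns 1 without touching anything if the device is still mounted.
prepare_home_device() {
    dev="$1"; name="$2"
    if is_mounted "$dev" "$MOUNTS_FILE"; then
        echo "refusing to continue: $dev is mounted (umount it first)" >&2
        return 1
    fi
    # destructive read-write surface scan, as on the page
    run badblocks -c 10240 -s -w -t random -v "$dev"
    # make unused space indistinguishable from ciphertext; dd exits non-zero
    # when it reaches the end of the partition, which is the expected outcome
    run dd if=/dev/urandom of="$dev" bs=1M || true
    # LUKS header; ESSIV so per-sector IVs are not predictable
    run cryptsetup --verify-passphrase --verbose --hash=sha256 \
        --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat "$dev"
    run cryptsetup luksOpen "$dev" "$name"
    run mke2fs -j -O dir_index,filetype,sparse_super "/dev/mapper/$name"
    run cryptsetup status "$name"
}

# Only act when a device is named on the command line, e.g.
#   DRY_RUN=0 sh prepare-home.sh /dev/hda3 home
if [ -n "${1:-}" ]; then
    prepare_home_device "$1" "${2:-home}"
fi
```

Run it once without DRY_RUN=0 and read the six printed commands; if they name the partition you expect, run it again with DRY_RUN=0. The script refuses a mounted device because every one of those commands overwrites it.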

temporary mount, to copy data from the old home. Mount it on /home rather than /mnt, so that the user accounts you recreate in the next step get their home directories on the encrypted filesystem (the old /dev/hda3 is unmounted, so at this point /home is just an empty directory on the root partition):

# mount -t ext3 /dev/mapper/home /home

Open MEPIS Utilities and recreate your users using the "add new users" tab. Assuming you needed to make a backup of your existing /home partition, now is the time to restore from your backup, using the appropriate method for however you made your backup.

Temporary unmount:

# umount /home

permanent mounting

Look at your file /etc/fstab, see if you have a line like this:

# Dynamic entries below, identified by 'users' option

If you do, notice that every line below it has 'users' in its options. None of the lines we are adding ever go below that line; they always go above it, even when they replace a line that was below it!

In /etc/fstab find your existing /home line and replace it with:

/dev/mapper/home   /home           ext3     defaults    1       2

IN THE TOP HALF of the file ABOVE the 'users' line.

after that, add the following entry in /etc/crypttab:

home                /dev/hda3         none         luks

Reboot, and the encrypted home is done. Because the key-file column of the crypttab entry is 'none', the boot scripts will ask for the passphrase before /home is mounted.
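The /etc/fstab and /etc/crypttab edits from both the swap section and the /home section, done by a script instead of by hand so that the "nothing below the 'users' line" rule is enforced mechanically. This is an added example, not code from the MEPIS wiki; it assumes the page's default devices (/dev/hda2 swap, /dev/hda3 home) and mapper names. The cipher= and size= options on the swap line are my addition so that swap uses the same ESSIV mode as /home instead of the aes-cbc-plain default shown in the status output above, and /dev/urandom is used as the key source so the boot cannot block; both are assumptions, not the page's settings. The functions print edited copies to standard output; only --apply writes the real files (after copying them to .bak). The last two helpers check a /proc/swaps listing and a cryptsetup status listing, which is what the "confirm it worked" steps do by eye.

```shell
#!/bin/sh
# Added example, not the MEPIS wiki's own code: fstab/crypttab edits for the
# encrypted swap and /home, keeping every added line above the marker.
# Assumptions: devices /dev/hda2 (swap) and /dev/hda3 (home); the cipher=/size=
# options and /dev/urandom key source on the swap line are my choice.
set -e
MARKER='# Dynamic entries below'

# Print fstab $1 with the first non-comment line whose field $2 equals $3
# replaced by $4. If that line sits below the marker (or is missing), $4 is
# placed directly above the marker and the old line is dropped.
fstab_set() {
    awk -v fld="$2" -v val="$3" -v new="$4" -v marker="$MARKER" '
        index($0, marker) == 1 { if (!done) { print new; done = 1 }; below = 1 }
        !/^#/ && $fld == val   { if (!done && !below) { print new; done = 1 }; next }
        { print }
        END { if (!done) print new }
    ' "$1"
}

# Print crypttab $1 with the entry for mapping name $2 set to line $3
# (an existing entry with the same name is replaced).
crypttab_set() {
    awk -v name="$2" -v new="$3" '$1 == name { next } { print } END { print new }' "$1"
}

# Succeed if the /proc/swaps-format file $2 lists device $1 as active swap.
swap_active() {
    awk -v dev="$1" 'NR > 1 && $1 == dev { ok = 1 } END { exit !ok }' "$2"
}

# Print the cipher from a saved `cryptsetup status` listing ($1); fail if it
# is a "-plain" mode (predictable IV), as in the swap output on the page.
status_cipher_ok() {
    cipher=$(awk '$1 == "cipher:" { print $2; exit }' "$1")
    [ -n "$cipher" ] || return 1
    echo "$cipher"
    case "$cipher" in *-plain) return 1 ;; esac
}

# Rewrite fstab $1 and crypttab $2 in place with the page's entries.
apply_edits() {
    fstab="$1"; crypttab="$2"
    fstab_set "$fstab" 3 swap '/dev/mapper/cswap none swap sw,pri=1 0 0' > "$fstab.new"
    fstab_set "$fstab.new" 2 /home '/dev/mapper/home /home ext3 defaults 1 2' > "$fstab.new2"
    mv "$fstab.new2" "$fstab"; rm -f "$fstab.new"
    # swap: random key each boot, ESSIV so it is not weaker than /home (assumption)
    crypttab_set "$crypttab" cswap \
        'cswap /dev/hda2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256' > "$crypttab.new"
    # home: key "none" means the boot scripts prompt for the LUKS passphrase
    crypttab_set "$crypttab.new" home 'home /dev/hda3 none luks' > "$crypttab.new2"
    mv "$crypttab.new2" "$crypttab"; rm -f "$crypttab.new"
}

# Usage (as root, after backing up): sh crypt-config.sh --apply
if [ "${1:-}" = --apply ]; then
    cp /etc/fstab /etc/fstab.bak
    cp /etc/crypttab /etc/crypttab.bak
    apply_edits /etc/fstab /etc/crypttab
fi
```

To preview, copy /etc/fstab somewhere and call fstab_set on the copy; the awk keeps the marker line and everything under it untouched except for the line being moved. After the reboot, swap_active /dev/mapper/cswap /proc/swaps and status_cipher_ok on a saved `cryptsetup status home` listing give the same answer as reading the output by hand.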


The majority of this how-to came from https://help.ubuntu.com/community/EncryptedFilesystemHowto3. It was adapted to MEPIS 6 by LanceHaverkamp 18:59, 5 November 2006 (EST)
