Revision 1 as of 2006-06-04 16:00:44

Clear message

Encrypted Swap and Home with LUKS (on Ubuntu 6.06 and 5.10)

by Stefano Spinucci virgo977virgo at <googlemail> dot com


WARNING: encrypting a partition is a destructive operation; then, partitions to be encrypted must be empty, because all data on them will be erased.

NOTE#1: DM-Crypt works by transparently translating (in the kernel) between a physical on-disk partition (which is encrypted) and a logical partition which you can then mount and use as normal; the important thing to mention is that whenever you operate on your partition, you must do so by using /dev/mapper/home instead of /dev/hda3.

NOTE#2: in this tutorial encrypted swap will be in in '/dev/hda2' and encrypted home will be in '/dev/hda3'; replace '/dev/hda2' with your swap partition and '/dev/hda3' with your home partition.

install cryptsetup

enable 'community maintained' (universe) repository from the Synaptic package manager or modifying the file /etc/apt/sources.list (apt sources list).

install cryptsetup:

# apt-get install cryptsetup

encrypted swap

before setting the encrypted swap, the file /etc/fstab should have a swap entry like this:

# <file system>   <mount point>   <type>   <options>   <dump>  <pass>
/dev/hda2         none            swap     sw          0       0

now just replace in /etc/fstab /dev/hda2 with the new device name /dev/mapper/cswap:

# <file system>     <mount point>   <type>   <options>   <dump>  <pass>
/dev/mapper/cswap   none            swap     sw          0       0

after that, add an entry in /etc/crypttab:

# <target device>   <source device>   <key file>    <options>
cswap               /dev/hda2         /dev/random   swap

reboot, and that's it! the encrypted swap device is done; confirm it worked:

# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/mapper/cswap                       partition       3148700 0       -1

# sudo cryptsetup status cswap
/dev/mapper/cswap is active:
  cipher:  aes-cbc-plain
  keysize: 256 bits
  device:  /dev/.static/dev/sda6
  offset:  0 sectors
  size:    6297417 sectors
  mode:    read/write

read the crypttab(5) manpage for more information

encrypted home

unmount (if mounted) /dev/hda3

sudo umount /dev/hda3

check the partition for errors (and wait several minutes...):

# sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/hda3

fill the disk with random data (and wait many more minutes...); /dev/urandom won't be as random as /dev/random, but it is the best practical solution available:

# sudo dd if=/dev/urandom of=/dev/hda3

create a LUKS partition:

# sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/hda3

set up the device mapper:

# sudo cryptsetup luksOpen /dev/hda3 home

confirm it worked:

# sudo dmsetup ls
home (254, 0)
# ls -l /dev/mapper
total 0
brw-------  1 root root 254,  0 Jun 13 22:34 home 

create the filesystem (e.g. ext3):

# sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/home

temporary mount, to copy data from old home:

# sudo mount -t ext3 /dev/mapper/home /mnt

copy data from old home:

# sudo cp -axv /home/* /mnt/

unmount the temporary mount:

sudo umount /mnt

permanent mounting

Ubuntu 6.06

insert in /etc/fstab :

# <file system>    <mount point>   <type>   <options>   <dump>  <pass>
/dev/mapper/home   /home           ext3     defaults    1       2

after that, add an entry in /etc/crypttab:

# <target device>   <source device>   <key file>   <options>
home                /dev/hda3         none         luks

reboot, and the encrypted home is done.

Ubuntu 5.10

because 'crypttab' in Ubuntu 5.10 doesn't support LUKS encrypted partitions, automatic mounting of home with Ubuntu 5.10 is a bit more difficult.

create a file named 'cryptinit' in /etc/init.d/ with the following content:

# if this script is executed when home is opened, tries to close it;
# otherwise, tries to open it, for three times, then continue without
# opening it
if [ -b /dev/mapper/home ]; then
    /sbin/cryptsetup luksClose home
    while [ $i -gt 0 ]; do
        let "i -= 1"
        /sbin/cryptsetup luksOpen /dev/hda3 home && i=0

make 'cryptinit' executable

sudo chmod 755 /etc/init.d/cryptinit

then, create a symlink to 'cryptinit' in /etc/rcS.d

# cd /etc/rcS.d
# sudo ln -s ../init.d/cryptinit S28cryptinit

insert in /etc/fstab :

# <file system>    <mount point>   <type>   <options>   <dump>   <pass>
/dev/mapper/home   /home           ext3     defaults    1        2

reboot, and the encrypted home is done.

manual mounting and unmounting

if you have encrypted other partitions than home and you don't want to unlock those partitions on boot, then you need to manually mount and unmount them.


set up the device mapper:

# cryptsetup luksOpen /dev/hda4 data


# mount /dev/mapper/data /media/data



# umount /media/data

delete the device mapper:

# cryptsetup luksClose data


: cryptmount


: LUKS on dm-crypt

: dm-crypt

: dm-crypt wiki

: dm-crypt mailing list

: Encrypted Device Using LUKS

: How to configure an encrypted swap partition on Debian systems

  • /usr/share/doc/cryptsetup/CryptoSwap.HowTo

: Encrypted filesystem howto (Ubuntu)

: Encrypted filesystem howto 2 (Ubuntu)

: dmcrypt (Debian)

: Encrypt devices using dm-crypt and LUKS (Fedora Core)

: SECURITY System Encryption DM-Crypt with LUKS (Gentoo)

: SECURITY Encrypting Root Filesystem with DM-Crypt with LUKS (Gentoo)

: SECURITY Encrypting Root Filesystem with DM-Crypt (Gentoo)