For those of you that haven't encrypted your home partition, but would like to, here's a guide to do so using dm-crypt and LUKS without having to reinstall your entire system. What you have to do, though, is back up /home before you start this guide. Note that this is block device level encryption, which means that the entire partition will be encrypted. If you are unsure about the differences between block and filesystem stacked level encryption, google it first 🙂

While doing this, you have to log out and use the terminal. Pressing Ctrl+Alt+F2 will get you to a new virtual console, where you log in with your root account.

First, back up your /home. I found rsync was the easiest way. Depending on its size, it can take a while.

rsync -ah --progress /home <USB DRIVE>

Now it's time to create the encrypted partition. NOTE! This will erase the entire partition! You also choose what passphrase to use in this step. Remember it; if you lose it you will not be able to get your stuff back!

cryptsetup -y -v luksFormat /dev/sdXX

Now it's time to open your new encrypted partition, and create a filesystem to use for it. I use btrfs for my system, but you can use whatever fs you want. When opening the partition, it will ask you for the passphrase you created in the earlier step. The dd step isn't necessary, but will give some extra protection to secure your data. Using dd will write zeros to your partition, but it can take a long time depending on the size of the partition.

cryptsetup luksOpen /dev/sdXX home
dd if=/dev/zero of=/dev/mapper/home
mkfs.btrfs /dev/mapper/home

Now your drive is ready to use. If you want to encrypt your USB-stick/hard drive with LUKS, use the same procedure as above. To use the new encrypted partition as /home, you have to make some changes to both fstab and crypttab to make it mount correctly.

Edit /etc/crypttab and add the following line to it. If you don't want a timeout, remove that option.

home /dev/sdXX none luks,timeout=120

Locate the line in /etc/fstab that mounts /home, and change the UUID to /dev/mapper/home. In some guides I saw that you could use the UUID, but that didn't work for me. This is what mine looks like now.

/dev/mapper/home /home btrfs defaults,noatime,space_cache,autodefrag,compress=lzo 0 2

If you want to have a more human readable name for your partition, you can mount the partition and change its label. Note that all changes made to the partition (e.g. in partition manager) must be made after you have unlocked it, else you will wipe the encryption too.

cryptsetup luksOpen /dev/sdXX home
# e2label only works on ext2/3/4; for the btrfs filesystem created above use:
btrfs filesystem label /dev/mapper/home <name>

That's it. Now you can reboot your system and try it out. Note that the passphrase is entered before you get to the login screen. Personally I use auto login to skip the login part, /home is encrypted anyway 🙂

All you have to do now is restore your previous backup.

Good luck.
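
One way to check the crypttab and fstab edits above before rebooting, as an added example that is not part of the original post: the function `check_home_mapping` (a hypothetical name) confirms that the /home line in fstab refers to a mapping name that crypttab defines. The sample files and the `cr_home` name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the /home line in
# fstab points at a /dev/mapper name that crypttab actually defines.
# Usage: check_home_mapping [CRYPTTAB] [FSTAB]   (defaults: the live files)
check_home_mapping() {
    crypttab=${1:-/etc/crypttab}
    fstab=${2:-/etc/fstab}

    # fstab: field 1 = device, field 2 = mount point; comment lines are skipped.
    home_dev=$(awk '$1 !~ /^#/ && $2 == "/home" { print $1; exit }' "$fstab")
    [ -n "$home_dev" ] || { echo "no /home entry in $fstab"; return 2; }

    case $home_dev in
        /dev/mapper/*) name=${home_dev#/dev/mapper/} ;;
        *) echo "/home is mounted from $home_dev, not from /dev/mapper"; return 3 ;;
    esac

    # crypttab: field 1 = mapping name, field 2 = encrypted source device.
    src=$(awk -v n="$name" '$1 == n { print $2; exit }' "$crypttab")
    [ -n "$src" ] || { echo "mapping '$name' is not defined in $crypttab"; return 4; }

    # If the source is a real block device, confirm the LUKS header (needs root).
    if [ -b "$src" ] && command -v cryptsetup >/dev/null 2>&1; then
        cryptsetup isLuks "$src" || { echo "$src has no LUKS header"; return 5; }
    fi
    echo "ok: /home <- /dev/mapper/$name <- $src"
}

# Constructed sample files holding the two lines from the guide.
demo=$(mktemp -d)
printf '%s\n' 'home /dev/sdXX none luks,timeout=120' > "$demo/crypttab"
printf '%s\n' '/dev/mapper/home /home btrfs defaults,noatime,space_cache,autodefrag,compress=lzo 0 2' > "$demo/fstab"
check_home_mapping "$demo/crypttab" "$demo/fstab"
# A renamed mapping that fstab was not updated for is reported (exit status 4).
printf '%s\n' 'cr_home /dev/sdXX none luks' > "$demo/crypttab"
check_home_mapping "$demo/crypttab" "$demo/fstab" || echo "exit status $?"
rm -rf "$demo"
```

Run without arguments as root, it reads the live /etc/crypttab and /etc/fstab and also confirms the LUKS header on the source device.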

Never used GitHub, but I will give it a try 🙂

I think I just managed to do a pull request. See if I managed to do it correctly 🙂

I would name the partition crypt_home or cr_home, but not the same name as the mountpoint.
Furthermore, why check the btrfs filesystem at boot? btrfs has online checks (btrfs scrub).

You can use whatever name you want in crypttab, then use it in fstab accordingly. It doesn't really matter what you name it. The important part is that it's mounted to /home in fstab.

The entry in fstab is from the default installation, haven't really made any other changes to it. But you are right, there's no need to do the check at boot.