Create encrypted home partition

I want to install Manjaro 17 encrypting only the home partition with LUKS. During the installation process I tried to manually partition the disk as follows:

GUID Partition Table (GPT)
Partition for / (root) with ext4 (no flags).
Partition for /home with ext4 encrypted (no flags).
Partition for swap with linux-swap filesystem and swap flag.

When I try to boot Manjaro something goes wrong; in fact I don't have the time to enter the passphrase to unlock the home partition. I think my partition scheme is wrong, maybe it is missing some flags?
Can you help me please?

This is a screenshot of the output (I'm installing manjaro inside a virtual machine created with gnome-boxes):

What do your /etc/crypttab and /etc/fstab files look like?

Generally you mount your encrypted partition in crypttab and then in your fstab you use the unlocked partition that now is mapped in the device mapper at something like /dev/mapper/<name>.

This is the output of the two commands:

I used Calamares (Manjaro's default installer) to define the partitions.

It tries to mount /dev/sda2 directly (assumes EXT4). But there is a LUKS-encrypted partition on /dev/sda2. Maybe just initramfs is configured the wrong way.
But I have to admit that I never tried such a setup (encrypting only /home) with Manjaro.

I think @dot is right. Look at what it says in your crypttab:

Your fstab lists the same UUID as in crypttab, so that seems to be wrong.

1 Like

https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Unlocking_a_secondary_partition_at_boot

I think in your fstab instead of the UUID you will just have to use /dev/mapper/home
So the line for your home partition should read:

/dev/mapper/home    /home    ext4    defaults,noatime 0    2
1 Like

@oberon is right, using the device mapper is what you want to do, (you could also use the UUID for the unencrypted partition).

Also, in your crypttab you have a key-file listed as a way to unlock the encrypted partition. I would verify that the key-file works, and if it does revoke it.

Why? Because you store a key to your encrypted device on an unencrypted partition next to it. A bit like hanging the key to your house outside your door with a sign saying "Here is my house key". It sort of defeats the purpose of encryption.

2 Likes

Thank you guys! I resolved following your suggestions :slight_smile:

I changed the entry in /etc/fstab replacing the UUID with /dev/mapper/luks-f79cf2a1-e78e-4f58-93a2-21b51cf1cbaa where luks-f79cf2a1-e78e-4f58-93a2-21b51cf1cbaa is the name associated to the partition in /etc/crypttab.

Another way is to edit the /etc/crypttab replacing luks-f79cf2a1-e78e-4f58-93a2-21b51cf1cbaa with another name, for example home (more human readable) and then use /dev/mapper/home in /etc/fstab instead of UUID=f79cf...baa

Now, it works. I think that this is an incorrect installation process, because in this case the user has to manually edit these configuration files.
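The fix described above, and in the earlier replies about crypttab versus fstab, boils down to one rule: crypttab names the LUKS container by its UUID, and fstab must then mount the unlocked mapping at /dev/mapper/<name>, not the container UUID. As an added example (not part of this thread or of Calamares), here is a small POSIX shell checker that reads a crypttab and an fstab, rewrites any fstab entry that still points at a LUKS container UUID, and lists crypttab entries that are unlocked with a key file (the point raised about the key file sitting on an unencrypted partition). The file paths and the sample contents in `demo` are constructed for the illustration, using the UUID from this thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Calamares.
# Assumed formats: crypttab "<name> <device> <keyfile> <options>",
#                  fstab    "<device> <mount> <type> <options> <dump> <pass>".

# fix_fstab CRYPTTAB FSTAB
# Print FSTAB with every "UUID=<luks uuid>" device that matches a crypttab
# container replaced by "/dev/mapper/<name>". Other lines pass through as-is.
fix_fstab() {
    awk 'NR == FNR {
            # first file (crypttab): remember LUKS UUID -> mapper name
            if ($0 !~ /^[ \t]*(#|$)/ && $2 ~ /^UUID=/) {
                name[substr($2, 6)] = $1
            }
            next
        }
        # second file (fstab): rewrite entries that mount the raw container
        $1 ~ /^UUID=/ && (substr($1, 6) in name) {
            $1 = "/dev/mapper/" name[substr($1, 6)]
        }
        { print }' "$1" "$2"
}

# crypttab_keyfiles CRYPTTAB
# Print "<name> <keyfile>" for each entry unlocked with a key file rather than
# a passphrase prompt ("none" or "-"); these are the ones worth reviewing.
crypttab_keyfiles() {
    awk '!/^[ \t]*(#|$)/ && NF >= 3 && $3 != "none" && $3 != "-" {
        print $1, $3
    }' "$1"
}

# demo: constructed sample files mirroring the Calamares output in this thread
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        '# <name> <device> <password> <options>' \
        'luks-f79cf2a1-e78e-4f58-93a2-21b51cf1cbaa UUID=f79cf2a1-e78e-4f58-93a2-21b51cf1cbaa /crypto_keyfile.bin luks' \
        > "$tmp/crypttab"
    printf '%s\n' \
        '# <device> <mount> <type> <options> <dump> <pass>' \
        'UUID=11111111-2222-3333-4444-555555555555 / ext4 defaults,noatime 0 1' \
        'UUID=f79cf2a1-e78e-4f58-93a2-21b51cf1cbaa /home ext4 defaults,noatime 0 2' \
        > "$tmp/fstab"
    echo "== fstab with container UUIDs replaced by mapper names =="
    fix_fstab "$tmp/crypttab" "$tmp/fstab"
    echo "== crypttab entries unlocked by a key file =="
    crypttab_keyfiles "$tmp/crypttab"
    rm -rf "$tmp"
}

demo
```

Run it against the real files as `fix_fstab /etc/crypttab /etc/fstab` to see what the corrected fstab would be; it only prints, so nothing is changed until you copy the result into place. Unrelated entries (the root line with an unrelated UUID in the sample) are left untouched.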

How did you install this? I didn't realise it was even possible to encrypt /home only with Calamares?
I'm glad that it's working now for you in any case! :slight_smile:

Yes, I used only Calamares. In fact, I started the live distro and followed the instructions to install the system. You should manually partition your hard drive, telling Calamares that the home partition will be encrypted (there is a checkbox to enable this option), and then edit the configuration files as previously described :grin: :+1:

Another solution seems to be ecryptfs. This is a post-install process where you can add an encryption layer. It's a different solution (file-based encryption instead of block-based encryption). I think the luks encryption (actually the only one) supported by calamares is easier and more suitable for a large tree of folders and files.

1 Like

Doesn't Ubuntu use ecryptfs to encrypt home partitions?
I have never really looked closer into it, but it has its own advantages and disadvantages:
https://wiki.archlinux.org/index.php/ECryptfs

Looks like calamares is maybe not handling this very well, yet...
I made a test install now with just one encrypted partition for / and the resulting install works as it is, but the config files don't look ideal, do they, @robiha?

crypttab

luks-30523f85-62d6-4833-a3a8-e0e7377b3e2e    UUID=30523f85-62d6-4833-a3a8-e0e7377b3e2e    /crypto_keyfile.bin    luks

fstab

UUID=30523f85-62d6-4833-a3a8-e0e7377b3e2e    /    ext4    defaults,noatime 0    1

and mkinitcpio.conf has

FILES="/crypto_keyfile.bin"
HOOKS="base udev autodetect modconf block keyboard keymap plymouth encrypt filesystems fsck"
1 Like

Yes, Calamares seems to always generate the wrong fstab when using encrypted partitions, and it does not handle the key-file very well.

It works fine for a single partition setup, as you noticed, but if you have any more partitions, even with the option to let Calamares partition the hard drive, it doesn't work. It does not add the key-file to all partitions and the fstab is wrong.

2 Likes

I successfully installed it with this configuration on my real system. The only thing is that I had to add another partition for EFI. So, I created a 400MB fat32 partition with /boot/efi as mount point and the esp flag. Calamares notified this tip when it saw that there wasn't an efi partition.

The first time I tried to install manjaro, it crashed during the creation of the encrypted home partition. I tried again restarting the installer and it did the installation without problems.

So, @robiha -- if I used Calamares to install and encrypt a system on a single partition, it would work fine? Even if the hard drive contained two partitions? Or does this only work when the hard drive is a single partition unto itself?

Hope you can hear/understand the nuance to this question.

cc: @oberon

Maybe, I don't know. It has been some time since we discussed this and I don't know if something has changed in Calamares on the latest installation media. But if Calamares does what it did before, then I think it will work, though you may want to have a look at your fstab after installation to see that it uses the "right" mount options.

The only way to know for sure is to test.

What are you going to use the other partition for?

Also if you are going to use encryption you may want to read up a bit on how it works:
https://wiki.archlinux.org/index.php/Dm-crypt

Lastly, if you want to have a bit more control when you install your system, then I suggest you have a look at the Manjaro-architect installer. I have found it very useful.

1 Like

I had the same problem and I could fix it doing this:

which is basically re-doing what calamares should have done. I guess the problem is during adding the keyfile to LUKS?
