A wasted evening, disk encryption is a pain

Been quite a few burglaries this way; every single machine I have, apart from the webserver (which must start without human intervention) and my main desktop, has an encrypted disk, so I thought it was time to encrypt the home folder on my main desktop.

So I backed up the home folders to the encrypted external drive for that machine, created a /home2/mark directory and edited /etc/passwd to make that my home directory (so I could unmount the LV used by /home), and rebooted.

Unmounted /home, LUKS-formatted it, luksOpened it, made an ext4 filesystem in the opened volume, put the LUKS UUID in /etc/crypttab and the ext4 filesystem's UUID in /etc/fstab to replace the original ext4 LV entry; rebooted.

OOPS. The external disk encryption keys were in /home, so the external drive failed to mount. And the encryption keys I use are not enterable from the keyboard. But at least I knew what they were, so I created a key file in /home2 and mounted the drive manually using that.
And here lies problem two: obviously I cannot keep the encryption keys in /home any more, as that is going to be encrypted; no biggie, the external disk keys can go in /boot.
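Problem two is a general one: a key file that lives on a volume which itself has to be unlocked from crypttab can never be read in time. The check below is an added example, not anything from the original post; it reads crypttab and fstab text and flags such key files. The two tables, their UUIDs and the /home/mark/.keys path are constructed for the demonstration.

```python
"""Flag crypttab key files stored on a filesystem that is itself unlocked
from crypttab (the /home chicken-and-egg described above). Added example,
not from the original post; the tables below are constructed and the UUIDs
and the /home/mark/.keys path are made up."""
CRYPTTAB = """\
# name     device                                     keyfile                   options
home       UUID=11111111-1111-1111-1111-111111111111  none                      luks
extdisk    UUID=22222222-2222-2222-2222-222222222222  /home/mark/.keys/ext.key  luks
"""
FSTAB = """\
UUID=33333333-3333-3333-3333-333333333333  /         ext4  defaults  1 1
/dev/mapper/home                           /home     ext4  defaults  1 2
/dev/mapper/extdisk                        /mnt/ext  ext4  defaults  0 0
"""

def parse(table):
    """Split crypttab/fstab text into field lists, skipping blanks and comments."""
    return [line.split() for line in table.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def encrypted_mountpoints(crypttab, fstab):
    """Mountpoints whose backing device is /dev/mapper/<name> for a crypttab name."""
    names = {row[0] for row in parse(crypttab)}
    return {row[1] for row in parse(fstab)
            if row[0].startswith("/dev/mapper/") and row[0][12:] in names}

def mountpoint_of(path, mountpoints):
    """Longest mountpoint that is a prefix of path, i.e. the filesystem holding it."""
    best = "/"
    for mp in mountpoints:
        if len(mp) > len(best) and path.startswith(mp.rstrip("/") + "/"):
            best = mp
    return best

def keyfiles_on_encrypted_fs(crypttab, fstab):
    """Return [(name, keyfile, mountpoint)] for key files that sit on an encrypted fs."""
    enc = encrypted_mountpoints(crypttab, fstab)
    all_mps = {row[1] for row in parse(fstab)}
    bad = []
    for row in parse(crypttab):
        keyfile = row[2] if len(row) > 2 else "none"
        if keyfile in ("none", "-"):
            continue  # passphrase prompt at boot, nothing on disk to find
        mp = mountpoint_of(keyfile, all_mps)
        if mp in enc:
            bad.append((row[0], keyfile, mp))
    return bad

for name, key, mp in keyfiles_on_encrypted_fs(CRYPTTAB, FSTAB):
    print(f"{name}: key file {key} is on encrypted {mp}; keep it on /boot instead")
```

Run it against the real files with `keyfiles_on_encrypted_fs(open("/etc/crypttab").read(), open("/etc/fstab").read())` to check a live setup.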

BUT I wasn't actually able to mount the new encrypted /home filesystem, and password prompting was irregular (sometimes a GUI window at boot, sometimes I had to hit ESC and enter it from the command-line boot window).

I think the problem is that the crypttab entries try to open their encrypted volumes before the logical volumes are activated, which makes sense as PVs and their LVs are normally on encrypted raw partitions and I am trying to do it the other way around.
No problem, I will have to mount it from an S99 rc script, which will probably require using the command-line boot display rather than letting it start with the GUI splash screens…

…but that's next weekend. I needed it back to do some TV recording, so I reformatted /home as a normal ext4 LV and restored back into it. Flicked SELinux into permissive as the context labels were not restored by tar; will relabel on the next boot to fix that.

But after 4-5 hrs of mucking about with this it's back to where I started from, for now.

The problem there may be key chaining, as the /home filesystem must use a different key to the external drive (so I can enter it from the keyboard at boot), or more probably the crypttab entries try to
Automating the provision of that key from the same disk makes encryption pointless (it is OK to automount external disks, as if someone steals them they can't use them without taking the desktop as well).

About mark

At work, been working on Tandems for around 30 yrs (programming + sysadmin), plus AIX and Solaris sysadmin also thrown in during the last 20 yrs; also about 5 yrs on MVS (mainly operations and automation but also SMP/E work). At home I have been using Linux for decades. Programming background is commercially in TAL/COBOL/SCOBOL/C (Tandem); 370 assembler (MVS); C, Perl and shell scripting in *nix; and Microsoft Macro Assembler (Windows).
This entry was posted in Unix.