February 2008 – Edison Chan, a Hong Kong artist, found himself in trouble after his sex-photo scandal spread around the world through the Internet. He claimed that the photos were stolen after he sent his laptop to a repair shop.

Edison made the same mistake that many of us make: storing files unprotected on the machine.

Some files, such as documents and spreadsheets, can be encrypted with the tools built into OpenOffice itself. Pictures and MP4 files, however, sit unprotected on the hard disk. File permissions do not help here: anyone with physical access can bypass them (e.g. by booting the machine from a live CD) and read the disk directly.

To overcome this, we encrypt our partitions. Most Linux users will have two partitions on their machine: one for the root filesystem (/, /root, /bin, …) and another one for the users' home directories (/home). To limit the performance impact, we can encrypt only the home partition. Keep in mind that data can still leak onto the unencrypted root partition through swap and temporary files (/tmp); only full-disk encryption closes those gaps.

In the following example, Ubuntu 9.10 is the target Linux OS, and LUKS (set up with cryptsetup) is the encryption system.

#

Say a machine with an 80GB hard disk is used and we allocate 3 partitions as follows:
a. Partition 1 (sda1) – Linux OS partition, size 10GB
b. Partition 2 (sda2) – Sensitive data partition, size 20GB
c. Partition 3 (sda3) – Regular data partition, size 50GB

In the above example, Ubuntu is installed in partition 1. Partition 2 is encrypted with LUKS and is where our sensitive data is stored. We store regular files in partition 3. Please be reminded that your allocation may differ from mine, so substitute your own device names below.

Assume you have installed Ubuntu in partition 1 successfully. Next, install the cryptsetup package in Ubuntu and restart the machine so that the dm-crypt kernel module is loaded and ready for LUKS.

Then, as root (prefix the commands with sudo), type the following command in the terminal. This destroys everything currently on /dev/sda2, so double-check the device name first:

cryptsetup luksFormat /dev/sda2

And we expect the output to be something like this:

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

Next, open the device and give the mapping a name, here "private" (you can use another name). Opening does not mount anything yet; it only makes the decrypted view of the partition available as a device-mapper node.

cryptsetup luksOpen /dev/sda2 private

And the output should be:

Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

After this, the decrypted partition is available as /dev/mapper/private. Everything written to that device is encrypted before it reaches /dev/sda2.

Then, create an ext3 filesystem on the mapped device (not on /dev/sda2 itself, which would destroy the LUKS header):

mkfs.ext3 /dev/mapper/private

Next, add this line to /etc/crypttab so that the cryptsetup boot scripts know the partition is encrypted and open it (prompting for the passphrase) at boot. The fields are the mapping name, the underlying device, the key file ("none" means prompt for a passphrase) and the options:
private /dev/sda2 none luks

Then, create a mount point to host the encrypted partition:
mkdir /private

Add the following line to /etc/fstab. Note that it mounts the mapped device /dev/mapper/private, not /dev/sda2, and that the mount point must be the directory you just created:
/dev/mapper/private /private ext3 defaults 0 2

Lastly, mount the new filesystem (sudo mount /private picks up the fstab entry; without this step the mv below would just copy your data onto the unencrypted root partition) and move your current user folder into it. Do this from a root shell while that user is not logged in, since a logged-in session keeps files in the home directory open:

sudo mv /home/zkchong /private/zkchong

or create a new user account whose home directory is on the encrypted partition:

sudo useradd chongzk -d /private/chongzk -m

Later, remember to set the access privileges for this new user account from System->Administration->Users and Groups.

If you moved an existing user folder, also update the home directory in /etc/passwd so that it points at the new location (sudo usermod -d /private/zkchong zkchong does this safely; editing the file by hand gives a line like the following):

zkchong:x:1001:1001:Chong Zan Kai,,,,:/private/zkchong:/bin/bash

Then restart your machine. The cryptsetup boot scripts should ask for the passphrase of the encrypted partition somewhere in the middle of the boot sequence. After this, you should be able to log in with your user folder on the encrypted partition.
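The procedure above as one script, added here as an example rather than taken from the original post. The device, mapping name, mount point and user name (/dev/sda2, private, /private, zkchong) are assumptions matching the walkthrough; the config lines are generated by functions so crypttab, fstab and the home directory cannot drift apart, and a consistency check catches the classic mistake of mounting at one path while pointing the account at another. Nothing touches a disk unless the script is run as root with --apply.

```shell
#!/bin/sh
# Added example (not from the original post): the steps above as one script,
# with the config lines generated by functions so they stay consistent.
# Assumed names: DEV=/dev/sda2, NAME=private, MNT=/private, USER_NAME=zkchong.
# Nothing touches a disk unless run as root with "--apply".

DEV=${DEV:-/dev/sda2}
NAME=${NAME:-private}
MNT=${MNT:-/private}
USER_NAME=${USER_NAME:-zkchong}

# crypttab entry: <mapping name> <device> <key file> <options>.
# "none" in the key-file field means "prompt for the passphrase at boot".
crypttab_line() {
    printf '%s %s none luks\n' "$1" "$2"
}

# fstab entry: mount the *mapped* device, never the raw partition.
fstab_line() {
    printf '/dev/mapper/%s %s ext3 defaults 0 2\n' "$1" "$2"
}

# The three places that must agree: crypttab declares the mapping, fstab
# mounts /dev/mapper/<name> somewhere, and the user's home directory lies
# under that mount point. Returns 0 if consistent, 1/2/3 for the mismatch.
check_consistency() {
    name=$1; crypttab=$2; fstab=$3; home=$4
    printf '%s\n' "$crypttab" | grep -q "^$name " || return 1
    mnt=$(printf '%s\n' "$fstab" | awk -v dev="/dev/mapper/$name" '$1 == dev { print $2 }')
    [ -n "$mnt" ] || return 2
    case $home in
        "$mnt"/*) return 0 ;;
        *) return 3 ;;
    esac
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    cryptsetup luksFormat "$DEV"            # asks for YES and a passphrase; wipes $DEV
    cryptsetup luksOpen "$DEV" "$NAME"      # asks for the passphrase; creates /dev/mapper/$NAME
    mkfs.ext3 "/dev/mapper/$NAME"           # the filesystem goes on the mapped device
    crypttab_line "$NAME" "$DEV" >> /etc/crypttab
    mkdir -p "$MNT"
    fstab_line "$NAME" "$MNT" >> /etc/fstab
    mount "$MNT"                            # uses the fstab entry just written
    # Move the home directory while $USER_NAME is not logged in, then point
    # the account at it (usermod -d edits /etc/passwd for you).
    mv "/home/$USER_NAME" "$MNT/$USER_NAME"
    usermod -d "$MNT/$USER_NAME" "$USER_NAME"
    check_consistency "$NAME" "$(cat /etc/crypttab)" "$(cat /etc/fstab)" "$MNT/$USER_NAME" \
        && echo "crypttab, fstab and home directory agree"
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

Run it as `sudo sh setup-private.sh --apply` from a console where the user being moved is not logged in. The check at the end is worth keeping even if you do the steps by hand: it fails with status 3 when fstab mounts the volume at /mnt/private but /etc/passwd sends the user to /private/zkchong.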

#

Entering the passphrase every time the machine restarts is somewhat troublesome.

To overcome that, we can tie unlocking the partition to the login password. pam_mount hands the password you type at login to cryptsetup, so this only works if a LUKS key slot holds the same passphrase as the account: either set the LUKS passphrase to match, or add a second key slot with cryptsetup luksAddKey. Remember that changing the login password later with passwd does not change the LUKS passphrase; use cryptsetup luksChangeKey to keep them in sync.

First, you need to have libpam-mount installed.

Secondly, remove the following line from /etc/fstab, since the partition is no longer opened at boot and the mount would only fail:

/dev/mapper/private /private ext3 defaults 0 2

Then, change the crypttab line to the following. The key-file field stays "none"; "noauto" belongs in the options field, so that the boot scripts skip the volume instead of prompting for it (putting it in the key-file field would make the scripts look for a key file called noauto):

private /dev/sda2 none luks,noauto

Then, add the following volume element inside the <pam_mount> root element of /etc/security/pam_mount.conf.xml (fstype="crypt" tells pam_mount to open the LUKS device with the login password and then mount it):

<volume user="zkchong" fstype="crypt" path="/dev/sda2" mountpoint="/private" />

After restarting your machine, you should be able to unlock the encrypted partition just by logging into the account normally; pam_mount unmounts it again when the user's last session closes.
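The switch-over from unlock-at-boot to unlock-at-login, added here as an example and not part of the original post. It assumes the same names as the walkthrough (/dev/sda2, mapping private, mount point /private, user zkchong). The file-editing helpers read stdin and write stdout, so they can be tried on copies of crypttab, fstab and pam_mount.conf.xml before anything under /etc is changed; only --apply as root touches the real files.

```shell
#!/bin/sh
# Added example (not from the original post): convert the "private" volume from
# unlock-at-boot to unlock-at-login with pam_mount. Assumed names: DEV=/dev/sda2,
# NAME=private, MNT=/private, USER_NAME=zkchong. The helpers filter stdin to
# stdout; only "--apply" as root edits /etc.

DEV=${DEV:-/dev/sda2}
NAME=${NAME:-private}
MNT=${MNT:-/private}
USER_NAME=${USER_NAME:-zkchong}

# crypttab: keep "none" in the key-file field and add "noauto" to the options
# so the boot scripts skip this volume instead of prompting for it.
# Idempotent: a line that already carries noauto is left alone.
crypttab_noauto() {
    awk -v name="$NAME" '
        $1 == name && $3 == "none" && $4 !~ /noauto/ { $4 = $4 ",noauto" }
        { print }'
}

# fstab: drop the mount of /dev/mapper/$NAME; at boot the device is no longer
# open, so the mount could only fail.
fstab_drop() {
    awk -v dev="/dev/mapper/$NAME" '$1 != dev { print }'
}

# pam_mount volume element. fstype="crypt" makes pam_mount run cryptsetup with
# the login password, so a LUKS key slot must hold that same passphrase.
pam_mount_volume() {
    printf '<volume user="%s" fstype="crypt" path="%s" mountpoint="%s" />\n' \
        "$USER_NAME" "$DEV" "$MNT"
}

# Insert the element just before the closing </pam_mount> tag so the XML stays
# well-formed.
pam_mount_insert() {
    awk -v vol="$(pam_mount_volume)" '
        /<\/pam_mount>/ { print "    " vol }
        { print }'
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    # Put the login password into a second key slot; slot 0 keeps the original
    # passphrase as a recovery key. Prompts for an existing passphrase first.
    cryptsetup luksAddKey "$DEV"
    crypttab_noauto < /etc/crypttab > /etc/crypttab.new && mv /etc/crypttab.new /etc/crypttab
    fstab_drop < /etc/fstab > /etc/fstab.new && mv /etc/fstab.new /etc/fstab
    cfg=/etc/security/pam_mount.conf.xml
    pam_mount_insert < "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

Keeping slot 0 as a separate recovery passphrase matters: if the account password is ever changed without updating LUKS, the volume can still be opened by hand with cryptsetup luksOpen and the key slots brought back in sync with cryptsetup luksChangeKey.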