This can be done on any Linux based machine, but the commands below were initially run on Debian based distros. This assumes a blank storage device, so a secure wipe is unnecessary. Use lsblk to find the storage device (/dev/mmcblk1 is the location used in the examples, an SD card). The device size listed in lsblk should be the expected size of the device. This also assumes there is only one existing partition on the device (the default partition, which is the case for SD cards).
Remove the partition:
sudo parted -s /dev/mmcblk1 rm 1
This creates the primary partition spanning all available space on the device, which will hold /home/user in this example:
sudo parted --align optimal /dev/mmcblk1 mkpart primary ext4 0% 100%
The following command is interactive (it prompts for and confirms the passphrase). Store the passphrase somewhere safe (a password manager):
sudo cryptsetup -v -y -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-random luksFormat /dev/mmcblk1p1
Back up the LUKS header so that the data can be recovered if the header is corrupted by hardware issues or by meddling with the formatting of the device:
sudo cryptsetup luksHeaderBackup --header-backup-file /tmp/user_home_header.$(hostname).img /dev/mmcblk1p1
It's best to copy this header backup to a separate machine. It contains the key slots, so it must be protected as carefully as the device itself.
sudo cryptsetup open --type luks /dev/mmcblk1p1 user_home
Note that the decrypted drive mapping is available in /dev/mapper/:
sudo mkfs.ext4 /dev/mapper/user_home
sudo cryptsetup close user_home
The device is now ready to be used.
This assumes that you have another user to log in as besides the user whose home directory is being encrypted. Stop that user's processes and move the existing home directory aside:
sudo pkill -u user
cd /
sudo mv /home/user /tmp/user.bkp
sudo mkdir /home/user
sudo touch /home/user/DECRYPT_DEVICE_BEFORE_CONTINUING
Add the decrypting commands to the notice file for ease of use:
echo "sudo cryptsetup open --type luks /dev/mmcblk1p1 user_home" \
  > /home/user/DECRYPT_DEVICE_BEFORE_CONTINUING
echo "sudo mount /dev/mapper/user_home /home/user" \
  >> /home/user/DECRYPT_DEVICE_BEFORE_CONTINUING
This assumes the parameters used above in "Creating the encrypted device". Note that if your shell is currently inside the home directory when it is unlocked and mounted, you will need to re-enter it to see the mounted contents (just cd into it again):
sudo cryptsetup open --type luks /dev/mmcblk1p1 user_home
sudo mount /dev/mapper/user_home /home/user
sudo rsync -au /tmp/user.bkp/ /home/user/
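One way to check the copy mechanically before the backup is deleted, as an added example that is not part of the original guide: compare the directory tree and the SHA-256 of every file under /tmp/user.bkp and /home/user, ignoring the top-level lost+found that mkfs.ext4 created on the new volume. The sample home directory it builds for the demonstration is constructed.

```shell
# Added example, not from the original guide: confirm the rsync copy of the old home
# matches before "sudo rm -rf /tmp/user.bkp/". The fresh ext4 volume has a top-level
# lost+found that the backup never had, so that directory is ignored.
# tree_list DIR: sorted relative paths of every directory, file and symlink.
tree_list() {
    (cd "$1" && find . -path ./lost+found -prune -o \
        \( -type d -o -type f -o -type l \) -print | sort)
}
# manifest DIR: "sha256  ./path" for every regular file, sorted by path.
manifest() {
    (cd "$1" && find . -path ./lost+found -prune -o -type f -exec sha256sum {} + | sort -k2)
}

# verify_copy SRC DST: returns 0 if DST has the same tree and file contents as SRC,
# 1 if they differ (differences are printed to stderr). On the migrated home:
#   verify_copy /tmp/user.bkp /home/user && sudo rm -rf /tmp/user.bkp/
verify_copy() {
    tmp=$(mktemp -d) || return 2
    rc=0
    tree_list "$1" > "$tmp/a.tree"; tree_list "$2" > "$tmp/b.tree"
    manifest "$1" > "$tmp/a.sum";   manifest "$2" > "$tmp/b.sum"
    diff "$tmp/a.tree" "$tmp/b.tree" >&2 || rc=1
    diff "$tmp/a.sum" "$tmp/b.sum" >&2 || rc=1
    rm -rf "$tmp"
    return $rc
}

# make_sample_home DIR: constructed stand-in for a user's home directory.
make_sample_home() {
    mkdir -p "$1/.ssh" "$1/docs"
    printf 'export EDITOR=vim\n' > "$1/.bashrc"
    printf 'Host *\n  ServerAliveInterval 60\n' > "$1/.ssh/config"
    chmod 600 "$1/.ssh/config"
    printf 'notes\n' > "$1/docs/todo.txt"
    ln -s docs/todo.txt "$1/todo"
}

# Stand-alone demonstration in temporary directories; nothing under /home is touched.
demo() {
    t=$(mktemp -d)
    make_sample_home "$t/old"
    cp -a "$t/old" "$t/new"
    mkdir "$t/new/lost+found"                 # what mkfs.ext4 leaves behind
    verify_copy "$t/old" "$t/new" && echo "copy verified: identical"
    printf 'truncated' > "$t/new/docs/todo.txt"
    verify_copy "$t/old" "$t/new" 2>/dev/null || echo "copy differs: keep the backup"
    rm -rf "$t"
}
demo
```

Ownership and permissions are not compared here; rsync -a preserves them, and a quick spot check with ls -la on both trees covers that part.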
Once you have confirmed that the data was copied correctly, remove the backup:
sudo rm -rf /tmp/user.bkp/
The device has now been migrated.