@intrd
Last active April 26, 2023 12:26
Tutorial - Linux disk encryption (/home folder + /tmp with ecryptfs, plus swap partitions w/ dm-crypt)
## Linux disk encryption (/home folder + /tmp with ecryptfs, plus swap partitions w/ dm-crypt)
# @author intrd - http://dann.com.br/
Why not full disk encryption?
This setup is for systems that need the performance: only /home, /tmp and swap are encrypted, so the rest of the OS keeps running from plain disk.
Done on an Ubuntu system with an already existing user.
as root:
# apt-get install ecryptfs-utils cryptsetup
# apt-get install lsof
# modprobe ecryptfs
Make sure that user is not logged in anywhere (no shell, no desktop session, no leftover processes; lsof -u username lists them). Running ecryptfs-migrate-home through sudo from that user's own session does not work, because the session itself counts as being logged in.
# ecryptfs-migrate-home -u username
enter that user's login password (it becomes the passphrase that wraps the randomly generated mount passphrase)
known errors that can be ignored:
chown: cannot access '/dev/shm/.ecryptfs-shell': No such file or directory
Could not unlink the key(s) from your keying. Please use `keyctl unlink` if you wish to remove the key(s). Proceeding with umount.
When it finishes, reboot and log in as the user; the PAM module should mount the decrypted home automatically.
If that fails because of a keyring problem, mount it manually:
$ ecryptfs-mount-private
and enter your login passphrase.
Then reboot and log in as the user again to confirm that automatic mounting now works.
$ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
Write down the mount passphrase it prints and keep it somewhere safe, offline: it is the only way to get at the data if the login password is changed from outside PAM or ~/.ecryptfs/wrapped-passphrase is lost.
Check that the files in your home are all there and readable.
If everything is ok, remove the backup ecryptfs-migrate-home left at /home/youruser.xxxxx. It is a plaintext copy of the whole home, so shred the files before removing the directory rather than just rm -rf it.
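The checks a practitioner would run around ecryptfs-migrate-home, as an added example that is not part of this gist or of ecryptfs-utils. The user name alice, the /home base and the text in the comments are assumptions; each check takes its input (the output of who, the content of /proc/mounts) as an argument, so it can run against the live system or against captured text. The mount check works for any ecryptfs mount point, including a ~/Private directory made with ecryptfs-setup-private.

```shell
#!/bin/sh
# Pre-flight and post-migration checks for ecryptfs-migrate-home.
# Added example for this tutorial, not part of the gist or of ecryptfs-utils.
# The user name alice, the /home base and the quoted text in comments are
# assumptions; each check takes its input as an argument.

# Does user $1 have a session? $2 is the output of `who`.
# ecryptfs-migrate-home must run while the target user has no session at all,
# which is why it is run from a root login, not via sudo from that user's shell.
user_has_session() {
    user=$1
    printf '%s\n' "$2" | {
        while read -r name rest; do
            [ "$name" = "$user" ] && exit 0
        done
        exit 1
    }
}

# Is $1 an ecryptfs mount point? $2 is the content of /proc/mounts.
# After the migration, once the user has logged in, /home/<user> must show up
# with fstype "ecryptfs" (the ciphertext lives in /home/.ecryptfs/<user>/.Private);
# otherwise the user is looking at the empty mount point, not at their data.
is_ecryptfs_mount() {
    mnt=$1
    printf '%s\n' "$2" | {
        while read -r dev point fstype rest; do
            [ "$point" = "$mnt" ] && [ "$fstype" = "ecryptfs" ] && exit 0
        done
        exit 1
    }
}

# Print the plaintext backups ecryptfs-migrate-home leaves behind for user $1
# (/home/<user>.<random>) under base directory $2 (default /home).
list_migration_backups() {
    user=$1 base=${2:-/home}
    for bk in "$base/$user".*; do
        [ -d "$bk" ] && printf '%s\n' "$bk"
    done
    return 0
}

# Wipe one such backup: overwrite every file before unlinking (best effort on
# journaled or copy-on-write filesystems), then drop the tree. Refuses anything
# that is not a direct /home/<user>.<id> entry.
wipe_backup() {
    rel=${1#/home/}
    case "$1" in /home/*) ;; *) rel= ;; esac
    case "$rel" in
        ''|*/*|.*|*.) rel= ;;
        *.*) ;;
        *) rel= ;;
    esac
    if [ -z "$rel" ]; then
        printf 'refusing to wipe %s: not a /home/<user>.<id> backup\n' "$1" >&2
        return 1
    fi
    find "$1" -type f -exec shred -u -- {} +
    rm -rf -- "$1"
}

# Live usage (as root):
#   sh ecryptfs_home_check.sh preflight alice   (before ecryptfs-migrate-home)
#   sh ecryptfs_home_check.sh verify alice      (after logging in as alice)
case "${1:-}" in
    preflight)
        if user_has_session "$2" "$(who)"; then
            echo "$2 is still logged in; log them out before ecryptfs-migrate-home" >&2
            exit 1
        fi
        echo "$2 has no session; ok to run ecryptfs-migrate-home -u $2" ;;
    verify)
        if is_ecryptfs_mount "/home/$2" "$(cat /proc/mounts)"; then
            echo "/home/$2 is an ecryptfs mount; backups to wipe once the data checks out:"
            list_migration_backups "$2"
        else
            echo "/home/$2 is NOT an ecryptfs mount (migration failed, or $2 is not logged in)" >&2
            exit 1
        fi ;;
esac
```

wipe_backup deliberately refuses anything that is not a top-level /home/<user>.<id> directory, so a typo cannot turn it into rm -rf of a real home.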
## Encrypting swap w/ ecryptfs-setup-swap
$ sudo ecryptfs-setup-swap
and follow the instructions. It rewrites /etc/crypttab and /etc/fstab for an existing swap partition; if you have no swap yet it stops with:
INFO: You do not currently have any swap space defined.
You can create a swap file by doing:
$ sudo dd if=/dev/zero of=/swapfile bs=1k count=2048k   # 2 GiB; size it like your RAM if you want to be able to swap everything out
$ sudo chmod 0600 /swapfile                             # before mkswap: swap can end up holding keys and passwords
$ sudo mkswap /swapfile
mkswap prints a UUID; you will not need it, the crypttab entry refers to the file by path.
$ sudo nano /etc/crypttab
and add a line like this:
cryptswap1 /swapfile /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
/dev/urandom means a fresh key at every boot (the old contents become unreadable, and hibernation/resume cannot work through this swap); swap makes cryptsetup run mkswap on the mapping at every activation; offset=1024 sectors leaves the first 512 KiB of the file, where mkswap's own signature lives, outside the mapping. Add size=512 if you want AES-256 rather than AES-128 under XTS. Make sure /etc/fstab refers to /dev/mapper/cryptswap1 and not to /swapfile, or swapon will use the plain file.
If you are using a swap partition instead, find it with
$ sudo blkid
and replace /swapfile with its device node, e.g. /dev/sda3. Double-check the node: the partition is overwritten with random-keyed ciphertext at every boot.
$ sudo reboot
If you get this error at boot:
swapon: /dev/mapper/cryptswap1: stat failed: No such file or directory
you have most likely referenced the partition by UUID in /etc/crypttab. Do not use UUID= there. Why?
Known bug
The random-key mapping overwrites the swap signature, and the UUID stored in it, as soon as data is written to the partition. The UUID= source therefore stops resolving on the next boot, cryptsetup never creates /dev/mapper/cryptswap1, and swapon fails as above.
Use the device path instead, /dev/sda3 (you can get it with: sudo blkid). If you want a name that survives disks being renumbered, /dev/disk/by-partuuid/... works too: the partition UUID lives in the partition table, not in the partition content that gets overwritten. (With offset=1024 in the entry, the signature at the start of the partition stays outside the mapping and a UUID= reference keeps working, which is what newer versions of ecryptfs-setup-swap rely on; without the offset, the device path is the only safe reference.)
## /tmp encrypt
Create a 300 MiB backing file (size it for your workload):
# dd if=/dev/zero of=/.crypttmp count=300 bs=1M
The next two steps are what the original recipe does. Neither is strictly required, because cryptsetup attaches a loop device itself when the crypttab source is a regular file, and the tmp option formats the mapping at every activation:
# losetup -f --show /.crypttmp    # prints the loop device it picked, e.g. /dev/loop0 (the first free one; do not assume loop0)
# mkfs.ext4 -O ^has_journal /dev/loop0
# nano /etc/crypttab
crypttmp /.crypttmp /dev/urandom precheck=/bin/true,tmp,size=256,hash=sha256,cipher=aes-cbc-essiv:sha256
What the options do: /dev/urandom gives a fresh key at every boot, so nothing written to /tmp survives a reboot; tmp tells cryptsetup to run mkfs on the mapping each time it is activated (ext4 on current versions, see crypttab(5)); precheck=/bin/true disables the pre-activation check that refuses to overwrite a source carrying a filesystem signature, which is exactly what the mkfs step above put there; hash= only affects keys derived from a passphrase, not a raw key file like /dev/urandom, so it is harmless here; size=256 with aes-cbc-essiv:sha256 is AES-256 (if you switch to aes-xts-plain64, use size=512 for the same strength).
# nano /etc/fstab
/dev/mapper/crypttmp /tmp ext4 defaults 0 2
Activate the mapping, clear the old plaintext /tmp while nothing is mounted on it (those files are exactly what you wanted off the disk, so shred them rather than just rm them if the underlying disk is not encrypted), then mount it (mount /tmp, or reboot):
# cryptdisks_start crypttmp
# rm -Rf /tmp/*
Afterwards check that /tmp is mode 1777 (drwxrwxrwt in ls -ld /tmp); a freshly made ext4 root is 0755, so fix it with chmod 1777 /tmp if it is not.
More details:
http://ubuntuforums.org/showthread.php?t=2099797
http://ubuntuforums.org/showthread.php?t=2099797&p=12433861#post12433861
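A lint pass over the random-key /etc/crypttab entries used for swap and for /tmp above, covering both sections; it is an added example, not part of this gist, of ecryptfs-setup-swap or of the cryptsetup package. It is POSIX sh; the sample crypttab, fstab and /proc/swaps lines are constructed, and the target names cryptswap1 and crypttmp are the ones from this page. It flags the UUID-without-offset mistake behind the "stat failed" error, a non-random key on a throw-away volume, a missing swap/tmp option, an AES-128 key size under XTS, and a mapping that /etc/fstab does not actually use; the last check confirms that every active swap area is a dm-crypt mapping.

```shell
#!/bin/sh
# Lint for the random-key dm-crypt entries (swap and /tmp) used in this tutorial.
# Added example: not part of the gist, of ecryptfs-setup-swap or of cryptsetup.
# Checks take their input as strings, so they run against /etc/crypttab,
# /etc/fstab and /proc/swaps of a live system or against captured text.

# Does the comma-separated option list $1 contain option $2 (bare or =value)?
has_opt() {
    old_ifs=$IFS; IFS=','
    for o in $1; do
        case "$o" in "$2"|"$2="*) IFS=$old_ifs; return 0 ;; esac
    done
    IFS=$old_ifs; return 1
}

# Value of option $2 in option list $1 (empty if absent).
opt_val() {
    old_ifs=$IFS; IFS=','
    for o in $1; do
        case "$o" in "$2="*) printf '%s' "${o#*=}" ;; esac
    done
    IFS=$old_ifs
}

# Lint one /etc/crypttab line ("target source keyfile options"). Prints one
# finding per line. Returns 1 if the entry would fail to activate or is not the
# throw-away random-key volume wanted here; cipher advice does not fail it.
lint_crypttab_entry() {
    set -- $1
    target=$1 src=${2:-} key=${3:-} opts=${4:-} rc=0
    if [ "$key" != /dev/urandom ] && [ "$key" != /dev/random ]; then
        echo "$target: key is '$key', not /dev/urandom: contents would survive a reboot, which swap and /tmp must not"
        rc=1
    fi
    if ! has_opt "$opts" swap && ! has_opt "$opts" tmp; then
        echo "$target: random key without the swap or tmp option: nothing formats the mapping, so it is unusable"
        rc=1
    fi
    # The bug behind "swapon: ... stat failed": without an offset the mapping
    # overwrites mkswap's signature (and the UUID in it) on first use, so a
    # UUID= source stops resolving. offset=1024 keeps the first 512 KiB out.
    case "$src" in
        UUID=*|LABEL=*)
            if ! has_opt "$opts" offset; then
                echo "$target: $src stops resolving after the first boot; use the device path (or /dev/disk/by-partuuid/...) or add offset=1024"
                rc=1
            fi ;;
    esac
    cipher=$(opt_val "$opts" cipher); size=$(opt_val "$opts" size)
    case "$cipher" in
        '') echo "$target: no cipher=; cryptsetup's plain-mode default applies, set cipher=aes-xts-plain64,size=512 explicitly" ;;
        aes-xts-*) [ "${size:-256}" = 512 ] ||
            echo "$target: $cipher with size=${size:-256} is AES-128 (XTS splits the key); use size=512 for AES-256" ;;
        aes-cbc-essiv:*) echo "$target: $cipher works but is the legacy choice; aes-xts-plain64 with size=512 is current" ;;
    esac
    has_opt "$opts" swap && echo "$target: note: a random key rules out hibernation/resume via this swap"
    return $rc
}

# Does $2 (content of /etc/fstab) use /dev/mapper/$1? Both the swap and the
# /tmp mapping need an fstab entry; the manual swap-file path above adds none.
fstab_has_mapper() {
    printf '%s\n' "$2" | {
        while read -r dev rest; do
            [ "$dev" = "/dev/mapper/$1" ] && exit 0
        done
        exit 1
    }
}

# Is every active swap area a dm-crypt mapping, and is there at least one?
# $1 is the content of /proc/swaps (or of `swapon --show`). A plain /swapfile
# or /dev/sdaN here means unencrypted swap is in use.
all_swap_encrypted() {
    printf '%s\n' "$1" | {
        n=0
        while read -r name rest; do
            case "$name" in
                ''|Filename|NAME) continue ;;
                /dev/mapper/*|/dev/dm-*) n=$((n + 1)) ;;
                *) exit 1 ;;
            esac
        done
        [ "$n" -gt 0 ]
    }
}

# Live usage (as root): sh crypt_lint.sh --live
if [ "${1:-}" = --live ]; then
    status=0
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        lint_crypttab_entry "$line" || status=1
        set -- $line
        fstab_has_mapper "$1" "$(cat /etc/fstab)" || { echo "$1: no /etc/fstab entry for /dev/mapper/$1"; status=1; }
    done < /etc/crypttab
    all_swap_encrypted "$(cat /proc/swaps)" || { echo "unencrypted (or no) swap is active"; status=1; }
    exit $status
fi
```

Run it with --live after editing the files and again after the reboot: the first run catches a bad entry before it costs you a boot, the second confirms that what is actually swapping is the mapping and not the plain file or partition.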
# Clear /tmp on shutdown
Nothing extra is needed for this with the setup above: the key for crypttmp comes from /dev/urandom at every activation and exists only in the kernel, so whatever was written to /tmp is unreadable after a shutdown (or a crash), and the tmp option formats a fresh filesystem at the next boot.
## Encrypting a non-home directory w/ ecryptfs
The same tooling that did the home migration can encrypt a single directory for any user (a ~/Private folder):
# su - newuser
$ ecryptfs-setup-private --nopwcheck --noautomount
Enter the user's login password and leave the mount passphrase blank to have one generated. Ignore these two error messages:
mount: No such file or directory
ERROR: Could not mount private ecryptfs directory
$ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
Take note of the passphrase it prints, as for the home directory above.
You now have an encrypted directory at
~/Private
(the ciphertext lives in ~/.Private). If you need to change the mount path, edit ~/.ecryptfs/Private.mnt.
To mount it:
$ ecryptfs-mount-private
To unmount it:
$ ecryptfs-umount-private
all done.