How to set up a second encrypted hard drive and move your home directory to it:
Let's make a keyfile for the second drive, which I'll be calling cryptextra.
Code:
sudo dd if=/dev/urandom of=/etc/keys/cryptextra bs=2048 count=1
Restrict access to root.
Code:
sudo chmod 600 /etc/keys/cryptextra
Set up LUKS on the second drive. Be absolutely sure you have the right drive! If you get it wrong there is NO undo!
Code:
sudo cryptsetup luksFormat /dev/sdb1 /etc/keys/cryptextra
Open cryptextra and make a filesystem.
Code:
sudo cryptsetup --key-file /etc/keys/cryptextra luksOpen /dev/sdb1 cryptextra
sudo mkfs.ext4 /dev/mapper/cryptextra
Time to set up some config files to auto mount. First, put an appropriate entry in /etc/fstab.
Code:
UUID=abcdef.... /mnt/cryptextra ext4 defaults 0 2
And /etc/crypttab. 'noearly' is optional, but you will get a prompt to skip mounting or recover manually on boot if you don't have it.
Code:
cryptextra UUID=123456 /etc/keys/cryptextra luks,noearly
Use 'blkid' to get the UUIDs above. IMPORTANT: The LUKS device UUID goes in crypttab, the UUID for the actual filesystem goes in fstab!
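The UUID mix-up warned about above can be checked mechanically before rebooting. This is an added example, not part of the original post: the function names and the sample blkid output (including both UUIDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that crypttab references the LUKS container UUID and
# fstab references the UUID of the filesystem inside it.

# Constructed sample of `blkid` output; both UUIDs are made up.
SAMPLE_BLKID='/dev/sdb1: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS"
/dev/mapper/cryptextra: UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" BLOCK_SIZE="4096" TYPE="ext4"'

# uuid_type BLKID_TEXT UUID: print the TYPE blkid reports for that UUID.
# The leading space keeps PARTUUID= and PTTYPE= from matching.
uuid_type() {
    printf '%s\n' "$1" |
        sed -n "s/.* UUID=\"$2\".* TYPE=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# check_crypttab_line BLKID_TEXT LINE: succeed only if field 2 (UUID=...)
# names a device whose TYPE is crypto_LUKS.
check_crypttab_line() {
    uuid=$(printf '%s\n' "$2" | awk '{ sub(/^UUID=/, "", $2); print $2 }')
    [ "$(uuid_type "$1" "$uuid")" = "crypto_LUKS" ]
}

# check_fstab_line BLKID_TEXT LINE: succeed only if field 1 (UUID=...)
# names a device whose TYPE equals the filesystem type in field 3.
check_fstab_line() {
    uuid=$(printf '%s\n' "$2" | awk '{ sub(/^UUID=/, "", $1); print $1 }')
    fstype=$(printf '%s\n' "$2" | awk '{ print $3 }')
    [ -n "$fstype" ] && [ "$(uuid_type "$1" "$uuid")" = "$fstype" ]
}

# Demo on the constructed sample: a correct pair, then the swapped mistake.
LUKS_UUID=11111111-2222-3333-4444-555555555555
FS_UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
for u in "$LUKS_UUID" "$FS_UUID"; do
    if check_crypttab_line "$SAMPLE_BLKID" "cryptextra UUID=$u /etc/keys/cryptextra luks,noearly"
    then echo "crypttab UUID=$u: OK (LUKS container)"
    else echo "crypttab UUID=$u: WRONG (not a LUKS container)"
    fi
    if check_fstab_line "$SAMPLE_BLKID" "UUID=$u /mnt/cryptextra ext4 defaults 0 2"
    then echo "fstab UUID=$u: OK (ext4 filesystem)"
    else echo "fstab UUID=$u: WRONG (not the ext4 filesystem)"
    fi
done
```

On a real system, pass "$(sudo blkid)" as the first argument and the relevant line from /etc/crypttab or /etc/fstab as the second.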
You should reboot now to make sure everything works correctly up to this point.
It's time to start moving our home directory.
Code:
sudo mkdir -p /mnt/cryptextra/home/user
sudo chown user:user /mnt/cryptextra/home/user
I had trouble with the next part. Supposedly, all you have to move are the .ecryptfs and .Private folders. That didn't work for me; I had to move the files separately from them. Copy everything in your home directory besides the two ecryptfs files somewhere safe.
Code:
ecryptfs-unmount-private
rsync -avP .ecryptfs .Private /mnt/cryptextra/home/user
Change your home directory in /etc/passwd. The file is quite simple and this should be obvious.
Log out and log back in.
If you want to permanently set the home directory for all new users you create later, edit /etc/default/useradd.