Full home directory encryption using VeraCrypt container


Post by t42 »

This procedure mounts a home directory that is located entirely inside a VeraCrypt container, using cryptsetup only. VeraCrypt itself is used only at the container creation stage.
This method provides good modularity: it is possible to have several different home containers and switch between them by modifying only crypttab, or to move them to a different compatible OS installation.
Warning. In my experience the method is stable, but it is unknown to me whether anyone else has used or discussed it. As for any data, a backup is mandatory for encrypted data as well if the data has any worth. The filesystem backup can be compressed and can contain only part of the encrypted storage, but, if necessary, it needs to be encrypted separately.

[1] Installing VeraCrypt

Skip this part if you have VeraCrypt already installed.

Commands are provided for VeraCrypt version 1.25.9.

Download page: https://veracrypt.fr/en/Downloads.html

Installation of generic Linux version:

    cd /tmp
    wget https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc
    gpg --import VeraCrypt_PGP_public_key.asc
    wget https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-setup.tar.bz2
    wget https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-setup.tar.bz2.sig
    gpg --verify veracrypt-1.25.9-setup.tar.bz2.sig

Verification is successful if the output contains a line starting with gpg: Good signature from "VeraCrypt Team, for example:

    gpg: assuming signed data in 'veracrypt-1.25.9-setup.tar.bz2'
    gpg: Signature made Sun 20 Feb 2022 02:11:36 PM CET
    gpg:                using RSA key 5069A233D55A0EEB174A5FC3821ACD02680D16DE
    gpg: Good signature from "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 5069 A233 D55A 0EEB 174A  5FC3 821A CD02 680D 16DE

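An added example (not part of t42's tutorial) that makes the signature check scriptable. gpg reports "Good signature" for any key that happens to be in your keyring, so what actually matters is that the signing key carries the fingerprint shown in the output above (5069 A233 ... 680D 16DE). The script reads gpg's machine-readable status lines and accepts the archive only when a VALIDSIG line names that fingerprint; the script name verify_vc.sh and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the tutorial: verify the VeraCrypt archive signature by
# key fingerprint. gpg prints "Good signature" for any key that happens to be in
# the keyring, so the check that matters is that the signing key is the one with
# the fingerprint shown in the tutorial's gpg output (5069 A233 ... 680D 16DE).
EXPECTED_FPR="5069A233D55A0EEB174A5FC3821ACD02680D16DE"

# Read gpg --status-fd output on stdin and succeed only if a VALIDSIG line names
# EXPECTED_FPR, either as the signing key (first field) or as the primary key
# (last field). Anything else, including a GOODSIG from another key, fails.
check_gpg_status() {
  matched=1
  while read -r prefix keyword fields; do
    [ "$prefix" = "[GNUPG:]" ] || continue
    [ "$keyword" = "VALIDSIG" ] || continue
    # fields: <sig-key-fpr> <date> <timestamp> <expiry> <version> <reserved>
    #         <pubkey-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
    for f in $fields; do
      if [ "$f" = "$EXPECTED_FPR" ]; then matched=0; fi
    done
  done
  return "$matched"
}

# Run the real check: detached signature first, then the archive it covers.
# Human-readable messages go to stderr and are dropped; only status lines are parsed.
verify_veracrypt_archive() {
  sig="$1"; archive="$2"
  gpg --status-fd 1 --verify "$sig" "$archive" 2>/dev/null | check_gpg_status
}

# Usage: sh verify_vc.sh veracrypt-1.25.9-setup.tar.bz2.sig veracrypt-1.25.9-setup.tar.bz2
if [ "$#" -eq 2 ]; then
  if verify_veracrypt_archive "$1" "$2"; then
    echo "signature OK, made with key $EXPECTED_FPR"
  else
    echo "signature check FAILED (bad signature or unexpected key)" >&2
    exit 1
  fi
fi
```

Run it after the wget and gpg --import steps above, in the same directory as the archive. A mismatching fingerprint fails the check even though gpg itself would still print "Good signature" for that key.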
Extraction and installation of the archive

    tar xvjf veracrypt-1.25.9-setup.tar.bz2
    ./veracrypt-1.25.9-setup-gtk3-gui-x64

Follow the installation prompts.

[2] Creation of the VeraCrypt container

Start VeraCrypt from Menu --> Accessories, or just run veracrypt & in a terminal.
Click the Create Volume button.
  • Create an encrypted file container
    Standard VeraCrypt Volume
    Enter the container name in the Location field: /tmp/home_vc
    Next, choose the Encryption Options (the defaults are AES and SHA-512)
    Next, Volume Size, say 2000 MiB
    Next, set the Volume Password; note that it is different from your login password.
    Next, in Volume Format set the filesystem to Linux ext4
    Next, in Cross-Platform Support mark the option to mount the volume only on Linux
    Next, collect randomness by moving the mouse during Volume Format, then click the Format button.
    Enter your login password when prompted to finish the volume creation.

[3] Preparing of the VeraCrypt container

Move the container to /opt

    sudo mv /tmp/home_vc /opt

Mount the container from the VeraCrypt window: click Select File..., navigate to the /opt/home_vc file, click the Mount button and enter the container password.
Determine the path of the container directory; it should be /media/veracrypt1 if mount slot 1 was selected.

    sudo chown -R $USER:$USER /media/veracrypt1/
    rsync -a /etc/skel/ /media/veracrypt1

Note. Instead of populating a new home directory, you can copy the files from your existing one.
Dismount the container.

Edit the PAM common-auth file:

    sudo nano /etc/pam.d/common-auth

Insert at the end, in the Additional block, the line

    session optional pam_mkhomedir.so

[4] Editing the configuration files

    sudo nano /etc/crypttab

Insert this line, pointing it to the created container:

    home_vc1 /opt/home_vc none tcrypt-veracrypt

home_vc1 is a name of your choosing.
none stands for authentication with an interactive password, but this field can alternatively point to the keys. Please note that the VeraCrypt keys logic is different from the LUKS keys logic.

    sudo nano /etc/fstab

Insert the line

    /dev/mapper/home_vc1 /home/user_name_here ext4 nofail,noatime,nosuid,nodev 0 1

Reboot. Enter the password when prompted.

Important: Please note that when using the tcrypt-veracrypt option in crypttab you must supply the correct password on the first try. There are no retries, because the header of the container is encrypted. The system may become unresponsive; if this happens, use the ALT+PrntScr --> R.E.I.S.U.B key sequence to reboot the OS.
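An added example (not part of t42's tutorial) that covers step [4] and the warning above. It builds the crypttab and fstab lines from the tutorial's layout after checking the inputs, and it provides a preflight function that opens the container by hand with cryptsetup's VeraCrypt mode, checks and mounts the filesystem, and closes it again. Doing this before rebooting means a mistyped password just fails a command instead of leaving the boot stuck at the single attempt. The function names, the scratch mountpoint /mnt/home_vc_test and the user name passed as a parameter are my own choices; home_vc1 and /opt/home_vc are the tutorial's values.

```shell
#!/bin/sh
# Added example, not part of the tutorial: generate the crypttab and fstab lines
# from the tutorial's layout and try the mapping by hand before rebooting.

# Print a crypttab entry for a VeraCrypt container opened with an interactive
# password ("none" key field, tcrypt-veracrypt option), after checking the inputs.
crypttab_line() {
  name="$1"; container="$2"
  case "$name" in
    ''|*[!A-Za-z0-9_-]*) echo "bad mapping name: $name" >&2; return 1 ;;
  esac
  case "$container" in
    /*) ;;
    *) echo "container path must be absolute: $container" >&2; return 1 ;;
  esac
  printf '%s %s none tcrypt-veracrypt\n' "$name" "$container"
}

# Print the matching fstab entry: the mapped device becomes the user's home.
# nofail lets the boot continue if the container cannot be opened; nosuid and
# nodev keep setuid binaries and device nodes inside a home directory inert.
fstab_line() {
  name="$1"; user="$2"
  case "$user" in
    ''|*[!A-Za-z0-9._-]*) echo "bad user name: $user" >&2; return 1 ;;
  esac
  printf '/dev/mapper/%s /home/%s ext4 nofail,noatime,nosuid,nodev 0 1\n' "$name" "$user"
}

# Manual dry run of what the boot-time crypttab processing will do: open the
# container in cryptsetup's VeraCrypt-compatible TCRYPT mode, run a read-only
# fsck, mount it on a scratch mountpoint, list it, then unmount and close.
# A wrong password here only fails the cryptsetup command.
preflight() {
  name="$1"; container="$2"; mnt="${3:-/mnt/home_vc_test}"
  sudo cryptsetup open --type tcrypt --veracrypt "$container" "$name" || return 1
  sudo fsck -n "/dev/mapper/$name"
  sudo mkdir -p "$mnt"
  if sudo mount -o noatime,nosuid,nodev "/dev/mapper/$name" "$mnt"; then
    ls -la "$mnt"
    sudo umount "$mnt"
  fi
  sudo cryptsetup close "$name"
}

# Usage: sh home_vc_lines.sh home_vc1 /opt/home_vc user_name_here
# Prints the two lines to append (it does not edit any file).
if [ "$#" -eq 3 ]; then
  crypttab_line "$1" "$2" && fstab_line "$1" "$3"
fi
```

Run preflight home_vc1 /opt/home_vc from a shell that has sourced the script before touching /etc/crypttab; if it opens, mounts and closes cleanly, the same password will work at boot. The printed lines are appended by hand exactly as the tutorial shows.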

How to undo the changes and return to the original setup:
Comment out the two lines inserted in /etc/fstab and /etc/crypttab.
-=t42=-