intrd · April 26, 2023 12:26
diff --git a/tutorial_disk_encryption.txt b/tutorial_disk_encryption.txt
 ## Linux disk encryption (/home folder + /tmp with ecryptfs, plus swap partitions w/ dm-crypt)
 # @author intrd - http://dann.com.br/

 Why not full disk encryption? 
 this setup is for systems who need performace..
 experienced on ubuntu system w/ an existing user..

 as root:
 # apt-get install ecryptfs-utils cryptsetup
 # apt-get install lsof
 # modprobe ecryptfs

 certificate that user is not logged. sudo does not work.
 # ecryptfs-migrate-home -u username
 type the username login password

 known errors that can be ignored: 
 chown: cannot access '/dev/shm/.ecryptfs-shell': No such file or directory
 Could not unlink the key(s) from your keying. Please use `keyctl unlink` if you wish to remove the key(s). Proceeding with umount.

 after finish, reboot and login as user 
 if you havin preoblem w/ keyring.. just do manually

 $ ecryptfs-mount-private
 enter your login passphrase.

 reboot and login as user..
 $ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
 save your the passphrase on a safe place 

 check if your files at your home are ok..
 if ok, remove the backup created at /home/youruser.xxxxx

 ## Encrypting swap w/ ecryptfs-setup-swap
 sudo ecryptfs-setup-swap
 and folllow instructions..
 INFO: You do not currently have any swap space defined.
 You can create a swap file by doing:
 $ sudo dd if=/dev/zero of=/swapfile bs=1k count=2048k #if you want a swap of 2gb.. custize this to use a swap same size of your ram
 $ sudo mkswap /swapfile
 copy the uuid...

 sudo chmod 0600 /swapfile  
 check which sda is your partition and...
 sudo nano /etc/crypttab 
 somethiung like this
 cryptswap1 /swapfile /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
 if you are using a swap partition
 sudo blkid
 and replace /swapfile to something like /dev/sda3

 $ sudo reboot
 if this error
 swapon: /dev/mapper/cryptswap1: stat failed: No such file or directory
 do not use UUID on /etc/crypttab, why?
 Known Bug
 There is a bug (see below) that overwrites the UUID for the partition as soon as data is written to it. Therefore, you cannot use the UUID to reference the partition to use for encrypted swap.
 use /dev/sda3 instead of UUID (u can get this using: sudo blkid)

 ## /tmp encrypt 
 dd if=/dev/zero of=/.crypttmp count=300 bs=1M
 losetup /dev/loop0 /.crypttmp
 if loop0 is in use, use loop1
 mkfs.ext4 -O ^has_journal /dev/loop1
 nano /etc/crypttab
 crypttmp /.crypttmp /dev/urandom precheck=/bin/true,tmp,size=256,hash=sha256,cipher=aes-cbc-essiv:sha256
 nano /etc/fstab
 /dev/mapper/crypttmp /tmp ext4 defaults 0 2
 cryptdisks_start crypttmp
 sudo rm -Rf /tmp/*
 moar details:
 http://ubuntuforums.org/showthread.php?t=2099797
 http://ubuntuforums.org/showthread.php?t=2099797&p=12433861#post12433861

 # Clear /tmp on shutdown
 firstly learn how to encrypt an non-home directory w/ ecryptfs
 su newuser
 $ ecryptfs-setup-private --nopwcheck --noautomount 
 type the user and blank mount passphrase to generate a new one.. ignore the two errors msgs
 mount: No such file or directory
 ERROR:  Could not mount private ecryptfs directory
 $ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
 take note of your passphrase..

 now you have your encrypted directory 
 ~/Private
 if u need change this path.. edit ~/.ecryptfs/Private.mnt
 to mount..
 $ ecryptfs-mount-private
 umount..
 $ ecryptfs-umount-private

 all done.
	## Linux disk encryption (/home folder + /tmp with ecryptfs, plus swap partitions w/ dm-crypt)
	# @author intrd - http://dann.com.br/

	Why not full disk encryption?
	this setup is for systems who need performace..
	experienced on ubuntu system w/ an existing user..

	as root:
	# apt-get install ecryptfs-utils cryptsetup
	# apt-get install lsof
	# modprobe ecryptfs

	certificate that user is not logged. sudo does not work.
	# ecryptfs-migrate-home -u username
	type the username login password

	known errors that can be ignored:
	chown: cannot access '/dev/shm/.ecryptfs-shell': No such file or directory
	Could not unlink the key(s) from your keying. Please use `keyctl unlink` if you wish to remove the key(s). Proceeding with umount.

	after finish, reboot and login as user
	if you havin preoblem w/ keyring.. just do manually

	$ ecryptfs-mount-private
	enter your login passphrase.

	reboot and login as user..
	$ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
	save your the passphrase on a safe place

	check if your files at your home are ok..
	if ok, remove the backup created at /home/youruser.xxxxx

	## Encrypting swap w/ ecryptfs-setup-swap
	sudo ecryptfs-setup-swap
	and folllow instructions..
	INFO: You do not currently have any swap space defined.
	You can create a swap file by doing:
	$ sudo dd if=/dev/zero of=/swapfile bs=1k count=2048k #if you want a swap of 2gb.. custize this to use a swap same size of your ram
	$ sudo mkswap /swapfile
	copy the uuid...

	sudo chmod 0600 /swapfile
	check which sda is your partition and...
	sudo nano /etc/crypttab
	somethiung like this
	cryptswap1 /swapfile /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
	if you are using a swap partition
	sudo blkid
	and replace /swapfile to something like /dev/sda3

	$ sudo reboot
	if this error
	swapon: /dev/mapper/cryptswap1: stat failed: No such file or directory
	do not use UUID on /etc/crypttab, why?
	Known Bug
	There is a bug (see below) that overwrites the UUID for the partition as soon as data is written to it. Therefore, you cannot use the UUID to reference the partition to use for encrypted swap.
	use /dev/sda3 instead of UUID (u can get this using: sudo blkid)

	## /tmp encrypt
	dd if=/dev/zero of=/.crypttmp count=300 bs=1M
	losetup /dev/loop0 /.crypttmp
	if loop0 is in use, use loop1
	mkfs.ext4 -O ^has_journal /dev/loop1
	nano /etc/crypttab
	crypttmp /.crypttmp /dev/urandom precheck=/bin/true,tmp,size=256,hash=sha256,cipher=aes-cbc-essiv:sha256
	nano /etc/fstab
	/dev/mapper/crypttmp /tmp ext4 defaults 0 2
	cryptdisks_start crypttmp
	sudo rm -Rf /tmp/*
	moar details:
	http://ubuntuforums.org/showthread.php?t=2099797
	http://ubuntuforums.org/showthread.php?t=2099797&p=12433861#post12433861

	# Clear /tmp on shutdown
	firstly learn how to encrypt an non-home directory w/ ecryptfs
	su newuser
	$ ecryptfs-setup-private --nopwcheck --noautomount
	type the user and blank mount passphrase to generate a new one.. ignore the two errors msgs
	mount: No such file or directory
	ERROR: Could not mount private ecryptfs directory
	$ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
	take note of your passphrase..

	now you have your encrypted directory
	~/Private
	if u need change this path.. edit ~/.ecryptfs/Private.mnt
	to mount..
	$ ecryptfs-mount-private
	umount..
	$ ecryptfs-umount-private

	all done.