encrypting home directory using LUKS on Debian

November 10, 2015 - Reading time: 2 minutes

If you happen to have /home on a separate partition already (/dev/sda5 in this example), then it's a really easy process.

Do the following as the root user:

  1. Install the cryptsetup package:

    apt install cryptsetup
    
  2. Copy your home directory to a temporary directory on a different partition:

    mkdir /homebackup
    cp -a /home/* /homebackup
    
  3. Encrypt your home partition:

    umount /home
    cryptsetup -h sha512 -c aes-xts-plain64 -s 512 luksFormat /dev/sda5
    cryptsetup luksOpen /dev/sda5 chome
    mkfs.ext4 -m 0 /dev/mapper/chome
    
  4. Add this line to /etc/crypttab:

    chome    /dev/sda5    none    luks,timeout=30
    
  5. Set the home partition to this in /etc/fstab (replacing the original home partition line):

    /dev/mapper/chome /home ext4 nodev,nosuid,noatime 0 2
    
  6. Copy your home data back into the encrypted partition:

    mount /home
    cp -a /homebackup/* /home
    rm -rf /homebackup
    

That's it. Next time you boot your laptop, you will be prompted for the passphrase you set with luksFormat in Step 3.
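Before rebooting after Steps 4 and 5, it is worth checking that the crypttab mapping name and the fstab mount line actually agree, since a mismatch (or a leftover line mounting the raw partition) leaves the system without /home on the next boot. The following check is an added example, not part of the original post; the file paths default to the real /etc files, and the sample crypttab/fstab contents at the bottom are constructed to mirror the entries shown above.

```shell
#!/bin/sh
# Added example: sanity-check /etc/crypttab against /etc/fstab before rebooting.
# For every mapping <name> <device> ... in crypttab, require that fstab mounts
# /dev/mapper/<name> and no longer mounts <device> directly.
# Usage: check_crypt_config [crypttab] [fstab]; returns 0 when consistent.
check_crypt_config() {
    crypttab=${1:-/etc/crypttab}
    fstab=${2:-/etc/fstab}
    status=0
    # crypttab fields: <name> <device> <keyfile> <options>; skip blank/comment lines
    while read -r name device _keyfile _opts; do
        case $name in ''|'#'*) continue ;; esac
        if ! grep -Eq "^[[:space:]]*/dev/mapper/$name[[:space:]]" "$fstab"; then
            echo "ERROR: crypttab mapping '$name' has no /dev/mapper/$name line in $fstab"
            status=1
        fi
        if grep -Eq "^[[:space:]]*$device[[:space:]]" "$fstab"; then
            echo "ERROR: $fstab still mounts raw partition $device (stale pre-encryption line)"
            status=1
        fi
    done < "$crypttab"
    return $status
}

# Constructed demo input (not real system files): the entries from the post above.
demo_dir=$(mktemp -d)
printf 'chome    /dev/sda5    none    luks,timeout=30\n' > "$demo_dir/crypttab"
printf '/dev/sda1 / ext4 errors=remount-ro 0 1\n' > "$demo_dir/fstab"
printf '/dev/mapper/chome /home ext4 nodev,nosuid,noatime 0 2\n' >> "$demo_dir/fstab"
check_crypt_config "$demo_dir/crypttab" "$demo_dir/fstab" && echo "crypttab/fstab consistent"
rm -rf "$demo_dir"
```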


mount encrypted volumes from command line

September 19, 2015 - Reading time: 4 minutes

Unlocking and mounting the disk with udisksctl

Instead, I used udisksctl, a command-line interface that interacts with the udisksd service.

Here's what worked (/dev/sdb5 is the partition on my hard disk marked as crypt-luks):

udisksctl unlock -b /dev/sdb5
udisksctl mount -b /dev/mapper/ubuntu--vg-root

After typing the first command, you'll be prompted for your encryption passphrase. Once the encrypted partition is unlocked, the second command will mount it. If that's successful, you'll end up with a message similar to this:

Mounted /dev/dm-1 at /media/dpm/e8cf82c0-f0a3-41b3-ab28-1f9d23fcfa72

From there I could access the data :)

Locking the disk with udisksctl

Unmount the device:

udisksctl unmount -b /dev/mapper/ubuntu--vg-root

You'll need to deactivate all logical volumes in the ubuntu-vg volume group first; otherwise you'll get an error along the lines of 'Device busy' when you try to lock it:

sudo lvchange -an ubuntu-vg

Then you'll be able to lock the encrypted partition again:

udisksctl lock -b /dev/sdb5

Notes

  • The udisksctl commands are executed without sudo.
  • Device mapper names: the ubuntu--vg-root naming might change across Ubuntu releases (e.g. I've seen it called system-root and ubuntu-root too). An easy way to find out the name is to run the following command after unlocking the LUKS partition:

    ls -la /dev/mapper

    Then, looking at the output of the ls command, the name you need will generally be the one symlinked to /dev/dm-1.

  • Device mapper names, alternative: an alternative to the previous command is to run:

    lsblk -e7

    There you'll see the device name mapping as a tree view. The -e7 option excludes the loop devices (major number 7) created by installed snaps from the output, simply to have less clutter.

  • Logical volume names: you can run the sudo lvs command to find out the names of volume groups and logical volumes.
  • Disks app: the GNOME Disks app does not automatically deactivate the logical volumes before locking the partition. Even if you've successfully unlocked the partition via the GUI, you will need to go to the command line and execute the sudo lvchange -an ubuntu-vg command before you can lock it from the GUI.