This story was originally posted on the PCLinuxOS forum. There was a question about an encrypted home on a LiveUSB stick. I had already done it using a couple of different methods, but took a shot at setting it up the same way as I do it on my desktop. It works, and has been reliable so far.
I can also plug the stick into my running desktop, mount, and read/write to the encrypted partition (using the passphrase, of course.)
This method probably only works on a normal PCLinuxOS LiveUSB installation, but may provide an idea for other live USB installations.
Here's the story.
Here's something to think about. I have used a slightly different method in the past, but this one is closer to a normal install.
Encrypted /changes or encrypted /home? Doing /home is a variation of post-install encryption; I don't think /changes can be encrypted, because it's used during boot.
For this, my LiveUSB label is Live and I used Xfce22 as the name during installation. I use an EFI configuration, with swap, and the first partition set up for use with Windows.
— Partition/format the USB drive with a partition for encrypted /home
/dev/sdb1 Microsoft basic data (FAT/NTFS if needed)
/dev/sdb2 EFI System
/dev/sdb3 Linux filesystem (Live partition)
/dev/sdb4 Linux swap
/dev/sdb5 for encrypted home
— Use cryptsetup/mkfs.ext4 or drakdisk to encrypt the home partition and format it as ext4.
— Record the UUID of sdb5 (mine is):
b7b61151-4053-48bb-a954-1f9b0d3f9596
— Do a normal LiveUSB install to sdb3: include Persistence.
— Boot and make sure it runs; set up the user as desired.
— Shutdown and attach LiveUSB to other computer.
— On the other computer, edit the LiveUSB under:
/media/LIVE/changes/Xfce22/etc/
Add the file:
crypttab
containing the desired /dev/mapper name and the UUID recorded above
(enter the following as one line):
ehome UUID=b7b61151-4053-48bb-a954-1f9b0d3f9596 none luks,timeout=180
— Since fstab is written during boot, edit:
/media/LIVE/changes/Xfce22/etc/rc.d/rc.sysinit
Around line 300, find the section that writes the fstab entries and add (one line):
/dev/mapper/ehome /home ext4 rw,errors=remount-ro 0 0
That line goes before the closing EOF line of that section.
Note that /dev/mapper/ehome is the name assigned in the first column of crypttab; the two must match or the mount fails at boot.
— Mount the encrypted home and copy the users over from /media/LIVE/changes/Xfce22/home (NOT /home itself, just the user directories, e.g. guest).
— Unmount the LiveUSB partitions and boot using the stick.
— Select Persistence and enter the passphrase when prompted. Maybe copy a file in as a test.
When done, attach the stick to another computer and mount the encrypted home partition. Make sure everything worked.
If you left the user directories in /changes/home, you can delete them now.
The standard (non-persistent) boot will be as always, i.e., operating in its own world.
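The two hand-edited lines above (the crypttab entry and the fstab line dropped into rc.sysinit) have to agree on the mapper name, and a typo in the UUID means no prompt and no /home at boot. The script below is an added example, not part of the original post: it generates both lines from a mapper name and UUID, rejects a malformed UUID, and cross-checks that every /dev/mapper device named in an fstab has a matching crypttab entry. The files it writes live in a temporary directory (constructed sample data; the UUID is the one from the post), so it runs offline and touches nothing on a real stick.

```shell
#!/bin/sh
# Added example (not from the original forum post): generate and cross-check
# the crypttab and fstab lines the post adds by hand. The UUID below is the
# one quoted in the post; on your own stick use the value blkid reports.
set -eu

# True if the argument looks like a UUID as printed by blkid.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# crypttab line: <mapper name> UUID=<uuid> <keyfile> <options>
# "none" means ask for the passphrase at boot; timeout=180 allows three minutes.
crypttab_line() {
    mapper=$1; uuid=$2
    is_uuid "$uuid" || { echo "bad UUID: $uuid" >&2; return 1; }
    printf '%s UUID=%s none luks,timeout=180\n' "$mapper" "$uuid"
}

# fstab line for the opened mapper device; errors=remount-ro drops a damaged
# filesystem to read-only instead of continuing to write to it.
fstab_line() {
    mapper=$1; mountpoint=$2
    printf '/dev/mapper/%s %s ext4 rw,errors=remount-ro 0 0\n' "$mapper" "$mountpoint"
}

# Every /dev/mapper/<name> referenced in the fstab must have a matching
# first-column entry in crypttab, otherwise the mount fails at boot.
check_consistency() {
    crypttab=$1; fstab=$2
    rc=0
    for dev in $(awk '$1 ~ /^\/dev\/mapper\// {print $1}' "$fstab"); do
        name=${dev#/dev/mapper/}
        if ! awk -v n="$name" '$1 == n {found=1} END {exit !found}' "$crypttab"; then
            echo "no crypttab entry for $name" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed files in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    crypttab_line ehome b7b61151-4053-48bb-a954-1f9b0d3f9596 > "$tmp/crypttab"
    fstab_line ehome /home > "$tmp/fstab"
    if check_consistency "$tmp/crypttab" "$tmp/fstab"; then
        echo "crypttab and fstab agree on mapper name(s)"
    fi
    rm -rf "$tmp"
}

demo
```

To use it against a real stick, point check_consistency at /media/LIVE/changes/Xfce22/etc/crypttab and at a file containing the line you pasted into rc.sysinit; the mapper name check catches the most common reason the encrypted /home silently fails to mount.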
Depending on how the stick is used, you might consider adding other things to the encrypted /home partition. Maybe root's .bash_history could be linked from /changes/root.