Ubuntu – How to create ext4 encrypted partition on Ubuntu 15.04 with new 4.1 kernel


Can I create a new ext4 encrypted partition with kernel 4.1 on Ubuntu 15.04?

Best Answer

  • First off, a disclaimer: I've not done this with Ubuntu, but on a machine with Debian "Stretch" installed using a custom Linux 4.2.3 kernel that I enabled EXT4_FS_ENCRYPTION on.

    The instructions given by kmeaw don't work for me exactly as posted. A few things were left out (command line parameters and steps).

    • Update e2fsprogs as shown above
    • Generate your random salt. I used the following to store it in a "safe place":

      head -c 16 /dev/urandom | xxd -p >~/tmp-salt.txt
      echo 0x`cat ~/tmp-salt.txt` >~/.cryptoSalt
    • In order to use ext4 encryption on the file system, the "encrypt" flag must be set in the super-block. This is not the default when the ext4 file system is created. Using the "tune2fs" utility from e2fsprogs 1.43 or later, set the "encrypt" option:

      sudo tune2fs -O encrypt /dev/sda4
    • Mount or remount the file system so the kernel knows about the change (maybe it's automatic, but I have only done this on a separate partition, so I'm not sure.)

    • Create a directory on the file system that is mounted with encryption enabled:

      sudo mkdir -p /secret/home/$USER
      sudo chown $USER:$USER /secret/home/$USER
    • Create the key in the keyring and use it to set the policy for the directory to be encrypted (the sudo command is not needed here):

      $ /usr/sbin/e4crypt add_key -S s:`cat ~/.cryptoSalt`
      Enter passphrase (echo disabled):
      Added key with descriptor [0132fed69f946c86]
      $ /usr/bin/e4crypt set_policy 0132fed69f946c86 /secret/home/$USER
      Key with descriptor [0132fed69f946c86] applies to /secret/home/theuser.
    • After each reboot, the add_key command can be used to set the key for decryption of the directory and its descendants:

      $ /usr/sbin/e4crypt add_key -S s:`cat ~/.cryptoSalt`
      Enter passphrase (echo disabled):
      Added key with descriptor [0132fed69f946c86]

      Enter the same password used in the previous step, and you don't have to remember the descriptor hex string.

    • You can also use add_key directly. This will use a filesystem-specific salt (so all folders under that partition will have the same salt).

      $ /usr/sbin/e4crypt add_key /secret/home/$USER
      Added key with descriptor [0132fed69f946c86]
      Key with descriptor [0132fed69f946c86] applies to /secret/home/theuser.
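
As an added example (not part of the answer above), a small POSIX shell script that checks the prerequisites the steps rely on and verifies the result: e2fsprogs version, the "encrypt" superblock feature, kernel support, and that the directory's policy references the key that add_key reported. The parsers take command output as text so they can be exercised offline; the SAMPLE_* values are constructed, and CONFIG_FS_ENCRYPTION is the option name newer kernels use in place of EXT4_FS_ENCRYPTION.

```sh
#!/bin/sh
# Pre-flight and post-check helpers for the ext4 encryption steps above (added example).
# Each parser takes command output as a string so the logic can be exercised offline;
# the SAMPLE_* values below are constructed, not captured from a real machine.

# e2fsprogs 1.43+ is needed for `tune2fs -O encrypt` and e4crypt.
# Arg: first line of `tune2fs -V` (it prints to stderr), e.g. "tune2fs 1.43.4 (31-Jan-2017)".
e2fsprogs_version_ok() {
  ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
  major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
  [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 43 ]; }
}

# The superblock must carry the "encrypt" feature set by `tune2fs -O encrypt`.
# Arg: output of `dumpe2fs -h DEVICE`.
has_encrypt_feature() {
  printf '%s\n' "$1" | grep -Eq '^Filesystem features:.*[[:space:]]encrypt([[:space:]]|$)'
}

# The running kernel must have ext4 encryption built in (EXT4_FS_ENCRYPTION on 4.1-era
# kernels, FS_ENCRYPTION on newer ones). Arg: contents of /boot/config-$(uname -r).
kernel_has_fscrypt() {
  printf '%s\n' "$1" | grep -Eq '^CONFIG_(EXT4_FS_ENCRYPTION|FS_ENCRYPTION)=y$'
}

# After set_policy, confirm the directory's policy references the key that was added.
# Args: output of `e4crypt add_key`, output of `e4crypt get_policy DIR`.
policy_matches_key() {
  want=$(printf '%s\n' "$1" | sed -n 's/.*Added key with descriptor \[\([0-9a-f]\{16\}\)\].*/\1/p')
  got=$(printf '%s\n' "$2" | sed -n 's/^.*: \([0-9a-f]\{16\}\)$/\1/p')
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# Constructed samples for offline use (descriptor taken from the answer above).
SAMPLE_DUMPE2FS='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr dir_index filetype extent 64bit flex_bg encrypt extra_isize
Filesystem flags:         signed_directory_hash'
SAMPLE_CONFIG='CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_ENCRYPTION=y'
SAMPLE_ADD_KEY='Enter passphrase (echo disabled):
Added key with descriptor [0132fed69f946c86]'
SAMPLE_GET_POLICY='/secret/home/theuser: 0132fed69f946c86'

# Live mode: `sh preflight.sh --live /dev/sda4` runs the pre-flight checks for real.
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
  e2fsprogs_version_ok "$(tune2fs -V 2>&1 | head -n 1)" && echo "e2fsprogs: ok" || echo "e2fsprogs: too old (need 1.43+)"
  has_encrypt_feature "$(sudo dumpe2fs -h "$2" 2>/dev/null)" && echo "encrypt feature: set" || echo "encrypt feature: missing (run: sudo tune2fs -O encrypt $2)"
  kernel_has_fscrypt "$(cat "/boot/config-$(uname -r)" 2>/dev/null)" && echo "kernel: ext4 encryption built in" || echo "kernel: no ext4 encryption"
fi
```

After set_policy, pass the captured add_key and `e4crypt get_policy DIR` output to policy_matches_key to confirm the directory is bound to the key you just added.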