TrueCrypt is a handy utility for encrypting entire partitions. The encryption is transparent, so everything works as normal, but the data on the disk is encrypted. As a first line of defense one might want to have everything encrypted and mounted when the computer boots, without having to type the commands by hand every time. This is a guide on how to set that up.

It’s quite easy to do this with partitions that don’t have to be mounted during the boot process itself, such as the home partition. The home partition does have to be mounted before anyone logs in, though, so the password has to be provided while booting. If you’re running Fedora Core then this can be done by adding an init script in /etc/rc.d/init.d.

The following example script should be placed at /etc/rc.d/init.d/truecrypt. “[Insert mount command here]” and “[Insert unmount command here]” should be replaced with the commands to mount and unmount the /home partition, e.g. truecrypt --filesystem ext2 /dev/hdan /home and truecrypt -d /dev/hdan. The script asks for a password during boot. If the password is correct then the /home partition is mounted with truecrypt; otherwise two more chances are given to provide the correct password. If the third attempt is also incorrect then the boot sequence proceeds without mounting the /home partition (the computer is still usable, but the information contained in the /home partition is not available).

#!/bin/bash
#
#   /etc/rc.d/init.d/truecrypt
#
# Mounts the /home partition with truecrypt.
#
# chkconfig: 2345 90 10
# description: Truecrypt
# processname: truecrypt

source /etc/rc.d/init.d/functions

# Nothing to do if the truecrypt binary is not installed.
[ -x /usr/bin/truecrypt ] || exit 1

RETVAL=0
prog="truecrypt"
desc="Truecrypt"

start() {
   echo -n $"Starting $desc: "
   # truecrypt prompts for the volume password on the console here.
   [Insert mount command here]
   RETVAL=$?
   [ $RETVAL -eq 0 ] && success || failure
   echo
   # The lock file marks the service as running, for condrestart and shutdown.
   [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
   return $RETVAL
}

stop() {
   echo -n $"Unmounting encrypted disks: "
   [Insert unmount command here]
   RETVAL=$?
   [ $RETVAL -eq 0 ] && success || failure
   echo
   [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
   return $RETVAL
}

restart() {
   stop
   start
}

case "$1" in
  start)
   start
   ;;
  stop)
   stop
   ;;
  restart)
   restart
   RETVAL=$?
   ;;
  condrestart)
   # Only restart if the volume was mounted by this script.
   [ -e /var/lock/subsys/$prog ] && restart
   RETVAL=$?
   ;;
  *)
   echo $"Usage: $0 {start|stop|restart|condrestart}"
   RETVAL=1
   ;;
esac

exit $RETVAL
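The three-attempt behaviour described above is what the password prompt gives you at boot; the script itself does not spell it out. As an added example (not code from the original post, and not part of TrueCrypt), here is a small wrapper that makes that policy explicit and independent of whatever the mount command does on its own: it runs the command up to a fixed number of times and then lets the boot sequence continue without the volume. The fake_mount function is a constructed stand-in that fails a chosen number of times, so the wrapper can be exercised offline; the truecrypt invocation in the comment is the post's own example with its /dev/hdan placeholder.

```shell
#!/bin/bash
# Added example: give the operator a bounded number of mount attempts, then
# continue the boot without the encrypted volume.

# try_mount MAX_ATTEMPTS COMMAND [ARGS...]
# Runs COMMAND up to MAX_ATTEMPTS times. Returns 0 as soon as one attempt
# succeeds; returns 1 once every attempt has failed.
try_mount() {
    local max="$1"; shift
    local attempt=1
    while [ "$attempt" -le "$max" ]; do
        if "$@"; then
            return 0
        fi
        echo "Mount attempt $attempt of $max failed." >&2
        attempt=$((attempt + 1))
    done
    echo "Giving up after $max attempts; continuing without the volume." >&2
    return 1
}

# Constructed stand-in for the real mount command, used only to exercise the
# wrapper offline: it succeeds on the Nth call (N given as $1) and fails
# before that. FAKE_CALLS counts how many times it has been invoked.
FAKE_CALLS=0
fake_mount() {
    FAKE_CALLS=$((FAKE_CALLS + 1))
    [ "$FAKE_CALLS" -ge "$1" ]
}

# In the init script's start() the wrapper would be used like this (the mount
# command is the post's example; hdan stands for your actual partition):
#
#   try_mount 3 truecrypt --filesystem ext2 /dev/hdan /home
#   RETVAL=$?
#   [ $RETVAL -eq 0 ] && touch /var/lock/subsys/truecrypt
#   return $RETVAL
```

Once the script is in place it has to be executable and registered so the rc system runs it; on Fedora that is chmod 755 /etc/rc.d/init.d/truecrypt followed by chkconfig --add truecrypt, which reads the chkconfig: header line to pick the runlevels and ordering. Note that a failed mount here is deliberately non-fatal: the machine keeps booting with an empty /home mount point, so anything that writes there before the volume is mounted ends up unencrypted on the underlying filesystem, which is worth checking for after a bad boot.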

This kind of setup is just a first line of defense and should be augmented with additional encrypted partitions and containers (for starters one might also want to encrypt the swap, /tmp and /var in case a program stores some sensitive data there temporarily). One might also want to go all the way and encrypt everything, which becomes a bit more complicated as one has to boot from something. Luckily there’s a good guide on how to encrypt the root file system over at SUSE.
