installs:raspi:argon-oneup:home-setup
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
| installs:raspi:argon-oneup:home-setup [2026/03/01 16:11] – created elraphik | installs:raspi:argon-oneup:home-setup [2026/03/01 20:42] (current) – change info size elraphik | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Home Setup ====== | ====== Home Setup ====== | ||
| + | As said in prior pages, the goal here is to make the SSD the home directory, with encryption enabled, as it is not recommended to do it on the eMMC. | ||
| + | |||
| + | ===== SSD Cleaning and Encryption ===== | ||
| + | |||
| + | So be careful your device does not contain any data you'd like to recover. Mine is brand new so it's not a consideration I have, however I'll still run a couple commands to wipe it. | ||
| + | |||
| + | <code bash> | ||
| + | export DEVICE=/ | ||
| + | export PART=/ | ||
| + | # Wipe disk | ||
| + | sudo wipefs -a $DEVICE | ||
| + | |||
| + | # Make the partition, once in fdisk use g for new GPT table, n for new partition, w to write | ||
| + | # When making the partition, choose the defaults for a full-disk partition | ||
| + | sudo fdisk $DEVICE | ||
| + | g | ||
| + | n | ||
| + | w | ||
| + | |||
| + | # Install cryptsetup and use it to encrypt the device with a passkey | ||
| + | sudo apt update && sudo apt install cryptsetup -y | ||
| + | sudo cryptsetup luksFormat $PART | ||
| + | |||
| + | # Now open the device with passkey, it should be located at / | ||
| + | sudo cryptsetup open $PART crypt_home | ||
| + | export VOLUME=/ | ||
| + | |||
| + | # Add a filesystem to the volume, and add a label | ||
| + | sudo mkfs.ext4 $VOLUME | ||
| + | sudo e2label $VOLUME home | ||
| + | </ | ||
| + | |||
| + | You now have an encrypted disk with a single partition, that has a filesystem, great job! | ||
| + | Now, you may have to migrate the old home files into the new one before we continue, here's how to do so: | ||
| + | |||
| + | <code bash> | ||
| + | # Make temporary mount for migration + configuration | ||
| + | sudo mkdir / | ||
| + | sudo mount / | ||
| + | |||
| + | # Migrate data from old home to new home, trailing slashes are important | ||
| + | sudo rsync -aAXv /home/ / | ||
| + | </ | ||
| + | |||
| + | Great! Let's not configure the auto-mount and auto-decryption of the device on boot. | ||
| + | |||
| + | <code bash> | ||
| + | # Retrieve UUID of the partition | ||
| + | sudo blkid $PART | ||
| + | # Should return / | ||
| + | |||
| + | sudo nano / | ||
| + | # Add crypt_home UUID=YOUR-UUID none luks, | ||
| + | |||
| + | # Now configure your fstab | ||
| + | sudo blkid $VOLUME | ||
| + | sudo nano /etc/fstab | ||
| + | # Add / | ||
| + | </ | ||
| + | |||
| + | <WRAP center round info 100%> | ||
| + | If you pay attention here, you'll notice the " | ||
| + | I noticed that when booting, the prompt for the decryption passphrase does not appear if the disk decryption does not happen during the initramfs boot phase. If not present, it'll try to decypher during the systemd phase, in which you cannot interact with the prompt, so it will timeout and fail pretty hard. | ||
| + | </ | ||
| + | |||
| + | |||
| + | Okay now it's almost all set, just need to move some folders around : | ||
| + | |||
| + | <code bash> | ||
| + | # Archive old home | ||
| + | sudo mv /home /home_old | ||
| + | sudo mkdir /home | ||
| + | </ | ||
| + | |||
| + | You **should** now be able to reboot, and the boot process should ask for a passphrase.\\ | ||
| + | However, if you're like me, you'll need a couple extra steps: | ||
| + | |||
| + | <code bash> | ||
| + | # Install initramfs crypt support | ||
| + | sudo apt install cryptsetup-initramfs | ||
| + | |||
| + | # Regen initramfs | ||
| + | sudo update-initramfs -c -k all | ||
| + | |||
| + | # Now reboot | ||
| + | sudo reboot | ||
| + | </ | ||
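Review bot: In the "SSD Cleaning and Encryption" block, "sudo wipefs -a $DEVICE" only erases filesystem and partition-table signatures, so describing it as a wipe overstates what it does. On a device that has held data, the old contents stay on the disk until they are overwritten. The text should say so, or add an overwrite or discard step before "sudo cryptsetup luksFormat $PART". In the "Archive old home" block, "sudo mv /home /home_old" leaves an unencrypted copy of the home data on the root filesystem and nothing later removes it, which undercuts the stated goal of an encrypted home. Add a cleanup step for /home_old once the new mount has been verified after reboot. The temporary migration mount created before the rsync is also never unmounted. Wording: "Let's not configure the auto-mount" should read "Let's now configure", and "decypher" should be "decrypt". The "g", "n", "w" lines inside the bash block are fdisk keystrokes rather than shell commands and would be safer as comments, so a copy-paste does not run them in the shell.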
installs/raspi/argon-oneup/home-setup.1772381464.txt.gz · Last modified: 2026/03/01 16:11 by elraphik
