Home Setup
As said in prior pages, the goal here is to put the home directory on the SSD, with encryption enabled, as it is not recommended to do it on the eMMC.
SSD Cleaning and Encryption
Be careful that your device does not contain any data you'd like to recover. Mine is brand new so it's not a consideration I have, however I'll still run a couple of commands to wipe it.

    export DEVICE=/dev/nvme0n1

    # Wipe existing filesystem and partition-table signatures from the disk
    sudo wipefs -a "$DEVICE"

    # Make the partition: once in fdisk, use g for a new GPT table, n for a new partition, w to write
    # When making the partition, choose the defaults for a full-disk partition
    sudo fdisk "$DEVICE"
    #   g
    #   n
    #   w

    # Install cryptsetup and use it to encrypt the device with a passphrase
    # Note: $DEVICE is the whole disk, so the LUKS header written here takes the
    # place of the partition table created above and the container spans the entire device
    sudo apt update && sudo apt install cryptsetup -y
    sudo cryptsetup luksFormat "$DEVICE"

    # Now open the device with the passphrase; it will be available at /dev/mapper/crypt_home
    sudo cryptsetup open "$DEVICE" crypt_home
    export VOLUME=/dev/mapper/crypt_home

    # Add a filesystem to the volume, and add a label
    sudo mkfs.ext4 "$VOLUME"
    sudo e2label "$VOLUME" home

You now have an encrypted disk with a single partition, that has a filesystem, great job! Now, you may have to migrate the old home files into the new one before we continue. Here's how to do so:

    # Make temporary mount for migration + configuration
    sudo mkdir /mnt/newhome
    sudo mount /dev/mapper/crypt_home /mnt/newhome

    # Migrate data from old home to new home, trailing slashes are important
    sudo rsync -aAXv /home/ /mnt/newhome/

Great! Let's now configure the auto-mount and decryption of the device on boot.

    # Retrieve UUID of the partition
    sudo blkid /dev/nvme0n1
    # Should return /dev/nvme0n1: UUID="xxxxxxxx-xxxx-xxxx" TYPE="crypto_LUKS"

    sudo nano /etc/crypttab
    # Add:
    #   crypt_home UUID=YOUR-UUID none luks

    # Now configure your fstab
    sudo blkid /dev/mapper/crypt_home
    sudo nano /etc/fstab
    # Add:
    #   UUID=CRYPTHOME-UUID /home ext4 defaults,noatime 0 2

Okay, now it's almost all set, we just need to move some folders around:

    # Archive old home
    sudo mv /home /home_old
    sudo mkdir /home

You should now be able to reboot, and the boot process should ask for a passphrase.
However, if you're like me, you'll need a couple extra steps:

    # Install initramfs crypt support
    sudo apt install cryptsetup-initramfs

    # Regen initramfs
    sudo update-initramfs -u -k all

    # Now reboot
    sudo reboot
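
The setup above involves two different UUIDs: the LUKS container's UUID goes in /etc/crypttab and the UUID of the ext4 filesystem inside it goes in /etc/fstab. The following check, run before rebooting, is an added example and not part of the original page; the function names and the sample UUIDs in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): verify that crypttab and fstab
# reference the expected UUIDs before rebooting.

# Source field of the crypttab entry for mapping name $2 in file $1.
crypttab_source() {
    awk -v n="$2" '$1 !~ /^#/ && $1 == n { print $2; exit }' "$1"
}

# Device field of the fstab entry for mount point $2 in file $1.
fstab_source() {
    awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $1; exit }' "$1"
}

# $1 = crypttab, $2 = fstab, $3 = LUKS container UUID, $4 = ext4 UUID inside it.
# Returns 0 only if both entries point at the expected UUIDs.
check_home_entries() {
    rc=0
    src=$(crypttab_source "$1" crypt_home)
    if [ "$src" != "UUID=$3" ]; then
        echo "crypttab: crypt_home source is '${src:-missing}', expected UUID=$3" >&2
        rc=1
    fi
    src=$(fstab_source "$2" /home)
    if [ "$src" != "UUID=$4" ]; then
        echo "fstab: /home device is '${src:-missing}', expected UUID=$4" >&2
        rc=1
    fi
    return "$rc"
}

# Demo on constructed files; the UUIDs are made-up sample values.
demo_check() {
    tmp=$(mktemp -d) || return 2
    echo 'crypt_home UUID=11111111-aaaa-4aaa-8aaa-111111111111 none luks' > "$tmp/crypttab"
    # Common mistake: the LUKS UUID reused in fstab instead of the filesystem UUID.
    echo 'UUID=11111111-aaaa-4aaa-8aaa-111111111111 /home ext4 defaults,noatime 0 2' > "$tmp/fstab"
    check_home_entries "$tmp/crypttab" "$tmp/fstab" \
        11111111-aaaa-4aaa-8aaa-111111111111 22222222-bbbb-4bbb-8bbb-222222222222
    status=$?
    rm -rf "$tmp"
    return "$status"
}
demo_check || echo "demo: mismatch detected, as intended"

# On the real system (as root), with the device names used on this page:
# check_home_entries /etc/crypttab /etc/fstab \
#     "$(blkid -s UUID -o value /dev/nvme0n1)" \
#     "$(blkid -s UUID -o value /dev/mapper/crypt_home)"
```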
