Encrypting /home on Dell XPS 13 7390

The following procedure adds encryption to pre-installed Ubuntu 18.04 on Dell XPS 13 7390:

  1. Within a console or terminal, sudo into root.
     $ sudo su -

  2. Create a LUKS encrypted file container (20,000 Megabytes or 20GB, for example).
     # dd if=/dev/zero bs=1M count=20000 of=/.hostname-home.img
     # cryptsetup luksFormat /.hostname-home.img

  3. Open the LUKS encrypted file container.
     # cryptsetup luksOpen /.hostname-home.img hostname-home

  4. Format the encrypted filesystem.
     # mkfs.ext4 /dev/mapper/hostname-home

  5. Move the original /home content to a temporary location.
     # mkdir /root/home
     # mv /home/* /root/home/

  6. Mount the encrypted filesystem.
     # mount /dev/mapper/hostname-home /home

  7. Move the /home content into the encrypted filesystem.
     # mv /root/home/* /home/
     # rmdir /root/home

  8. Unmount the encrypted container, potentially flushing (writing) pending data to disk.
     # umount /home

  9. Close the LUKS encrypted file container, potentially flushing (writing) pending data to disk.
     # cryptsetup luksClose hostname-home

  10. Add an entry to /etc/crypttab.
     # echo \
       "hostname-home /.hostname-home.img - tries=0" \
       >> /etc/crypttab

  11. Add an entry to /etc/fstab.
     # echo \
       "/dev/mapper/hostname-home /home ext4 defaults 0 0" \
       >> /etc/fstab
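
A consistency check for the two entries added in the last two steps, as an added example that is not part of the original post: it confirms that the /home line in fstab points at a /dev/mapper device with exactly one matching crypttab entry, since a typo or a repeated >> append leaves /home unencrypted or unmountable at boot. The function name check_home_mapping and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the /home line in an fstab file is backed by
# exactly one mapping in a crypttab file. Both paths are arguments, so the
# check can be run on copies as well as on the files under /etc.

# check_home_mapping CRYPTTAB FSTAB
# Prints "NAME SOURCE" and returns 0 when consistent; returns 1 otherwise.
check_home_mapping() {
    crypttab=$1
    fstab=$2
    # Device field of the last non-comment fstab line mounted on /home.
    dev=$(awk '$1 !~ /^#/ && $2 == "/home" { d = $1 } END { print d }' "$fstab")
    case $dev in
        /dev/mapper/?*) name=${dev#/dev/mapper/} ;;
        *) echo "/home is not on a /dev/mapper device: '$dev'" >&2
           return 1 ;;
    esac
    # Count crypttab lines that define this name; running the echo >> step
    # twice produces duplicates, which this catches.
    count=$(awk -v n="$name" '$1 == n { c++ } END { print c + 0 }' "$crypttab")
    if [ "$count" -ne 1 ]; then
        echo "expected 1 crypttab entry for $name, found $count" >&2
        return 1
    fi
    # Report the mapping name and the container file it is opened from.
    src=$(awk -v n="$name" '$1 == n { print $2 }' "$crypttab")
    echo "$name $src"
}

# Constructed sample files mirroring the two entries from the procedure.
demo_dir=$(mktemp -d)
printf '%s\n' 'hostname-home /.hostname-home.img - tries=0' > "$demo_dir/crypttab"
printf '%s\n' '/dev/mapper/hostname-home /home ext4 defaults 0 0' > "$demo_dir/fstab"
check_home_mapping "$demo_dir/crypttab" "$demo_dir/fstab"
rm -rf "$demo_dir"
```

On the machine itself, run check_home_mapping /etc/crypttab /etc/fstab after the last step and before rebooting.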

I recently received my Dell XPS 13 7390 with pre-installed Ubuntu 18.04. My top concern is securing data such as private SSH keys and passwords saved by Internet browsers from the real possibility of losing my laptop to absent-mindedness or theft. My purist side insists on configuring full disk encryption by performing a fresh install from a publicly available Ubuntu download. My pragmatic side pushed me toward adopting the above procedure. Without the needed transparency from Dell on their additions to Ubuntu, it is difficult to determine whether a publicly available Ubuntu download will fully support the features of my new Dell XPS 7390. The above procedure encrypts any data writable by unprivileged users while remaining unprivileged. It introduces a basic layer of security while allowing enjoyment of a system configured by Dell.

Questions, comments, and responses are welcomed. Spam is really not.
