######### LUKS Disk Encryption ###########
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-encryption
Enter runlevel 1 by typing the following at a shell prompt as root:
telinit 1
Unmount your existing /home:
umount /home
If the command in the previous step fails, use fuser to find processes hogging
/home and kill them:
fuser -mvk /home
Verify /home is no longer mounted:
grep home /proc/mounts
Fill your partition with random data:
shred -v --iterations=1 /dev/VG00/LV_home
This command proceeds at the sequential write speed of your device and may take
some time to complete. It is an important step to ensure no unencrypted data is
left on a used device, and to obfuscate the parts of the device that contain
encrypted data as opposed to just random data.
Initialize your partition:
cryptsetup --verbose --verify-passphrase luksFormat /dev/VG00/LV_home
Open the newly encrypted device:
cryptsetup luksOpen /dev/VG00/LV_home home
Make sure the device is present:
ls -l /dev/mapper | grep home
Create a file system:
mkfs.ext3 /dev/mapper/home
Mount the file system:
mount /dev/mapper/home /home
Make sure the file system is visible:
df -h | grep home
Add the following to the /etc/crypttab file:
home /dev/VG00/LV_home none
Edit the /etc/fstab file, removing the old entry for /home and adding the following
line:
/dev/mapper/home /home ext3 defaults 1 2
Restore default SELinux security contexts:
/sbin/restorecon -v -R /home
Reboot the machine:
shutdown -r now
The entry in /etc/crypttab makes your computer ask for your LUKS passphrase on
boot.
Log in as root and restore your backup.
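
A check for the /etc/crypttab and /etc/fstab edits above, to run before the reboot step. This is an added example, not part of the Red Hat guide: the function name check_luks_boot_config is hypothetical and the sample files are constructed. It reports a crypttab mapping with no /dev/mapper entry in fstab, an old fstab entry that still mounts the backing device, and a mount point listed twice.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): check the crypttab/fstab edits
# before rebooting. Usage: check_luks_boot_config CRYPTTAB FSTAB
# Prints one line per problem; exit status 0 means no problem was found.
check_luks_boot_config() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                 # skip blank lines and comments
        FILENAME == ARGV[1] { dev[$1] = $2; next }    # crypttab: name -> backing device
        { n++; src[n] = $1; mnt[n] = $2; uses[$2]++ } # fstab: device and mount point
        END {
            for (name in dev) {
                mapper = "/dev/mapper/" name; found = 0
                for (i = 1; i <= n; i++) {
                    if (src[i] == dev[name]) {
                        print "fstab still mounts " dev[name] " directly (old entry not removed)"
                        bad = 1
                    }
                    if (src[i] != mapper) continue
                    found = 1
                    if (uses[mnt[i]] > 1) {
                        print "mount point " mnt[i] " is listed more than once in fstab"
                        bad = 1
                    }
                }
                if (!found) {
                    print "crypttab maps " name " but fstab has no " mapper " entry"
                    bad = 1
                }
            }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Constructed sample input: the crypttab line from the procedure and an fstab
# in which the old /home entry was left in place next to the new one.
tmp=$(mktemp -d)
printf '%s\n' 'home /dev/VG00/LV_home none' > "$tmp/crypttab"
printf '%s\n' '/dev/VG00/LV_home /home ext3 defaults 1 2' \
              '/dev/mapper/home /home ext3 defaults 1 2' > "$tmp/fstab"
check_luks_boot_config "$tmp/crypttab" "$tmp/fstab" || echo "fix /etc/fstab before rebooting"
rm -rf "$tmp"
```

On the real system the call is check_luks_boot_config /etc/crypttab /etc/fstab.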