Background
This post shows how to encrypt your home directory with eCryptfs after the initial install, i.e. without reinstalling the OS.
Details
What you will need:
- ecryptfs-utils - most distros will already have this package but I did find my debian (sid) netinstall did not
To encrypt your home directory:
1. You cannot encrypt a user's Home directory while logged in as that user, and you need root privileges to do it. Reboot and select Recovery Mode from the boot menu; this drops you to a shell with root privileges.
2. Once you are at the shell, run the following command, replacing <username> with the name of the user whose Home directory you want to migrate:
$ ecryptfs-migrate-home -u <username>
NOTE: as I was in Recovery Mode, the ecryptfs kernel module was not loaded (indicated by the message "Cannot get ecryptfs version, ecryptfs kernel module not loaded?"). To fix this, load the module first:
$ modprobe ecryptfs
3. The ecryptfs-migrate-home script guides you through encrypting the user's Home directory; it is a relatively short process.
4. After the script completes, it tells you to log in as the user you just migrated BEFORE you reboot. This seems a little tricky from Recovery Mode, but simply type:
$ exit
to log out of your root session, then log in as the migrated user. Check that you receive no odd errors or messages during login and that all of the user's files and directories are present.
5. In addition to the checks in step 4, run:
$ ecryptfs-unwrap-passphrase
(supply the user's login password when it prompts for "Passphrase") and save the value it prints in a safe place. This is the randomly generated mount passphrase that actually protects the data; the login password only wraps it. If the wrapped passphrase file is ever lost or the login password gets out of sync with it, this value is the only way back into the data, so store it outside the encrypted Home directory.
6. Remove the temporary home directory that ecryptfs-migrate-home created (it sits next to the real one, named like /home/<username>.XXXXXXXX) as it is no longer needed. Bear in mind that it is a plaintext copy of the old Home directory, and that rm only unlinks it; the old blocks stay on disk until overwritten.
7. The final step is to test the encryption (I'd hate to go to all of this trouble and let you think your Home directory is encrypted when it actually is not). Boot into Recovery Mode again and change into the user's Home directory. An
$ ls
there should show only two files: "Access-Your-Private-Data.desktop" and "README.txt". Log out from root, log in as the user, and run ls in the Home directory again; now you see the user's normal files and directories. This shows the Home directory is encrypted: while the user is not logged in, other users (root included) see only the placeholders, and the ciphertext itself lives under /home/.ecryptfs/<username>/.Private. Two caveats: once the user logs in and the directory is mounted, root can read it like any other mounted filesystem, and file contents can still leak into unencrypted swap (ecryptfs-utils ships ecryptfs-setup-swap for that).
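The verification in step 7 is easy to get wrong by eye, so here is an added helper script (not from the original post) that performs the same checks from the Recovery Mode root shell: that the unmounted Home shows only the two placeholder files, that the directory is not currently an eCryptfs mount, that the ciphertext store exists, and that no plaintext migration backup was left behind. It assumes the standard ecryptfs-utils layout (homes under /home, ciphertext in /home/.ecryptfs/<user>/.Private, backup at /home/<user>.XXXXXXXX); the mounts file and home root are parameters so the logic can be exercised against a constructed directory tree.

```shell
#!/usr/bin/env bash
# Added verification helper; not part of the original post.
# Assumptions (labelled): home directories live under /home (override with the
# second argument), ecryptfs-utils keeps the ciphertext in
# /home/.ecryptfs/<user>/.Private, and ecryptfs-migrate-home leaves its
# plaintext backup at /home/<user>.XXXXXXXX. Run as root from Recovery Mode,
# i.e. while the user is NOT logged in.

# True if DIR's visible entries are exactly the two placeholder files an
# unmounted eCryptfs home shows. Anything else means the directory is mounted
# (plaintext visible) or was never migrated.
looks_unmounted_encrypted_home() {
    local dir=$1 entry count=0 desktop=0 readme=0
    [ -d "$dir" ] || return 1
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # no match: glob stays literal
        count=$((count + 1))
        case ${entry##*/} in
            Access-Your-Private-Data.desktop) desktop=1 ;;
            README.txt) readme=1 ;;
        esac
    done
    [ "$count" -eq 2 ] && [ "$desktop" -eq 1 ] && [ "$readme" -eq 1 ]
}

# True if DIR is currently an eCryptfs mount target. MOUNTS defaults to
# /proc/mounts (fields: source target fstype options dump pass); a file can be
# passed instead so the check is testable offline.
ecryptfs_mounted() {
    local dir=$1 mounts=${2:-/proc/mounts}
    awk -v target="$dir" '$2 == target && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$mounts"
}

# Print any leftover plaintext backup directories (<home_root>/<user>.*), one
# per line. These hold the unencrypted copy of the old home and must go.
find_migration_backups() {
    local home_root=$1 user=$2 d
    for d in "$home_root/$user".*; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Run all checks for one user; the exit status is the number of failures.
# verify_encrypted_home <user> [home_root] [mounts_file]
verify_encrypted_home() {
    local user=$1 home_root=${2:-/home} mounts=${3:-/proc/mounts} home failures=0 backups
    home="$home_root/$user"
    if ecryptfs_mounted "$home" "$mounts"; then
        echo "WARN: $home is mounted right now, so root can read its plaintext; log the user out and re-run"
        failures=$((failures + 1))
    elif looks_unmounted_encrypted_home "$home"; then
        echo "OK:   $home shows only Access-Your-Private-Data.desktop and README.txt"
    else
        echo "FAIL: $home does not look like an unmounted eCryptfs home"
        failures=$((failures + 1))
    fi
    if [ -d "$home_root/.ecryptfs/$user/.Private" ]; then
        echo "OK:   ciphertext store present at $home_root/.ecryptfs/$user/.Private"
    else
        echo "FAIL: no ciphertext store at $home_root/.ecryptfs/$user/.Private"
        failures=$((failures + 1))
    fi
    backups=$(find_migration_backups "$home_root" "$user")
    if [ -n "$backups" ]; then
        echo "FAIL: plaintext migration backup still on disk (remove it):"
        echo "$backups" | sed 's/^/      /'
        failures=$((failures + 1))
    else
        echo "OK:   no leftover migration backup under $home_root"
    fi
    return "$failures"
}

# Usage from the Recovery Mode root shell: bash verify-ecryptfs-home.sh <username>
if [ $# -ge 1 ]; then
    verify_encrypted_home "$@"
fi
```

Run it once before the user logs in (all checks should pass) and once more after the user has logged in and out again, which confirms the wrapped passphrase actually unlocks the store. A WARN from the mount check means you are looking at the mounted plaintext, not at the encryption, so the "two files only" result is meaningless at that moment.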
I hope you find the above info useful. If you have questions/feedback please contact us.