How to encrypt /home/username folder on Linux if not done during OS installation

Fli
09-27-2020, 10:26 AM
I tried the following and it appears to be working. Feedback is welcome:

If you do NOT have a user account with sudo rights (for example "root"), excluding the one you want to encrypt, then do:

sudo useradd -M encrypt-admin;sudo passwd encrypt-admin
sudo EDITOR=nano visudo
sudo usermod -aG sudo encrypt-admin

endif

In all cases reboot the computer to prevent locked files, then log in to a different account than the one you want to encrypt, for example root or the previously created encrypt-admin account. Run:

sudo apt-get install ecryptfs-utils cryptsetup

Check that the /home partition has at least 2.5 times as much free space as the size of the account to encrypt:

df -h|egrep "home|Size";du -h /home/usertoencrypt --max-depth=1 2>/dev/null|sort -h
(the previous command can take a long time to complete)


sudo ecryptfs-migrate-home -u youruseraccounttoencrypt

Then it invited me to log in to the account that was encrypted and run the command:

sudo ecryptfs-unwrap-passphrase /home/.ecryptfs/myaccountname/.ecryptfs/wrapped-passphrase

This random passphrase should be needed to recover the data if I do not know the account password, so it is good to save it to a safe place outside of the encrypted user account.

It is said that I need to add my account password to the kernel keyring:

ecryptfs-add-passphrase

I can delete the temporary sudo account if I created it:

sudo userdel encrypt-admin

I can "reboot" and if everything works - can open and edit files, i can delete backup files located in /home/username.randomphrase:
sudo find /home/username.* -delete

Encrypt swap too, to prevent leaking some data?

$ sudo ecryptfs-setup-swap

THE SWAP ENCRYPTION CONFIGURATION PRODUCED BY THIS PROGRAM WILL BREAK HIBERNATE/RESUME ON THIS SYSTEM!

NOTE: Your suspend/resume capabilities will not be affected.

Do you want to proceed with encrypting your swap? [y/N]: y

INFO: Setting up swap: [/dev/sdb2]
WARNING: Commented out your unencrypted swap from /etc/fstab
swapon: cannot open /dev/mapper/cryptswap1: No such file or directory
Feedback welcome.
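The free-space check above is done by eye from df and du output. As an added example (not from the post or from the ecryptfs-utils project), here is a small POSIX sh pre-flight script that measures the home directory and the free space on its filesystem in KiB and applies the post's rule that free space must be at least 2.5 times the home size before running ecryptfs-migrate-home. The function names, the split into a pure arithmetic check and a filesystem wrapper, and the 2.5 ratio taken from the post are the only assumptions; the migration itself keeps the original directory as a backup, which is why the extra room is needed.

```shell
#!/bin/sh
# Added example: pre-flight free-space check for ecryptfs-migrate-home.
# Not part of the original post; function names are this example's own.

# Pure arithmetic check so it can be tested without touching the filesystem.
# $1 = size of the home directory in KiB, $2 = free space on its filesystem in KiB.
# Returns 0 (true) when free space is at least 2.5 times the home size.
has_enough_space() {
    home_kib=$1
    free_kib=$2
    # free >= 2.5 * home, written as free*2 >= home*5 to stay in integer arithmetic
    [ "$((free_kib * 2))" -ge "$((home_kib * 5))" ]
}

# Filesystem wrapper: du -sk gives the directory size in KiB, df -Pk gives the
# available space of the filesystem holding it (4th column of the POSIX format).
# Prints a verdict and returns 0 when migration is safe to attempt, 1 otherwise.
check_home_for_migration() {
    home_dir=$1
    home_kib=$(du -sk "$home_dir" 2>/dev/null | awk '{print $1}')
    free_kib=$(df -Pk "$home_dir" | awk 'NR==2 {print $4}')
    # Guard against an unreadable directory or a missing mount point.
    if [ -z "$home_kib" ] || [ -z "$free_kib" ]; then
        echo "ERROR: could not measure $home_dir" >&2
        return 2
    fi
    if has_enough_space "$home_kib" "$free_kib"; then
        echo "OK: $home_dir uses ${home_kib} KiB, ${free_kib} KiB free (>= 2.5x)"
        return 0
    fi
    echo "NOT ENOUGH SPACE: $home_dir uses ${home_kib} KiB, only ${free_kib} KiB free, need $((home_kib * 5 / 2)) KiB"
    return 1
}

# Usage (run as a user that can read the whole home directory):
#   check_home_for_migration /home/usertoencrypt && sudo ecryptfs-migrate-home -u usertoencrypt
```

Running the check as root (or via sudo) matters, because du skips files it cannot read and would under-report the size of another user's home; the `2>/dev/null` only hides those permission messages, it does not correct the total.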