Fli
09-27-2020, 10:26 AM
I tried the following and it appears to be working. Feedback is welcome:
If you do NOT have a user account with sudo rights (for example "root"), excluding the one you want to encrypt, then do:
sudo useradd -M encrypt-admin;sudo passwd encrypt-admin
sudo EDITOR=nano visudo
sudo usermod -aG sudo encrypt-admin
endif
In all cases reboot the computer to prevent locked files, then log in to a different account than the one you want to encrypt, for example root or the previously created encrypt-admin account. Run:
sudo apt-get install ecryptfs-utils cryptsetup
Check that the /home partition has at least 2.5 times as much free space as the size of the account to encrypt:
df -h | grep -E "home|Size"; du -h --max-depth=1 /home/usertoencrypt 2>/dev/null | sort -h
(the previous command can take a long time to complete)
sudo ecryptfs-migrate-home -u youruseraccounttoencrypt
Then it invited me to log in to the account that was encrypted and run the command:
sudo ecryptfs-unwrap-passphrase /home/.ecryptfs/myaccountname/.ecryptfs/wrapped-passphrase
This random passphrase should be needed to recover data if I do not know the account password. So it is good to save it in a safe place outside of the encrypted user account.
It is said that I need to add my account password to the kernel keyring:
ecryptfs-add-passphrase
I can delete the temporary sudo account if I created it:
sudo userdel encrypt-admin
I can "reboot" and if everything works (I can open and edit files), I can delete the backup files located in /home/username.randomphrase:
sudo find /home/username.* -delete
Encrypting swap also to prevent leaking some data?
$ sudo ecryptfs-setup-swap
THE SWAP ENCRYPTION CONFIGURATION PRODUCED BY THIS PROGRAM WILL BREAK HIBERNATE/RESUME ON THIS SYSTEM!
NOTE: Your suspend/resume capabilities will not be affected.
Do you want to proceed with encrypting your swap? [y/N]: y
INFO: Setting up swap: [/dev/sdb2]
WARNING: Commented out your unencrypted swap from /etc/fstab
swapon: cannot open /dev/mapper/cryptswap1: No such file or directory
Feedback welcome
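The 2.5x free-space check from the post above, written as a pass/fail script. This is an added example, not part of the original post: the function names and the choice of `du -sk` / `df -Pk` are this example's assumptions, and the 2.5 factor is the one the post states.

```shell
#!/bin/sh
# Added example: pre-flight check for the 2.5x free-space rule the post gives
# before running ecryptfs-migrate-home. Function names are illustrative.

# enough_space USED_KB AVAIL_KB -> exit 0 if AVAIL_KB >= 2.5 * USED_KB.
# Integer form of the comparison: avail * 2 >= used * 5.
enough_space() {
    [ $(( $2 * 2 )) -ge $(( $1 * 5 )) ]
}

# dir_used_kb DIR -> size of DIR in KiB (errors from unreadable files hidden)
dir_used_kb() {
    du -sk "$1" 2>/dev/null | awk '{print $1}'
}

# fs_avail_kb DIR -> free KiB on the filesystem that holds DIR
fs_avail_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}'
}

# check_home HOME_DIR -> prints the figures; returns 0 only if the rule holds,
# 1 if there is too little space, 2 if the directory cannot be measured.
check_home() {
    used=$(dir_used_kb "$1")
    avail=$(fs_avail_kb "$1")
    if [ -z "$used" ] || [ -z "$avail" ]; then
        echo "cannot measure $1" >&2
        return 2
    fi
    echo "home=$1 used_kb=$used avail_kb=$avail need_kb=$(( used * 5 / 2 ))"
    enough_space "$used" "$avail"
}

# Usage: sh check.sh /home/usertoencrypt   (placeholder path, as in the post)
if [ -n "${1:-}" ]; then
    check_home "$1" || echo "do not start the migration yet" >&2
fi
```

Run it with sudo from the separate admin account so `du` can read every file in the home directory being measured.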