How to Encrypt your Home Directory after Installing Ubuntu

Here I demo encrypting home directories, post installation, using eCryptfs. Note that encrypting only your home directory is not recommended, as it carries potential security risks: any data outside this directory, including /etc, remains unencrypted and could reveal sensitive data.

From Ubuntu 18.04 LTS onwards, Ubuntu removed the installer option that allowed you to encrypt the home directory, as it was considered buggy, not well maintained and insecure. The current recommended approach is to encrypt the entire drive using LUKS. This method is supported during the installation.

If doing full disk encryption with LUKS is not an option for you, then I guess just encrypting the home directory is better than nothing.

Ubuntu 20.04 LTS

Install the following encryption utilities.

wojak@u20:~$ sudo apt install ecryptfs-utils cryptsetup

The encryption needs to be done from another user account that also has sudo privileges. If you don’t already have such an account that you can use, you’ll need to create one first:

wojak@u20:~$ sudo adduser tmpadmin
wojak@u20:~$ sudo usermod -aG sudo tmpadmin

Log out of the session and sign in with the new temporary admin user. Open up a terminal and run the following to start the encryption.

This is the directory we are going to encrypt.

tmpadmin@u20:~$ sudo ls -la ~wojak/
[sudo] password for tmpadmin: 
total 76
drwxr-xr-x 15 wojak wojak 4096 Jul  5 15:08 .
drwxr-xr-x  4 root  root  4096 Jul  5 15:10 ..
-rw-------  1 wojak wojak  199 Jul  5 15:12 .bash_history
-rw-r--r--  1 wojak wojak  220 Jul  5 14:41 .bash_logout
-rw-r--r--  1 wojak wojak 3771 Jul  5 14:41 .bashrc
drwx------ 12 wojak wojak 4096 Jul  5 15:05 .cache
drwx------ 11 wojak wojak 4096 Jul  5 15:08 .config
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Desktop
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Documents
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Downloads
drwx------  3 wojak wojak 4096 Jul  5 15:02 .gnupg
drwxr-xr-x  3 wojak wojak 4096 Jul  5 14:53 .local
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Music
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Pictures
-rw-r--r--  1 wojak wojak  807 Jul  5 14:41 .profile
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Public
drwx------  2 wojak wojak 4096 Jul  5 15:02 .ssh
-rw-r--r--  1 wojak wojak    0 Jul  5 15:03 .sudo_as_admin_successful
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Templates
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Videos

Start the encryption like so:

tmpadmin@u20:~$ sudo ecryptfs-migrate-home -u wojak

If you get a warning similar to the lsof one below, you can safely ignore it.

tmpadmin@u20:~$ sudo ecryptfs-migrate-home -u wojak
INFO:  Checking disk space, this may take a few moments.  Please be patient.
INFO:  Checking for open files in /home/wojak
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1001/gvfs
      Output information may be incomplete.
Enter your login passphrase [wojak]: 

You should see some output like this:

========================================================================
Some Important Notes!

 1. The file encryption appears to have completed successfully, however,
    wojak MUST LOGIN IMMEDIATELY, _BEFORE_THE_NEXT_REBOOT_,
    TO COMPLETE THE MIGRATION!!!

 2. If wojak can log in and read and write their files, then the migration is complete,
    and you should remove /home/wojak.tXv1N8U9.
    Otherwise, restore /home/wojak.tXv1N8U9 back to /home/wojak.

 3. wojak should also run 'ecryptfs-unwrap-passphrase' and record
    their randomly generated mount passphrase as soon as possible.

 4. To ensure the integrity of all encrypted data on this system, you
    should also encrypt swap space with 'ecryptfs-setup-swap'.
========================================================================

We must now log out (not reboot) of the tmpadmin session and log back in to our own user account. Once logged in, check that you can read and write:

wojak@u20:~$ touch ~/test.txt
wojak@u20:~$ rm -v ~/test.txt
removed '/home/wojak/test.txt'

To display the recovery key (the randomly generated mount passphrase mentioned in the notes above), issue the command below. Record and save the passphrase – you’ll need it to recover the data.

wojak@u20:~$ ecryptfs-unwrap-passphrase
Passphrase: 
05ad82ae67938c92e89e4d6343a1ca06

You might also want to encrypt the swap partition. First check that you have swap enabled:

wojak@u20:~$ swapon -s
Filename				Type		Size	Used	Priority
/swapfile                              	file    	703976	0	-2

Assuming you do – run:

$ sudo ecryptfs-setup-swap

This did not seem to work for me. My output looked like this.

WARNING:
An encrypted swap is required to help ensure that encrypted files are not leaked to disk in an unencrypted format.

HOWEVER, THE SWAP ENCRYPTION CONFIGURATION PRODUCED BY THIS PROGRAM WILL BREAK HIBERNATE/RESUME ON THIS SYSTEM!

NOTE: Your suspend/resume capabilities will not be affected.

Do you want to proceed with encrypting your swap? [y/N]: y

INFO: Setting up swap: [/swapfile]
WARNING: Commented out your unencrypted swap from /etc/fstab
swapon: cannot open /dev/mapper/cryptswap1: No such file or directory

I rebooted and everything seemed to work. I was still able to read/write…

wojak@u20:~$ touch test.txt
wojak@u20:~$ echo "blah blah blah" > test.txt
wojak@u20:~$ cat test.txt
blah blah blah
wojak@u20:~$ rm -v test.txt
removed 'test.txt'

…and my new swap file was present:

wojak@u20:~$ swapon -s
Filename				Type		Size	Used	Priority
/dev/dm-0                              	partition	703464	0	-2

If you were able to log in and read/write, then the encryption was successful, and you can now remove the backup directory that the migration left behind (its name is given in the migration output above). If you were not, restore this directory back to /home/wojak instead.

wojak@u20:~$ sudo rm -Rf /home/wojak.tXv1N8U9

You can now also remove the temporary user we created.

wojak@u20:~$ sudo deluser --remove-home tmpadmin
[sudo] password for wojak: 
Looking for files to backup/remove ...
Removing files ...
Removing user `tmpadmin' ...
Warning: group `tmpadmin' has no more members.
Done.

And that should hopefully be it!
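
The end state of the steps above can be checked with a short script: home mounted through eCryptfs, no swap outside a mapped device, and no leftover backup copy. This is an added example, not part of the original post; the script name audit.sh, the function names and the sample data in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): post-migration checks to run
# while the migrated user is logged in. Inputs are /proc/mounts and /proc/swaps.

# Succeeds if /home/USER is mounted with filesystem type ecryptfs.
home_is_ecryptfs() {  # USER [MOUNTS_FILE]
    awk -v mp="/home/$1" '$2 == mp && $3 == "ecryptfs" { ok = 1 }
        END { exit !ok }' "${2:-/proc/mounts}"
}

# Prints active swap areas that are not device-mapper nodes. Heuristic only:
# dm-* can also be plain LVM, so confirm with "cryptsetup status <name>".
plaintext_swap() {  # [SWAPS_FILE]
    awk 'NR > 1 && $1 !~ "^/dev/(dm-|mapper/)" { print $1 }' "${1:-/proc/swaps}"
}

# Prints leftover plaintext copies named HOME_ROOT/USER.XXXXXXXX.
leftover_backups() {  # USER [HOME_ROOT]
    for d in "${2:-/home}/$1".????????; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; fi
    done
}

# Runs all three checks, prints findings, returns non-zero if any exist.
audit_home() {  # USER [MOUNTS_FILE] [SWAPS_FILE] [HOME_ROOT]
    rc=0
    home_is_ecryptfs "$1" "${2:-/proc/mounts}" ||
        { echo "FAIL: /home/$1 is not an ecryptfs mount"; rc=1; }
    for s in $(plaintext_swap "${3:-/proc/swaps}"); do
        echo "FAIL: swap area $s is not on a device-mapper node"; rc=1
    done
    for b in $(leftover_backups "$1" "${4:-/home}"); do
        echo "FAIL: plaintext backup $b is still on disk"; rc=1
    done
    return "$rc"
}

# Constructed sample data: encrypted home, plain swap file, backup left behind.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/home/wojak.tXv1N8U9"
    echo '/home/.ecryptfs/wojak/.Private /home/wojak ecryptfs rw 0 0' > "$t/mounts"
    printf '%s\n' 'Filename Type Size Used Priority' '/swapfile file 703976 0 -2' > "$t/swaps"
    r=0; audit_home wojak "$t/mounts" "$t/swaps" "$t/home" || r=$?
    rm -rf "$t"; return "$r"
}

# With a user name, audit the live system (sh audit.sh wojak); else run demo.
if [ "$#" -ge 1 ]; then audit_home "$@"; else demo || true; fi
```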
