Note that encrypting only your home directory is not recommended, because it leaves real gaps. Everything outside that directory stays unencrypted: /etc, logs and caches under /var, /tmp, swap (unless you encrypt it separately, which is covered below) and any file the user saves elsewhere, so sensitive data can still be exposed.
Ubuntu removed the option during installation that allowed you to encrypt the home directory from Ubuntu 18.04 LTS onwards as it was considered buggy, not well maintained and insecure. The current recommended approach is to encrypt the entire drive using LUKS. This is supported during the installation.
If doing full disk encryption with LUKS is not an option for you, then I guess just encrypting the home directory is better than nothing. This seems to be the decision we’ve made at my work so I’m testing out the process.
Ubuntu 20.04 LTS
Install the encryption utilities. ecryptfs-utils provides the migration and passphrase tools; cryptsetup is needed for the encrypted swap step later on.
$ sudo apt install ecryptfs-utils cryptsetup
The migration has to be run from a different account that also has sudo privileges: ecryptfs-migrate-home moves the entire home directory and refuses to run while the target user is logged in or has files open. It also needs enough free disk space for a second complete copy of the home directory (the script checks this before it starts). If you don't already have such an account, create one first:
$ sudo adduser tmpadmin
$ sudo usermod -aG sudo tmpadmin
Log out of wojak's session completely (no lingering processes) and sign in as the new temporary admin user. Open a terminal and run the following to start the encryption.
This is the directory we are going to encrypt. Note that it already holds exactly the kind of material that makes encryption worthwhile: .ssh, .gnupg and .bash_history.
$ sudo ls -la ~wojak/
[sudo] password for tmpadmin:
total 76
drwxr-xr-x 15 wojak wojak 4096 Jul  5 15:08 .
drwxr-xr-x  4 root  root  4096 Jul  5 15:10 ..
-rw-------  1 wojak wojak  199 Jul  5 15:12 .bash_history
-rw-r--r--  1 wojak wojak  220 Jul  5 14:41 .bash_logout
-rw-r--r--  1 wojak wojak 3771 Jul  5 14:41 .bashrc
drwx------ 12 wojak wojak 4096 Jul  5 15:05 .cache
drwx------ 11 wojak wojak 4096 Jul  5 15:08 .config
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Desktop
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Documents
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Downloads
drwx------  3 wojak wojak 4096 Jul  5 15:02 .gnupg
drwxr-xr-x  3 wojak wojak 4096 Jul  5 14:53 .local
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Music
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Pictures
-rw-r--r--  1 wojak wojak  807 Jul  5 14:41 .profile
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Public
drwx------  2 wojak wojak 4096 Jul  5 15:02 .ssh
-rw-r--r--  1 wojak wojak    0 Jul  5 15:03 .sudo_as_admin_successful
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Templates
drwxr-xr-x  2 wojak wojak 4096 Jul  5 14:53 Videos
Start the migration. The script checks free space and open files, then asks for wojak's login password (not tmpadmin's); that password is used to wrap the randomly generated mount passphrase that actually encrypts the files. If you get a warning like the lsof one below, you can safely ignore it: lsof cannot stat the GVFS FUSE mount of the current desktop session, which has nothing to do with the directory being migrated.
$ sudo ecryptfs-migrate-home -u wojak
INFO: Checking disk space, this may take a few moments. Please be patient.
INFO: Checking for open files in /home/wojak
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1001/gvfs
      Output information may be incomplete.
Enter your login passphrase [wojak]:
You should see output like this:
========================================================================
Some Important Notes!
 1. The file encryption appears to have completed successfully, however,
    wojak MUST LOGIN IMMEDIATELY, _BEFORE_THE_NEXT_REBOOT_,
    TO COMPLETE THE MIGRATION!!!
 2. If wojak can log in and read and write their files, then the migration is
    complete, and you should remove /home/wojak.tXv1N8U9.
    Otherwise, restore /home/wojak.tXv1N8U9 back to /home/wojak.
 3. wojak should also run 'ecryptfs-unwrap-passphrase' and record their
    randomly generated mount passphrase as soon as possible.
 4. To ensure the integrity of all encrypted data on this system, you should
    also encrypt swap space with 'ecryptfs-setup-swap'.
========================================================================
We must now log out (not reboot) of the tmpadmin session and log back in as our own user. Logging in lets pam_ecryptfs unwrap the mount passphrase with the login password and mount the encrypted home on its own, which proves the migration works while the unencrypted backup copy is still there to fall back on. The backup directory name (/home/wojak.tXv1N8U9 here) gets a random suffix on every run, so use the one your output printed. Once logged in, check that you can read and write:
$ touch ~/test.txt
$ rm -v ~/test.txt
removed '/home/wojak/test.txt'
Now record the mount passphrase. ecryptfs-unwrap-passphrase does not generate anything: it prompts for your login password and uses it to unwrap the randomly generated mount passphrase stored in ~/.ecryptfs/wrapped-passphrase, which is the key that actually protects the files. Write it down and keep it somewhere safe and offline. If you forget your login password or that wrapped-passphrase file is lost, this value is the only way to get the data back (for example with ecryptfs-recover-private from a live system).
$ ecryptfs-unwrap-passphrase
Passphrase:
05ad82ae67938c92e89e4d6343a1ca06
You should also encrypt swap; otherwise pages of decrypted files can be written to it in the clear. First check whether swap is enabled at all:
$ swapon -s
Filename                Type    Size    Used    Priority
/swapfile               file    703976  0       -2
Assuming you do, run the following. It reconfigures the swap as a dm-crypt device (cryptswap1, via /etc/crypttab) keyed with a fresh random key from /dev/urandom on every boot, which is why the tool warns that hibernate/resume will stop working:
$ sudo ecryptfs-setup-swap
This did not seem to work for me. My output looked like this.
WARNING:
An encrypted swap is required to help ensure that encrypted files are not leaked to disk in an unencrypted format.

HOWEVER, THE SWAP ENCRYPTION CONFIGURATION PRODUCED BY THIS PROGRAM WILL BREAK HIBERNATE/RESUME ON THIS SYSTEM!

NOTE: Your suspend/resume capabilities will not be affected.

Do you want to proceed with encrypting your swap? [y/N]: y
INFO: Setting up swap: [/swapfile]
WARNING: Commented out your unencrypted swap from /etc/fstab
swapon: cannot open /dev/mapper/cryptswap1: No such file or directory
I rebooted and everything seemed to work. I was still able to read/write...
$ touch test.txt
$ echo "blah blah blah" > test.txt
$ cat test.txt
blah blah blah
$ rm -v test.txt
removed 'test.txt'
...and my new swap file was present:
$ swapon -s
Filename                Type      Size    Used    Priority
/dev/dm-0               partition 703464  0       -2
If you were able to log in and read/write, the migration was successful and you can remove the unencrypted backup copy (use the directory name your own run printed; the eight-character suffix is random). If you were not, restore that directory to /home/wojak as the migration notes above describe instead of deleting it. Bear in mind that rm only unlinks the files: the plaintext blocks stay on the underlying filesystem until they happen to be overwritten, which is one more reason full-disk encryption is the better option.
$ sudo rm -Rf /home/wojak.tXv1N8U9
You can now also remove the temporary user we created, together with its home directory.
$ sudo deluser --remove-home tmpadmin
[sudo] password for wojak:
Looking for files to backup/remove ...
Removing files ...
Removing user `tmpadmin' ...
Warning: group `tmpadmin' has no more members.
Done.
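To tie the checks above together, here is an added audit script (my own example, not part of the original post or of ecryptfs-utils) that re-verifies the end state the whole procedure is aiming for: the home directory is a live ecryptfs mount, the wrapped mount passphrase exists, no plaintext swap is active or still enabled in /etc/fstab, and the plaintext backup copy that ecryptfs-migrate-home left under /home is gone. Each check takes its input as text so it can be exercised against captured output; the `... on /home/<user> type ecryptfs` mount line format and the `/home/<user>.XXXXXXXX` backup naming are assumptions based on the ecryptfs-utils defaults on Ubuntu 20.04.

```shell
#!/bin/sh
# Post-migration audit for an ecryptfs-encrypted home on Ubuntu 20.04.
# Added example, not part of the original post. Every check is a function that
# takes its input as text, so it can be run on captured output; audit() at the
# bottom gathers the live data when the script is run on the migrated machine.

# 1. Is /home/$user really an ecryptfs mount right now?
#    Takes the output of `mount`. Assumption: the mount line looks like
#    "/home/wojak/.Private on /home/wojak type ecryptfs (rw,...)".
home_is_ecryptfs() {           # $1 = mount output, $2 = username
    printf '%s\n' "$1" | grep -q " on /home/$2 type ecryptfs "
}

# 2. Any active swap that is not a device-mapper (dm-crypt) target?
#    Takes `swapon --show=NAME,TYPE --noheadings` output; prints offenders.
plain_swap_entries() {         # $1 = swapon output
    printf '%s\n' "$1" | awk '$1 != "" && $1 !~ /^\/dev\/(mapper\/|dm-)/ { print $1 }'
}

# 3. Any uncommented swap line in fstab that is not /dev/mapper/...?
#    ecryptfs-setup-swap is supposed to have commented the plaintext entry out.
plain_swap_in_fstab() {        # $1 = fstab contents
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $3 == "swap" && $1 !~ /^\/dev\/mapper\// { print $1 }'
}

# 4. Is the plaintext copy left behind by ecryptfs-migrate-home still there?
#    Assumption: it lives at /home/$user.XXXXXXXX (random 8-character suffix).
#    $1 is the base directory so a test can point it at a scratch directory.
leftover_plaintext_copies() {  # $1 = base dir, $2 = username
    find "$1" -maxdepth 1 -mindepth 1 -type d -name "$2.????????" 2>/dev/null
}

# 5. Has the mount passphrase been wrapped with the login password?
#    Without this file pam_ecryptfs cannot mount the home at login.
wrapped_passphrase_present() { # $1 = home directory
    [ -f "$1/.ecryptfs/wrapped-passphrase" ]
}

# Live audit: prints one FAIL line per problem and returns 1 if any was found.
audit() {                      # $1 = username
    rc=0
    u=$1
    home_is_ecryptfs "$(mount)" "$u" || { echo "FAIL: /home/$u is not an ecryptfs mount"; rc=1; }
    bad=$(plain_swap_entries "$(swapon --show=NAME,TYPE --noheadings)")
    [ -z "$bad" ] || { echo "FAIL: unencrypted swap active: $bad"; rc=1; }
    bad=$(plain_swap_in_fstab "$(cat /etc/fstab)")
    [ -z "$bad" ] || { echo "FAIL: plaintext swap still enabled in /etc/fstab: $bad"; rc=1; }
    left=$(leftover_plaintext_copies /home "$u")
    [ -z "$left" ] || { echo "FAIL: plaintext copy of the old home still present: $left"; rc=1; }
    wrapped_passphrase_present "/home/$u" || { echo "FAIL: /home/$u/.ecryptfs/wrapped-passphrase missing"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: home of $u is encrypted, swap is encrypted, no plaintext leftovers"
    return $rc
}

# Run the live audit only when a username is given, e.g. `sh audit.sh wojak`.
[ -n "$1" ] && audit "$1"
```

Run it as the migrated user after the reboot (`sh audit.sh wojak`); no root is needed because it only reads /proc/swaps, /etc/fstab, the mount table and your own ~/.ecryptfs. Any FAIL line is something to fix before you consider the machine done; a leftover plaintext copy in particular should be removed as shown above.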
And that should hopefully be it!