Differences between revisions 25 and 26
Revision 25 as of 2018-05-12 18:07:23
Size: 1436
Editor: ?ReubenHonigwachs
Comment: Without lsof ecryptfs-migrate-home will not be able to check the user is logged out and has no open files.
Revision 26 as of 2021-03-12 22:50:21
Size: 1769
Editor: ?Felix Lechner
Comment: Re-add note about gocryptfs, which was unduly removed
Deletions are marked like this. Additions are marked like this.
Line 6: Line 6:

{{{#!wiki caution
'''Check out a new alternative'''

Before you proceed, please check out DebianPkg:gocryptfs.
It is comparable to DebianPkg:encfs, but
offers better encryption at similar speeds. (It also works great
over NFSv4.) You can use regular
DebianPkg:libpam-mount to make your home folder available at login.
}}}

Translation(s): English - Italiano


Transparent Encryption For a User's Home Folder

Check out a new alternative

Before you proceed, please check out gocryptfs. It is comparable to encfs, but offers better encryption at similar speeds. (It also works great over NFSv4.) You can use regular libpam-mount to make your home folder available at login.

Requirements

First install the packages ecryptfs-utils and rsync:

sudo apt-get install ecryptfs-utils rsync lsof

Then load the ecryptfs kernel module:

sudo modprobe ecryptfs

And make it permanent in /etc/modules-load.d/modules.conf.

Assisted Encrypted Home Directory

The user whose home directory you want to encrypt MUST NOT be logged in. For example, you can be logged as root in a tty.

Then run as root:

ecryptfs-migrate-home -u <username>

When this is done the user must login BEFORE rebooting the computer.

If the user can access the files in the users home directory you can remove the backup folder in /home/<username>.<random characters>

The user should also run this command to get the random encryption key and store it in a secure location (outside the encrypted home directory and not on the same machine) in case a recovery is needed:

ecryptfs-unwrap-passphrase

Assisted Encrypted Swap Partition

To encrypt the swap partition too:

sudo apt-get install cryptsetup
sudo ecryptfs-setup-swap


CategoryDesktop CategoryQuickIntroduction