Comment: Without lsof ecryptfs-migrate-home will not be able to check the user is logged out and has no open files.
Revision 26 as of 2021-03-12 22:50:21
Re-add note about gocryptfs, which was unduly removed
Line 6: | Line 6: |
{{{#!wiki caution '''Check out a new alternative''' Before you proceed, please check out DebianPkg:gocryptfs. It is comparable to DebianPkg:encfs, but offers better encryption at similar speeds. (It also works great over NFSv4.) You can use regular DebianPkg:libpam-mount to make your home folder available at login. }}} |
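Review bot: The added caution measures gocryptfs against encfs ("comparable to DebianPkg:encfs"), but the rest of this page documents ecryptfs, so the reader is not told how the alternative relates to the tool they are about to set up. Suggest comparing against ecryptfs, or saying why encfs is the reference point. The claims "better encryption at similar speeds" and "works great over NFSv4" also carry no link or source; a reference would let readers verify them before choosing.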
Transparent Encryption For a User's Home Folder
Check out a new alternative
Before you proceed, please check out gocryptfs. It is comparable to encfs, but offers better encryption at similar speeds. (It also works great over NFSv4.) You can use regular libpam-mount to make your home folder available at login.
Requirements
First install the packages ecryptfs-utils, rsync and lsof:
sudo apt-get install ecryptfs-utils rsync lsof
Then load the ecryptfs kernel module:
sudo modprobe ecryptfs
To load it at every boot, add a line containing ecryptfs to /etc/modules-load.d/modules.conf.
Assisted Encrypted Home Directory
The user whose home directory you want to encrypt MUST NOT be logged in. For example, you can be logged in as root on a tty.
Then run as root:
ecryptfs-migrate-home -u <username>
When this is done, the user must log in BEFORE the computer is rebooted.
If the user can access the files in the user's home directory, you can remove the backup folder in /home/<username>.<random characters>
The user should also run the following command to print the random encryption key, then store that key in a secure location (outside the encrypted home directory and not on the same machine) in case recovery is needed:
ecryptfs-unwrap-passphrase
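The checks implied by the steps above can be scripted. This is an added example, not part of the wiki page or of ecryptfs-utils; the function names are hypothetical, and it assumes pgrep (procps) is available and that the migrated home appears in /proc/mounts with filesystem type ecryptfs.

```shell
#!/bin/sh
# Added example: pre- and post-migration checks around ecryptfs-migrate-home.
# File paths are arguments so each check can also be tried on sample files.

# True if "ecryptfs" is listed on its own line in a modules-load.d file.
# Commented-out entries (#ecryptfs) do not count.
module_persistent() {
    grep -Eq '^[[:space:]]*ecryptfs[[:space:]]*$' "$1"
}

# True if the running kernel has the ecryptfs filesystem registered.
# $1: file in /proc/filesystems format
module_loaded() {
    grep -Eq '(^|[[:space:]])ecryptfs$' "$1"
}

# True if directory $2 is a mount point of type ecryptfs.
# $1: file in /proc/mounts format (device mountpoint fstype options ...)
home_is_ecryptfs() {
    awk -v dir="$2" '$2 == dir && $3 == "ecryptfs" { found = 1 }
                     END { exit !found }' "$1"
}

# True if the user still owns running processes, i.e. is not fully logged out.
user_has_processes() {
    pgrep -u "$1" >/dev/null 2>&1
}

# Pre-migration checks; prints the first failed requirement and returns 1.
preflight() {
    user=$1
    command -v lsof >/dev/null 2>&1 ||
        { echo "lsof is not installed"; return 1; }
    module_loaded /proc/filesystems ||
        { echo "ecryptfs module is not loaded"; return 1; }
    module_persistent /etc/modules-load.d/modules.conf ||
        { echo "ecryptfs is not listed in modules.conf"; return 1; }
    if user_has_processes "$user"; then
        echo "$user still has running processes"
        return 1
    fi
    echo "ok to run: ecryptfs-migrate-home -u $user"
}
```

Source the file as root and call `preflight <username>` before migrating. After the user's first login, `home_is_ecryptfs /proc/mounts /home/<username>` confirms the encrypted mount is active before the plaintext backup folder is deleted.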
Assisted Encrypted Swap Partition
To encrypt the swap partition too:
sudo apt-get install cryptsetup
sudo ecryptfs-setup-swap