Using ecryptfs to encrypt your home directory on Debian
=======================================================

Adam Thompson <[email protected]>
2020-03-08 10:23:21

I've recently been getting interested in encrypting sensitive user data on my
Linux machines.  I've been encrypting passwords etc for a long time, however
it's only recently that I've got interested in encrypting the rest of my
user data.

There are a variety of ways to do this.  However, being blind, I wanted a
solution which didn't require entering a password or similar before the
machine was booted.  I also needed to migrate my existing files.

Thus I decided to encrypt my home directory with Ecryptfs.  This is an
enterprise class cryptographic stacked filesystem.  This means that it's
widely used, well-tested and sits on top of an existing filesystem.  It's
also been available in the Linux kernel for a while.

The actual process to set this up is very simple once you have the required
software installed and providing you have enough free space (you can reclaim
much of this space after the initial setup).  Basically as root run:
apt install cryptsetup ecryptfs-utils rsync
ecryptfs-migrate-home -u <user>

Follow the instructions replacing <user> with the user whos home directory
you wish to encrypt (you'll need to enter that user's login passphrase).

Then run, again as root:
ecryptfs-setup-swap

To encrypt your swap space.  This means that any data swapped out of memory
is also encrypted which is important to prevent sensitive data from
being left on the disk in the clear.

After this, including making sure that you've logged in as the user with the
newly encrypted home directory (as per the instructions), you can reboot
your system.  If you log in as another user first, you should be able to
verify that the newly encrypted home directory is *not* mounted (a directory
will be present but it won't contain the home directory's contents).  Once
you log in as the user with the encrypted home you should see it mounted
automatically.

Of course, Ecryptfs can do far more than just encrypt home directories.  One
of the great things about cryptographic stacked filesystems like this is
that you can set up encrypted directories where and when you need them.  The
only thing to keep in mind is that, when using encrypted file names with
Ecryptfs (as the home directory setup above does), the 255 character name
limit (limit for individual path components, *not* the total path) is
reduced a bit (to 143 characters in testing).  In practice, I only had one
issue with this where a file name was *incredibly* long, and fixing it was a
simple case of using a shorter (and honestly better) name for the file.  As
such I'd recommend running with encrypted file names as it's an extra layer
of protection.

You are viewing proxied material from sdfeu.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.