Encrypt home directory after install

9 replies
Abjectio

Joined: 08/21/2014

Hi,

My main Trisquel installation is now 1 year old and counting. I like it a lot and it serves me well.
However, I did not encrypt my home directory during installation and have decided to add the encryption now.

Any advice on how I do this without re-installing or destroying my installation/setup?

Tx in advance.

Abjectio

Joined: 08/21/2014

Found the solution:

1) ecryptfs-migrate-home -u TheUserName
Encrypting /home

2) Log in as TheUserName
This is to finish off the migration of /home

3) ecryptfs-setup-swap
To encrypt the swap

4) Delete or back up a temporary directory created
/home/.

5) As the user, run: ecryptfs-unwrap-passphrase
To record a randomly generated mount passphrase.

From:
http://blog.dustinkirkland.com/2011/02/long-overdue-introduction-ecryptfs.html
http://blog.dustinkirkland.com/2009/06/migrating-to-encrypted-home-directory.html

All is good.
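
A check to run after the steps in the post above, as an added example that is not part of the original post: it confirms the home directory is an eCryptfs mount and that no plaintext swap is still active. The function names, the `ecryptfs` filesystem-type match and the device-mapper heuristic for swap are assumptions of this example, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: an encrypted home appears in
# /proc/mounts with type "ecryptfs"; encrypted swap is a device-mapper device.
# Plain LVM is device-mapper too: confirm with `cryptsetup status <name>`.

# home_is_ecryptfs MOUNTS_FILE HOME_DIR: exit 0 if HOME_DIR is an ecryptfs mount
home_is_ecryptfs() {
    awk -v home="$2" '$2 == home && $3 == "ecryptfs" { found = 1 }
                      END { exit !found }' "$1"
}

# plaintext_swap SWAPS_FILE: print active swap areas not backed by device-mapper
plaintext_swap() {
    awk 'NR > 1 && $1 !~ /^\/dev\/(mapper\/|dm-)/ { print $1 }' "$1"
}

# check_user MOUNTS_FILE SWAPS_FILE HOME_DIR: report; exit 0 only if both pass
check_user() {
    rc=0
    if home_is_ecryptfs "$1" "$3"; then
        echo "OK   $3 is an ecryptfs mount"
    else
        echo "FAIL $3 is not an ecryptfs mount (not migrated, or user logged out)"
        rc=1
    fi
    leaks=$(plaintext_swap "$2")
    if [ -z "$leaks" ]; then
        echo "OK   no plaintext swap active"
    else
        echo "FAIL plaintext swap active: $leaks"
        rc=1
    fi
    return "$rc"
}

# Demo on constructed sample data: steps 1-2 done, step 3 (swap) not yet run.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
        '/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid 0 0' > "$d/mounts"
    printf '%s\n' 'Filename Type Size Used Priority' \
        '/dev/sda5 partition 2097148 0 -2' > "$d/swaps"
    check_user "$d/mounts" "$d/swaps" /home/alice
    status=$?
    rm -rf "$d"
    return "$status"
}
# On a real system: check_user /proc/mounts /proc/swaps /home/TheUserName
demo || true
```

Run the real check while the migrated user is logged in, since the eCryptfs mount only exists during that user's session.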

strypey
Joined: 05/14/2015

This is very useful, thanks so much for posting your solution. I like the idea of encrypting my /home in a production system, but I don't really like doing it when I install, because if something goes wrong with the new install, the encrypted /home makes it tricky to use a live disc to rescue my files.

If I wanted to create a permanent page for this information in Trisquel's documentation, how would I go about that?

Abjectio

Joined: 08/21/2014

Oh, glad you like it.
I'm not sure how we could create permanent info about this (never done that).
Let's try to do that ...

Abjectio

Joined: 08/21/2014

It's in the wiki now - needs a cleanup.
Look under the "Privacy and security" section.

https://trisquel.info/en/wiki/all-manuals

GNUser
Joined: 07/17/2013

Thanks for posting the question and the answer. One question of mine: does it require the home directory to be in its own partition (in the installer, choosing a separate partition for swap, home and system)? Or can it be in the same partition and it will just encrypt the directory (dunno how it would work, but fine)?

Thanks.

Abjectio

Joined: 08/21/2014

GNUser: I think it does not need to be in its own partition. My /home has its own partition; however, it's only the user I specified who now has encrypted files, other users do not. There is nothing in the man pages for ecryptfs that indicates that requirement either.

moxalt
Joined: 06/19/2015

I have no idea how it works either, but it seems to work fine on the same
partition. Apparently ecryptfs uses a sort of filesystem-within-a-filesystem
approach to encrypting areas of a partition, rather than the entire partition.
The only downside to disk encryption in general is that (for me at least) you
get noticeably slower access speeds, and you're screwed if something goes wrong.

When I used /home directory encryption, it worked flawlessly.

strypey
Joined: 05/14/2015

I think I've asked about this elsewhere, but can't find the thread, and don't know if it got answered. Once your /home partition is encrypted, is it still possible to use it as a shared /home partition with another GNU/Linux installation on the same device? If so, what's the suggested method?