Linux Home Directory Encryption

Dhairya Sharma
Published in Bobble Engineering
Oct 26, 2021

If you carry important data on your hard disk, it is good practice to encrypt the disk so that unauthorized users cannot access it.

In this blog, we will encrypt the home directory of an already existing user.

Disk encryption protects information by converting it into unreadable ciphertext that unauthorized people cannot easily decipher. It uses encryption software or hardware to encrypt every bit of data written to a disk or disk volume.

Let’s now encrypt our home directory!

We will use ecryptfs-utils to encrypt the home directory. Let’s install it:

sudo apt install -y ecryptfs-utils cryptsetup

Keep the login password of the user whose directory you want to encrypt STRONG, because it will be used as the login passphrase in the encryption/decryption process and you don’t want it to be easily crackable or guessable.

If you have a weak password and want to set a strong one, use:

sudo passwd <username>

You cannot encrypt a specific user’s home directory while you are logged in as that user, so create a temporary user and add it to the sudo group (this user exists only for this task; after encryption we will delete it).

Make sure that you can log in as this new user and that it is a member of the sudo group.

Create a backup of your home folder and store it in some other directory, so that if something goes wrong you will not lose your files.

Now log in as this new temporary user and make sure no process is running under the user whose home directory you want to encrypt.

To make sure of this, you can run the command below to kill all processes run by a user, identified by username or UID.

sudo pkill -u <username or UID>
# for example: sudo pkill -u v3nom
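The steps above (a separate sudo-capable account, no processes left running under the target user, ecryptfs-utils installed) are the preconditions ecryptfs-migrate-home needs. The pre-flight check below is an added example, not part of the original post or of ecryptfs-utils; it assumes a Linux system with /proc mounted and the coreutils id command available, and deliberately avoids pgrep so it also works where procps is not installed.

```shell
#!/bin/sh
# Pre-flight checks before running `sudo ecryptfs-migrate-home -u USER`.
# Added example, not from the original post. Assumes Linux with /proc and coreutils.

# user_exists USER -> 0 if the account exists in the passwd database.
user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# is_current_user USER -> 0 if the shell is running as USER
# (the migration must be run from the temporary user, never as USER itself).
is_current_user() {
    [ "$(id -un)" = "$1" ]
}

# has_running_processes USER -> 0 if any process in /proc runs with USER's real UID.
# Reads the "Uid:" line of /proc/<pid>/status instead of calling pgrep.
has_running_processes() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    for st in /proc/[0-9]*/status; do
        if grep -q "^Uid:[[:space:]]*$uid[[:space:]]" "$st" 2>/dev/null; then
            return 0
        fi
    done
    return 1
}

# check_migrate_preconditions USER
# Prints one FAIL line per unmet condition; returns 1 if any failed, 0 otherwise.
check_migrate_preconditions() {
    target="$1"
    failed=0
    if ! user_exists "$target"; then
        echo "FAIL: user '$target' does not exist"; failed=1
    fi
    if is_current_user "$target"; then
        echo "FAIL: logged in as '$target'; log in as the temporary sudo user instead"; failed=1
    fi
    if user_exists "$target" && has_running_processes "$target"; then
        echo "FAIL: '$target' still has running processes; run: sudo pkill -u $target"; failed=1
    fi
    if ! command -v ecryptfs-migrate-home >/dev/null 2>&1; then
        echo "FAIL: ecryptfs-migrate-home not found; install ecryptfs-utils first"; failed=1
    fi
    return "$failed"
}
```

Run it as `check_migrate_preconditions v3nom` from the temporary user's shell and only proceed to the migration when it prints nothing and exits 0.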

Time to encrypt ❕

Replace v3nom with the username whose directory you want to encrypt:

sudo ecryptfs-migrate-home -u v3nom

It will ask for a login passphrase, which is the user’s password; here I will enter v3nom’s login password.

It will take time depending on the size of your home folder; after completion the terminal will look like this.

Read the important notes. Now we will log in as the user whose home folder we encrypted and check that we can read all files before rebooting the system.

If you can read all files, congratulations, you have successfully encrypted your home directory.

We have to perform some additional steps now.

Now we will recover our mount passphrase; it will be used to recover data if you forget your login password. If you want to learn a bit more about it, click HERE.

ecryptfs-unwrap-passphrase /home/<username>/.ecryptfs/wrapped-passphrase

Enter your user’s login password at the Passphrase prompt and you will get a random 128-bit string. Store it somewhere safe, because if you forget your login passphrase you will recover your data using this.

Now delete the temporary user.

How to recover files if you forget your passphrase?

  1. Boot using a Live CD or USB.
  2. Make sure the disk holding the encrypted home directory is mounted.
  3. Run sudo ecryptfs-recover-private; it will look for any encrypted directory.
  4. It will ask whether you want to recover the directory; type “Y”.
  5. It will ask if you know the login passphrase, which you don’t, so type “n”.
  6. It will then ask if you know the mount passphrase; enter your 128-bit passphrase and it will mount the decrypted directory under /tmp, where you can access your data. Copy all the important files you want.

Thanks for reading 😃
