Encrypting you home directory with eCryptfs

To be written.

One way to create ecrypfs home directories

Here is how i did it, based on the following link:

(much shamelessly copied)

Login and setup an Encrypted Private directory:

Logout, and log back in and make sure $HOME/Private is mounted.

mount | grep "$USER.*ecryptfs"

Use rsync

to copy all data from your home directory to your new Encrypted Private directory. If you have a large home directory, this step might take a very long time. Be very wary of any errors at this point. This is the most essential step in this migration scheme. I usually re-run this step 3 times.

rsync -aP --exclude=.Private --exclude=Private --exclude=.ecryptfs $HOME/ $HOME/Private/

Sync to disk, unmount, logout, and log back in.

sync && sync && sync

Setup your eCryptfs configuration directory.

cd /
sudo mkdir -p /home/.ecryptfs/$USER
sudo chown $USER:$USER /home/.ecryptfs/$USER
mv $HOME/.ecryptfs /home/.ecryptfs/$USER/
mv $HOME/.Private /home/.ecryptfs/$USER/
sudo chmod 700 /home/.ecryptfs/$USER/.Private
sudo chmod 700 /home/.ecryptfs/$USER/.ecryptfs

Setup your new, unmounted home directory.

sudo mkdir -p -m 700 /home/$
sudo chown $USER:$USER /home/$
ln -sf /home/.ecryptfs/$USER/.ecryptfs /home/$
ln -sf /home/.ecryptfs/$USER/.Private /home/$

Move your old, unencrypted home directory out of the way.

sudo mv $HOME $HOME.old

“Activate” your new, unmounted home directory by renaming it.

sudo mv /home/$ $HOME
echo $HOME > $HOME/.ecryptfs/Private.mnt
ln -sf /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt $HOME/README.txt
sudo chmod 500 $HOME

Logout, and log back in.

Ensure that $HOME is mounted, and that you have a symlink to your configuration directory.

mount | grep "$USER.*ecryptfs"
ln -sf /home/.ecryptfs/$USER/.ecryptfs /home/$USER/.ecryptfs
ln -sf /home/.ecryptfs/$USER/.Private /home/$USER/.Private

Check all of your home directory data.

Ensure that everything is in order. Once you are completely confident that the migration worked, you can reclaim some disk space by removing your old, non-encrypted data.

sudo rm -rf $HOME.old

Check your /etc/pam.d/ configuration!

common-auth:28:      auth    optional unwrap
common-session:28:   session optional unwrap

Obviously, much of this is scriptable….