How To Encrypt The Home Folder In Ubuntu 18.04

Ubuntu 18.04 LTS does not include an option in the installer to encrypt the home directory. This option was removed from the Ubuntu installer because it uses eCryptfs, which is considered "buggy, under-maintained", and the recommended alternative is full disk encryption using LUKS.

For per-directory encryption, like the home folder, it's recommended to use fscrypt, which as far as I can tell doesn't support encrypting the home directory unless it's on a separate partition. I haven't used fscrypt, but if there are requests, I will try to post an article about how to use it to encrypt your (separate partition) home folder.

If despite this you still want to encrypt your home folder using eCryptfs, you'll find instructions below.

Encrypt the home folder for an existing user account


To make this guide easy to follow, the user for which we'll encrypt the home directory will be called "user1", while the user account that runs the migration will be called "user2".

1. Install the required encryption packages:

sudo apt install ecryptfs-utils cryptsetup

2. You'll need to log in to an admin account (user2) that's different from the user whose home directory you want to encrypt (user1).

If your user is the only existing user account on your computer, you'll need to create another user account (with administrator rights). This can be temporary, so you can remove it later. To create a new user with administrator rights, you can use:

  • A GUI - in Gnome, from Settings > Details > Users (and set its password).

  • Or from the command line:
sudo adduser <user>
sudo usermod -aG sudo <user>

3. Migrate the home folder of the encrypted user (user1).

Reminder: Make sure you're logged in as an administrator user whose home folder you DON'T want to encrypt (user2).

Run this command to migrate the home folder of user1 (the user for which we'll encrypt the home):

sudo ecryptfs-migrate-home -u <user1>

When prompted after running the command above, make sure you enter the password that <user1> has set.

When running this command, a backup of the user's (user1) home folder is created. If everything is ok after completing this how-to, you can safely delete the backup. Not now though, read on!

4. Log out and log in using the encrypted user credentials (user1). Do not reboot!

5. Print and record the recovery passphrase.

After logging in to the encrypted user account (user1), run the following command to print and record the recovery passphrase:

ecryptfs-unwrap-passphrase

Save this information (output) somewhere safe!

This completes the Ubuntu 18.04 LTS home encryption process. Reboot and if everything is ok, you can safely remove the temporary user as well as the backup created under step 3. If you can't remember the backup name, run ls /home, and one of the listed folders should be a user name followed by a dot and some numbers and letters (like logix.4xVQvCsO) - that's the backup. Only do this after a reboot!
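
A check to run before deleting the backup, as an added example that is not part of the original article: it confirms that the user's home is mounted as eCryptfs and that the wrapped passphrase file exists, then lists directories matching the backup naming described above. The function names are hypothetical, and the /home/.ecryptfs/<user>/.ecryptfs/wrapped-passphrase path assumes the standard ecryptfs-utils encrypted-home layout; run it as user1 while logged in.

```shell
#!/bin/sh
# Added example: sanity checks for the eCryptfs home migration.
# Arguments default to the live system; pass constructed paths to test.

# home_is_ecryptfs USER [MOUNTS_FILE] [HOME_BASE]
# True only if HOME_BASE/USER is mounted with filesystem type "ecryptfs".
home_is_ecryptfs() {
    awk -v mp="${3:-/home}/$1" \
        '$2 == mp && $3 == "ecryptfs" { ok = 1 } END { exit !ok }' \
        "${2:-/proc/mounts}"
}

# has_wrapped_passphrase USER [HOME_BASE]
# True if the wrapped mount passphrase (the file ecryptfs-unwrap-passphrase
# reads) exists and is non-empty. Path is the assumed ecryptfs-utils layout.
has_wrapped_passphrase() {
    [ -s "${2:-/home}/.ecryptfs/$1/.ecryptfs/wrapped-passphrase" ]
}

# list_backups USER [HOME_BASE]
# Prints directories named USER.<letters and digits>, the backup naming the
# article describes (for example logix.4xVQvCsO).
list_backups() {
    prefix="${2:-/home}/$1."
    for d in "$prefix"*; do
        [ -d "$d" ] || continue
        suffix=${d#"$prefix"}
        case $suffix in ''|*[!A-Za-z0-9]*) continue ;; esac
        printf '%s\n' "$d"
    done
}

# check_encrypted_home USER [MOUNTS_FILE] [HOME_BASE]
# Returns 0 only when both checks pass, then lists backup candidates.
check_encrypted_home() {
    home_is_ecryptfs "$1" "${2:-/proc/mounts}" "${3:-/home}" || {
        echo "FAIL: ${3:-/home}/$1 is not an ecryptfs mount; keep the backup" >&2
        return 1
    }
    has_wrapped_passphrase "$1" "${3:-/home}" || {
        echo "FAIL: wrapped-passphrase not found; keep the backup" >&2
        return 1
    }
    echo "OK: home of $1 is encrypted. Backup candidates:"
    list_backups "$1" "${3:-/home}"
}
```

After the reboot, `check_encrypted_home user1` should print OK before any backup directory it lists is removed.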

Encrypt the home folder for a new user account


These instructions are for how to create a new user and encrypt its home directory on creation. For how to encrypt the home directory for an already existing user, see the separate instructions above.

1. Install the required encryption packages:

sudo apt install ecryptfs-utils cryptsetup

2. Create the new user with encrypted home directory:

sudo adduser --encrypt-home <user>

If you want to make the new user an administrator, use:

sudo usermod -aG sudo <user>

3. Log out and log in with the new user credentials. Do not reboot!

4. Print and record the recovery passphrase.

Run this command to print and record the passphrase:

ecryptfs-unwrap-passphrase

Save this information somewhere safe!
