[kwlug-help] How to encrypt home folder after installation?

Chris Irwin chris at chrisirwin.ca
Sun Jun 13 12:29:43 EDT 2010


On Sat, 2010-06-12 at 19:24 -0400, Bob Jonkman wrote:
> When I installed Ubuntu 10.04 there was an option to encrypt the 
> /home/<userid> folders.  However, I already had a /home partition, and 
> did not select this option.
> 
> How can I encrypt my home folder after the fact?   With all the nice 
> integration to the login password, &c.? There are many GiBytes of data 
> in it.

The magic word you need to include in your search is 'ecryptfs'. There
are plenty of ways to handle encrypted data, but 'ecryptfs' is the
mechanism Ubuntu provides.

There is a Wiki page about it:

https://help.ubuntu.com/community/EncryptedHome

It links to Dustin Kirkland's blog for the topic of migrating to an
encrypted home:

http://blog.dustinkirkland.com/2009/06/migrating-to-encrypted-home-directory.html


> Another reference requires an empty destination folder to be encrypted, 
> then copying existing data from a backup[2].  I'd like to encrypt in 
> place, if possible.

From dkirkland's blog:

> Make sure you have sufficient disk space available. To make a full
> copy, you will need at least 2x the disk usage of your current home
> directory. 

The reason is that you have the files on your disk already. What you are
doing is creating a new container on that disk and copying files into
it. Until you delete the original unencrypted files, you're using extra
space.

> Yes, I already use TrueCrypt folders and partitions.  I do not think 
> these things are the same thing as available-at-login encryption.

You are correct, they are not the same. TrueCrypt is capable of
offering plausible deniability, while ecryptfs is not. 

TrueCrypt creates a container, either using 'free' space at the end of
an existing partition, or as a file within a filesystem. Inside that
container you would create another filesystem, which would be mounted
wherever you like. If you hide that container well (say, hidden in
random data at the end of a partition), you should be able to deny it
even exists. Without the proper passcode, it is just random bits.

Ecryptfs is a transparent container, where each file has its name and
data encrypted, then is passed through to the existing filesystem below
it. You cannot deny that you have files as they are somewhat obviously
there. For example:

$ ls /home/.ecryptfs/chris/.Private/ -l
total 940
drwxr-xr-x  2 chris chris   4096 2010-05-28 22:57 ECRYPTFS_FNEK_ENCRYPTED.FWZE1w6NSFQdPkQTYho.nhSp0MKolDjvGYN70K-wBo-AzMLTYZARj70mKU--
drwxr-xr-x  7 chris chris   4096 2010-05-29 02:27 ECRYPTFS_FNEK_ENCRYPTED.FWZE1w6NSFQdPkQTYho.nhSp0MKolDjvGYN70M0hBJN-w5GxvfH5b1V9pE--
drwxr-xr-x  8 chris users   4096 2010-06-13 12:14 ECRYPTFS_FNEK_ENCRYPTED.FWZE1w6NSFQdPkQTYho.nhSp0MKolDjvGYN70RqHPMO5kBia8Iy8Pv87-E--

There are benefits to both approaches, so it depends on why you are
encrypting. I use it in case my laptop is stolen. I don't care if they
know I used encryption, as long as they can't actually see what the
files were. If you work for WikiLeaks, for example, you may favour
TrueCrypt.

Also, just for reference, your files are encrypted using AES and a
fairly strong key. But you're not logging in with a big random key,
you're using a password. So that big random key is encrypted using your
password. When you log in, it decrypts the key, then uses that to
decrypt your files. So keep your password complex, as it becomes (by
far) the weakest link in the chain.

-- 
Chris Irwin <chris at chrisirwin.ca>
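
The key-wrapping arrangement described in the last paragraph of the message
above, as an added example (not part of the original post, and not eCryptfs's
actual file format or algorithms): a random 256-bit file key is wrapped under
a key stretched from the password, so a password change only re-wraps the key.
The function names, the iteration count and the XOR pad standing in for AES
are assumptions made for this sketch.

```python
# Added illustration only: not eCryptfs's wrapped-passphrase format or ciphers.
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def _derive(password: str, salt: bytes):
    # Stretch the password into 64 bytes: 32 to encrypt, 32 to authenticate.
    k = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS, dklen=64)
    return k[:32], k[32:]


def _pad(enc_key: bytes) -> bytes:
    # Stand-in for AES: a 32-byte pad, used once because the salt is fresh.
    return hmac.new(enc_key, b"wrap-pad", hashlib.sha256).digest()


def wrap(file_key: bytes, password: str) -> dict:
    if len(file_key) != 32:
        raise ValueError("file key must be 32 bytes")
    salt = secrets.token_bytes(16)
    enc_key, mac_key = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(file_key, _pad(enc_key)))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap(blob: dict, password: str) -> bytes:
    enc_key, mac_key = _derive(password, blob["salt"])
    tag = hmac.new(mac_key, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("wrong password or damaged blob")
    return bytes(a ^ b for a, b in zip(blob["ct"], _pad(enc_key)))


def rewrap(blob: dict, old_password: str, new_password: str) -> dict:
    # A password change touches only this small blob, never the file data.
    return wrap(unwrap(blob, old_password), new_password)


if __name__ == "__main__":
    file_key = secrets.token_bytes(32)  # the "big random key"
    blob = wrap(file_key, "constructed sample passphrase")
    assert unwrap(blob, "constructed sample passphrase") == file_key
    blob2 = rewrap(blob, "constructed sample passphrase", "a new, longer passphrase")
    assert unwrap(blob2, "a new, longer passphrase") == file_key
    print("file key unchanged after password change")
```

Whoever holds the wrapped blob is checked against the password, not the
256-bit key, so the stretching cost and the password's length are what bound
the scheme.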