In this post I give a short explanation of how to encrypt your home folder in Linux. Why should you encrypt your home folder? When you use a laptop and you take it with you all the time it’s important to protect it. Unfortunately a good log-in password isn’t enough to stop someone from accessing your data when your laptop gets stolen. Your log-in password can be circumvented with any Linux Live CD. Therefore it’s important to encrypt your data and I will explain how you can do that on your (installed) Linux laptop. This how-to is written for Linux Mint (Debian) but it should also work for other distributions (like Ubuntu). You can use it to encrypt your home folder after installing Linux.

Step 0: Backup your (unencrypted) home folder

Before you start, you should backup the important files in your home folder. You can do this by copying your home folder to an external drive or by using cloud storage. But this shouldn’t be a problem because you should always have backups 😉 (if you don’t, read this).

Step 1: Install the ecryptfs-utils package

You can do this using the command:
sudo apt-get install ecryptfs-utils

Step 2: Configure the ecryptfs module to load at startup.

You do this by adding ecryptfs to the /etc/modules file.

Step 3: Restart your system so that the ecryptfs module loads.

Step 4: Log in as root in a terminal

BEFORE you log in with your regular user name in the (graphical) log-in window, go to a non-graphical log-in terminal by pressing CTRL+ALT+F1. There you log in as root.

Step 5: Start the encryption of your home folder

In the terminal where you logged in as root, enter the following command where you replace USERNAME with your own username:
ecryptfs-migrate-home -u USERNAME

The script will ask you to fill in the password of your normal Linux account (of which you want to encrypt the home folder). After that the encryption starts. This can take a while depending on the number of files you have in your home folder. Wait for the encryption to complete.

Step 6: Log in with your username and password

DO THIS BEFORE REBOOTING YOUR SYSTEM! Go back to the graphical log-in window by pressing CTRL+ALT+F7. Log in and verify that your files are still present and that you can read them. If this is not the case, you should restore the backup you made in step 0 or the backup generated by the script that looks like USERNAME.d5JafeTE (in the home directory).

Step 7: Backup your randomly generated mount passphrase

The ecryptfs utility generated a mount passphrase that is necessary to mount your encrypted data. The mounting happens automatically when you log-in but not when approaching the data from another Linux installation (like a live CD). Then you need to give the mount passphrase and that’s why you should save it on some external medium. You can display your current mount passphrase using the command:
sudo ecryptfs-unwrap-passphrase

Step 8: Restart your system and verify your data again.

Just to be sure, restart your computer again and verify that you can read your data after logging in.

Step 9: Remove the backup folder generated by the script

After you made sure that your data is alright, you can remove the backup of your home folder that was generated by the script. This folder is located in /home and looks like USERNAME.d5JafeTE

Step 10: Enjoy your newly encrypted home folder.

I would like to end this post with some remarks:

  • The encryption of your home folder has a noticeable impact on the performance of your system. The impact is minimal and your system stays absolutely usable. Just take it into account when doing this.
  • Make sure you have unencrypted backups of all your data for when your Linux system breaks and you lost your mount passphrase (or the encryption went corrupt). When your data is encrypted, there is no way of retrieving it with a live CD.
  • Dropbox and SpiderOak have no problem with the encryption and your data is readable when you access it from another SpiderOak or Dropbox client (on a different computer). It is possible that they start uploading after the first reboot, but they only upload information about the ‘last-modified’ meta data of the files (and that changed since the files where encrypted). I haven’t tested with other could storage solutions, but I expect that they’ll behave in a similar way.

Happy encrypting!