Those looking for an easy, universal way to encrypt the home folder on Linux need look no further than EcryptFS. When correctly set up, users can seamlessly encrypt and decrypt their private data without much effort.
Before any encryption can begin, you’ll need to install the encryption tool. It’s very popular, works on almost all Linux distributions, and is easy to use. You need to be running Ubuntu, Debian, Arch Linux, Fedora, or OpenSUSE to install it from a package; on any other distribution, you can build it from source.
Ubuntu
sudo apt install ecryptfs-utils
Debian
sudo apt-get install ecryptfs-utils
Arch Linux
sudo pacman -S ecryptfs-utils
Fedora
sudo dnf install ecryptfs-utils
OpenSUSE
sudo zypper install ecryptfs-utils
Can’t find an installable package of EcryptFS on your Linux operating system? If so, you’ll need to download the source code and install the software manually. If you have trouble building the software, do check out the EcryptFS documentation page.
Encrypt The Home Folder
During this encryption process, we’ll be making a temporary user. This user isn’t going to be permanent. At the end of this tutorial, we’ll completely delete it. Creating a temporary super-user account is important because it’s not possible to encrypt a user’s home directory while that user is logged in.
Create New User
To create a new user, open up a terminal and log into the root account.
Now that the shell is root, use useradd to make the temporary account. Be sure to add the -M flag to ensure the system doesn’t create a new home directory.
useradd -M encrypt-admin
Useradd will create a new user, but it doesn’t have a password. Using passwd, assign encrypt-admin a new UNIX password.
Encrypt-admin is ready to use, but will not be able to access and execute root commands. To allow the user to run root commands, we’ll need to add it to the sudoers file. Using visudo, edit the sudo config file.
Inside the Nano text editor, scroll down and look for “# User privilege specification”. Under this, you should see “root ALL=(ALL:ALL) ALL”. Press enter on the keyboard under this line and write out the following in Nano.
encrypt-admin ALL=(ALL:ALL) ALL
Save the visudo file by pressing Ctrl + O, then close with Ctrl + X.
To start the encryption process, log out of the username you plan to start the encryption on. On the login screen, press Alt + Ctrl + F1. If this button combo doesn’t work, try F2 through F6.
Using the TTY prompt, write encrypt-admin in the login prompt, followed by the password set earlier. Then, use EcryptFS to start the encryption.
Note: change “yourusername” to the name of the user account you just logged out of. To encrypt multiple user accounts, run this command multiple times.
sudo ecryptfs-migrate-home -u yourusername
The above command will migrate your user to an encrypted home folder. From here, it’s safe to log out of the temporary administrator account, and back into the regular user. Log out of the TTY console with the exit command.
Writing out the exit command should instantly return you to the login screen from before. From there, press Alt + F2 through F7 to return to graphical mode.
Remove User Account
EcryptFS is fully configured on Linux, so it’s time to get rid of the encrypt-admin account. Start off by removing it from the sudoers file. Open up a terminal and edit the sudoers file with visudo.
sudo -s EDITOR=nano visudo
Scroll down the sudoers file, and remove the code added earlier on in the guide.
encrypt-admin ALL=(ALL:ALL) ALL
Save the sudoers file edit in Nano by pressing Ctrl + O on the keyboard. Exit Nano and return to the terminal shell with Ctrl + X.
Encrypt-admin no longer has any ability to gain root access or modify the system in any way. At this point, it’s harmless, and it’s possible to just leave it there. Still, if you’re not interested in having multiple users on your Linux PC, it may be a good idea to delete it altogether. In the terminal, use the userdel command to get rid of it.
sudo userdel encrypt-admin
Add Encryption Password
EcryptFS is almost ready to go. All that’s left is to set up a new password. Open up a terminal (without using sudo or root) and run ecryptfs-add-passphrase to add a new passphrase. Please keep in mind that encryption is pointless without a secure password. Head over to strongpasswordgenerator.com and create a strong encryption passphrase.
Note: don’t want to use the generator to create a new passcode? Check out this article to learn how to create your own secure passphrase instead.
When “ecryptfs-add-passphrase” finishes, your home folder should be fully encrypted. To start using it, restart your Linux PC. Upon restart, EcryptFS will require your new passphrase to log in correctly.
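To confirm that the migration and the cleanup steps above took effect, the shell script below (an added example, not part of the original article) checks that the user's wrapped passphrase exists, that no unencrypted backup of the old home folder remains, and that encrypt-admin is gone from both the sudoers file and the account list. The paths are the ecryptfs-utils defaults, which the article does not state; the function names and the ROOT parameter are this example's own.

```shell
#!/bin/sh
# Post-migration audit for the procedure above (added example).
# ROOT lets the checks run against a test tree; pass "" for the live system.

# Succeeds if the user's wrapped mount passphrase exists, i.e. the
# encrypted home was actually set up by ecryptfs-migrate-home.
has_wrapped_passphrase() {  # ROOT USER
    [ -f "$1/home/.ecryptfs/$2/.ecryptfs/wrapped-passphrase" ]
}

# Prints plaintext backup copies of the old home (USER.XXXXXXXX) that
# ecryptfs-migrate-home leaves next to the encrypted one.
leftover_backups() {  # ROOT USER
    for d in "$1/home/$2".????????; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Succeeds if ACCOUNT still has an active (uncommented) sudoers rule.
in_sudoers() {  # SUDOERS_FILE ACCOUNT
    grep -Eq "^[[:space:]]*$2[[:space:]]" "$1"
}

# Succeeds if ACCOUNT still exists in the passwd file.
account_exists() {  # PASSWD_FILE ACCOUNT
    grep -q "^$2:" "$1"
}

# Runs all checks, prints findings, returns the number of findings.
# Assumes paths without whitespace (true for normal user names).
audit() {  # ROOT USER TEMP_ACCOUNT
    n=0
    has_wrapped_passphrase "$1" "$2" || { echo "FAIL: no wrapped-passphrase for $2"; n=$((n+1)); }
    for b in $(leftover_backups "$1" "$2"); do
        echo "WARN: unencrypted backup remains: $b"; n=$((n+1))
    done
    in_sudoers "$1/etc/sudoers" "$3" && { echo "WARN: $3 still in sudoers"; n=$((n+1)); }
    account_exists "$1/etc/passwd" "$3" && { echo "WARN: account $3 still exists"; n=$((n+1)); }
    return "$n"
}

# Live use (as root): sh audit.sh "" yourusername encrypt-admin
if [ "$#" -eq 3 ]; then audit "$@"; fi
```

An exit status of 0 means no findings. Any backup directory it reports holds the old unencrypted files and should be deleted only after the migrated user has logged in and confirmed the files are readable.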