An encrypted home directory with ecryptfs
In a recent post, I reviewed how to setup ecryptfs for providing a private directory. In that scenario, the directory “$HOME/Private” is the private directory. The files in that directory are stored on disk as encrypted files, but you see them as if unencrypted. The actual encrypted files are stored in “$HOME/.Private”, and what you see is a virtual unencrypted version of those files, mounted on “$HOME/Private”. The virtual unencrypted file system is only mounted while you are logged in. If properly setup, it is automatically mounted on login and automatically umounted on logout.
In this post, I want to describe how to have your actual home directory encrypted in this way. That amounts to having the virtual unencrypted file system mounted as “$HOME” instead of as “$HOME/Private”.
In order to set this up, there are a few steps where the root user must set things up. But most of the work can be done by an ordinary user. And note that I have tested this out, and it seems to work well.
The best way to set this up is to have a place outside of your home directory, where the encrypted files are kept on disk. One suggested place for this is in a directory “/home/.ecryptfs” and that is what I have used. I sometimes wonder whether it might have been better to make that “/home/ECRYPTFS”. But then it is just a directory name.
As root, create the directory “/home/.ecryptfs”. Inside that directory, create another directory for the specific user – give it a name like “/home/.ecryptfs/user”.
In my case, I normally login as user “rickert”. So, as the root user, I did:
# mkdir /home/.ecryptfs # mkdir /home/.ecryptfs/rickert # chown rickert:users /home/.ecryptfs/rickert
Those are the only steps that need to be done by the root user. The last two of those commands need to be repeated for each user who will want an ecryptfs home directory.
The first step for a user is to setup an ecryptfs private directory, as described in my earlier post.
The basic plan is that what you see as “$HOME/Private” will become what is the home directory. So files currently in your home directory must be moved into the Private subdirectory. However, there may be a few files that you do not want to move to the Private directory, so a little advance planning is needed.
You must not move “.ecryptfs” or “.Private” to the Private directory. They need to be outside the Private directory in order for ecryptfs to work. I also decided to keep “bin” (a directory of mostly shell scripts), “lib” and “.ssh” outside of the Private directory. I wanted those scripts (from “bin” and “lib”) to be available even when the ecryptfs home directory is not mounted. In the case of “.ssh”, I sometimes login using ssh, with public key encryption, and I want that to work even when the ecryptfs home directory is not mounted. So I wanted to keep that out of the ecryptfs mounted directory.
Having made my plans, the next step was to move the files and directories appropriately. It is important to not be logged into a graphic desktop while doing this. For example, I would need to move “.kde4” to “Private”, and that would cause problems if I were logged into KDE.
So logout from the desktop. Use CTL-ALT-F2 to get a virtual console prompt, and login there. Your ecryptfs private directory should be mounted, and you can check that with
My first step was to deal with the Private directory itself. I am used to having a directory named “Private”, so I wanted to continue with that practice. For one thing, it helps when synchronizing files (backing up over the network) where I am synchronizing with a system where I have a Private directory. So I did:
cd Private X=`echo * .??*` ## make a list of files mkdir Private mv $X Private cd ## back to home directory
These few commands won’t work if there are files in “Private” with spaces in their names. I made the list of file names before creating “Private”, so that “Private” would not be part of that list.
With that done, the next step is to move files and directories from my home directory to “Private”. Use the command “ls -a” to list all files. Ignore “.”, “..”, “.Private” and “.ecryptfs” as well as any files that you have chosen not to move.
mv .kde4 Private mv .g* Private
You can do a bunch together, as the second of those commands suggests. Repeat until done. Occasionally use “ls -a” to see what remains. When done, you should see only the files and directories that you did not want to move.
The next step is to unmount the Private directory
With that done, make a list of what remains. In my case, that was:
X=".Private .ecryptfs bin lib .ssh"
The list should be small enough to do manually. Do not include “Private” in that list. Then move those files to the space provided in “/home/.ecryptfs/user”:
mv $X /home/.ecryptfs/$USER/. for file in $X do ln -s ../.ecryptfs/$USER/$file . done
This should move those files, and then create a symbolic link to them, so that they will still appear (by virtue of the symlink) to be in the home directory.
The next step is to edit the file “.ecryptfs/Private.mnt”. That file should contain one line. It specifies where the ecryptfs directory is to be mounted. You must remove the characters “/Private” from the end of that line, so that it now gives the path to your home directory.
You are almost done. To test it:
cd / ecryptfs-mount-private ## remount the ecryptfs directory cd
That should have mounted the ecryptfs directory as your home directory. And you should now be able to see the files there. However, the files that you did not move to the Private directory will be missing, so create symlinks for those. “$X” should still be a list of those files.
for file in $X do ln -s ../.ecryptfs/$USER/$file . done
And you are done.
It is probably a wise idea to take a backup before you start any of this. As the saying goes, to err is human.