67

Disappointed to see that the 18.04 installer no longer offers the option to encrypt the home directory. According to this bug report referenced in the installer, the recommended method for encryption these days is full-disk with LUKS, or fscrypt for directories. Full-disk encryption seems a bit overkill for my needs, and all the bugs and caveats mentioned on the Wiki don't make it a very attractive option. All I really want is to protect my home directory from someone accessing my documents, photos, etc. if my laptop were to get stolen, making fscrypt the option for me.

The fscrypt GitHub page has some examples on how to set it up, but I can't find any documentation aimed at encrypting the home directory on Ubuntu. The old ecryptfs tool is still available, but after setting it up Ubuntu would sometimes freeze at the login screen.

So my question is: How do I setup fscrypt to encrypt my /home directory and decrypt when I log in? I also liked how ecryptfs allowed decrypting the folder manually (eg. from disk images).

(A similar question was posted here and was unfortunately closed for being an "off-topic" bug report. To clarify, this is not a bug report. The fact that the encrypt home directory option was removed from the installer was intentional. All I'm asking here is how to setup fscrypt.)

Victor
  • 9,313
elight24
  • 671
  • 1
  • 6
  • 3
  • 1
    Go with full disc encryption as suggested, far easier. I have been using LUKS for years without a problem, LUKS is less buggy than the old method you used. – Panther Apr 28 '18 at 14:22
  • 3
    @Panther Does LUKS allow for decrypting files stored on a backup drive? The reason I ask is because I make my full system backups from Windows with Macrium Reflect. If I need to pull out a few files from the backup, I would need a way to decrypt the backed up files. With ecryptfs, all I had to do was plug in my drive and run the script stored in the encrypted folder. – elight24 Apr 28 '18 at 19:33
  • 10
    So how about those of us that have our home folder encrypted from 16.04, but can't mount it new because the "encrypt home folder" option is gone now from the installer? We can't even log in. It's ridiculous. – SunnyDaze Apr 28 '18 at 23:16
  • 2
    @SunnyDaze It's been awhile since I've had to mount my data manually, but I believe the command for that was "ecryptfs-mount-private". – elight24 Apr 28 '18 at 23:21
  • 1
    Backups are a separate issue . @SunnyDaze ask your own question rather than adding to this one – Panther Apr 29 '18 at 05:08
  • 1
    @Panther full disk doesn't work if you have dual boot with Windows, correct? At least for the installation, my only option was to delete all operating systems if I wanted encryption, therefore I'm also looking for alternatives. – Bani Apr 30 '18 at 05:43
  • 1
    Full encryption works fine with dual boot. You encrypt the partition you install I to rather than the entire disc – Panther Apr 30 '18 at 18:26
  • 1
    @Panther The Wiki page states that dual-booting does not work with LUKS, along with a bunch of other nasty side effects. I'm assuming that the Wiki is just outdated then? https://help.ubuntu.com/community/ManualFullSystemEncryption/Background – elight24 May 03 '18 at 19:29
  • 3
    You may be confusing using LUKS on the entire disc, this will not work with dual booting windows, vs using LUKS on the Ubuntu partition, works fine dual booting with windows. I have not read the wiki page – Panther May 04 '18 at 03:04
  • @Panther Ah, I think you're right. Everything I've read has said that it will erase all data on the Ubuntu partition though. I'm assuming there's no way around this? – elight24 May 04 '18 at 03:33
  • No making a LUKS partition is destructive – Panther May 04 '18 at 03:44
  • 2
    Full disk encryption is great and does the job. But it's enough only if it is you personal computer and you are the only user. If someone is wondering why encrypt the home?, when there are many users it's useful. When you log in, only your home is decrypted but not the other ones – Anthony May 10 '18 at 17:00
  • 1
    For me full disk encryption is not an option as I use the on screen keyboard to log in. Removing this option is a step back. Too bad. – Konrad Gajewski Aug 20 '18 at 19:40
  • Since you are asking for fscrypt explicitly this is not exactly an answer. But you may want to have a look at this answer: https://askubuntu.com/questions/1020390/how-do-i-auto-mount-luks-partition/1020414#1020414 – Sebastian Stark Sep 11 '18 at 09:03
  • 1
    wow! when people upgrade from 16.04 to 18.04, what happens to their ~ !? – MWB Sep 12 '18 at 19:45
  • 1
    @Panther - I was adding to this question. I wasn't talking about backups. I was talking about installing Ubuntu 18.04 over 16.04 on a setup that already had a separate /home partition that I didn't want to format over. With the 18.04 installer, you get a blank screen when you try to log in, but I long since figured it out on my own, and posted my findings elsewhere. – SunnyDaze Mar 06 '19 at 16:10
  • @SunnyDaze, can you post a link to your findings? – Gabriel Staples Jul 12 '19 at 07:38
  • I had to do some digging to find where I commented on what to do. It's in the comment section of another question. All I had to do in order to keep my old encrypted home folder/partition working with 18.04 is make sure I didn't format my old home folder, and then install ecryptfs-utils, and then reboot. That comment is at https://askubuntu.com/questions/1029285/ubuntu-18-04-disk-encryption/1029303#comment1823270_1029303 – SunnyDaze Jul 13 '19 at 19:00

4 Answers4

34

Update 2020-02

I'm running multiple encrypted homes with fscrypt. Install your system without encryption and use this guide to implement fscrypt on your home.

The API to fscrypt might change in the future, so make sure to back up your important files if you attempt to upgrade your system.

(This feature is not widely used on Desktop. Use at your own risk.)

Update 2018-11

TL:DR; You can try fscrypt in Ubuntu 18.10+ or Linux Mint 19.1+

Looks like this was finally fixed. Here's a pre-emptive guide: http://tlbdk.github.io/ubuntu/2018/10/22/fscrypt.html

I'm not quoting instructions here because it does require some hacks and you can end up losing your home data.

Warning: A warning from user @dpg: "BE CAREFUL:I followed instructions from that "pre-emptive guide" (did it under tty), and got infinite login loop."

Consider this guide for educational purposes only.

Next is my original answer:

Original Answer 2018-05

TL;DR: Use classic home encryption with Linux Mint 19 Tara.

fscrypt for home encryption is still broken.

How do I setup fscrypt to encrypt my /home directory and decrypt when I log in?

This is something a lot of us want. It appears the Ubuntu team couldn't get ecryptfs to work bug-free on Ubuntu 18.04, and couldn't fix the bugs in fscrypt for a home-encryption option in time for the scheduled Ubuntu 18.04 release either.

For fscrypt, is at least one critical bug that makes it unusable for home encryption at the moment:

Furthermore, we'd need a transparent way of authenticating/unlocking before it's a realistic alternative to the "old" ecryptfs-type home encryption. This is tracked here:

With these issues open, you can consider home encryption broken at this point. With that, my colleagues and I consider Ubuntu 18.04 18.04.1 unfinished at the moment, and hope that home-encryption will be brought back (using the new and much better fscrypt method) in Ubuntu 18.04.1 18.04.2.

Until such time, we're sticking with Ubuntu 16.04. We have switched all our machines to Linux Mint 19 Tara with the classic home encryption using ecryptfs. Read the "known issues" section in the Release Notes for Linux Mint 19 Tara about the ecryptfs limitations, and see if this is acceptable to you:

(...) please be aware that in Mint 19 and newer releases, your encrypted home directory is no longer unmounted on logout.

If you have tried fscrypt and found it to be broken for your usage, you can vote "this bug affects me too" at the following launchpad bug:

Note that fscrypt/ext4-crypt (future "encrypt home") is the fastest option, and ecryptfs (old "encrypt home") is the slowest option. LUKS ("encrypt entire drive") is in the middle.

For this reason, entire disk encryption is 'conveniently' recommended. Because if you have very big projects with many small files, use revision management a lot, make big compiles, etcetera, you'll find that the overkill of encrypting your entire drive is actually worth it compared to the slowness of the old ecryptfs-type home encryption.

In the end, encrypting the entire drive has multiple drawbacks:

  • Guest account
  • Family laptop with private accounts
  • Using PREY-like anti-theft software

It's puzzling that Canonical decided that "we don't need this anymore" on their LTS version, which has come to be known as their more "serious" distribution.

dualscyther
  • 3
Redsandro
  • 3,674
  • 2
    Ubuntu 18.04.1 was released today, with both bugs still standing. I hope to see fscrypt in 18.04.2, but I'm a little less optimistic now. Please update! – Nonny Moose Jul 26 '18 at 18:12
  • 2
    @NonnyMoose updated - see the bold section halfway down my post. – Redsandro Jul 31 '18 at 08:51
  • fscrypt/issues/77 is fixed now (at least. the issue is closed) – Tim Richardson Sep 01 '18 at 07:48
  • 3
    wow! when people upgrade from 16.04 to 18.04, what happens to their ~ !? – MWB Sep 12 '18 at 19:38
  • 1
    *buntu 18.10 comes with fscrypt version 0.2.4 and the above problems/bugs are solved. You can use fscrypt to encrypt only /home – nikos.svnk Nov 25 '18 at 21:30
  • Nice update @nikos.svnk. Haven't had the pleasure of figuring out how this works yet. – Redsandro Nov 28 '18 at 09:51
  • 2
    BE CAREFUL:I followed instructions from that "pre-emptive guide" (did it under tty), and got infinite login loop. Tried it twice on fresh 18.10 installation with the same result. – Peter Dec 14 '18 at 03:59
  • @dpg Thank you for testing this method. I'll add a warning with a direct quote from you if that's okay. – Redsandro Dec 14 '18 at 16:22
  • 3
    In case someone got into infinite login loop after encryption, but can login in tty. In my case, it was caused by wrong owner of /home/myuser directory. It was root for some reason, so changing owner to my user solved the issue. – Peter Dec 20 '18 at 02:12
  • 1
    I followed instructions from this guide and it worked perfectly. I'm on ubuntu 19.04. Thanks for the link! – Pavel Davydov Apr 23 '19 at 16:29
  • Thanks for letting us know, @PavelDavydov! – Redsandro Apr 25 '19 at 23:20
  • 1
    I appear to have a solution that works on Ubuntu 18 using ecryptfs but this discussion makes me nervous about it. See my comment and explanation here: https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/1756840/comments/26 – Gabriel Staples Jul 12 '19 at 15:39
  • Also take a look at my comment under this answer here: https://askubuntu.com/a/1088709/327339. – Gabriel Staples Jul 13 '19 at 01:35
  • I see "Update 2020-02", with it I successfully encrypted home folder

    Could you direct me to instructions on how to recover the files in case linux becomes not bootable?

     – Nefedov Efim Mar 15 '20 at 14:33
  • 1
    @NefedovEfim you'll need to manually add a pasphrase protector. See https://github.com/google/fscrypt/issues/115#issuecomment-554243727 or https://github.com/google/fscrypt/blob/master/README.md#troubleshooting or https://wiki.archlinux.org/index.php/Fscrypt Be advised that fscrypt is still <v1.0. "we give no guarantees." Use at your own risk. :) – Redsandro Mar 16 '20 at 15:15
10

From Panther's answer here Full disk encryption encrypts everything including /home while encrypting only a specific dir such as /home is only encypted when you not logged in.

To encrypting an existing users home dir:

  • First logout of that account and log into an admin account.

  • Install the encryption utilities for the job:

    sudo apt install ecryptfs-utils cryptsetup

    from that launchpad bug ecryptfs-utils is now in the universe repo.

  • Migrate the home folder of that user:

    sudo ecryptfs-migrate-home -u <user>

    followed by user password of that account

  • Logout and login into the encrypted users account before a reboot to complete the encryption process.

  • Inside the account print and record the recovery passphrase:

    ecryptfs-unwrap-passphrase

You can now reboot and login. Once you are satisfied you can delete the backup home folder.

Also, if you want to create a new user with encrypted home dir:

sudo adduser --encrypt-home <user>

For more info: man ecryptfs-migrate-home, man ecryptfs-setup-private.

Pablo Bianchi
  • 15,657
ptetteh227
  • 1,904
  • 3
    Thanks for the answer, ptetteh. I tried that method the other day, but it seemed to cause issues when logging in. It would sometimes freeze on the login screen and cause me to have to reboot. I reinstalled 18.04 just to make sure that it wasn't something else causing the issue, and so far everything seems to be fine. If ecryptfs is now deemed unfit to be included by default, I think the best thing would be for me to use LUKS or fscrypt. – elight24 Apr 28 '18 at 19:30
  • 1
    It worked for me in a clean installation (18.04.1). I had to do it in "recovery mode". Unwrap was not required as when you login, it will notify you about it and request you to write down the generated passphrase. Thanks! – lepe Sep 02 '18 at 09:50
  • 3
    ecryptfs will not work if you have some longer path names (>~140 characters) in your home directory. See https://unix.stackexchange.com/questions/32795/what-is-the-maximum-allowed-filename-and-folder-size-with-ecryptfs#32834 – Sebastian Stark Sep 11 '18 at 09:00
  • What if I have no space for backup? Would it get succeeded? – 4xy Nov 09 '19 at 14:19
  • @elight24 exactly the same here. When I login to a user with encrypted directory with this software on my laptop, my laptop gets frozen – scarface Jul 10 '21 at 08:57
3

Personally, I would almost never recommend using File System Encryption (FSE) to anyone, for most use cases. There are several reasons, not the least of which is the fact of existing, and more effective alternatives. You all talk like there are only two options, either FSE or FDE (Full Disk Encryption). However, that is simply not the case. In fact, there are two other options which would both benefit the OP far greater, those being File Container Encryption and Encrypted Archives.

File container encryption is what software like Veracrypt, and the now defunct Truecrypt are written for. Container encryption is built into most file compression archive software like Winzip and 7zip, as an option when creating such an archive.

The two both have many advantages over FSE, the most obvious being that you don't need to leave them mounted while you're not working with your encrypted files. That prevents anyone from being able to access who is able to override the protections of the user profile key, and screen lock. Also, you might do something stupid, like step away from your computer, but forget to lock the screen, or allow someone to use the computer, and hoping they won't peek at your hidden directories. Also, you can easily move large amounts of files at a time, without needing to encrypt them another way, since the containers are portable.

One advantage that Veracrypt containers are so useful is the fact that they can be mounted as a drive, and that allows you to format them with a separate file system, preferably a non-journaling file system, like EXT2 or FAT32. Journaling files system could potentially leak information to an attacker. However, if all you're doing is hiding your personal photos, this might not be all that relevant to you. If, on the other hand, you have state secrets or legally protected data, then it might. You can also set them to automatically mount at boot up, if using a key file. However, that is not recommended, since the key file would need to be stored somewhere less secure than where FSE stores the user profile key.

Both offer the ability to use file compression. You can also hide file names, although, not always the case when using compressed archives, depending on certain compression algorithm used.

Personally, I use container encryption for files which will not be moved, and encrypted archives for files which will be moved or stored in the cloud, since it's a smaller file size.

Encrypting a Home directory is still possible with container encryption. Maybe store your encryption key on a YubiKey?

Anyways, I just wanted to offer you all some alternatives which weren't getting a mention by the other posters. Feel free to agree, or disagree with anything I've said.

RaidPinata
  • 386
  • 2
  • 14
Mr. Cypherpunk
  • 39
  • 9
    Hi. I have some comments about your "babysitter" example: - firstly, in many places people may expect the average babysitter to be a teenager by default, which makes it a bit of a disturbing analogy to drop in to a thread like this. Secondly, I just want to affirm that there are much better use cases for encryption than hiding a guilty secret. – mwfearnley Jul 28 '18 at 16:56
  • Containers are a fixed size, filesystem encryption (fscrypt, eCryptfs, EncFS, etc) only take up as much space as the files, and can grow & shrink accordingly. QED. PS you seem unaware that eCryptfs can encrypt only a single directory in home, decrypted only at whim. – Xen2050 Sep 14 '18 at 02:27
  • 3
    Honestly, this answer is useful, but the content is offensive. Simply due to associating encryption with criminal activity, as if there isnt enough of that in the media. Encryption is for protection from criminal activity. I cant upvote due to this. Ill delete this comment once an edit occurs. – Todd Dec 15 '18 at 20:31
  • 2
    Note that if you cannot trust root (uid:0), then you cannot use system for any encryption (be it FSE, container or archive). All encryption systems are vulnerable if you open the encryption and walk away from the system without locking it safe. Also, if you don't encrypt your whole filesystem, you have to understand that potentially all applications that touch the secret files will potentially make unencrypted copies outside your secure partition. – Mikko Rantalainen Jan 10 '19 at 05:39
0

If you, like I was, are doing a fresh installation of Ubuntu 18.04 over Ubuntu 16.04 and you have previously encrypted your /home, you will see that you are unable to login after the installation. All you need to do is to install the ecryptfs related packages: sudo apt install ecryptfs-utils cryptsetup, reboot and login.

To install those packages you can either login in a spare tty once budgie has loaded (Cntrl + Alt + F1) or enter in the linux recovery mode and install it from there.

Akronix
  • 1,223
  • 2
  • 17
  • 29