Using ecryptfs to encrypt your home directory on Debian
=======================================================

Adam Thompson
2020-03-08 10:23:21

I've recently been getting interested in encrypting sensitive user data on my Linux machines. I've been encrypting passwords etc. for a long time, but it's only recently that I've become interested in encrypting the rest of my user data.

There are a variety of ways to do this. However, being blind, I wanted a solution which didn't require entering a password or similar before the machine was booted. I also needed to migrate my existing files. Thus I decided to encrypt my home directory with eCryptfs. This is an enterprise-class cryptographic stacked filesystem: it is widely used and well tested, and it sits on top of an existing filesystem (each file is stored encrypted in a lower directory and presented decrypted at the mount point, so no repartitioning is needed). It has also been available in the Linux kernel for a while.

The actual process to set this up is very simple once you have the required software installed, providing you have enough free space. The migration copies your home directory into a new encrypted one and keeps the original as a backup, so you temporarily need more than twice the space the home directory currently uses; you can reclaim most of it by deleting the backup once you've verified the new home. Basically, as root, run:

    apt install cryptsetup ecryptfs-utils rsync
    ecryptfs-migrate-home -u <username>

Follow the instructions, replacing `<username>` with the user whose home directory you wish to encrypt (you'll need to enter that user's login passphrase, because the randomly generated mount passphrase is wrapped with it). Then run, again as root:

    ecryptfs-setup-swap

to encrypt your swap space. This means that any data swapped out of memory is also encrypted, which is important to prevent sensitive data (including decrypted contents of files you've been working on) from being left on the disk in the clear. The swap is re-created with a random key on every boot, so hibernation (suspend-to-disk) will no longer work afterwards.

After this, and before rebooting, make sure that you log in as the user with the newly encrypted home directory (as per the instructions) and record the mount passphrase printed by `ecryptfs-unwrap-passphrase`; if the login passphrase or the wrapped-passphrase file is ever lost, that recorded passphrase is the only way back into the data. Then you can reboot your system. If you log in as another user first, you should be able to verify that the newly encrypted home directory is *not* mounted (a directory will be present but it won't contain the home directory's contents). Once you log in as the user with the encrypted home you should see it mounted automatically.
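The steps above, wrapped in a script, as an added example that is not part of the original post. `migrate` runs the same commands (as root, with the same interactive prompts); `verify` checks the live `/proc/mounts` and `/proc/swaps`; with no arguments it runs the checks against constructed copies of those tables, so the logic can be read and tried without root. The sample table contents, the user names `alice`, `bob` and `carol`, and the swap heuristic (every active swap area must be a device-mapper device) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. "migrate" runs the steps
# described above (root required); "verify" checks the live system; with no
# arguments it runs the same checks against constructed copies of
# /proc/mounts and /proc/swaps so the logic can be exercised unprivileged.
set -u

# Steps 1-2 of the post for one user. ecryptfs-migrate-home prompts for the
# user's login passphrase; ecryptfs-setup-swap asks before re-creating swap.
migrate_home() {
    user="$1"
    [ "$(id -u)" -eq 0 ] || { echo "migrate_home: run as root" >&2; return 1; }
    apt install cryptsetup ecryptfs-utils rsync
    ecryptfs-migrate-home -u "$user"
    ecryptfs-setup-swap
    echo "Log in as $user before rebooting and record the output of:"
    echo "  ecryptfs-unwrap-passphrase /home/$user/.ecryptfs/wrapped-passphrase"
}

# State of HOME_DIR according to a /proc/mounts-format file (default: the
# live table). Field 2 is the mount point, 3 the fs type, 4 the options.
#   fnek      = eCryptfs mounted, file names encrypted (ecryptfs_fnek_sig set)
#   nofnek    = eCryptfs mounted, file names stored in the clear
#   unmounted = no eCryptfs mount there (only the placeholder directory)
home_mount_state() {
    home_dir="$1"; mounts="${2:-/proc/mounts}"
    awk -v home="$home_dir" '
        $2 == home && $3 == "ecryptfs" {
            state = ($4 ~ /ecryptfs_fnek_sig=/) ? "fnek" : "nofnek"
            print state; found = 1; exit
        }
        END { if (!found) print "unmounted" }' "$mounts"
}

# Succeeds only if every active swap area in a /proc/swaps-format file is a
# device-mapper device (/dev/dm-N is how the kernel lists the cryptswap
# mapping ecryptfs-setup-swap creates). A plain partition or swap file means
# pages are still written out unencrypted. Heuristic only: a dm-N device can
# also be LVM, so confirm with `dmsetup table` that the target type is crypt.
swap_all_encrypted() {
    swaps="${1:-/proc/swaps}"
    awk 'NR > 1 && $1 !~ /^\/dev\/dm-[0-9]+$/ { bad = 1 } END { exit bad }' "$swaps"
}

# Constructed sample tables (not captured from a real machine) written to DIR.
write_sample_tables() {
    dir="$1"
    cat > "$dir/mounts" <<'EOF'
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=0123456789abcdef,ecryptfs_sig=fedcba9876543210,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
/home/.ecryptfs/bob/.Private /home/bob ecryptfs rw,relatime,ecryptfs_sig=fedcba9876543210,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
    printf 'Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n' > "$dir/swaps-encrypted"
    printf '/dev/dm-0                               partition\t2097148\t0\t-2\n' >> "$dir/swaps-encrypted"
    printf 'Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n' > "$dir/swaps-plain"
    printf '/dev/sda3                               partition\t2097148\t0\t-2\n' >> "$dir/swaps-plain"
}

report_swap() {
    if swap_all_encrypted "$1"; then echo "swap: all areas on dm devices"; else echo "swap: UNENCRYPTED area active"; fi
}

case "${1:-}" in
    migrate) migrate_home "$2" ;;
    verify)
        echo "home $2: $(home_mount_state "$2")"
        report_swap /proc/swaps
        ;;
    "")
        tmp=$(mktemp -d)
        write_sample_tables "$tmp"
        for h in /home/alice /home/bob /home/carol; do
            echo "home $h: $(home_mount_state "$h" "$tmp/mounts")"
        done
        report_swap "$tmp/swaps-encrypted"
        report_swap "$tmp/swaps-plain"
        rm -rf "$tmp"
        ;;
esac
```

Run it as `sh ecryptfs-home.sh verify /home/<username>` after logging in as another user (expect `unmounted`) and again as the migrated user (expect `fnek`); `nofnek` means the home is mounted but the file names are not encrypted, which is not what the migration script sets up.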
Of course, eCryptfs can do far more than just encrypt home directories. One of the great things about cryptographic stacked filesystems like this is that you can set up encrypted directories where and when you need them (`mount -t ecryptfs` on any directory, or `ecryptfs-setup-private` for a per-user `~/Private`). The only thing to keep in mind is that, when using encrypted file names with eCryptfs (as the home directory setup above does), the 255-character name limit (the limit for an individual path component, *not* the total path) is reduced a bit (to 143 characters in testing; the limit is measured in bytes, so names containing multi-byte UTF-8 characters hit it sooner, and a longer name fails when the file is created or copied). In practice I only had one issue with this, where a file name was *incredibly* long, and fixing it was a simple case of using a shorter (and honestly better) name for the file. Even so, I'd recommend running with encrypted file names, as it's an extra layer of protection: without it, anyone who can read the lower (encrypted) directory sees the real file and directory names, which often reveal a lot on their own.
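A pre-migration check for the name-length limit just described, as an added example that is not part of the original post: it lists every file or directory under a tree whose own name exceeds the limit, counting bytes rather than characters so multi-byte names are measured the way the kernel measures them. The 143-byte default is the figure observed in the post; the constructed demo tree and its file names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: list files and directories
# whose name (one path component) is longer than the eCryptfs limit with
# encrypted file names, so they can be renamed before migrating. The default
# of 143 is the limit the post observed; kernel name limits are in bytes, so
# awk runs under LC_ALL=C to count bytes, not characters.
set -u

ECRYPTFS_FNEK_MAX=143

# Print each path under DIR whose last component exceeds MAX bytes.
# Names containing newlines would confuse this line-oriented pipeline.
long_names() {
    dir="$1"; max="${2:-$ECRYPTFS_FNEK_MAX}"
    find "$dir" -print | LC_ALL=C awk -F/ -v max="$max" 'length($NF) > max'
}

# Number of offending entries; use as a gate before ecryptfs-migrate-home.
count_long_names() {
    long_names "$1" "${2:-$ECRYPTFS_FNEK_MAX}" | wc -l | tr -d ' '
}

# Constructed tree for the demo (not user data): one short name, one
# 154-byte ASCII name, one 80-character name that is 160 bytes in UTF-8.
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir "$tmp/docs"
    : > "$tmp/docs/short.txt"
    : > "$tmp/docs/$(printf 'a%.0s' $(seq 1 150)).txt"
    : > "$tmp/docs/$(printf 'ä%.0s' $(seq 1 80))"
    echo "$tmp"
}

case "${1:-}" in
    "")
        d=$(make_demo_tree)
        echo "$(count_long_names "$d") name(s) too long for encrypted file names:"
        long_names "$d"
        rm -rf "$d"
        ;;
    *) long_names "$1" "${2:-$ECRYPTFS_FNEK_MAX}" ;;
esac
```

Run `sh long-names.sh /home/<username>` before `ecryptfs-migrate-home`; an empty result means rsync will not trip over the limit part-way through the copy. The 80-character UTF-8 name in the demo is the case a character-counting check would miss.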