{"id":306,"date":"2015-01-22T11:56:35","date_gmt":"2015-01-22T03:56:35","guid":{"rendered":"http:\/\/play.datalude.com\/blog\/?p=306"},"modified":"2015-01-29T14:30:45","modified_gmt":"2015-01-29T06:30:45","slug":"notes-on-encrypted-home-directory-post-install","status":"publish","type":"post","link":"https:\/\/play.datalude.com\/blog\/2015\/01\/notes-on-encrypted-home-directory-post-install\/","title":{"rendered":"Notes on Encrypted \/home directory, post install."},"content":{"rendered":"<p>I decided to encrypt the \/home directory on a notebook, post install, as I was going to take it out of the house. There's nothing too important on it, but I probably should look after my ssh keys at least! The laptop is a low-end Dell, running Mint (based on Ubuntu). It has a slightly odd configuration in that I have the \/home partition mounted separately.<\/p>\n<p>OK, so the first thing I did was to copy the big files onto a separate, non-encrypted partition. I did this for two reasons. Firstly, the encryption process creates a copy of your home directory which you can roll back to. This means that in your \/home partition you need enough room for two copies of your home dir. I didn't. Secondly, the encryption process obviously encrypts each file as it goes. I thought that moving out the large files (basically the Music and Videos directories) would speed up the encryption process.<\/p>\n<p>Having made room, you need to log out of the account that you wish to encrypt. In my case this was the <strong>only<\/strong> account on the machine, so I needed to reboot into recovery mode (effectively becoming root). From instructions on the internet, apparently I then needed to simply run:<\/p>\n<pre>\/usr\/bin\/ecryptfs-migrate-home -u username<\/pre>\n<p>However, things, as they often are, weren't that simple. First of all I got a message about not being able to find my user directory. 
Checking the output of mount, I found this was because \/home wasn't mounted, so a 'mount \/home' fixed that. Then I got a message about not being able to write to \/tmp. Then a message about mtab. Finally, I put it all together. If you have separate partitions (including the \/tmp one), you need to run the commands in this order.<\/p>\n<pre style=\"font-size: 10px;\">mount -o remount,rw \/                   # Remounts the root filesystem read-write so mtab can now be written\r\nmount --all                             # Mounts everything in fstab: \/tmp, \/home etc.\r\n\/usr\/bin\/ecryptfs-migrate-home -u username<\/pre>\n<p>After whirring for a bit, it finished, but without the DIRE WARNING* that I was expecting about having to log in as the user. I'd read this is absolutely vital, as your files are encrypted with a temporary key. I ran 'login username' from the command prompt. Nothing seemed to have happened. So I quit out of the root shell, selected Resume Normal Boot from the menu and, when it rebooted, logged in as normal. Everything looked OK, except I had to set up Dropbox again. When I logged out, the \/home\/username directory was empty apart from a couple of placeholder files explaining what had happened. The encrypted files are in \/home\/.ecryptfs\/username\/.Private with obfuscated filenames. Sweet. The backup directory is in \/home\/username.U76ahOk7 and can be deleted when you're convinced it's all OK.<\/p>\n<h2>A note on filesystem speed.<\/h2>\n<p>It did seem a little slower when I logged in, so that's perhaps the price you pay for security. But it's a low-end notebook. Here are the results of copying a file to the encrypted and non-encrypted partitions. 
You can see it's roughly a third of the speed.<\/p>\n<pre style=\"font-size: 10px;\">me@notebook:~$ time dd if=\/dev\/zero of=\/non-encrypted-partition\/deleteme.dat bs=1024 count=500000\r\n500000+0 records in\r\n500000+0 records out\r\n512000000 bytes (512 MB) copied, 8.21647 s, 62.3 MB\/s\r\nreal\t0m8.764s\r\nuser\t0m0.633s\r\nsys\t0m2.722s<\/pre>\n<pre style=\"font-size: 10px;\">me@notebook:~$ time dd if=\/dev\/zero of=\/encrypted-home-dir\/deleteme.dat bs=1024 count=500000\r\n500000+0 records in\r\n500000+0 records out\r\n512000000 bytes (512 MB) copied, 27.4076 s, 18.7 MB\/s\r\nreal\t0m27.749s\r\nuser\t0m0.709s\r\nsys\t0m25.741s\r\n<\/pre>\n<hr \/>\n<p>* The DIRE WARNING alluded to above is as follows:<br \/>\nSome Important Notes!<\/p>\n<p>1. The file encryption appears to have completed successfully, however,<br \/>\n&lt;user&gt; MUST LOGIN IMMEDIATELY, _BEFORE_THE_NEXT_REBOOT_,<br \/>\nTO COMPLETE THE MIGRATION!!!<\/p>\n<p>2. If &lt;user&gt; can log in and read and write their files, then the migration is complete,<br \/>\nand you should remove \/home\/&lt;user&gt;.xyzeyzy<br \/>\nOtherwise, restore \/home\/&lt;user&gt;.xyzeyzy back to \/home\/user.<\/p>\n<p>3. &lt;user&gt; should also run 'ecryptfs-unwrap-passphrase' and record<br \/>\ntheir randomly generated mount passphrase as soon as possible.<\/p>\n<p>4. To ensure the integrity of all encrypted data on this system, you<br \/>\nshould also encrypted swap space with 'ecryptfs-setup-swap'.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I decided to encrypt the \/home directory on a notebook, post install, as I was going to take it out of the house. There's nothing too important on it, but I probably should look after my ssh keys at least! The laptop is a low-end Dell, running Mint (based on Ubuntu). 
It has a &#8230; <a title=\"Notes on Encrypted \/home directory, post install.\" class=\"read-more\" href=\"https:\/\/play.datalude.com\/blog\/2015\/01\/notes-on-encrypted-home-directory-post-install\/\" aria-label=\"Read more about Notes on Encrypted \/home directory, post install.\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[1,4,5],"tags":[],"class_list":["post-306","post","type-post","status-publish","format-standard","hentry","category-it","category-linux","category-security"],"_links":{"self":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/posts\/306","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/comments?post=306"}],"version-history":[{"count":0,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/posts\/306\/revisions"}],"wp:attachment":[{"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/media?parent=306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/categories?post=306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/play.datalude.com\/blog\/wp-json\/wp\/v2\/tags?post=306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}