(i) Please refer to EncryptedFilesystems for further documentation.

There are two ways to encrypt files and directories within your home directory. You can either place files in an encrypted "Private" directory, or you can encrypt your entire Home directory.

Encrypted Private

Ubuntu allows you to encrypt a "Private" directory within your home directory. This provides strong cryptographic protection of your most sensitive data, such as your documents and keys. This directory is automatically mounted on login, and unmounted on logout. When the directory is unmounted, an attacker only has access to your encrypted data (AES256), and not the files or directories stored within.

The encrypted data is in $HOME/.Private, and when mounted, the decrypted data is in $HOME/Private. Some important configuration information is stored in $HOME/.ecryptfs.

During the installation process, there is a question in the installation for configuring the Encrypted Private directory. If you want to setup your Encrypted Private directory later, just run ecryptfs-setup-private.

Encrypted Home

Ubuntu makes it possible to set up Home directory encryption using the Desktop CD. On the User Setup screen, after choosing a username and a password, the user can choose one of:

Users wanting an Encrypted Home directory should choose the 3rd option.

If the administrator wants to add a new user with an encrypted home directory after the initial installation, use: sudo adduser --encrypt-home. This requires the ecryptfs-utils package.

If the user wants to migrate from a non-encrypted home directory to an Encrypted Home directory, follow the instructions here:

or here:

In the Ubuntu 9.04 setup, the user's encrypted data is located in $HOME/.Private, but is only available when $HOME is not mounted. The user's configuration data is in /var/lib/ecryptfs/$USER.

In the Ubuntu 9.10 setup, the user's encrypted data is located in /home/.ecryptfs/$USER/.Private, and the user's configuration data is located in /home/.ecryptfs/$USER/.ecryptfs. As such, all of the user's pertinent data is self-contained in /home.

Caveats

There are a few minor caveats that one must keep in mind about these encrypted configurations.

When you are not logged into your system, data in your home directory is not accessible in plain text. This, of course, is by design. This is what keeps an attacker from gaining access to your files. However, this means that:

Also, it is strongly recommended that you encrypt your swap space. Users installing from Ubuntu 9.10 and selecting the Encrypted Home option will automatically have encrypted swap space. Other users can run sudo ecryptfs-setup-swap. This is critically important, because your home directory data will appear as cleartext in memory, as the kernel reads your encrypted data. If the kernel swaps this data to disk, it could potentially leak your decrypted data back to disk, totally defeating your Encrypted Home. Encrypted Swap solves this problem. However:

<!--please update with relevant info! -->

EncryptedHome (last edited 2014-11-24 01:11:48 by cable-207-138-195-94)