Post Installation Encryption

Normally, if you want to have encrypted data (a.k.a. an encrypted home folder), you specify this when you install or when you create a new user.

But what happens if you decide only afterwards that you want to encrypt your data?

Here is how to do so. This will encrypt a single user; if you wish to encrypt several users, you need to repeat the how-to for each one.

Disclaimers & Warnings

  • These instructions have only been tested on Ubuntu 12.04. Do not assume they will work on other distributions.
  • Enabling encryption will disable hibernation but you can re-enable it afterwards by following the instructions given in Enable Hibernation with Encryption on this wiki.

  • You may want to print this page in case it doesn't work, so you can recover (Test New Login and Finalize, below).

Preparation

  1. Check your wallpaper. Due to an existing bug, you will be unable to log in with encrypted folders if your wallpaper is in an encrypted area. So, either:

    1. Change your wallpaper to one of the standard ones; or

    2. Move your wallpaper to /usr/share/backgrounds and then set your wallpaper to it over there.

  2. This procedure is safe as it creates an encrypted copy of your folder, which means you need sufficient space on your drive to duplicate everything you have! If you don't, you need to back up your big data (e.g. movies); delete that data; run through this how-to; and restore your deleted data. (Having said that, I always recommend a full backup anyway in case of unexpected problems.)

  3. This process uses the Terminal and the Recovery Mode. If you don't know how to use them, please find out before proceeding.

  4. Install ecryptfs-utils. You may use Ubuntu Software Center or, if you prefer, your favourite package manager, or enter the command:

    sudo apt-get install ecryptfs-utils
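
A pre-flight check for Preparation steps 1, 2 and 4, as an added example that is not part of the original how-to. The function names are made up here, and the wallpaper URI is assumed to be the value that `gsettings get org.gnome.desktop.background picture-uri` prints on a GNOME-based desktop.

```shell
#!/bin/sh
# Pre-flight checks before ecryptfs-migrate-home (function names are hypothetical).

# KiB used by a directory tree, staying on one filesystem.
dir_kb() { du -skx "$1" 2>/dev/null | awk '{print $1}'; }

# KiB available on the filesystem that holds the given path.
free_kb() { df -Pk "$1" | awk 'NR==2 {print $4}'; }

# Preparation step 2: the migration makes a second copy of the folder,
# so free space must exceed what the folder already uses.
has_room() { [ "$2" -gt "$1" ]; }    # has_room USED_KB FREE_KB

# Preparation step 1: succeeds (bad) if the wallpaper lives inside the home
# that is about to be encrypted. Percent-encoded characters are not decoded.
wallpaper_in_home() {                # wallpaper_in_home URI HOME_DIR
    path=${1#\'}; path=${path%\'}    # gsettings prints the value in quotes
    path=${path#file://}
    case "$path" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

preflight() {                        # preflight HOME_DIR WALLPAPER_URI
    rc=0
    used=$(dir_kb "$1"); free=$(free_kb "$1")
    if has_room "$used" "$free"; then
        echo "OK:   $used KiB to copy, $free KiB free"
    else
        echo "FAIL: $used KiB to copy but only $free KiB free"; rc=1
    fi
    if wallpaper_in_home "$2" "$1"; then
        echo "FAIL: wallpaper is inside $1 (Preparation step 1)"; rc=1
    else
        echo "OK:   wallpaper is outside $1"
    fi
    if ! command -v ecryptfs-migrate-home >/dev/null 2>&1; then
        echo "FAIL: ecryptfs-utils is not installed"; rc=1
    fi
    return $rc
}

# Run as: sh preflight.sh /home/zaphod "$(gsettings get org.gnome.desktop.background picture-uri)"
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run it with sudo if the home folder contains files your user cannot read, so that the size estimate is complete.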

Encrypt The Folder

This tutorial will use the name zaphod for the user name. Please replace it with your user name.

  1. Reboot into Recovery Mode.
  2. Drop to root shell prompt.
  3. Fix existing 12.04 bugs as follows:

    mount --options remount,rw /
    mount --all

  4. Encrypt your folder. The command prompts you for your password, runs the migration, then prints some warnings, which are covered in the next step.

    ecryptfs-migrate-home --user zaphod

  5. In the warnings, note the name of the temporary folder that is shown on your screen. It will look something like /home/zaphod.ChPzzxqD. The last 8 characters will be random; we will call these eight characters your random characters.

  6. Ignore the rest of the warnings.
  7. Reboot with the following command (it may take several seconds to get going; be patient).

    reboot now

Test New Login And Finalize

  • Log in normally. Check that everything seems to work properly. Did it work?

Yes, it worked:

  1. Open a terminal and enter the following command. Replace zaphod and the random characters with yours (as noted in Encrypt The Folder above, step 5).

        sudo rm -R /home/zaphod.ChPzzxqD

  2. Restore any data, if you deleted some to make space (Preparation above, step 2).

  3. Set up encrypted swap space, as follows. Note: This needs to be done only once; if you already have an encrypted user, you can skip this step.

        sudo ecryptfs-setup-swap

  4. Reboot.

No, it didn't work:

  1. Repeat Encrypt The Folder above, steps 1-3.

  2. Check that your random-name folder really is there with the following command; you should not see an error (ensure you replace zaphod and the random characters):

        ls -l /home/zaphod.ChPzzxqD

  3. Type the following commands. Ensure you replace zaphod and the random characters.

        cd /home
        rm -R zaphod .ecryptfs/zaphod
        mv zaphod.ChPzzxqD zaphod

  4. Reboot.

        reboot now

  5. Restore any data, if you deleted some to make space (Preparation above, step 2).


Originally posted on The Ubuntu Forums (ubuntuforums.org)

PostInstallationEncryption (last edited 2012-07-21 17:40:14 by paddy-landau)