Disappointed to see that the 18.04 installer no longer offers the option to encrypt the home directory. According to this bug report referenced in the installer, the recommended method for encryption these days is full-disk with LUKS, or fscrypt for directories. Full-disk encryption seems a bit overkill for my needs, and all the bugs and caveats mentioned on the Wiki don't make it a very attractive option. All I really want is to protect my home directory from someone accessing my documents, photos, etc. if my laptop were to get stolen, making fscrypt the option for me.
The fscrypt GitHub page has some examples on how to set it up, but I can't find any documentation aimed at encrypting the home directory on Ubuntu. The old ecryptfs tool is still available, but after setting it up Ubuntu would sometimes freeze at the login screen.
So my question is: How do I setup fscrypt to encrypt my /home directory and decrypt when I log in? I also liked how ecryptfs allowed decrypting the folder manually (eg. from disk images).
(A similar question was posted here and was unfortunately closed for being an "off-topic" bug report. To clarify, this is not a bug report. The fact that the encrypt home directory option was removed from the installer was intentional. All I'm asking here is how to setup fscrypt.)
Update 2020-02
I'm running multiple encrypted homes with
fscrypt. Install your system without encryption and use this guide to implementfscrypton your home.The API to
fscryptmight change in the future, so make sure to back up your important files if you attempt to upgrade your system.(This feature is not widely used on Desktop. Use at your own risk.)
Update 2018-11
TL:DR; You can try
fscryptin Ubuntu 18.10+ or Linux Mint 19.1+Looks like this was finally fixed. Here's a pre-emptive guide: http://tlbdk.github.io/ubuntu/2018/10/22/fscrypt.html
I'm not quoting instructions here because it does require some hacks and you can end up losing your home data.
Next is my original answer:
Original Answer 2018-05
TL;DR: Use classic home encryption with Linux Mint 19 Tara.
fscryptfor home encryption is still broken.This is something a lot of us want. It appears the Ubuntu team couldn't get
ecryptfsto work bug-free on Ubuntu 18.04, and couldn't fix the bugs infscryptfor a home-encryption option in time for the scheduled Ubuntu 18.04 release either.For
fscrypt, is at least one critical bug that makes it unusable for home encryption at the moment:Furthermore, we'd need a transparent way of authenticating/unlocking before it's a realistic alternative to the "old" ecryptfs-type home encryption. This is tracked here:
With these issues open, you can consider home encryption broken at this point. With that, my colleagues and I consider Ubuntu
18.0418.04.1 unfinished at the moment, and hope that home-encryption will be brought back (using the new and much betterfscryptmethod) in Ubuntu18.04.118.04.2.Until such time, we're sticking with Ubuntu 16.04.We have switched all our machines to Linux Mint 19 Tara with the classic home encryption usingecryptfs. Read the "known issues" section in the Release Notes for Linux Mint 19 Tara about theecryptfslimitations, and see if this is acceptable to you:If you have tried
fscryptand found it to be broken for your usage, you can vote "this bug affects me too" at the following launchpad bug:Note that
fscrypt/ext4-crypt(future "encrypt home") is the fastest option, andecryptfs(old "encrypt home") is the slowest option.LUKS("encrypt entire drive") is in the middle.For this reason, entire disk encryption is 'conveniently' recommended. Because if you have very big projects with many small files, use revision management a lot, make big compiles, etcetera, you'll find that the overkill of encrypting your entire drive is actually worth it compared to the slowness of the old ecryptfs-type home encryption.
In the end, encrypting the entire drive has multiple drawbacks:
It's puzzling that Canonical decided that "we don't need this anymore" on their LTS version, which has come to be known as their more "serious" distribution.
From Panther's answer here Full disk encryption encrypts everything including /home while encrypting only a specific dir such as /home is only encypted when you not logged in.
To encrypting an existing users home dir:
Install the encryption utilities for the job:
from that launchpad bug ecryptfs-utils is now in the universe repo.
Migrate the home folder of that user:
followed by user password of that account
Logout and login into the encrypted users account before a reboot to complete the encryption process.
Inside the account print and record the recovery passphrase:
You can now reboot and login. Once you are satisfied you can delete the backup home folder.
Also, if you want to create a new user with encrypted home dir:
For more info:
man ecryptfs-migrate-home,man ecryptfs-setup-private.Personally, I would almost never recommend using File System Encryption (FSE) to anyone, for most use cases. There are several reasons, not the least of which is the fact of existing, and more effective alternatives. You all talk like there are only two options, either FSE or FDE (Full Disk Encryption). However, that is simply not the case. In fact, there are two other options which would both benefit the OP far greater, those being File Container Encryption and Encrypted Archives.
File container encryption is what software like Veracrypt, and the now defunct Truecrypt are written for. Container encryption is built into most file compression archive software like Winzip and 7zip, as an option when creating such an archive.
The two both have many advantages over FSE, the most obvious being that you don't need to leave them mounted while you're not working with your encrypted files. That prevents anyone from being able to access who is able to override the protections of the user profile key, and screen lock. Also, you might do something stupid, like step away from your computer, but forget to lock the screen, or allow someone to use the computer, and hoping they won't peek at your hidden directories. Also, you can easily move large amounts of files at a time, without needing to encrypt them another way, since the containers are portable.
One advantage that Veracrypt containers are so useful is the fact that they can be mounted as a drive, and that allows you to format them with a separate file system, preferably a non-journaling file system, like EXT2 or FAT32. Journaling files system could potentially leak information to an attacker. However, if all you're doing is hiding your personal photos, this might not be all that relevant to you. If, on the other hand, you have state secrets or legally protected data, then it might. You can also set them to automatically mount at boot up, if using a key file. However, that is not recommended, since the key file would need to be stored somewhere less secure than where FSE stores the user profile key.
Both offer the ability to use file compression. You can also hide file names, although, not always the case when using compressed archives, depending on certain compression algorithm used.
Personally, I use container encryption for files which will not be moved, and encrypted archives for files which will be moved or stored in the cloud, since it's a smaller file size.
Encrypting a Home directory is still possible with container encryption. Maybe store your encryption key on a YubiKey?
Anyways, I just wanted to offer you all some alternatives which weren't getting a mention by the other posters. Feel free to agree, or disagree with anything I've said.
If you, like I was, are doing a fresh installation of Ubuntu 18.04 over Ubuntu 16.04 and you have previously encrypted your
/home, you will see that you are unable to login after the installation. All you need to do is to install the ecryptfs related packages:sudo apt install ecryptfs-utils cryptsetup, reboot and login.To install those packages you can either login in a spare tty once budgie has loaded (Cntrl + Alt + F1) or enter in the linux recovery mode and install it from there.