@Madhawa97
Last active June 28, 2024 13:30

How to Encrypt Your Home Directory on Ubuntu 22.04

Encryption is a process of transforming data into an unreadable form that can only be accessed by authorized parties. Encryption can protect your personal and sensitive information from unauthorized access, theft, or tampering. One of the ways to encrypt your data on Ubuntu is to encrypt your home directory, which is where your personal files and settings are stored.

This gist will describe how to encrypt your home directory on Ubuntu 22.04 after installation. This method is useful if you have already installed Ubuntu without encryption and want to add it later. It will also work on other versions of Ubuntu that use the ecryptfs-utils package for encryption.

Backup Your Data

Please make sure you have created a backup of your system/files before proceeding with the encryption process. This process may involve significant changes to your system, and having a backup ensures that you can restore your data in case of any unexpected issues during the encryption.

Install Necessary Packages

Before we start, we need to install some packages that are required for encryption. Open a terminal and run the following command:

$ sudo apt install ecryptfs-utils cryptsetup

This will install the ecryptfs-utils package, which provides tools for managing encrypted file systems, and the cryptsetup package, which provides tools for setting up encrypted devices.

Create a New User and Grant Privileges

Next, we need to create a new user account that will be used to perform the encryption process. This is because we cannot encrypt the home directory of the user that is currently logged in. We will also grant this user sudo privileges so that they can run commands as root.

To create a new user account, run the following command:

$ sudo adduser backup_user

You will be prompted to enter a password and some optional information for the new user. After that, run the following command to add the new user to the sudo group:

$ sudo usermod -aG sudo backup_user

Log Out and Log In as the New User

Now that we have created a new user account, we need to log out of our current session and log in as the new user. To log out, click on the power icon on the top right corner of the screen and select Log Out. Do NOT reboot when logging out. This is very important because rebooting will cause problems with the encryption process.

After logging out, select the new user from the login screen and enter their password. You should now be logged in as the new user.

Encrypt the Home Folder

We are now ready to encrypt the home folder of our original user account. To do this, we will use a command called ecryptfs-migrate-home, which will migrate the existing home folder to an encrypted one.

First, we need to confirm the username of our original user account. Run the following command, replacing your_original_account_username with your actual username:

$ sudo ls -l ~your_original_account_username

This should display the contents of the home directory of the original user account. If you see an error message or an empty directory, make sure you have entered the correct username.

Next, run the following command to start the encryption process:

$ sudo ecryptfs-migrate-home -u your_original_account_username

This will create a temporary folder with a random name in /home and copy all the files from the original home folder to it. Then, it will mount an encrypted file system over the original home folder and copy the files back into it. The temporary folder is not removed automatically; it is left in place so that you can delete it after confirming that the encrypted home works, as described in the Clean Up section below.

The encryption process may take some time depending on how much data you have in your home folder. During this time, do not interrupt or close the terminal window.

Once done, you will see some important notes displayed on the screen. These notes contain information about how to access your encrypted data and how to recover it in case of emergency. Capture a photograph of these notes and keep them in a safe place.

[Screenshot: the notes printed by ecryptfs-migrate-home at the end of the migration]

Log Out and Log Back In as the Original User

After encrypting the home folder, we need to log out of our current session and log back in as our original user. To log out, click on the power icon on the top right corner of the screen and select Log Out. Make sure to NOT restart the machine. This is really important because restarting will cause problems with accessing your encrypted data.

After logging out, select your original user from the login screen and enter their password. You should now be logged in as your original user with an encrypted home folder.

Confirm Home Folder Encryption

To confirm that your home folder is encrypted, you can try to create a text file with some content in it and see if you can access it normally. For example, run the following commands in a terminal:

$ echo "Hello, world!" > ~/test.txt
$ cat ~/test.txt

You should see the output "Hello, world!" on the screen. This means that you have access to write and read data in your home folder.

Record Your Encryption Passphrase

One of the most important things to do after encrypting your home folder is to record your encryption passphrase. This is a secret key that is used to unlock your encrypted data. Without it, you will not be able to access your data if you forget your password or if your system fails.

To view your encryption passphrase, run the following command in a terminal:

$ sudo ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase

You will be asked to enter your login password. After that, you will see a long string of characters on the screen. This is your encryption passphrase. Remember to save it in a safe location such as a USB drive, a cloud storage service, or a piece of paper.

Encrypt Swap Space

If you have a swap partition set up on your system, it can also be encrypted using the ecryptfs-setup-swap command. Swap is a space on your disk that is used to store temporary data when your system runs out of memory. Encrypting swap can prevent someone from recovering sensitive data from it.

To encrypt swap, run the following command in a terminal:

$ sudo ecryptfs-setup-swap

This will disable the existing swap partition, create an encrypted swap file, and enable it. You may need to reboot your system for the changes to take effect.
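The test file in the Confirm Home Folder Encryption section shows that the home folder is usable, not that it is encrypted, and the swap step above gives no check at all. The script below is an added example and is not part of the gist: it reads /proc/mounts to confirm an ecryptfs file system is mounted at $HOME with filename encryption enabled, /proc/swaps to confirm every active swap area is a dm-crypt mapping rather than a raw partition, and /etc/crypttab to confirm the swap mapping is keyed from /dev/urandom (so its contents cannot be recovered after a reboot). Each check takes the table as text, so it can be exercised against the constructed samples embedded in the script. The user name alice, the UUID and the signature values are constructed; cryptswap1 is assumed to be the mapping name ecryptfs-setup-swap creates, so compare it with your own /etc/crypttab.

```shell
#!/bin/sh
# Added example, not part of the gist: verify that the home folder and swap are
# actually encrypted. Each check parses a table passed as a string argument so the
# logic can be run against constructed samples; run_live_checks() feeds it the
# real /proc files when VERIFY_LIVE=1 is set.

# 0 if an ecryptfs file system is mounted exactly at the directory given as $2.
home_is_ecryptfs() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $2 == d && $3 == "ecryptfs" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# 0 if that ecryptfs mount also carries the ecryptfs_fnek_sig option, i.e.
# file names are encrypted, not only file contents.
home_filenames_encrypted() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $2 == d && $3 == "ecryptfs" && index($4, "ecryptfs_fnek_sig=") > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# 0 if every active swap area listed in /proc/swaps is a device-mapper node
# (/dev/mapper/...); a raw partition such as /dev/sda3 means plaintext swap.
all_swap_encrypted() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                      # skip the header line
        NF == 0 { next }                      # skip blank lines
        { total++; if ($1 ~ /^\/dev\/mapper\//) enc++ }
        END { exit (total > 0 && enc == total) ? 0 : 1 }'
}

# 0 if /etc/crypttab maps the name given as $2 with a throw-away key read from
# /dev/urandom and the "swap" option; the key is never stored, so old swap
# contents are unrecoverable once the machine reboots.
crypttab_swap_random_key() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == n && $3 == "/dev/urandom" && $4 ~ /(^|,)swap(,|$)/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed samples (not captured from a real machine); field layout follows
# /proc/mounts, /proc/swaps and /etc/crypttab respectively. Signature and UUID
# values are placeholders.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/home/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=0123456789abcdef,ecryptfs_sig=fedcba9876543210,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

SAMPLE_SWAPS_OK='Filename   Type   Size   Used   Priority
/dev/mapper/cryptswap1   partition   2097148   0   -2'

SAMPLE_SWAPS_PLAIN='Filename   Type   Size   Used   Priority
/dev/sda3   partition   2097148   0   -2'

SAMPLE_CRYPTTAB='cryptswap1 UUID=00000000-0000-0000-0000-000000000000 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64,size=256'

# report LABEL CMD ARGS...: prints PASS or FAIL for one check.
report() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

# Runs every check against this machine's tables.
run_live_checks() {
    mounts=$(cat /proc/mounts)
    swaps=$(cat /proc/swaps)
    crypttab=$(cat /etc/crypttab 2>/dev/null)
    report "ecryptfs mounted at $HOME" home_is_ecryptfs "$mounts" "$HOME"
    report "file names encrypted at $HOME" home_filenames_encrypted "$mounts" "$HOME"
    report "all active swap is dm-crypt backed" all_swap_encrypted "$swaps"
    report "cryptswap1 keyed from /dev/urandom" crypttab_swap_random_key "$crypttab" cryptswap1
}

# Usage on the encrypted machine: VERIFY_LIVE=1 sh verify_encryption.sh
if [ "${VERIFY_LIVE:-0}" = 1 ]; then run_live_checks; fi
```

On a system set up as the gist describes, all four lines should read PASS. A FAIL on the file-name check means directory listings of the lower .Private tree would still reveal file names, and a FAIL on the swap checks means memory pages written to swap (which can include the very passphrase shown by ecryptfs-unwrap-passphrase) sit on disk in the clear.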

Clean Up

With the home folder and swap space successfully encrypted, we can remove the user and extra files we created for the encryption process.

To remove the user account we created earlier, run the following command:

$ sudo deluser --remove-home backup_user

This will delete the user and their home folder from the system.

Next, delete the temporary folder that was created when we originally ran the migration command. The folder location should be displayed after the encryption process. For example, it may look something like this:

/home/your_original_account_username.sikwr0Wp

To delete this folder, run the following command, replacing the folder name with yours:

$ sudo rm -Rf /home/your_original_account_username.sikwr0Wp

This will delete the folder and all its contents.

Congratulations!

You have successfully encrypted your home directory on Ubuntu 22.04. You can now enjoy the benefits of having more privacy and security for your personal data. Remember to keep your encryption passphrase safe and backup your data regularly.

I hope you found this blog post helpful and informative. If you have any questions or feedback,
