Encrypt my /home/user folder after installation - Please review my action plan

Hello, I recently set up my daily driver laptop to dual-boot with OpenSUSE. During the install I chose to not encrypt my drive based on some Google searches that made me think btrfs snapshots might not work with encryption or that there might be some issues with GRUB2 and broken installs.

I would like some kind of encryption. Mainly I would like my /home/user folder to be encrypted, and if I can’t do that the /home/user/Documents folder specifically would be a suitable alternative. I did not set up a swap partition, I may add a swap-file later but right now I’m not sure I need one (I have 32 GB RAM).

I’ve been doing research, including trying to find info on this forum and I think I have what I need to do. I’m not just doing it because there’s a lot of old info on here and I want to make sure I have the current way of doing things before I go and potentially bork a system up that I’m really enjoying. I already installed ecryptfs-utils.

  1. Copy contents of /home/myuser to a backup location.

  2. cp -rp /home/myuser /tmp/myuserbackup
    – is this correct use of cp command to recursively copy and preserve owner / permissions? Should I add any other options?
    – I’m putting in /tmp/myuserbackup because I’m worried if I go to an external drive it’ll lose owner / permissions

  3. reboot and do not log in to SDDM / KDE. Instead switch to a terminal (CTRL-ALT-F1 correct?)

  4. login as root

  5. run ecryptfs-migrate-home -u myuser

  6. enjoy my user’s /home drive being encrypted and seamless integration with the OS?

So is that it? I don’t know what questions I may get asked, how the encryption will work (will it be tied to my login, or will I need to enter a second passphrase? I hope no second passphrase). I also read somewhere that it may make my old /home/myuser folder something like /home/myuser. and keep the unencrypted copy. If that’s the case, is it safe to just delete /home/myuser. once I’ve confirmed the encryption is working as planned or are there links / etc. I need to worry about?

If you are familiar with using these tools can you help review my action plan and see if it’s sound? I know I could probably reinstall but man I just got everything set up just right!

Thank you!

I currently use “ecryptfs”, but for a “Private” subdirectory instead of the entire home directory. In the past, I have used it with an encrypted home directory, but I set that up manually instead of using “ecryptfs-migrate-home”.

What you describe seems about right.

Yes, the encryption is tied to your login password. It is best to not use auto-login. When you login with a password, that provides the password for handling the encryption.

You might only need to encrypt a Private subdirectory. It’s easier to do that, because the subdirectory will start out empty. You can then recursively copy “Documents” to “Private”. When you are satisfied that this is done appropriately:

rm -rf Documents ### remove the unencrypted version
ln -s Private/Documents  .

The software will follow the symbolic link to access the encrypted “Documents”. You can do the same with other sensitive data.
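An added example (not part of the post above) of the same move with two guards: it refuses to copy unless ~/Private is an active eCryptfs mount, and it only deletes the plain copy after the encrypted copy compares equal. The function names and the optional mounts-file argument are assumptions made for illustration.

```bash
#!/bin/bash
# Added example; function names are hypothetical, not from ecryptfs-utils.

# Return 0 if $1 is an active eCryptfs mount point according to the mounts
# table in $2 (default /proc/mounts). Paths containing spaces are escaped
# as \040 in that table and are not handled here.
is_ecryptfs_mounted() {
    local dir mounts="${2:-/proc/mounts}"
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    awk -v d="$dir" '$2 == d && $3 == "ecryptfs" { found = 1 }
                     END { exit !found }' "$mounts"
}

# Move $1/Documents into $1/Private and leave a relative symlink behind.
# Nothing is deleted unless Private is mounted and the copy verifies.
move_documents_into_private() {
    local home="$1" mounts="${2:-/proc/mounts}"
    local src="$home/Documents" dst="$home/Private/Documents"

    [ -d "$src" ] && [ ! -L "$src" ] \
        || { echo "no plain Documents directory to move" >&2; return 2; }
    is_ecryptfs_mounted "$home/Private" "$mounts" \
        || { echo "Private is not an eCryptfs mount; nothing copied" >&2; return 3; }
    [ ! -e "$dst" ] || { echo "$dst already exists" >&2; return 4; }

    cp -a "$src" "$dst" || return 5       # -a keeps owner, mode, times, links
    diff -r "$src" "$dst" >/dev/null \
        || { echo "copy differs from source; original kept" >&2; return 6; }

    rm -rf "$src"                          # remove the unencrypted version
    ln -s Private/Documents "$src"         # relative link, as in the post
}
```

Deleting the plain directory does not wipe its blocks from the disk, and any existing filesystem snapshot that includes it still holds the unencrypted files.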

Well I got scared and wanted to try having a ~/private folder. So I found in the KDE Launcher an app called “Setup Your Encrypted Private Directory”. I clicked and it opened a command window. It asked for my user passphrase, and I entered it. Then it asked to make an encryption passphrase or click enter to make one for me. I clicked enter. It didn’t tell me what it is so I assume that means the OS is handling it?

Anyway, it made a ~/Private folder with a README.txt and a link something like “Click here to mount private.desktop”. I executed it and those two files disappeared. I assume the ~/Private encrypted folder is now mounted? I’m not really sure what’s going on behind the scenes and I can’t seem to find documentation for this feature online.

Anyway I’m trying to figure out how to work with this, and test it. So I tried ecryptfs-umount-private and it says:

fopen: No such file or directory
Cannot chdir into mountpoint.

I confirmed the ~/Private directory does exist. In all fairness it may have been there before? Am I even looking in the right spot? Well I decided to try and mount it from the CLI and issued an ecryptfs-mount-private and it says ERROR: Encrypted private directory is not setup properly

What did I do wrong? How do I undo it, and how do I do it properly?

Thanks!

EDIT: I was poking around and I also see a ~/.Private folder too with a ECRYPTFS_… file in it if that helps

Remember that Linux is case sensitive.

No experience doing it so, but better use rsync. Take some time to dig up the correct parameters and save them in some script. From now on that is also your backup script :wink:

I would instead boot from a USB stick and do the required changes from there.

Do you have a separate home partition/drive?

I do think btrfs does not make too much sense for a home partition.
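An added example (not part of any post in this thread) for the backup step discussed above: before copying, it checks that the destination is neither a tmpfs, whose contents do not survive a reboot, nor a FAT/NTFS-type filesystem that cannot store Unix ownership, and afterwards it compares owner, group and mode of both trees. It uses `cp -a` instead of rsync so that it needs only coreutils and findutils; the function names and sample paths are assumptions.

```bash
#!/bin/bash
# Added example; function names and sample paths are assumptions.

# Classify a backup destination by the filesystem it lives on, using the
# mounts table in $2 (default /proc/mounts). Longest matching mount wins.
#   volatile      tmpfs/ramfs: contents are gone after a reboot
#   no-unix-meta  vfat/exfat/ntfs: Unix owner and mode bits are not stored
#   ok            anything else
classify_backup_target() {
    local path="$1" mounts="${2:-/proc/mounts}"
    awk -v p="$path" '
        { mp = $2; n = length(mp)
          if (mp == "/" || p == mp || substr(p, 1, n + 1) == (mp "/"))
              if (n >= best) { best = n; fs = $3 } }
        END {
          if (fs ~ /^(tmpfs|ramfs)$/) print "volatile"
          else if (fs ~ /^(vfat|exfat|msdos|ntfs|ntfs3)$/) print "no-unix-meta"
          else print "ok" }' "$mounts"
}

# One line per entry: uid, gid, octal mode, file type, relative path.
tree_metadata() {
    (cd "$1" && find . -exec stat -c '%u %g %a %F %n' {} + | sort)
}

# Copy $1 to $2 with cp -a (recursive; preserves owner, mode, timestamps,
# links and extended attributes), then verify owner and mode on the copy.
backup_home() {
    local src="$1" dst="$2" mounts="${3:-/proc/mounts}" kind
    kind=$(classify_backup_target "$dst" "$mounts")
    [ "$kind" = ok ] \
        || { echo "refusing: $dst is on a $kind filesystem" >&2; return 3; }
    [ ! -e "$dst" ] || { echo "refusing: $dst already exists" >&2; return 4; }
    cp -a "$src" "$dst" || return 5
    [ "$(tree_metadata "$src")" = "$(tree_metadata "$dst")" ] \
        || { echo "owner/mode mismatch after copy" >&2; return 6; }
}
```

Run `classify_backup_target /tmp/myuserbackup` on the real system first: if it prints `volatile`, a backup placed there is lost by the reboot in the plan.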

To add to this for future reference:

I’ve rebooted and everything seems to work. I logged in from the terminal as root and when I went to /home/myuser/Private I saw some “Access-your-encrypted-data” and “README.txt” links to /usr… So, from the terminal I was unable to access the data.

I then logged into SDDM using my user account and sure enough the data was there in ~/Private (and corresponding ENCRYPT-gibberish files in the ~/.Private folder). SOOO - I think it works.

  • ONE POTENTIALLY PROBLEMATIC ISSUE?

I wanted to type this post to add for anyone else looking for answers so they could see what I did and that it worked. I forgot the names of the files so while I was logged into SDDM I went to a terminal (CTRL-ALT-F1) and repeated the root login. When I went to /home/myuser/Private I was able to view my encrypted data. Is this normal behavior? When a user is logged in the files get decrypted so root can view them? I am in control of this hardware so not a big issue for me, but this would make me think twice about trusting encryption as a “regular” user.

ANYWAY - for the record the steps I went through get you encrypted files. But, once you’re logged in they are decrypted for anyone (root? hacker?) who could get access. Maybe there’s no way around it.

Yes, the root user can see your encrypted files, once you are logged in.

If you are using eCryptfs - yes, it is. It is by design and documented in eCryptfs FAQ.

You may consider looking at native kernel filesystem encryption (fscrypt). It requires filesystem support though, I believe today only ext4 supports it among the general purpose filesystems. My understanding is that with fscrypt the key is stored in a per-user kernel keyring and so should not be accessible to other users, although as usual root may be an exception.

I was mistaken. It is the same - once the directory is unlocked, any user can access its content (subject to file permissions of course).
