Setting an existing user to have an encrypted home directory using encfs

When I installed openSUSE on my main computer, I forgot to encrypt it. I don’t want to re-install so I figured I would use encfs to encrypt my home directory as it’s better than nothing. I’ve found a setting in YAST’s to encrypt my home directory but don’t know what the directory size in MB is for. Can I set it 0 to use the entire partition?

Not sure about that question but warning setting directory for encryption will erase any data, back up set encrypt then copy data back

To encrypt or modify encrypted home directories of already existing users, you need to know the user’s current login password. By default, all existing user data is copied to the new encrypted home directory, but it is not deleted from the unencrypted directory.

From the openSUSE documentation. That said, I’d still take a backup before messing around with things like this, even though I have an auto backup every few hours as I’ve been bitten before. All the documentation I’m reading is just confusing me more rotfl!

That didn’t go too well.

Logged myself out and logged into a VT as root. Set up my users encrypted directory and rebooted. While I could log in to a terminal, I could no longer log in to a graphical session. I poked around a bit but ultimately removed the encryption. I could log in again and my data was intact.

I just found this SuSE blog entry. Would it work on Tumbleweed?

Well it much easier and over all more secure to do it at install using a encrypted LVM partition to hold the partitions.

For an encrypted home partition, you need to backup the entire partition. Then unmount “/home”, and setup encryption from the command line while logged in as root (at the command line). Alternatively, set it up from live media.

It is usually easier to do that during install.

For an encrypted home directory: The SUSE way is to allocate a large file as an encrypted container, and then mount the home directory from there. That’s why you need to give a directory size. You have to pre-allocate the space to the container.

The ubuntu way is to use “ecryptfs”. That’s what I would recommend for you. It is still possible with opensuse.

If you want to try that, then install “ecryptfs”. It might be called “ecryptfs-utils” or some similar name. By itself, that does not change anything. But it provides commands to setup what you want.

After installing, you will have a command “ecryptfs-migrate-home” which does what you want. There is a man page.

Before you try that, but after installing ecryptfs, run as root:

# pam-config -a --ecryptfs

That will make sure that you have the pam support to automatically unlock the encrypted directory during login.

And it might be a good idea to also do:

# modprobe ecryptfs

Otherwise the setup sometimes doesn’t work.

As an alternative, there is a command “ecryptfs-setup-private”. That creates an encrypted subdirectory “Private” inside your home directory. That’s what I am currently using. It is less disruptive, but it won’t encrypt everything. I use some symbolic links so that what I want encrypted is really inside “Private” though it has the appearance of being elsewhere.

I’m not sure if you need to do an “ecryptfs-setup-private” before using “ecryptfs-migrate-home”. The documentation is not clear on that.

In any case, I have used an encrypted home partition. I have used an “ecryptefs” private directory. I have used and “ecryptfs” encrypted home directory. They all work pretty well. I experimented with a SUSE style encrypted home directory, but did not much like it.

Well, that was easy. Thank you. I also encrypted the swap space with ecryptfs-setup-swap as I don’t hibernate computers. Along with /tmp mounted as tmpfs and needing a particular ssd card to boot that going to be good enough.

As a note for anyone else, you’ll find much more information when you realise it’s ECryptfs and not ENCryptfs.

Yes, encrypted swap is also a good idea with “ecryptfs” (or, also, without “ecryptfs”). I always use encrypted swap.

I’m glad you have it working.

Thank you for this help.
Still yet one problem : when the user logs out the directory is not unmounted and the directory is then accessible by root.

This is a known problem, caused by “systemd” (the way that “systemd” uses PAM). It has been reported upstream to the systemd people, but they refuse to own it.

If it is really important, then:

After logout from your desktop, login at the command line (maybe use CTRL-ALT-F1 for a command line).

cd /    ### so you are not in the encrypted directory
 ### repeat that ecryptfs-umount-private command until it unmounts

Where can i vote for this bug ?

Is it possible to put these commands in some directory like the one they had in .kde4/shutdown/ for the commands to run at shutdown ?

It is Bug 72759 at

Is it possible to put these commands in some directory like the one they had in .kde4/shutdown/ for the commands to run at shutdown ?

The equivalent for Plasma 5, is ~/.config/plasma-workspace/shutdown

I’m not sure whether it will work. Maybe I should try. I’m only using an “ecryptfs” private directory, so it might work for me. But if it is your home directory, then your shutdown script is in that directory tree which probably blocks the unmounting.

Ok, i won’t risk to have problems with such command.
Maybe there is a script to put somewhere with xdm at logout, but it’s quite uneasy to guess where it could be.