4

I have certain folders in my Linux partition which I need to make sure no one can access unless they log in with my login password (or the root one).

I know that during installation I can encrypt with LUKS and I can encrypt certain folders with encfs / Truecrypt.

However, the encryption password is independent of the current user and root passwords, and unless I store it (which I guess would make it useless), I'd have to enter the password manually each time. Also, any program that accesses certain files on startup (e.g. Timeshift for boot backups) will fail.

Therefore I'm looking for a solution which allows me to encrypt the whole system (or only certain folders) post OS-installation which is dependent on user or root password and which

  • doesn't impact any application which has the permission to access those folders (at any time after login)
  • doesn't make it impossible or nearly impossible to recover the system should it fail (I read that even GRUB has issues if the partition is encrypted)
dragonmnl
  • That's the disadvantage of encrypting: it's only really safe if you do it while installing, and if it fails, it's sometimes hard to recover. You can reinstall Debian with full-disk encryption, or you can make an encrypted folder with eCryptfs. This allows you to map a certain encrypted directory to a plaintext directory. However, this isn't encrypted by default with your root password. You will need to manually unlock the drive (if you do it at boot, the key has to be stored somewhere, so vulnerable). Whatever you do, you will have to enter your password. – redfast00 Dec 21 '15 at 16:18
  • @redfast00 Have you actually used eCryptfs lately? It encrypts the user's whole home folder, or just a single folder also automatically if desired, using just the user login passphrase that's typed in once at login (as usual). Backups are extra important with encryption, but with just a few encrypted folders it wouldn't bother the rest of the system or grub – Xen2050 Dec 21 '15 at 16:49

1 Answer

4

You will need to use a different user than the account that you are setting up encryption for (this is primarily the 'root' user but could be any user who has access to 'sudo'). Do the following:

  • Install these packages: "apt-get install ecryptfs-utils cryptsetup"
  • Run the following using either root or a user with root privileges: "ecryptfs-migrate-home -u PutTheUserNameWhoYouAreEncryptingTheirHomeDirHere"
  • Lastly encrypt the swap by running: "ecryptfs-setup-swap"

Good luck :)

  • Thank you, and sorry for the late answer. Is this supposed to encrypt only the home directory, or can I use it to encrypt other directories (which are not home's subdirectories)? – dragonmnl Dec 28 '15 at 14:44
  • @dragonmnl The tool and instructions I gave you encrypt the user's home directory and all files and folders inside of it recursively. To answer your question: there are ways to encrypt the other directories, but the method I gave you isn't one of them and will not do so. – Nathaniel Suchy Dec 29 '15 at 17:37
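
The following is an added example, not part of the original answer or of ecryptfs-utils: a small shell script with checks to run before and after the "ecryptfs-migrate-home -u USER" step above. The function names, the process check used as a stand-in for "the user is logged out", and the sample mount table are assumptions of this example; the 2.5x free-space factor follows the requirement documented for the migration tool.

```shell
#!/bin/sh
# Added example: checks to run around "ecryptfs-migrate-home -u USER".
# Function names and the sample data are this example's own.

# The migration copies the home directory; its documentation asks for up to
# 2.5x the home size in free space. Args: home_kib free_kib.
has_enough_space() { [ $(( $2 * 2 )) -ge $(( $1 * 5 )) ]; }

# Conservative stand-in for "the user is logged out": no processes owned.
user_is_active() { pgrep -u "$1" >/dev/null 2>&1; }

# True if the mounts table (file $2, default /proc/mounts) shows an
# eCryptfs mount on directory $1.
ecryptfs_mounted_at() {
    awk -v mp="$1" '$2 == mp && $3 == "ecryptfs" { found = 1 }
                    END { exit !found }' "${2:-/proc/mounts}"
}

# Constructed sample in /proc/mounts format (not captured from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
}

# Pre-flight: must be root, target user idle, enough room for the copy.
preflight() {
    user=$1
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || { echo "no such user: $user" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root or via sudo" >&2; return 1; }
    if user_is_active "$user"; then
        echo "$user still owns processes; log them out first" >&2; return 1
    fi
    home_kib=$(du -sk "$home" | cut -f1)
    free_kib=$(df -Pk "$home" | awk 'NR == 2 { print $4 }')
    has_enough_space "$home_kib" "$free_kib" ||
        { echo "need 2.5x ${home_kib} KiB free, have ${free_kib}" >&2; return 1; }
    echo "ok: $user can be migrated"
}

# Usage: script preflight USER   |   script verify USER
case "${1:-}" in
    preflight) preflight "$2" ;;
    verify) ecryptfs_mounted_at "$(getent passwd "$2" | cut -d: -f6)" &&
            echo "home of $2 is an eCryptfs mount" ;;
esac
```

Run "verify" while the migrated user is logged in, since the encrypted home is only mounted during their session.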