Ubuntu offers to encrypt your home folder during installation. If you decline the encryption and change your mind later, you don’t have to reinstall Ubuntu. You can activate the encryption with a few terminal commands.
Ubuntu uses eCryptfs for encryption. When you log in, your home directory is automatically decrypted with your password. While there is a performance penalty to encryption, it can keep private data confidential, particularly on laptops that may be stolen.
Before doing any of this, you should ensure you have a backup of your home directory and important files. The migration command will create a backup on your computer, but it’s important to have an additional backup – just in case.
First, install the encryption utilities:
sudo apt-get install ecryptfs-utils cryptsetup
You’ll have to encrypt your home directory while you’re not logged in. This means that you’ll need another user account with administrator (sudo) privileges – you can create one from Ubuntu’s User Accounts window. To open it, click your name on the panel and select User Accounts.
Create a new user account and make it an administrator.
Set a password by clicking the password box. The account is disabled until you apply a password.
After creating the user account, log out of your desktop.
Migrating Your Home Folder
Select your new, temporary user account on the login screen and log in with it.
Run the following command to encrypt your home directory, replacing user with the name of your user account:
sudo ecryptfs-migrate-home -u user
You’ll have to provide your user account’s password. After you do, your home directory will be encrypted and you’ll be presented with some important notes. In summary, the notes say:
- You must log in as the other user account immediately – before a reboot!
- A copy of your original home directory was made. You can restore the backup directory if you lose access to your files.
- You should generate and record a recovery phrase.
- You should encrypt your swap partition, too.
Log out and log back in as your original user account. Do not reboot your system before logging back in!
After you log in, click the Run this action now button to create a recovery passphrase. Keep this passphrase somewhere safe – you’ll need it if you have to manually recover your files in the future.
You can run the ecryptfs-unwrap-passphrase command to view this passphrase at any time.
Encrypting the Swap Partition
When you set up an encrypted home directory while installing Ubuntu, your swap partition is also encrypted. After setting up home directory encryption, you’ll also want to set up swap encryption. To do so, run the following command in a terminal:
Note that an encrypted swap won’t work properly with Ubuntu’s hibernate feature – which is disabled by default, anyway.
After restarting your system once or twice and verifying everything works properly, you can clean everything up. In addition to deleting the user account, you can remove the backup home folder located in your system’s /home directory.
You’ll have to remove the backup directory from a terminal with a command like the following one. Be very careful when using this command – you could accidentally delete your real home folder or another important system directory if you type the directory name wrong:
sudo rm -rf /home/user.random
Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.
- Published 06/8/12