How to Encrypt /home on Ubuntu 18.04?

18.04 encryption home-directory

Update 2020-02

I'm running multiple encrypted homes with fscrypt. Install your system without encryption and use this guide to implement fscrypt on your home.

The API to fscrypt might change in the future, so make sure to back up your important files if you attempt to upgrade your system.

(This feature is not widely used on Desktop. Use at your own risk.)

Update 2018-11

TL:DR; You can try fscrypt in Ubuntu 18.10+ or Linux Mint 19.1+

Looks like this was finally fixed. Here's a pre-emptive guide: http://tlbdk.github.io/ubuntu/2018/10/22/fscrypt.html

I'm not quoting instructions here because it does require some hacks and you can end up losing your home data.

Warning: A warning from user @dpg: "BE CAREFUL:I followed instructions from that "pre-emptive guide" (did it under tty), and got infinite login loop."

Consider this guide for educational purposes only.

Next is my original answer:

Original Answer 2018-05

TL;DR: Use classic home encryption with Linux Mint 19 Tara.

fscrypt for home encryption is still broken.

How do I setup fscrypt to encrypt my /home directory and decrypt when I log in?

This is something a lot of us want. It appears the Ubuntu team couldn't get ecryptfs to work bug-free on Ubuntu 18.04, and couldn't fix the bugs in fscrypt for a home-encryption option in time for the scheduled Ubuntu 18.04 release either.

For fscrypt, is at least one critical bug that makes it unusable for home encryption at the moment:

  • fscrypt/issues/77

Furthermore, we'd need a transparent way of authenticating/unlocking before it's a realistic alternative to the "old" ecryptfs-type home encryption. This is tracked here:

  • fscrypt/issues/95

With these issues open, you can consider home encryption broken at this point. With that, my colleagues and I consider Ubuntu 18.04 18.04.1 unfinished at the moment, and hope that home-encryption will be brought back (using the new and much better fscrypt method) in Ubuntu 18.04.1 18.04.2.

Until such time, we're sticking with Ubuntu 16.04. We have switched all our machines to Linux Mint 19 Tara with the classic home encryption using ecryptfs. Read the "known issues" section in the Release Notes for Linux Mint 19 Tara about the ecryptfs limitations, and see if this is acceptable to you:

(...) please be aware that in Mint 19 and newer releases, your encrypted home directory is no longer unmounted on logout.

If you have tried fscrypt and found it to be broken for your usage, you can vote "this bug affects me too" at the following launchpad bug:

  • ubuntu/fscrypt/+bug/1768340

Note that fscrypt/ext4-crypt (future "encrypt home") is the fastest option, and ecryptfs (old "encrypt home") is the slowest option. LUKS ("encrypt entire drive") is in the middle.

For this reason, entire disk encryption is 'conveniently' recommended. Because if you have very big projects with many small files, use revision management a lot, make big compiles, etcetera, you'll find that the overkill of encrypting your entire drive is actually worth it compared to the slowness of the old ecryptfs-type home encryption.

In the end, encrypting the entire drive has multiple drawbacks:

  • Guest account
  • Family laptop with private accounts
  • Using PREY-like anti-theft software

It's puzzling that Canonical decided that "we don't need this anymore" on their LTS version, which has come to be known as their more "serious" distribution.


From Panther's answer here Full disk encryption encrypts everything including /home while encrypting only a specific dir such as /home is only encypted when you not logged in.

To encrypting an existing users home dir:

  • First logout of that account and log into an admin account.

  • Install the encryption utilities for the job:

    sudo apt install ecryptfs-utils cryptsetup

    from that launchpad bug ecryptfs-utils is now in the universe repo.

  • Migrate the home folder of that user:

    sudo ecryptfs-migrate-home -u <user>

    followed by user password of that account

  • Logout and login into the encrypted users account before a reboot to complete the encryption process.

  • Inside the account print and record the recovery passphrase:

    ecryptfs-unwrap-passphrase

You can now reboot and login. Once you are satisfied you can delete the backup home folder.

Also, if you want to create a new user with encrypted home dir:

sudo adduser --encrypt-home <user>

For more info: man ecryptfs-migrate-home, man ecryptfs-setup-private.

Related

How do I modify my PATH so that the changes are available in every Terminal session
Why are scripts in /etc/profile.d/ being ignored (system-wide bash aliases)?
How to make my own Dropbox / Ubuntu One server at home?
How to add display resolution for an LCD in Ubuntu 12.04? xrandr problem
Easiest way to setup Ubuntu as a VPN server
Dual boot but only Windows boots
BIOS/UEFI Template Image for Booting ISO Files
Creating additional Virtual Host Ubuntu Server
Dell Inspiron 7347 - Inactive cursor with my touchpad on UBUNTU 14.04
Make an Ubuntu bootable USB drive for a PC using Mac?
Anbox snap installation fails
How to access Advanced Options in GRUB?