eCryptfs to LUKS on an ext4 partition

Find out if you have eCryptfs

Open a terminal by pressing Ctrl+Alt+T and enter:

df --type=ecryptfs

If you see output like:

Filesystem                     1K-blocks Used      Available  Use%   Mounted on
/home/.ecryptfs/$USER/.Private 415321024 214784192 179416628   55%   /home/$USER

then your home folder is encrypted with eCryptfs.

Background

LUKS encryption and eCryptfs work differently.

First, eCryptfs encrypts the /home/$USER folder, whereas LUKS works at the partition level.

Second, the encrypted /home/$USER folder is unlocked when $USER logs in. A LUKS-encrypted partition instead asks for a passphrase every time you boot the computer. Once the /home partition is unlocked you can log in to your account with your login password as usual; that is, you will need two passwords. If your computer has other users, their "Home" folders will be encrypted as well, so every user of the computer must know the LUKS passphrase if they need to turn on the computer and use it in your absence. There is a way to save the passphrase in a file and let LUKS unlock the partition automatically at boot time, but that is not safe.

Third, your computer has only one partition, / (plus swap), as is the case with most Ubuntu installations. There is no easy way to LUKS-encrypt such a single-partition installation of Ubuntu. If you want to keep the single-partition setup, you may want to back up your data and reinstall Ubuntu, selecting the full disk encryption option during installation.

Finally, BACKUP! BACKUP!! BACKUP!!! The steps described below are very, very risky. It is likely that you will lose all your data, or that your Ubuntu installation will become unbootable.

Step 1: Create a new partition for /home

Step 1.1: Boot from live CD/USB

Use the "Try Ubuntu without installing" option.

Step 1.2: Identify the disks

Open GParted. I prefer GParted because it is visual and lets me "see" the drives and partitions. Click the drop-down at the top right to see the list of drives. Go through the list and identify the drive you want to work with by its size and partition structure: you want the / partition on your internal hard drive, which is the one you are going to shrink.

Step 1.3: Shrink

Make sure you have selected the internal disk.

Select the / partition you want to shrink.

Drag the right edge of the partition leftward to shrink it and make room for the new /home partition. Free as much space as you want the new /home partition to have.

Press the "Apply" button in Gparted and wait.

If all goes well go to the next step. If you get an error, stop!

Step 1.4: Create the new partition

Right-click the unallocated space you created and select New. In the "Create new Partition" window, make sure the file system is "ext4"; the rest can stay as is.

Press the "Apply" button in Gparted and wait.

If all goes well go to the next step. If you get an error, stop!

Step 1.5: Reboot the computer from the internal hard disk

Step 2: Encrypt the new partition

Step 2.1: Find the identifying information about the new partition

Open a terminal by pressing Ctrl+Alt+T and enter:

sudo blkid

You will be prompted for your password. When you type the password nothing will show on the terminal. This is normal.

Copy and paste the output into a text file. Note the UUID as well as the partition name, such as /dev/nvme0pX, where X is the number of the new partition.

Step 2.2: LUKS encrypt!

sudo cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/nvme0pX

You will be prompted to enter a passphrase. This passphrase will be needed every time you boot the computer, to unlock the /home partition. Do not leave it blank.

The next two commands open the encrypted partition and format it to make it ready for data storage.

sudo cryptsetup luksOpen /dev/nvme0pX home
sudo mkfs.ext4 -m 0 /dev/mapper/home

Step 3: Temporarily mount and copy the contents of /home

Create a new folder to serve as the temporary mount point for the encrypted partition:

sudo mkdir /newhome

Mount the encrypted partition on /newhome:

sudo mount /dev/mapper/home /newhome

Make sure your "Home" folder is accessible, that is, you are logged in and your eCryptfs home is unlocked. If you have multiple users, each with an encrypted home folder, make sure all of their "Home" folders are accessible.

Copy the original home folders to /newhome:

sudo cp -a /home/* /newhome

Make sure all your files have been copied to /newhome and you can see them.

Remove the bits of the old encryption system that were copied into /newhome:

sudo rm -rf /newhome/username/Private /newhome/username/.ecryptfs

where username is your username. If this computer has multiple users with encrypted "Home" folders, you will have to do this for every user.

Step 4: Set up newhome as home

Edit the file /etc/crypttab:

sudo nano /etc/crypttab

Add the line below, making sure the UUID is the one blkid reported for /dev/nvme0pX:

home UUID=AAA-BBB-CCC-DDDD-EEEEEEEE none luks,timeout=30

Press Ctrl+X followed by Y and Enter to save and exit nano.

Edit /etc/fstab with nano:

sudo nano /etc/fstab

and add the following line:

/dev/mapper/home  /home ext4 nodev,nosuid,noatime        0       2

Press Ctrl+X followed by Y and Enter to save and exit nano.

Do not reboot your computer yet!

Step 5: Remove the old encrypted home and old encryption program

sudo rm -rf /home/*
sudo apt remove ecryptfs-utils libecryptfs1

Note that the old /home folder itself should remain, and be empty, as it will be used as the mount point of the encrypted partition.
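Before rebooting it is worth confirming that the two lines written in Step 4 agree with each other and with the partition's UUID, because a typo there leaves the system unable to mount /home at boot. The POSIX shell check below is an added example, not part of the original answer; it assumes the mapper name home and mount point /home used above, and here it runs against constructed sample files standing in for the real /etc/crypttab and /etc/fstab.

```shell
#!/bin/sh
# Added pre-reboot sanity check (not part of the original answer): confirms that
# the /etc/crypttab and /etc/fstab lines written in Step 4 agree with each other
# and with the UUID that blkid reported for the new partition.
# On the real system, call it as:
#   check_home_mapping "$(sudo blkid -s UUID -o value /dev/nvme0pX)" /etc/crypttab /etc/fstab
# Exit status 0 means every check passed; each failure prints one line to stderr.

check_home_mapping() {
    uuid=$1; crypttab=$2; fstab=$3; rc=0

    # crypttab fields: <mapper name> <source> <key file> <options>
    entry=$(awk -v want="UUID=$uuid" '$1 == "home" && $2 == want { print; exit }' "$crypttab")
    if [ -z "$entry" ]; then
        echo "crypttab: no 'home' line whose source is UUID=$uuid" >&2; rc=1
    else
        set -- $entry
        # A real key file here would store the unlock secret on disk (the unsafe
        # shortcut the Background section warns about); 'none' means prompt at boot.
        case "$3" in none|-) ;; *) echo "crypttab: key file '$3' set, expected none" >&2; rc=1 ;; esac
        case ",$4," in *,luks,*) ;; *) echo "crypttab: 'luks' option missing" >&2; rc=1 ;; esac
    fi

    # fstab fields: <device> <mount point> <type> <options> <dump> <pass>
    line=$(awk '$1 == "/dev/mapper/home" && $2 == "/home" { print; exit }' "$fstab")
    if [ -z "$line" ]; then
        echo "fstab: /dev/mapper/home is not mounted on /home" >&2; rc=1
    else
        set -- $line
        [ "$3" = ext4 ] || { echo "fstab: type is '$3', expected ext4" >&2; rc=1; }
    fi
    return $rc
}

# Constructed sample files standing in for /etc/crypttab and /etc/fstab
# (placeholder UUID as in the answer). Prints the directory that holds them.
make_sample_files() {
    dir=$(mktemp -d)
    printf 'home UUID=AAA-BBB-CCC-DDDD-EEEEEEEE none luks,timeout=30\n' > "$dir/crypttab"
    printf '/dev/mapper/home  /home ext4 nodev,nosuid,noatime 0 2\n' > "$dir/fstab"
    echo "$dir"
}

if [ "${1:-}" = demo ]; then
    d=$(make_sample_files)
    check_home_mapping AAA-BBB-CCC-DDDD-EEEEEEEE "$d/crypttab" "$d/fstab" && echo "sample config OK"
    check_home_mapping 0000-WRONG "$d/crypttab" "$d/fstab" || echo "mismatched UUID detected"
fi
```

Run it with the argument demo to see both the passing and the failing case on the sample files.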

Step 6: Reboot

You will be prompted for your home partition passphrase before you can log in.

Hope this helps