eCryptfs to LUKS on an ext4 partition
Find if you have eCryptfs
Open a terminal by pressing Ctrl+Alt+T and enter:
df --type=ecryptfs
If you see an output like:
Filesystem 1K-blocks Used Available Use% Mounted on
/home/.ecryptfs/$USER/.Private 415321024 214784192 179416628 55% /home/$USER
Then you have your home folder encrypted by eCryptfs.
Background
LUKS encryption and eCryptfs work differently.
First, eCryptfs encrypts only the /home/$USER folder, whereas LUKS works at the partition level.
Second, the encrypted /home/$USER folder is unlocked when $USER logs in, whereas a LUKS partition asks for its passphrase every time you boot the computer. Once the /home partition is unlocked you can log in to your account with your login password as usual. That is, you will need two passwords. If your computer has other users, their "Home" folders will be encrypted as well, so every user of the computer must know the LUKS passphrase if they need to turn on the computer and use it in your absence. There is a way to save the passphrase in a file and let LUKS unlock the partition automatically at boot time, but that is not safe.
Third, your computer probably has only one partition, / (plus the swap), as is the case with most Ubuntu installations. There is no easy way to LUKS-encrypt this single-partition installation of Ubuntu. If you want to keep the single-partition setup, you may want to back up your data and reinstall Ubuntu, selecting the full disk encryption option while installing.
Finally, BACKUP! BACKUP!! BACKUP!!! The steps described below are very, very risky. It is likely that you will lose all your data, or that your Ubuntu installation will become unbootable.
Step 1: Create a new partition for /home
Step 1.1: Boot from live CD/USB
Use the "Try Ubuntu without installing" option.
Step 1.2: Identify the disks
Open GParted. I prefer GParted because it is visual and lets me "see" the drives and partitions. Click on the drop-down at the top right to see the list of drives. Go through the list and identify the drives you want to work with by their size and partition structure. You want to find the / partition on your internal hard drive that you are going to shrink.
Step 1.3: Shrink
Make sure you have selected the internal disk.
Select the / partition you want to shrink.
Drag the right edge of the partition leftward to resize/move it and make room for the new /home partition. Free up as much room as you want your new /home partition to have.
Press the "Apply" button in Gparted and wait.
If all goes well go to the next step. If you get an error, stop!
Step 1.4: Create new partition
Right-click on the unallocated space you created and select New. You will see the "Create New Partition" window. Make sure the file system says "ext4"; you can keep the rest as is.
Press the "Apply" button in Gparted and wait.
If all goes well go to the next step. If you get an error, stop!
Step 1.5: Reboot the computer to the internal hard disk
Step 2: Encrypt the new partition
Step 2.1: Find the identifying information about the new partition
Open a terminal by pressing Ctrl+Alt+T and enter:
sudo blkid
You will be prompted for your password. When you type the password nothing will show on the terminal. This is normal.
Copy and paste the output into a text file. Note the UUID as well as the partition name, like /dev/nvme0pX, where X is the number of the new partition.
Step 2.2: LUKS encrypt!
sudo cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/nvme0pX
You will be prompted to enter a passphrase. This passphrase will be needed every time you boot the computer to unlock the /home partition. Do not leave it blank.
The next two commands open the encrypted partition and format it to make it ready for data storage.
sudo cryptsetup luksOpen /dev/nvme0pX home
sudo mkfs.ext4 -m 0 /dev/mapper/home
Step 3: Temporarily mount and copy the contents of /home
Create a new folder to serve as the temporary mount point of the encrypted partition:
sudo mkdir /newhome
Mount the encrypted partition at /newhome:
sudo mount /dev/mapper/home /newhome
Make sure your "Home" folder is accessible (that is, unlocked and mounted, which is the case while you are logged in). If you have multiple users, each with an encrypted home folder, make sure all of their "Home" folders are accessible.
Copy the original home to /newhome:
sudo cp -a /home/* /newhome
Make sure all your files have been copied to /newhome and you can see them.
Remove the bits of the old encryption system that were copied into /newhome (the .Private and .ecryptfs entries in each user's home are only links into /home/.ecryptfs, which the copy above does not bring along):
sudo rm -rf /newhome/username/.Private /newhome/username/.ecryptfs
where username is your username. If this computer has multiple users with encrypted "Home" folders, you will have to do this for every user.
Step 4: Set up your newhome as home
Edit the file /etc/crypttab:
sudo nano /etc/crypttab
Add the line below, making sure the UUID is the one blkid reported for /dev/nvme0pX:
home UUID=AAA-BBB-CCC-DDDD-EEEEEEEE none luks,timeout=30
Press Ctrl+X followed by Y and Enter to save and exit nano.
Edit /etc/fstab with nano:
sudo nano /etc/fstab
and add the following line:
/dev/mapper/home /home ext4 nodev,nosuid,noatime 0 2
Press Ctrl+X followed by Y and Enter to save and exit nano.
Do not reboot your computer yet!
Step 5: Remove the old encrypted home and the old encryption program
sudo rm -rf /home/*
sudo apt remove ecryptfs-utils libecryptfs1
Note that the old /home folder itself should remain, empty, as it will be used as the mount point of the encrypted partition.
Step 6: Reboot
You will be prompted for your home partition passphrase before you can log in.
Hope this helps
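Before the reboot in Step 6, the /etc/crypttab and /etc/fstab lines from Step 4 can be cross-checked against the blkid UUID, since a typo or a pasted placeholder there leaves boot waiting for a mapping that never appears. The script below is an added example and not part of the original answer; it assumes the mapping is named home and mounted at /home as in Step 4, and it runs on constructed sample lines rather than the real files.

```shell
#!/bin/sh
# Pre-reboot sanity check for the Step 4 crypttab/fstab lines (added example).
# Functions take file contents as arguments; on a real system pass
# "$(cat /etc/crypttab)", "$(cat /etc/fstab)" and
# "$(sudo blkid -s UUID -o value /dev/nvme0pX)" instead of the samples.

# crypttab_uuid NAME CRYPTTAB_TEXT: print the UUID= value of mapping NAME
crypttab_uuid() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == name && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2; exit }'
}

# looks_like_uuid STRING: 0 if STRING has the 8-4-4-4-12 hex form, i.e. the
# AAA-BBB-CCC-DDDD-EEEEEEEE placeholder from the answer was not pasted as is
looks_like_uuid() {
    expr "$1" : '[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}$' >/dev/null
}

# fstab_has_mapping NAME MOUNTPOINT FSTAB_TEXT: 0 if an uncommented line
# mounts /dev/mapper/NAME at MOUNTPOINT
fstab_has_mapping() {
    printf '%s\n' "$3" | awk -v dev="/dev/mapper/$1" -v mp="$2" '
        $1 !~ /^#/ && $1 == dev && $2 == mp { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_home_setup NAME MOUNTPOINT EXPECTED_UUID CRYPTTAB_TEXT FSTAB_TEXT
# 0 = consistent, 1 = crypttab UUID missing or not the blkid UUID,
# 2 = crypttab UUID is not a real UUID, 3 = fstab line for the mapping missing
check_home_setup() {
    uuid=$(crypttab_uuid "$1" "$4")
    [ -n "$uuid" ] || return 1
    looks_like_uuid "$uuid" || return 2
    [ "$uuid" = "$3" ] || return 1
    fstab_has_mapping "$1" "$2" "$5" || return 3
}

# Constructed samples (not from a real machine) mirroring the Step 4 lines.
SAMPLE_UUID="3f1c2a7e-9b4d-4c6e-8a21-5d7e9f0b1c23"
SAMPLE_CRYPTTAB="home UUID=$SAMPLE_UUID none luks,timeout=30"
SAMPLE_FSTAB="/dev/mapper/home /home ext4 nodev,nosuid,noatime 0 2"

check_home_setup home /home "$SAMPLE_UUID" "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB"; rc=$?
if [ "$rc" -eq 0 ]; then
    echo "crypttab/fstab consistent: safe to proceed to the reboot in Step 6"
else
    echo "mismatch (code $rc): fix /etc/crypttab or /etc/fstab before rebooting"
fi
```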