Enable disk encryption after installation
If you want to enable encryption of your home folder you will need to install and use these packages: ecryptfs-utils and cryptsetup. Also you will need another user account with administrator (sudo) privileges. The full documentation is here:
- How to Encrypt Your Home Folder After Installing Ubuntu
If you want to enable full disk encryption after installation, the short answer for now is probably: no, you can't. Anyway, if you are interested in this, your question is a duplicate of:
- Is there a way to do full disk encryption after the install?
- Full disk encryption
Follow-up question: what are the upsides and downsides of full disk vs. just /home?
Encryption in /home is done using a user space filesystem called ecryptfs. It is very well done and tightly knitted into the default auth system so that you'll have zero usability drawbacks: when you enter your account (either from a remote shell or from the default login screen) your password is used to unwrap a secure key, which is then used to encrypt/decrypt your files in your home directory on the fly (the mounted filesystem will reside directly in /home/username).
When you log out, /home/username is unmounted and only the encrypted files remain visible in the system (usually in /home/.ecryptfs/username/.Private/). They look like a bunch of scrambled/random files since filenames are encrypted as well. The only information leak is: filesize, timestamps and number of files (with full disk encryption these are hidden as well).
If your system is to be shared between multiple users, this is a very nice feature to have even if you decide to add full disk encryption along with this: the safety of full disk encryption is off when the machine is up and running, while home (ecryptfs) encryption is on as long as you're logged out.
So, full disk encryption and home encryption are not necessarily mutually exclusive.
Here's a list of possible set-ups, depending on different security needs:
- FULL DISK ENCRYPTION ONLY: If you're the only one using your computer and your machine can handle the overhead of full disk encryption (all modern desktops can do that without the user noticing, netbooks and old laptops not so much) you can use full disk encryption and put home in the same partition as your OS (/).
- FULL DISK ENCRYPTION AND HOME ECRYPTFS ENCRYPTION: If you're worried about your private data being read while your PC is on or you share your computer with other users, then you could have home in a different partition from / and use ecryptfs along with full disk encryption (that is, encryption of / through LUKS).
- HOME ECRYPTFS ENCRYPTION ONLY: If you're not too worried about someone tampering with your system while you're away but you still like to keep your private data safe, then skip the full disk encryption and just use ecryptfs (encryption of home). An added bonus of this scenario is that this is quite easy to set up even after you've installed Ubuntu, by just using ecryptfs-migrate-home. Also, this has been the default Ubuntu setup before it changed a few releases back, adding the possibility of full disk encryption. Since most modern desktops can handle full disk encryption without a sweat and it adds a thin layer of security against off-line code injection, full disk encryption was added into the installer. Notice though that for most users just encrypting their home with ecryptfs will be enough for their needs: keeping their friends and the common laptop thieves off their private data. Besides, if you've been singularly targeted by an organization with the right means, having full disk encryption or just home encryption will not make much of a difference unless you've also established a lot of other paranoid behaviors (like: keeping the kernel in a separate pen-drive which is always on you; constantly checking for hardware tampering/keyloggers and so on).
If I didn't enable disk encryption during installation, is there any way to enable it post facto?
Yes, and it's going to be easier if you're currently using LVM and have enough space on your system to copy all of your unencrypted system files into an encrypted LUKS partition. I'm not going into the details at the moment because I don't know if you're using LVM and if you'd rather not just use ecryptfs for now and skip the hassle of full disk encryption until the next fresh installation.
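
Added example (not part of the original answers): a shell check for the ecryptfs behaviour described above, reporting per user whether the home directory is unencrypted, encrypted and locked (only /home/.ecryptfs/username/.Private on disk), or currently mounted in plaintext at /home/username. The function names and the HOME_ROOT and MOUNTS_FILE variables are assumptions introduced for this example.

```shell
#!/bin/sh
# Added example: report the ecryptfs state of home directories.
# HOME_ROOT and MOUNTS_FILE are hypothetical overrides so the check can be
# pointed at a test tree; the defaults match the paths named on this page.
HOME_ROOT="${HOME_ROOT:-/home}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Prints one of:
#   unencrypted  no $HOME_ROOT/.ecryptfs/<user>/.Private store exists
#   locked       the encrypted store exists, nothing is mounted over the home
#   unlocked     an ecryptfs mount is active on $HOME_ROOT/<user>, so the
#                plaintext is readable for as long as the session lasts
ecryptfs_home_state() {
    user="$1"
    # Reject names that could escape HOME_ROOT.
    case "$user" in
        ''|*/*|.|..) echo "invalid"; return 2 ;;
    esac
    store="$HOME_ROOT/.ecryptfs/$user/.Private"
    target="$HOME_ROOT/$user"
    # Mount table fields: device, mount point, filesystem type, options.
    if awk -v t="$target" \
        '$2 == t && $3 == "ecryptfs" { found = 1 } END { exit !found }' \
        "$MOUNTS_FILE"; then
        echo "unlocked"
    elif [ -d "$store" ]; then
        echo "locked"
    else
        echo "unencrypted"
    fi
}

# One line per user that has an encrypted store: "<user> <state>".
audit_ecryptfs_homes() {
    for dir in "$HOME_ROOT"/.ecryptfs/*/; do
        [ -d "$dir" ] || continue      # glob matched nothing
        user=$(basename "$dir")
        printf '%s %s\n' "$user" "$(ecryptfs_home_state "$user")"
    done
}
```

Source the file and call audit_ecryptfs_homes with enough privilege to read /home/.ecryptfs; on a shared machine, any user reported as unlocked has plaintext exposed even when full disk encryption is also in use.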