Encrypt user home with eCryptfs

Sun, Apr 11, 2021 02:00 CEST

Tags: Privacy, Security, Automation

We encrypt a user home directory with eCryptfs. The consequence is that the contents of this directory are only accessible if at least one of the following is true:

  • You know the user’s password.
  • The user is logged in* AND you have read permission to the user’s directory (if you are root for instance).

* or has processes surviving logout (for instance lingering services).

This may increase privacy, depending on how the system is used.

If the user home is not encrypted, it would suffice to be root (without the user necessarily being logged in). Note that being root on another system and mounting the partition hosting the user’s home suffices.

First, configure auto-mounting via PAM (once per system)


Add and lines to /etc/pam.d/system-auth so that it looks as follows:


auth       required                preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=2 default=ignore]          try_first_pass nullok
-auth      [success=1 default=ignore]
auth       [default=die]           authfail
auth       [success=1 default=ignore]    service = systemd-user quiet
auth       required                unwrap
auth       optional          
auth       required          
auth       required                authsucc
# If you drop the above call to the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]
account    required          
account    optional          
account    required          

password   optional          
-password  [success=1 default=ignore]
password   required                    try_first_pass nullok shadow
password   optional          

session    required          
session    required          
session    [success=1 default=ignore]    service = systemd-user quiet
session    optional                unwrap
session    optional          

According to the wiki, lines are a workaround. Maybe these will be useless in the future.

On the wiki, there are additional instructions on how to make auto-mounting work with su -l login.

Second, encrypt user home (once per user)


Make sure the user is logged out and owns no processes. The best way to achieve this is to log the user out, log into a console as the root user, and check that ps -U username returns no output. You also need to ensure that you have rsync, lsof, and which installed.

The package providing ecryptfs-migrate-home can be found via pacman -F ecryptfs-migrate-home.

modprobe ecryptfs
ecryptfs-migrate-home -u username

The user username MUST login before the next reboot for the migration to be complete. An unencrypted backup of /home/username can be found at /home/username.random_characters and SHOULD be deleted once the migration is confirmed to be complete.