Encrypt user home with eCryptfs
Sun, Apr 11, 2021 02:00 CEST
Tags: Privacy, Security, Automation
We encrypt a user home directory with eCryptfs. The consequence is that the contents of this directory are only accessible if at least one of the following is true:
- You know the user’s password.
- The user is logged in* AND you have read permission to the user’s directory (if you are root for instance).
* or has processes surviving logout (for instance lingering services).
This may increase privacy, depending on how the system is used.
If the user home is not encrypted, it would suffice to be root (without the user necessarily being logged in). Note that being root on another system and mounting the partition hosting the user’s home suffices.
First, configure auto-mounting via PAM (once per system)
pam_ecryptfs.so lines to
so that it looks as follows:
#%PAM-1.0 auth required pam_faillock.so preauth # Optionally use requisite above if you do not want to prompt for the password # on locked accounts. auth [success=2 default=ignore] pam_unix.so try_first_pass nullok -auth [success=1 default=ignore] pam_systemd_home.so auth [default=die] pam_faillock.so authfail auth [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet auth required pam_ecryptfs.so unwrap auth optional pam_permit.so auth required pam_env.so auth required pam_faillock.so authsucc # If you drop the above call to pam_faillock.so the lock will be done also # on non-consecutive authentication failures. -account [success=1 default=ignore] pam_systemd_home.so account required pam_unix.so account optional pam_permit.so account required pam_time.so password optional pam_ecryptfs.so -password [success=1 default=ignore] pam_systemd_home.so password required pam_unix.so try_first_pass nullok shadow password optional pam_permit.so session required pam_limits.so session required pam_unix.so session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet session optional pam_ecryptfs.so unwrap session optional pam_permit.so
According to the wiki,
pam_succeed_if.solines are a workaround. Maybe these will be useless in the future.
On the wiki, there are additional instructions on how to make auto-mounting
su -l login.
Second, encrypt user home (once per user)
Make sure the user is logged out and owns no processes. The best way to achieve this is to log the user out, log into a console as the root user, and check that
ps -U usernamereturns no output. You also need to ensure that you have
The package providing
ecryptfs-migrate-homecan be found via
pacman -F ecryptfs-migrate-home.
modprobe ecryptfs ecryptfs-migrate-home -u username
username MUST login before the next reboot for the migration to be
complete. An unencrypted backup of
/home/username can be found at
/home/username.random_characters and SHOULD be deleted once the migration is
confirmed to be complete.