How to set up home dir encryption?

Asked by aspa

I'm having problems setting up encrypted home directories using EncFS on Ubuntu 9.04.
I've tried following the notes found in https://help.ubuntu.com/community/FolderEncryption but there are a few issues I haven't been able to solve. The following configuration tasks have been done:

- installed encfs and libpam-encfs packages
- configured /etc/pam.d/common-auth
- created a user and set up an encrypted home directory

Logging in to the system with the user with the encrypted home dir works but the screen doesn't unlock once it gets locked. When the password is entered in the dialog I see a message saying "Checking ..." and then there's a very long pause until the dialog asks for the password again. Another issue is that I can't get Update Manager to work. Update Manager asks for the admin password but after that nothing happens.

Has anyone successfully configured encrypted home directories with EncFS on Jaunty?

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: marcobra (Marco Braida)

Derek White (d-man97) said :
#1

Personally, I'd just encrypt either the entire drive (using the alternate CD and LVM) or just the ~/Private directory using ecryptfs-setup-private (from the ecryptfs-utils package). Is there a reason you need ALL ~/. directories encrypted? If you just want some of them (e.g. ~/.ssh or ~/.gnupg), then just set up the ~/Private directory, move the folders there, and create symbolic links for them.

See: https://help.ubuntu.com/community/EncryptedPrivateDirectory

That page also explains a few caveats that encrypting causes with the system. Maybe they can explain why you're having the problems you detailed.

aspa (marko-asplund) said :
#2

For performance as well as usability reasons I'd like to encrypt the user's home directory and not the whole volume (e.g. using LVM). I use the machine at work and we've a policy requiring that all the work-related files must be encrypted. To avoid compromising that policy by mistakenly placing files in the wrong directory I'd like to encrypt the contents of the entire home directory.

I used to be a Mac OS X user previously and I'm really missing a feature called FileVault from Mac OS X. It allows each user to encrypt their home directory with a single click without having to worry about it after that.

Since people are increasingly using laptops nowadays I think transparent file system encryption is something that Ubuntu should really provide to users.

Can I make a feature request for this somewhere?

Best marcobra (Marco Braida) (marcobra) said :
#3

Steve (stupendoussteve-deactivatedaccount) said :
#4

If you install from the Alternate CD and choose expert mode you can
turn on home directory encryption during the install process.

aspa (marko-asplund) said :
#5

Thanks for the pointers, guys.
IMHO, the fact that Ubuntu (Jaunty) currently has at least three different ways of encrypting (LVM, eCryptFS, EncFS) user file system data makes things very confusing for the users. The Wiki instructions don't make things much easier (FolderEncryption uses EncFS and EncryptedPrivateDirectory uses eCryptFS, some Wiki pages describe how to use LVM encryption, others TrueCrypt).

It seems that the simplest way to get the home directory encrypted in Jaunty is to create the user account using 'adduser --encrypt-home {myusername}'.
When I log out and check the user's home directory as root all the data seems to be encrypted.
Is this correct?

One problem I noticed though is that when I try to run Update Manager I get the following error:

"Failed to run /usr/sbin/synaptic '--hide-main-window' '--non-interactive' '--parent-window-id' '23068709' '--update-at-startup' as user root.

The underlying authorization mechanism (sudo) does not allow you to run this program. Contact the system administrator."

This doesn't seem to be a fully supported feature currently.

Are there any plans to make file system encryption available also for the non-technical Ubuntu user?

aspa (marko-asplund) said :
#6

It seems that the problem with Update Manager was due to me having forgotten to grant sudo permissions to the user after recreating the account.

aspa (marko-asplund) said :
#7

Thanks marcobra (Marco Braida), that solved my question.