Thursday, September 19, 2024

How to Encrypt Your Home Folder in Ubuntu 24.04

This step-by-step beginner’s guide shows how to encrypt your home directory in Ubuntu 24.04 LTS.

As you may know, the new installer in Ubuntu 24.04 only supports encrypting the entire disk. If you want to dual boot Ubuntu with another OS on a single disk, there’s no option so far to encrypt only the Ubuntu file-system partition.

In that case, you may choose to encrypt your home folder to keep personal data and files safe.

There’s NO visible difference after encrypting your home directory. You can log in just like before, read and write files, run apps and play games, because the folder is automatically decrypted using your password.

But if you lose your computer/laptop, no one can access the files in your home folder without the login password or the encryption passphrase. Accessing the folder from another operating system shows something like this:

Encrypted home is not accessible from another machine or OS

Step 1: Install the encryption tool

The Ubuntu installer used to have an option to encrypt the home folder, which used eCryptfs for encryption. However, this option is no longer available in the Ubuntu 24.04 installer.

To install the tool, press Ctrl+Alt+T to open a terminal window and run the command:

sudo apt install ecryptfs-utils cryptsetup

Run sudo apt update to refresh the package cache if the packages are not found.

Step 2: Create a temporary admin account

You need to log out of the user account whose home folder you want to encrypt, and use another admin account to run the encryption process.

To create a temporary admin account in Ubuntu Desktop, do:

  1. Open “Settings” from top-right system status menu (aka Quick Settings).
  2. In “Settings”, navigate to System -> Users
  3. Next, click Unlock -> Add User …
  4. Finally, insert a username, enable “Administrator” option, and set password.

For Ubuntu Server, simply run the command below to add a user. During the process, it will ask you to set a password for the new account and to fill in some user information (it’s OK to hit Enter for all).

sudo adduser temp_user

Then, grant sudo permission to the account by running the command:

sudo usermod -aG sudo temp_user

Step 3: Encrypt home folder

Now, log out of the user account whose home folder you want to encrypt. Then, log in with the new admin account (temp_user in this case).

NOTE: The command below will make a backup of the home folder! Just in case, it’s BETTER to manually do an additional backup of your important data.

1. After logging in with the temporary admin account, press Ctrl+Alt+T to open a terminal, and run the command:

sudo ecryptfs-migrate-home -u THE_USER_NAME

Replace THE_USER_NAME in the command with the username whose home folder you want to encrypt.

The command first asks for the current temporary user’s password, for permission to run the command, then asks for the target user’s password.

2. When done, the terminal shows some notices. They include:

  • MUST login the encrypted user to finish the process before reboot!
  • Restore the backup file “/home/username.xxxxxx” if something goes wrong.
  • The command to get the auto-generated passphrase.
  • Command to also encrypt the swap area.

Step 4: Log back in as the encrypted user to generate the passphrase

If everything goes well, log out of the temporary admin account, and log back in with the user account whose home is encrypted.

1. After login, a dialog pops up (there may be a few seconds’ delay depending on your device).

Just click the “Run this action now” button, then type your password (the login password) and hit Enter in the pop-up terminal window. It will generate a random passphrase for recovery purposes, in case your system refuses to boot or breaks in the future.

2. To get the auto-generated passphrase, just run the command:

ecryptfs-unwrap-passphrase

Then copy the output passphrase and keep it in a safe place!

Step 5: Encrypt the Swap Area

To ensure the integrity of all encrypted data, you should also encrypt the swap area: memory pages that hold decrypted file contents can be written to swap in plaintext.

NOTE: This step will break the hibernate and suspend feature!

1. First, open a terminal window (Ctrl+Alt+T) and run the command below to check if you have a swap area:

swapon -s

If there’s no swap partition or swap file in use, you can just skip this step.

2. Then, run the command to encrypt the swap:

sudo ecryptfs-setup-swap

The command outputs “swapon: cannot open /dev/mapper/cryptswap1: No such file or directory”.

However, it works after a system reboot. Just run swapon -s to verify. The encrypted swap will look like /dev/dm-0.

Step 6: Clean Up

If everything’s done successfully, you can now remove the temporary admin user, and delete the auto-generated backup folder.

To delete the temporary account, either open “Settings”, navigate to System -> Users, click “Unlock”, select the temporary user account and finally click “Remove User” button to remove it.

Or, run the command below in a terminal instead:

sudo userdel --remove temp_user

To delete the auto-generated backup, use the command:

sudo rm -rf /home/ji.jjf1M2qF

Replace ji.jjf1M2qF in the command accordingly. Go to Files -> Other Locations -> Ubuntu -> home to check the backup folder name.
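
To confirm the result before deleting the backup, the check below (an added example, not part of the original tutorial) tests that the home folder is an eCryptfs mount and that no active swap sits outside a device-mapper device. The function names are hypothetical, the sample data is constructed, and the home directory is assumed to be /home/USER.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# home_is_ecryptfs HOME_DIR [MOUNTS_FILE]: succeeds if HOME_DIR is mounted as ecryptfs.
home_is_ecryptfs() {
    awk -v home="$1" '$2 == home && $3 == "ecryptfs" { found = 1 }
        END { exit (found ? 0 : 1) }' "${2:-/proc/mounts}"
}

# plain_swaps [SWAPS_FILE]: prints active swaps that are not device-mapper nodes.
# Heuristic from the tutorial (encrypted swap shows up as /dev/dm-N); an LVM
# volume is also a dm node, so confirm the "crypt" type with lsblk if you use LVM.
plain_swaps() {
    awk 'NR > 1 && $1 !~ /^\/dev\/(dm-[0-9]+|mapper\/)/ { print $1 }' \
        "${1:-/proc/swaps}"
}

# check_user USER [MOUNTS_FILE] [SWAPS_FILE]: prints a report, returns 1 on findings.
# Assumes the home directory is /home/USER, as in the tutorial.
check_user() {
    rc=0
    if home_is_ecryptfs "/home/$1" "${2:-/proc/mounts}"; then
        echo "OK   /home/$1 is an eCryptfs mount"
    else
        echo "FAIL /home/$1 is not an eCryptfs mount"
        rc=1
    fi
    for s in $(plain_swaps "${3:-/proc/swaps}"); do
        echo "FAIL swap $s is not on a device-mapper device"
        rc=1
    done
    return "$rc"
}

# Constructed sample: alice is migrated, but a plain swap file is still active.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '/dev/sda2 / ext4 rw,relatime 0 0' \
        '/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev 0 0' \
        > "$d/mounts"
    printf '%s\n' 'Filename Type Size Used Priority' \
        '/dev/dm-0 partition 2097148 0 -2' '/swap.img file 4194300 0 -3' > "$d/swaps"
    out=$(check_user "${1:-alice}" "$d/mounts" "$d/swaps") || true
    rm -rf "$d"
    printf '%s\n' "$out"
}

demo
```

On a real system, call check_user THE_USER_NAME while that user is logged in, since the encrypted home is only mounted during a login session.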

Summary

In this tutorial, I’ve shown you how to encrypt the home directory in Ubuntu 24.04 LTS.

In short, you just need to install the ecryptfs utility, run the encryption command using another admin account, and log back in to generate the recovery passphrase in the pop-up dialog. Then run one more command to encrypt the swap file or partition.


