Debian User Forums

Hi

I Have recently done my first home encryptation, and taking a look at several solutions,
i got to the conclusion that the most easy and practical method for linux-home encryptation is to use ecryptfs, especially if we dont have a partition home.

The enterprise cryptographic filesystem for Linux
http://ecryptfs.org

eCryptfs is widely used, as the basis for Ubuntu's Encrypted Home Directory, natively within Google's ChromeOS, and transparently embedded in several network attached storage (NAS) devices.

Here, some howto's:
https://fixmynix.com/encrypt-files-and- ... ian-linux/
https://www.fussylogic.co.uk/blog/?p=272
http://xmodulo.com/encrypt-files-direct ... linux.html
https://www.howtoforge.com/tutorial/how ... on-debian/

The Steps and troubles i got into:
1- Encrypting/Migrating the user-home:
--> sudo ecryptfs-migrate-home -u user
ecryptfs. requested a x2'5 of free space to be able to proceed with the encryptation.
I solved this problem creating an empty home user folder, encrypting it, and then moving the uncrypting home to the encrypted mounted home point. As easy as this:
--> sudo rsync -aAXv /home/myuser.unecrypted /home/myuser (encrypted mount point)

Conclusions:
- The App method encryptation feels robust and practical for a regular user, and its very easy to deploy.
- I recommend it for people who travels with its computer very often.

It's so easy to encrypt your home directory,

Steps to encryt your home folder:

sudo apt-get install ecryptfs-utils
cd /home && sudo mv myuser myuser.uncrypted
mkdir myurser && chown myuser:myuser myuser
ecryptfs-migrate-home -u myuser
logout/login (It will auto-mount encrypted home): /home/myuser --(linked)--> /home/.ecryptfs/myuser/.Private
Move all your data to encrypted home:
sudo rsync -aAXv /home/myuser.uncrypted/ /home/myuser/
sudo rm -rf /home/myuser.uncrypted/

done!!, easy peace

If anyone was to follow that, it would fail. Any chance you could check your spelling before posting bester?

i removed encrytation, it was a fail in my old computer (1Gh CPU) , I cant watch hd movies without lagging

I was going to ask if they'd be a potential performance hit. You've answered my question.

Why not just encrypt a few folders that have sensitive data? There's no need to encrypt everything.

phenest wrote:I was going to ask if they'd be a potential performance hit. You've answered my question.

Why not just encrypt a few folders that have sensitive data? There's no need to encrypt everything.

cos you dont want to take care about what folders you need to protect, If you lost your computer, you dont want anyone to get acces to your accounts, .config/ files usually store that kind of files . I have also a password manager container somewhere in my home .., the good thing, its i dont travel with my laptop.

Hi, I have a somewhat similar question. I want to install Debian on a laptop with just one HDD. Planning to create these partitions:
- sda1 ext2 boot 1GB
- sda2 ext4 root 4GB
- sda3 swap 4GB
- sda4 ext4 home

But since it's a laptop and it could be potentially stolen, maybe it's reasonable to encrypt root, swap and home. My question is: can I create one encrypted volume and create all other partitions (root, swap and home), or should I create 3 separate encrypted partitions (would I then be asked to enter a passphase 3 times?).

mef wrote:Hi, I have a somewhat similar question. I want to install Debian on a laptop with just one HDD. Planning to create these partitions:
- sda1 ext2 boot 1GB
- sda2 ext4 root 4GB
- sda3 swap 4GB
- sda4 ext4 home

But since it's a laptop and it could be potentially stolen, maybe it's reasonable to encrypt root, swap and home. My question is: can I create one encrypted volume and create all other partitions (root, swap and home), or should I create 3 separate encrypted partitions (would I then be asked to enter a passphase 3 times?).

If you want full disk encryption, I feel it would be best to look into LUKS which encrypts the entire drive.

There are other solutions though.

But wouldn't I need the boot partition to not be encrypted? Otherwise the system won't load.

mef wrote:But wouldn't I need the boot partition to not be encrypted? Otherwise the system won't load.

Yes you are correct. You can setup an encrypted partition, then create LVM Volume Groups through the installer and leave /boot unencrypted.

I was going to write up a quick summary on how to do it, but it seems that after a bit of research on this forum I have found someone that has already explained it.

kce wrote: * This is all done under manual partitioning
* Make your /boot partition
* Make "physical volume for encryption" logical partition.
* Configure encrypted volumes (I prefer AES256)
* Select the encrypted volume, and choose to use it as a "physical volume for lvm"
* Configure LVM
* Add your desired volume group and logical volumes (all of which will be encrypted)
* Select the newly made logical volumes, and choose to use them as "ext4" and make them mountable as /, swap, etc.

http://forums.debian.net/viewtopic.php?t=46874#p267749

Ardouos wrote:I was going to write up a quick summary on how to do it, but it seems that after a bit of research on this forum I have found someone that has already explained it.

kce wrote: * This is all done under manual partitioning
* Make your /boot partition
* Make "physical volume for encryption" logical partition.
* Configure encrypted volumes (I prefer AES256)
* Select the encrypted volume, and choose to use it as a "physical volume for lvm"
* Configure LVM
* Add your desired volume group and logical volumes (all of which will be encrypted)
* Select the newly made logical volumes, and choose to use them as "ext4" and make them mountable as /, swap, etc.

http://forums.debian.net/viewtopic.php?t=46874#p267749

Ive tested recentlly LVM with dm-crypt and still got some downgrade performance in comparison with ecryptfs, furthermore, it might be some difficult to mantain a full system encryption. I didnt feel confortable with it, so i uninstalled it. I think dm-crypt its ok for a home+swat partition encrypted, not a full system one. I willl use it, when i get a new computer.

bester69 wrote: Ive tested recentlly LVM with dm-crypt and still got some downgrade performance in comparison with ecryptfs

Like any software, it has it's drawbacks. One of the issues with FDE is your system may take a performance hit, especially when it is an old machine like yours.