Linux: Encrypt home directory with gocryptfs
Sun, Jul 11, 2021
I recently installed Ubuntu 21.04 on a Raspberry Pi 4. Encrypting my user data, or the full disk, was top of my list of things to set up. After a bit of reading I decided to encrypt just my home directory: since my disk is an SD card and the device is low powered, I wanted to avoid the overhead of encrypting the entire disk.
These were the steps I took, which were cobbled together from instructions in a few places.
sudo apt install libpam-mount gocryptfs
Edit the fuse config to allow other users access to mounts. Open /etc/fuse.conf and uncomment the line that permits non-root users to use the allow_other mount option (the pam_mount entry below relies on it).
Edit the libpam-mount config, instructing it to mount the encrypted home directory at login. Add the following tag before the closing xml tag of the pam_mount configuration file, replacing yourusername with your username on the computer.
<volume user="yourusername" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other" path="/usr/local/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />
Backup your current home directory contents.
cd /home
sudo tar cvf $USER.tar $USER
Create a directory to hold the encrypted files.
sudo mkdir $USER.cipher
sudo chown $USER:$USER $USER.cipher
Initialize the encrypted files.
gocryptfs -init $USER.cipher
Clear the home directory.
rm -fr /home/$USER/* /home/$USER/.[!.]* /home/$USER/..?*
Add a file that will indicate if the encrypted file system isn’t mounted.
Mount the encrypted home directory.
gocryptfs $USER.cipher $USER
Copy the home directory into the mounted encrypted home directory.
tar xvf $USER.tar --strip-components=1 -C $USER
Add a file that will indicate if the encrypted file system is mounted.
Reboot the system, check that after login the GOCRYPTFS_MOUNTED file is in the home directory.
Delete the backup tarball, which still holds the unencrypted copy of your home directory.
Note: This flow will also work on Raspbian OS, however you'll need to disable autologin, because the gocryptfs mount is only triggered when the user actually performs the login.
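The reboot check above relies on eyeballing the GOCRYPTFS_MOUNTED marker. The script below is an added example, not part of the original post, that makes the same check scriptable: it confirms from /proc/mounts that the home directory really is a fuse.gocryptfs mount (the fstype FUSE reports for gocryptfs; assumed here) and that the marker file is present, so a warning can be raised from something like ~/.profile if a login ever lands on the plain, unmounted directory. The function names and the sample mounts line are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a home directory is
# a live gocryptfs mount before trusting its contents.

# home_mount_state MOUNTS_FILE HOME_DIR
#   Prints "mounted" if HOME_DIR appears in MOUNTS_FILE as a fuse.gocryptfs
#   mount, "unmounted" otherwise. MOUNTS_FILE defaults to /proc/mounts.
home_mount_state() {
    mounts_file=${1:-/proc/mounts}
    home_dir=${2:-$HOME}
    # /proc/mounts fields: device mountpoint fstype options dump pass
    if awk -v mp="$home_dir" \
        '$2 == mp && $3 == "fuse.gocryptfs" { found = 1 } END { exit !found }' \
        "$mounts_file"; then
        echo mounted
    else
        echo unmounted
    fi
}

# marker_state HOME_DIR
#   Prints "present" if the GOCRYPTFS_MOUNTED marker (the file the post has
#   you create inside the encrypted home) exists in HOME_DIR, else "absent".
marker_state() {
    if [ -e "$1/GOCRYPTFS_MOUNTED" ]; then
        echo present
    else
        echo absent
    fi
}

# check_home MOUNTS_FILE HOME_DIR
#   Combined verdict: returns 0 only when HOME_DIR is a gocryptfs mount AND the
#   marker is present; otherwise prints a warning to stderr and returns 1.
check_home() {
    m=$(home_mount_state "$1" "$2")
    k=$(marker_state "$2")
    if [ "$m" = mounted ] && [ "$k" = present ]; then
        echo "OK: $2 is a gocryptfs mount and GOCRYPTFS_MOUNTED is present"
        return 0
    fi
    echo "WARNING: $2 mount=$m marker=$k; home directory is NOT decrypted" >&2
    return 1
}

# Stand-alone use: ./check_home.sh --check   (inspects the real /proc/mounts)
if [ "${1:-}" = --check ]; then
    check_home /proc/mounts "$HOME"
fi
```

Checking the fstype as well as the marker matters: the marker alone can be faked by anything that can write to the unmounted directory, while /proc/mounts is maintained by the kernel.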