Encrypting home directories

Updated 12 March 2019

To protect personal data, you can encrypt user directories with eCryptfs. eCryptfs is a file system that runs on top of any other regular filesystem and transparently encrypts and decrypts the files. eCryptfs stores its cryptographic metadata in the header of each file, so any file can be moved between systems without difficulty. All of this is implemented in the kernel, which gives good performance compared to FUSE-based encryption.

How it works

An encrypted user home folder contains only symbolic links to the directory holding the encrypted data. The encrypted user data is stored in /home/.ecryptfs, organized per user. The .Private subdirectory contains the encrypted data, while .ecryptfs contains the encryption metadata.

When you log in to the session, /home/.ecryptfs/<login>/.Private is mounted on the home directory. This uses the key /home/.ecryptfs/<login>/.ecryptfs/wrapped-passphrase, which is encrypted with the user's password. The user account can then be synchronized and configured if necessary. When you log out, .Private is unmounted from the home directory.

Encryption can also be enabled for domain users. The encrypted data will then be stored on the local machine, while the server hosts only unencrypted data. This keeps the data in the user profile secure after the session ends.

Configuring an account to be encrypted

To enable encryption, Calculate Linux must be installed with the "Crypt user profiles" option turned on; on an already installed system, enable the cl_home_crypt_set variable instead:

cl-core-variables --set main.cl_home_crypt_set=on

Encryption will be configured for new users only (those who have no home directory yet). To enable encryption for an existing user account, use ecryptfs-migrate-home:

ecryptfs-migrate-home -u <login>

For domain users it is enough to delete the local profile while the user is not logged in, and then log in again.

Note that the value of cl_home_crypt_set does not affect accounts that are already configured: if an account was configured for encryption and the system was installed without encryption turned on, the account will not be encrypted, and vice versa.
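To confirm that a migrated or newly created account actually has the layout described above (the .Private store, the wrapped-passphrase key, and a home directory holding only symlinks while it is not mounted), here is an added check script. It is not part of Calculate Linux or ecryptfs-utils; the paths and the /proc/mounts format are assumptions about a standard eCryptfs setup.

```shell
#!/bin/sh
# Added example, not Calculate's own tooling: verify that a user's home
# matches the eCryptfs layout described in the article.
#
# check_ecryptfs_home <home_root> <login> [mounts_file]
#   Exit status 0 if the layout is complete; otherwise 1, with each
#   problem printed on its own line. mounts_file defaults to /proc/mounts.
check_ecryptfs_home() {
    root="$1"; user="$2"; mounts="${3:-/proc/mounts}"
    priv="$root/.ecryptfs/$user/.Private"
    meta="$root/.ecryptfs/$user/.ecryptfs"
    home="$root/$user"
    rc=0
    # Encrypted payload: /home/.ecryptfs/<login>/.Private
    [ -d "$priv" ] || { echo "missing encrypted store: $priv"; rc=1; }
    # Mount passphrase, wrapped with the login password
    [ -f "$meta/wrapped-passphrase" ] || { echo "missing wrapped-passphrase in $meta"; rc=1; }
    [ -d "$home" ] || { echo "missing home directory: $home"; return 1; }
    # While the session is active, .Private is mounted on the home directory
    # and the decrypted files are expected to be visible there.
    if grep -q "^[^ ]* $home ecryptfs " "$mounts" 2>/dev/null; then
        echo "$home is currently mounted from the encrypted store"
        return $rc
    fi
    # Not mounted: the home directory should hold nothing but symlinks into
    # the store. A regular file here was written in clear text.
    for entry in "$home"/* "$home"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        [ -L "$entry" ] || { echo "plaintext entry in unmounted home: $entry"; rc=1; }
    done
    return $rc
}

# Stand-alone use: sh check_ecryptfs_home.sh <login>
if [ $# -gt 0 ]; then
    check_ecryptfs_home /home "$1"
fi
```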

How to restore your data

If /home contains only the .ecryptfs directory with the encrypted accounts, simply create the same users with the same passwords; when they log in to the session, their home directories will use the existing encrypted data.