Encrypting home directories
Updated 12 March 2019
You can encrypt user directories with eCryptfs for personal data protection. eCryptfs is a file system that runs on top of any other regular filesystem and transparently encrypts and decrypts the files. eCryptfs stores the cryptographic metadata in the headers of each file, so you can easily transfer any file between systems. All of this is implemented in the kernel, which gives good performance compared to FUSE-based encryption.
How it works
An encrypted user home folder contains only symbolic links to the directory with encrypted data. Encrypted user data is stored in and is sorted by user. The subdirectory contains encrypted data, while contains info on encryption.
When you log in to the session, /home/.ecryptfs/<login>/.Private is mounted in the home directory. The mount uses the key in /home/.ecryptfs/<login>/.ecryptfs/wrapped-passphrase, which is encrypted with the user password. Then the user account can be synchronized and configured if necessary. When you exit the session, the home directory is disconnected from .Private.
Encryption can also be enabled for domain users. Encrypted data will then be stored on the local machine, while the server hosts only unencrypted data. This ensures user data security after logging out.
Configuring an account to be encrypted
To enable encryption, Calculate Linux must be installed with the "Crypt user profiles" option turned on, or else, if the system is already running, you must enable the variable:
cl-core-variables --set main.cl_home_crypt_set=on
Encryption will be configured for new users only (those who have no home directory). To enable encryption for an existing user account, use:
ecryptfs-migrate-home -u <login>
For domain users, simply delete the local profile when the user is not logged in, and then log in again as the user.
Note that the value of does not affect the configured user account, that is, if the account was configured for encryption and the system was installed without turning on encryption, the account will not be encrypted, and vice versa.
How to restore your data
If only contains the directory with encrypted accounts, you should just create the same users with the same passwords, so that when you log in to the session, the user's home will use the existing encrypted account.
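The layout described under "How it works" can be checked per account before recreating users for a restore, or to confirm that a home is no longer mounted after logout. The shell functions below are an added example, not part of the original Calculate Linux documentation; the function names, the status words and the optional mount-table argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report the eCryptfs state of each account under a home base.
# Layout taken from the page:
#   <base>/.ecryptfs/<login>/.Private                      encrypted data
#   <base>/.ecryptfs/<login>/.ecryptfs/wrapped-passphrase  key wrapped with the password
# Usage on a real system: ecryptfs_audit /home

# ecryptfs_home_status BASE LOGIN [MOUNTS_FILE]
# Prints one of: not-encrypted | incomplete | locked | mounted
ecryptfs_home_status() {
    base=$1 login=$2 mounts=${3:-/proc/mounts}
    store="$base/.ecryptfs/$login"

    [ -d "$store" ] || { echo not-encrypted; return 0; }

    # Both pieces are required to open the home again: the data and the wrapped key.
    if [ ! -d "$store/.Private" ] || [ ! -s "$store/.ecryptfs/wrapped-passphrase" ]; then
        echo incomplete
        return 0
    fi

    # A mounted home appears in the mount table as:
    #   <store>/.Private <base>/<login> ecryptfs <options> 0 0
    if [ -r "$mounts" ]; then
        while read -r _src mp fstype _rest; do
            if [ "$mp" = "$base/$login" ] && [ "$fstype" = ecryptfs ]; then
                echo mounted
                return 0
            fi
        done < "$mounts"
    fi
    echo locked
}

# ecryptfs_audit BASE [MOUNTS_FILE]: one "login status" line per stored account.
ecryptfs_audit() {
    base=$1 mounts=${2:-/proc/mounts}
    for dir in "$base"/.ecryptfs/*/; do
        [ -d "$dir" ] || continue
        login=$(basename "$dir")
        printf '%s %s\n' "$login" "$(ecryptfs_home_status "$base" "$login" "$mounts")"
    done
}
```

An account reported as "incomplete" cannot be opened by recreating the user, because the wrapped key or the data directory is missing; "mounted" for a user with no active session means the home was not disconnected at logout.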