Encrypting home directories

You can encrypt the home directory with eCryptfs to protect your own or your network users' personal data. eCryptfs is a file system that runs on top of any other regular file system and transparently encrypts and decrypts the files. eCryptfs stores the cryptographic metadata in the header of each file, so you can easily copy any file between different systems. All of this is implemented in the kernel, which gives good performance compared to FUSE-based encryption.

How it works

An encrypted user home folder contains only symbolic links to the directory holding the encrypted data. Encrypted user data is stored in /home/.ecryptfs, organized per user. The .Private subdirectory contains the encrypted data, while .ecryptfs contains the encryption metadata.

When you log in to the session, /home/.ecryptfs/<login>/.Private is mounted on the home directory. This is done with a key, /home/.ecryptfs/<login>/.ecryptfs/wrapped-passphrase, which is encrypted with the user's password. The user account can then be synchronized and configured if necessary. When you log out of the session, the home directory is unmounted from .Private.

Encryption can also be enabled for domain users. The encrypted data is then stored on the local machine, while the server holds only unencrypted data. This keeps the user's data protected after logging out of the session.
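The layout described above (per-user .Private and .ecryptfs/wrapped-passphrase under /home/.ecryptfs, mounted on the home directory only while the session is open) can be checked with a small script. This is an added example, not part of the Calculate Linux wiki; it assumes an optional ROOT prefix (so it can be run against a constructed tree) and a MOUNTS file that defaults to /proc/mounts.

```shell
#!/bin/sh
# Added example: report the eCryptfs state of one user's home directory.
# Assumptions (not from the original page): ROOT is an optional path prefix
# for testing against a constructed directory tree; MOUNTS is the mounts
# table to inspect (defaults to /proc/mounts). Mount targets are compared
# unprefixed, as the kernel reports them.

# ecryptfs_home_state <login>  prints one of:
#   unencrypted : no /home/.ecryptfs/<login> directory exists
#   incomplete  : the directory exists but .Private or wrapped-passphrase is missing
#   mounted     : encrypted and /home/<login> is currently an ecryptfs mount
#   unmounted   : encrypted but not mounted (no open session for the user)
# Exit status is 0 for mounted/unmounted, 1 for unencrypted, 2 for incomplete.
ecryptfs_home_state() {
    login=$1
    root=${ROOT:-}
    mounts=${MOUNTS:-/proc/mounts}
    base="$root/home/.ecryptfs/$login"

    [ -d "$base" ] || { echo unencrypted; return 1; }

    # Both the ciphertext directory and the password-wrapped key must be present,
    # otherwise the home cannot be unlocked at login.
    if [ ! -d "$base/.Private" ] || [ ! -f "$base/.ecryptfs/wrapped-passphrase" ]; then
        echo incomplete
        return 2
    fi

    # A mounts line looks like:
    #   /home/.ecryptfs/<login>/.Private /home/<login> ecryptfs rw,... 0 0
    # Field 2 is the mount point, field 3 the file system type.
    if awk -v h="/home/$login" \
        '$2 == h && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$mounts"; then
        echo mounted
    else
        echo unmounted
    fi
    return 0
}
```

A state of unmounted for a user who is currently logged in, or mounted for one who is not, is worth investigating, since the home is supposed to be attached only for the duration of the session.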

Configuring an account to be encrypted

To enable encryption, Calculate Linux must be installed with the "Crypt user profiles" option enabled, or, if the system is already running, you must turn on the cl_home_crypt_set variable:

cl-core-variables --set main.cl_home_crypt_set=on

Encryption will be configured for new users only (those who do not yet have a home directory). To enable encryption for an existing user account, use ecryptfs-migrate-home:

ecryptfs-migrate-home -u <login>

For domain users, you only have to delete the local account when it is out of date, and then log in to the session again.

Note that the value of cl_home_crypt_set does not affect an already configured user account; that is, if the account was configured for encryption and the system was installed without turning encryption on, the account will not be encrypted, and vice versa.

How to restore your data

If /home contains only the .ecryptfs directory with the encrypted accounts, simply create the same users with the same passwords; when you log in to the session, the user's home will use the existing encrypted account.