Chiffrement des répertoires personnels

Updated 12 Mars 2019

You can encrypt user directories with eCryptfs for personal data protection. eCryptfs is a file system that runs on top of any other regular filesystem and transparently encrypts / decrypts the files. ECryptfs stores the cryptographic metadata in the headers of each file. Thus, you can easily transfer any file between systems. All this is kernel implemented, providing a good level of performance compared to FUSE encryption.

How it works

An encrypted user home folder contains only symbolic links to the directory with encrypted data. Encrypted user data is stored in /home/.ecryptfs and is sorted by user. The .Private subdirectory contains encrypted data, while .ecryptfs contains info on encryption.

When you log in to the session /home/.ecryptfs/[HTML_REMOVED]/. Private is mounted in the home directory. A key is used to do so, /home/.ecryptfs/<логин>/.ecryptfs/wrapped-passphrase, encrypted with a user password. Then the user account can be synchronized and configured if necessary. When you exit the session, the home directory is disconnected from .Private.

Encryption can also be enabled for domain users. Encrypted data will then by stored on a local machine, while the server hosts only non encrypted data. This ensures user data security after logging out.

Configuring an account to be encrypted

To enable encryption, Calculate Linux must be installed with the "Crypt user profiles" option turned on, or else, if the system is already running, you must enable the cl_home_crypt_set variable:

cl-core-variables --set main.cl_home_crypt_set=on

Encryption will be configured for new users only (those who have no home directory). To enable encryption for an existing user account, user ecryptfs-migrate-home.

ecryptfs-migrate-home -u [HTML_REMOVED]

For domain users, simply delete the local profile when the user is not logged in, and then re-log in as the user.

Note that the value of cl_home_crypt_set does not affect the configured user account, that is, if the account was configured for encryption and the system was installed without turning on encryption, the account will not be encrypted, and vice versa.

How to restore your data

If /home only contains the .ecryptfs directory with encrypted accounts, you should just create the same users with the same passwords, so that when you log in to the session, the user's home will use the existing encrypted account.