As an Ubuntu desktop user, I learned to appreciate adduser's --encrypt-home option: it adds a new user with an encrypted home directory in a second. On Debian, adduser lacks the --encrypt-home option, so a few more steps are needed to add a user with an ecryptfs-encrypted home directory. The roadmap here is to add a user with an unencrypted home directory first and then encrypt that home directory afterwards.
- Install the ecryptfs utility scripts and their dependencies,
sudo aptitude install ecryptfs-utils
- Add a new user with unencrypted home directory,
sudo adduser NEW_USER
- Encrypt the home directory by migrating it from unencrypted to encrypted (the script copies the entire home into the encrypted store, so the filesystem needs free space of roughly the size of the home directory while both copies exist),
sudo ecryptfs-migrate-home -u NEW_USER
For some background information on this script, see this blog post.
- Mandatory: log in to the new user account now, before any reboot, to have ecryptfs's key encrypted with the new user's password and written to disk,
sudo login NEW_USER
- When logged in as NEW_USER, unwrap ecryptfs's mount passphrase (ecryptfs-unwrap-passphrase prints it) and store it in a safe place, offline. It gives you access to the encrypted home directory without logging in (e.g. by mounting it manually), and it is the only way to recover the data if the login password is lost or the wrapped-passphrase file is damaged.
- Remove the unencrypted copy of the user's home directory, but only after confirming that NEW_USER can log in and read and write their files. The last lines of output of ecryptfs-migrate-home give you the path of that copy, along with other useful information you should read through.
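The procedure above as one script, plus two post-migration checks, added here as an example (it is not part of the original post or of ecryptfs-utils). It assumes the layout ecryptfs-setup-private creates, /home/.ecryptfs/NEW_USER/.ecryptfs for the key material (wrapped-passphrase, Private.sig, Private.mnt) and /home/.ecryptfs/NEW_USER/.Private for the encrypted store; the check functions, the --run wrapper and the /proc/mounts parsing are this example's own.

```shell
#!/bin/sh
# Added example: the Debian procedure from the post as one script, plus two
# post-migration checks. Not part of ecryptfs-utils; the check functions and
# the --run wrapper are this example's own.
set -u

# ecryptfs-setup-private (called by ecryptfs-migrate-home) keeps the encrypted
# store and the key material under BASE/.ecryptfs/USER, which on Debian is
# /home/.ecryptfs/USER regardless of where the home directory itself lives.
# Verify that the pieces a later login needs are present and that the
# wrapped mount passphrase is not readable by group or others.
# usage: check_encrypted_home USER [BASE] [HOME_DIR]
check_encrypted_home() {
    user=$1
    base=${2:-/home}
    home=${3:-$base/$user}
    enc="$base/.ecryptfs/$user"
    rc=0
    for f in .ecryptfs/wrapped-passphrase .ecryptfs/Private.sig .ecryptfs/Private.mnt; do
        if [ ! -f "$enc/$f" ]; then
            printf 'missing: %s\n' "$enc/$f" >&2
            rc=1
        fi
    done
    if [ ! -d "$enc/.Private" ]; then
        printf 'missing encrypted store: %s\n' "$enc/.Private" >&2
        rc=1
    fi
    # Private.mnt records where the decrypted view gets mounted; after a
    # migration it must name the user's actual home directory.
    if [ -f "$enc/.ecryptfs/Private.mnt" ] && [ "$(cat "$enc/.ecryptfs/Private.mnt")" != "$home" ]; then
        printf 'Private.mnt does not point at %s\n' "$home" >&2
        rc=1
    fi
    # wrapped-passphrase is the mount key encrypted with the login password;
    # columns 5-10 of ls -l output are the group/other permission bits.
    if [ -f "$enc/.ecryptfs/wrapped-passphrase" ]; then
        perm=$(ls -ld "$enc/.ecryptfs/wrapped-passphrase" | cut -c5-10)
        if [ "$perm" != "------" ]; then
            printf 'wrapped-passphrase is readable by others (%s)\n' "$perm" >&2
            rc=1
        fi
    fi
    return $rc
}

# Is HOME_DIR currently an ecryptfs mount point? Reads /proc/mounts (or a
# file in the same format) and matches on mount point and filesystem type.
# usage: ecryptfs_home_mounted HOME_DIR [MOUNTS_FILE]
ecryptfs_home_mounted() {
    awk -v mp="$1" '$2 == mp && $3 == "ecryptfs" { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# The migration itself: the post's steps, to be run as root on a Debian host.
run_migration() {
    user=$1
    if [ "$(id -u)" -ne 0 ]; then
        echo "run_migration must run as root (sudo)" >&2
        return 1
    fi
    command -v ecryptfs-migrate-home >/dev/null 2>&1 || aptitude install ecryptfs-utils
    adduser "$user"
    ecryptfs-migrate-home -u "$user"
    # Sanity-check the result before the mandatory first login.
    check_encrypted_home "$user" /home "$(getent passwd "$user" | cut -d: -f6)"
    echo "Log in now, then run ecryptfs-unwrap-passphrase and record the output offline." >&2
    login "$user"
    # Remove the unencrypted copy named at the end of the migration output only
    # after the user has logged in and can read and write their files.
}

if [ "${1:-}" = "--run" ]; then
    run_migration "${2:?usage: $0 --run NEW_USER}"
fi
```

Run it as `sudo sh migrate.sh --run NEW_USER` to perform the migration. The two check functions are also useful on their own: `check_encrypted_home NEW_USER` after any later change to the home directory's location, and `ecryptfs_home_mounted /home/NEW_USER` from a root shell while the user is logged in, to confirm the decrypted view is an ecryptfs mount rather than a plain directory.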
Please note that ecryptfs-migrate-home places the encrypted version of NEW_USER's home directory in /home/.ecryptfs/NEW_USER, no matter which partition or directory the user's home directory is located in. As this directory is hardcoded into the ecryptfs-setup-private script (which is called by ecryptfs-migrate-home), the easiest way is to temporarily change the path by editing the script (revert the edit once the migration is done; the next upgrade of ecryptfs-utils would overwrite it anyway),
sudo vi /usr/bin/ecryptfs-setup-private
and changing the line near the top