Add user with ecryptfs encrypted home directory on Debian Wheezy

As an Ubuntu desktop user, I learned to appreciate adduser's --encrypt-home option. It adds a new user with an encrypted home directory in a second. On Debian, adduser lacks the --encrypt-home option, so a few more steps are needed to add a user with an ecryptfs-encrypted home directory. The roadmap here is to add a user with an unencrypted home directory and then encrypt that directory afterwards.

  • Install the ecryptfs utility scripts and their dependencies,
sudo aptitude install ecryptfs-utils
  • Add a new user with unencrypted home directory,
sudo adduser NEW_USER
  • Encrypt the home directory by migrating it from unencrypted to encrypted. The user must not be logged in and must have no running processes while this runs, and since the script makes a full copy of the home directory, the partition holding /home/.ecryptfs needs at least as much free space as the home directory occupies,
sudo ecryptfs-migrate-home -u NEW_USER

For some background information on this script, see this blog post.

  • Absolutely mandatory: log in to the new user account now, before the next reboot, so that ecryptfs' mount passphrase is wrapped with the new user's login password and written to disk, and so that you can verify that the migrated home directory mounts and is readable and writable,
sudo login NEW_USER
  • When logged in as NEW_USER, unwrap ecryptfs' mount passphrase and store it in a safe place. This randomly generated passphrase is what actually encrypts the files; the login password only wraps it. With it you can access the encrypted home directory without logging in (e.g. by mounting it, or with ecryptfs-recover-private), and it is the only way to recover the data if the login password is lost or the wrapped-passphrase file is damaged,
ecryptfs-unwrap-passphrase
  • Once the login test above succeeded, remove the unencrypted copy of the user's home directory. The last lines of output of ecryptfs-migrate-home give you its path, along with other notes you should read through (among them the advice to encrypt swap with ecryptfs-setup-swap, since otherwise plaintext from the encrypted home can be paged out to an unencrypted swap partition). Keep in mind that rm only unlinks the files: on an ordinary filesystem the plaintext blocks stay recoverable until they are overwritten.

Please note that ecryptfs-migrate-home places the encrypted version of NEW_USER's home directory in /home/.ecryptfs/NEW_USER, no matter which partition or directory the user's home directory is located in. As this directory is hardcoded in the ecryptfs-setup-private script (which ecryptfs-migrate-home calls), the easiest way to change it is to temporarily edit the script with

sudo vi /usr/bin/ecryptfs-setup-private

and modify the line near the top

ECRYPTFS_DIR="/home/.ecryptfs"

to point at a directory on the partition you want. Change it back once the migration is done: /usr/bin/ecryptfs-setup-private is not a conffile, so the next ecryptfs-utils upgrade silently overwrites the edit anyway, and an edited script left in place will surprise whoever adds the next user.
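The whole procedure, together with the ECRYPTFS_DIR edit, as one script. This is an added example written for this page; it is neither part of ecryptfs-utils nor one of the original post's commands. The script name, the optional second argument naming a different ecryptfs directory, the backup copy of ecryptfs-setup-private and the free-space and running-process checks are my own assumptions. The checks also cover migrating an existing user with a populated home directory, which the post does not show.

```shell
#!/bin/sh
# add-encrypted-user.sh (added example for this page; not part of ecryptfs-utils
# or of the original post).  Wraps the Wheezy procedure in one script:
#   sh add-encrypted-user.sh NEW_USER [ECRYPTFS_DIR]
# The optional second argument is an assumption of this example: where the
# encrypted data should live instead of the hardcoded /home/.ecryptfs.
set -eu

# Rewrite the hardcoded ECRYPTFS_DIR="/home/.ecryptfs" assignment in the
# ecryptfs-setup-private script ($1) to point at $2.  Returns 1 if that exact
# line is not present, so a different script version is noticed instead of
# silently migrating into the wrong directory.
patch_ecryptfs_dir() {
    script="$1"
    newdir="$2"
    grep -q '^ECRYPTFS_DIR="/home/\.ecryptfs"$' "$script" || return 1
    sed "s|^ECRYPTFS_DIR=\"/home/\.ecryptfs\"\$|ECRYPTFS_DIR=\"$newdir\"|" \
        "$script" > "$script.tmp" && mv "$script.tmp" "$script"
}

# ecryptfs-migrate-home copies the whole home directory, so the filesystem that
# will hold the encrypted copy must have at least that much free.  Arguments are
# plain numbers (KiB) so the check can be exercised without touching a disk.
enough_space() {
    needed_kb="$1"
    free_kb="$2"
    [ "$free_kb" -gt "$needed_kb" ]
}

# The user must have no running processes (no session, no open files in $HOME)
# while the directory is migrated; ecryptfs-migrate-home refuses otherwise too.
user_has_processes() {
    pgrep -u "$1" >/dev/null 2>&1
}

main() {
    user="$1"
    ecryptfs_dir="${2:-/home/.ecryptfs}"
    setup_script=/usr/bin/ecryptfs-setup-private

    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }

    aptitude install -y ecryptfs-utils            # step 1
    adduser "$user"                               # step 2 (interactive: sets the login password)

    home=$(getent passwd "$user" | cut -d: -f6)
    if user_has_processes "$user"; then
        echo "$user still has running processes; log them out first" >&2
        exit 1
    fi
    needed=$(du -sk "$home" | cut -f1)
    free=$(df -Pk "$(dirname "$ecryptfs_dir")" | awk 'NR==2 {print $4}')
    enough_space "$needed" "$free" || { echo "not enough free space for the encrypted copy" >&2; exit 1; }

    # Keep a pristine copy of the packaged script and restore it on any exit;
    # a later ecryptfs-utils upgrade would overwrite an edited copy anyway.
    cp -p "$setup_script" "$setup_script.orig"
    trap 'if [ -f "$setup_script.orig" ]; then mv "$setup_script.orig" "$setup_script"; fi' EXIT
    if [ "$ecryptfs_dir" != /home/.ecryptfs ]; then
        patch_ecryptfs_dir "$setup_script" "$ecryptfs_dir"
    fi
    ecryptfs-migrate-home -u "$user"              # step 3 (interactive)
    mv "$setup_script.orig" "$setup_script"

    echo "Next: 'login $user' before the next reboot, run ecryptfs-unwrap-passphrase"
    echo "there and keep the output somewhere safe, then delete the unencrypted copy"
    echo "whose path ecryptfs-migrate-home printed above."
}

# Only act when called with a user name, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

The interactive steps (adduser asking for the password, ecryptfs-migrate-home asking for the login passphrase) stay interactive; the script only adds the guards around them and makes sure the packaged script is put back even if the migration aborts halfway.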