NOTE: I no longer rely on this procedure, as I've become more concerned about data corruption than privacy risks. But I also now only travel with a machine that has been privacy hardened and scrubbed of most private data, relying on secure cloud storage (Proton Drive) to retrieve any sensitive materials I may need.
Open source fscrypt provides native encryption for ext4 filesystems on Linux. With it you can encrypt individual directories within a disk partition, including user home directories. It cannot encrypt files in place: a directory must be empty when it is encrypted, so existing data has to be backed up, the (empty) directory encrypted, and the data copied back in.
The process described below has only been tested on Ubuntu 22.04 LTS Desktop after install and user home creation. All device filesystems are ext4. The /home directory is mounted on its own dedicated partition (e.g., "/dev/sda3"). I'm doing this to secure the personal data on a laptop from common thieves, not state actors or anyone who can get access to the machine while it's running (an unlocked home directory is plaintext to anyone with the right uid or root). Your Mileage May Vary. Because.
The best and most up to date documentation available is in the fscrypt README. An older article about doing this on Ubuntu 18.04 (now seriously outdated by the aforementioned doc) helped clarify some things for me.
Here's my recipe (do this as root or another admin in a new virtual console [e.g., CTRL-ALT-F3] if running a GUI desktop like Gnome, so the target user's session is not holding files open in the directory being replaced). Use this as a guide while carefully following the fscrypt documentation (pay particular attention to its instructions on verifying that the changes made in each step are working).
-
Enable the target ext4 device for encryption (e.g., the one where /home is mounted, "/dev/sda3"). The running kernel must support ext4 encryption (the file /sys/fs/ext4/features/encryption exists when it does), and once the feature is set the filesystem can no longer be mounted by kernels that lack it.
$ sudo tune2fs -O encrypt /dev/sda3
-
Install fscrypt.
$ sudo apt install fscrypt libpam-fscrypt
-
Create the main fscrypt config file, /etc/fscrypt.conf, and the metadata directory /.fscrypt on the root filesystem:
$ sudo fscrypt setup
Answer "N" to keep /.fscrypt writable only by root (no non-root user needs to create policies or protectors on the root filesystem in this setup).
-
Set up fscrypt for the target mountpoint.
$ sudo fscrypt setup /home
Answer "y" to make /home/.fscrypt writable by all users (world-writable with the sticky bit), so that users can create their own protectors and policies for their home directories.
-
Back up the existing home directory (I rename it to free up the original name for later; the new directory must be empty before it can be encrypted).
$ sudo mv /home/myuser /home/myuser.bak
-
Create a new home directory (with the original name) for encryption.
$ sudo mkdir /home/myuser
$ sudo chown myuser:myuser /home/myuser
$ sudo chmod go-rwx /home/myuser
-
Encrypt the new (still empty) directory.
$ sudo fscrypt encrypt /home/myuser --user=myuser
Select "1 - Your login passphrase (pam_passphrase)" as the protector so the directory unlocks automatically on login via libpam-fscrypt.
-
Copy the contents of the backup directory into the new directory (the trailing slash on the source matters: it copies the contents rather than the directory itself).
$ sudo rsync -avH /home/myuser.bak/ /home/myuser
-
Verify that everything copied over, then log in as the user. Specifically, reboot, log in as root or another admin, and try to list the encrypted directory's contents (you should see only scrambled file names). Then try logging in as the user using the Gnome or other login prompt. Finally, after another reboot, try logging in over ssh. After each user login, the directory should be "open" (unlocked), allowing it to be listed normally; "fscrypt status /home/myuser" reports whether it is currently unlocked. See the fscrypt documentation ("fscrypt lock") for how to force it "closed" again.
-
Copy the recovery passphrase from fscrypt_recovery_readme.txt in the root of the new home directory and record it somewhere safe (like Bitwarden). Without it, a lost or changed login passphrase means the data is unrecoverable.
-
If all goes well, remove the backup directory (e.g. "myuser.bak"). For that I prefer secure-delete's srm, which can take a really long time: use "-rfl" or "-rfll" to go faster but less securely (see the secure-delete toolkit docs for details). Note that on an SSD, overwriting does not reliably reach the underlying flash blocks because of wear levelling, so srm is best-effort there.
$ sudo srm -rf /home/myuser.bak
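The recipe above, collected into one script with the preconditions checked before each destructive step. This is an added example and not the author's own script; the device, mount point and user name (DEV, MNT, USER_NAME) are assumptions set at the top, and the fscrypt prompts are still answered interactively as described in the recipe. Nothing runs unless RUN_FSCRYPT_RECIPE=1 is set, so the file can be sourced or read safely.

```shell
#!/bin/sh
# Added example (not the page author's script): the fscrypt home-directory
# recipe with its preconditions checked. Assumed names: DEV, MNT, USER_NAME.
set -eu

DEV="${DEV:-/dev/sda3}"           # assumption: the partition carrying /home
MNT="${MNT:-/home}"
USER_NAME="${USER_NAME:-myuser}"  # assumption: the account being migrated

# --- pure helpers (no root, no devices) so each check can be tested alone ---

# 0 if a tune2fs "Filesystem features:" list contains the ext4 "encrypt" feature.
features_have_encrypt() {
    case " $1 " in
        *" encrypt "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the device backing mount point $1 from /proc/mounts-style text in $2.
mount_source() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $1; exit }'
}

# 0 if $1 is an existing, empty directory (fscrypt refuses to encrypt non-empty ones).
dir_is_empty() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# 0 if the running kernel was built with ext4 encryption support.
kernel_supports_ext4_encryption() {
    [ -e /sys/fs/ext4/features/encryption ]
}

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

main() {
    [ "$(id -u)" -eq 0 ] || die "run as root (sudo)"
    kernel_supports_ext4_encryption || die "kernel lacks ext4 encryption support"
    actual=$(mount_source "$MNT" "$(cat /proc/mounts)")
    [ "$actual" = "$DEV" ] || die "$MNT is backed by '$actual', not $DEV; fix DEV first"

    home="$MNT/$USER_NAME"
    bak="$home.bak"
    [ -d "$home" ] || die "$home does not exist"
    [ ! -e "$bak" ] || die "$bak already exists; refusing to overwrite a backup"

    # Step 1: enable the encrypt feature on the filesystem (idempotent), then verify.
    features="$(tune2fs -l "$DEV" | sed -n 's/^Filesystem features: *//p')"
    features_have_encrypt "$features" || tune2fs -O encrypt "$DEV"
    features="$(tune2fs -l "$DEV" | sed -n 's/^Filesystem features: *//p')"
    features_have_encrypt "$features" || die "encrypt feature still not set on $DEV"

    # Step 2: tooling.
    apt-get install -y fscrypt libpam-fscrypt

    # Steps 3-4: global config and per-mount metadata. Both prompt; answer as in
    # the recipe (N for the root filesystem, y for $MNT).
    [ -f /etc/fscrypt.conf ] || fscrypt setup
    [ -d "$MNT/.fscrypt" ] || fscrypt setup "$MNT"

    # Steps 5-6: move the old home aside and create an empty replacement.
    mv "$home" "$bak"
    mkdir "$home"
    chown "$USER_NAME:$USER_NAME" "$home"
    chmod go-rwx "$home"
    dir_is_empty "$home" || die "$home must be empty before encryption"

    # Step 7: encrypt (prompts for the protector; pick the login passphrase).
    fscrypt encrypt "$home" --user="$USER_NAME"
    fscrypt status "$home"

    # Step 8: copy the data back and prove nothing was lost before any deletion.
    # Add -A -X to rsync if the home holds ACLs or xattrs worth keeping.
    rsync -avH "$bak/" "$home/"
    # The only acceptable difference is the recovery readme fscrypt adds.
    diff -rq "$bak" "$home" | grep -v 'fscrypt_recovery_readme.txt' \
        && die "copy differs from backup (see diff output above)"

    if [ -f "$home/fscrypt_recovery_readme.txt" ]; then
        echo "record the recovery passphrase in $home/fscrypt_recovery_readme.txt now"
    else
        echo "warning: no fscrypt_recovery_readme.txt in $home; check the protector setup"
    fi
    echo "next: reboot, log in as $USER_NAME, confirm $home unlocks; only then delete $bak"
}

# Guard so that sourcing or dry-running this file does nothing destructive.
if [ "${RUN_FSCRYPT_RECIPE:-0}" = "1" ]; then
    main
fi
```

Run it as `sudo RUN_FSCRYPT_RECIPE=1 sh fscrypt-home.sh` from a virtual console while the target user is logged out. The mount check against /proc/mounts is the one most worth keeping even if you type the steps by hand: running tune2fs against the wrong device is the easiest way to turn this recipe into the data-corruption risk the note at the top worries about.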
Google. "fscrypt". GitHub, https://github.com/google/fscrypt.
Troels Liebe Bentsen. "fscrypt setup on Ubuntu 18.10". Troels Liebe Bentsen, 22 Oct 2018, https://tlbdk.github.io/ubuntu/2018/10/22/fscrypt.html.
Installing fscrypt on root ("/") and then encrypting a specific folder under it was the use case in Troels' original article (link above). When running fscrypt setup on "/" in that scenario you may have to answer "Y" to make the /.fscrypt directory world-writable so users can create new policies and protectors for their homes. See the official doc (link above).