Encrypt home/user directory with eCryptfs (manjaro 17)

You want to share your linux laptop with others providing a secure multi-user environment? Well, eCryptfs is your friend.

Home Encryption

Assuming, you have manjaro installed and you want to add a new user, whose home data should be encrypted with ecryptfs.

  • You can add a user in the manjaro settings or on the good ole’ console.
  • Command to encrypt the home directory:
root$ ecryptfs-migrate-home -u <THE_USER>
  • Probably it will fail due to open processes reported by lsof.
  • So, logout and stop the window manager (use different terminal, e.g. CTRL+SHIFT+F2) root$ systemctl stop lightdm
    • on other systems X might respawn. Try kill -19 <PID_OF_X>
  • again encrypt the users directory root$ ecryptfs-migrate-home -u <THE_USER>
  • Follow the instructions given by the output.
    • Login as the user.
    • Use ecryptfs-mount-private to mount the encrypted home of the user.
    • Check if you can read/write files.
    • You can unmount with umount /home/<THE_USER> as long as there are not processes attached
  • To enable auto mount feature, follow instructions by the arch wiki section.
    • Automatic unmounting does not really work, see the warning in the aforementioned section. It just will be unmounted when shutting down/rebooting.

System Encryption

The whole system can also be encrypted, with LUKS using LVM. The password to boot linux must be known to the users, of course. Popular distros support LVM/LUKS right from the installation process. A friend of mine compiled a detailed behind-the-scenes/tutorial to show an advanced setup, where it first boots into encrypted grub, which then boots into your encrypted system.

# 1. format table (e.g. /dev/sda with MBR):
Partition   Size       Code  Name
sda1        1M         EF02  BIOS boot partition
sda2        >=200M     8300  Linux Filesystem (/boot)
sda3        Rest       8E00  Linux LVM (system lvm)

# 2. encrypt LVM and open LVM:
cryptsetup luksFormat --type luks2 -s 512 -h sha512 -i 3000 --use-random /dev/sda3
cryptsetup open /dev/sda3 lvm

# 3. LVM partitioning example (using btrfs for better data security):
pvcreate /dev/mapper/lvm
vgcreate archi /dev/mapper/lvm
lvcreate -L 4G archi -n swap
lvcreate -L 10G archi -n root
lvcreate -L 4G archi -n LaTeX

mkfs.btrfs /dev/mapper/archi-root
mkfs.btrfs /dev/mapper/archi-LaTeX
mkswap /dev/mapper/archi-swap

# 4. Boot-Partition preparation:
cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 cryptboot
mkfs.ext4 /dev/mapper/cryptboot

# 5. mount directories
mount /dev/achi/root /mnt
mount /dev/mapper/cryptboot /mnt/boot
swapon /dev/archi/swap

# 6. install arch linux
pacstrap /mnt base
genfstab -U /mnt >> /mnt/etc
arch-chroot /mnt
#  do not forget to mount boot/efi, if you use UEFI
#  mount /dev/sdxx /boot/efi
#   ...diverse locale-Einstellungen wie im Standard ArchLinux-Installguide
#   ...installieren zusätzlicher Pakete, z.B. grub, intel-ucode, btrfs-progs,... 

# 7. make initramfs
# edit /etc/mkinitcpio.conf
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 usr resume filesystems fsck)
mkinitcpio -p linux # preset name: check /etc/mkinitcpio.d/ for image preset name

# 8. install GRUB
# edit /etc/default/grub
GRUB_CMDLINE_LINUX=" ... cryptdevice=UUID=<UUID of /dev/sda3>:archi rd.lvm.lv=archi/root rd.lvm.lv=archi/swap rd.lvm.lv=archi/user ..."
grub-mkconfig -o /boot/grub/grub.cfg
# -> warnings "Failed to connect to lvmetad..." can be ignored
grub-install --target=i386-pc --recheck /dev/sda (put GRUB-Binaries into /dev/sda1)

# 9. automatic mounting of Boot-Partition at boot
# create keyfile (dd bs=512 count=4 if=/dev/random of=/etc/boot.crkey;chmod 400 /etc/boot.crkey)
cryptsetup luksAddKey /dev/sda2 /etc/boot.crkey
# edit /etc/crypttab
cryptboot     UUID=<UUID of /dev/sda2>  /etc/boot.crkey