How to encrypt your home folder after installing Ubuntu
Applies to: Ubuntu 14.x, 16.x
Ubuntu offers to encrypt your home folder during installation. If you decline the encryption and
change your mind later, you don’t have to reinstall Ubuntu. You can activate the encryption with
a few terminal commands.
Ubuntu uses eCryptfs for encryption. When you log in, your home directory is automatically
decrypted with your password. While there is a performance penalty to encryption, it can keep
private data confidential, particularly on laptops that may be stolen.
Getting Started
Before doing any of this, you should ensure you have a backup of your home directory and
important files. The migration command will create a backup on your computer, but it’s
important to have an additional backup – just in case.
First, install the encryption utilities:
sudo apt-get install ecryptfs-utils cryptsetup
You’ll have to encrypt your home directory while you’re not logged in. This means that you’ll
need another user account with administrator (sudo) privileges – you can create one from
Ubuntu’s User Accounts window. To open it, click your name on the panel and select User
Accounts.
Create a new user account and make it an administrator.
Set a password by clicking the password box. The account is disabled until you apply a
password.
After creating the user account, log out of your desktop.
Migrating Your Home Folder
Select your new, temporary user account on the login screen and log in with it.
Run the following command to encrypt your home directory, replacing user with the name of
your user account: sudo ecryptfs-migrate-home -u user
You’ll have to provide your user account’s password. After you do, your home directory will be
encrypted and you’ll be presented with some important notes. In summary, the notes say:
1. You must log in as the other user account immediately – before a reboot!
2. A copy of your original home directory was made. You can restore the backup directory
if you lose access to your files.
3. You should generate and record a recovery phrase.
4. You should encrypt your swap partition, too.
Log out and log back in as your original user account. Do not reboot your system before logging
back in!
After you log in, click the Run this action now button to create a recovery passphrase. Keep this
passphrase somewhere safe – you’ll need it if you have to manually recover your files in the
future.
You can run the ecryptfs-unwrap-passphrase command to view this passphrase at any time.
Encrypting the Swap Partition
When you set up an encrypted home directory while installing Ubuntu, your swap partition is
also encrypted. After setting up home directory encryption, you’ll also want to set up swap
encryption. To do so, run the following command in a terminal: sudo ecryptfs-setup-swap
Note that an encrypted swap won’t work properly with Ubuntu’s hibernate feature – which is
disabled by default, anyway.
Clean Up
After restarting your system once or twice and verifying everything works properly, you can
clean everything up. In addition to deleting the user account, you can remove the backup home
folder located in your system’s /home directory.
You’ll have to remove the backup directory from a terminal with a command like the following
one. Be very careful when using this command – you could accidentally delete your real home
folder or another important system directory if you type the directory name wrong: sudo rm -rf /home/user.random