How to encrypt your home folder after installing Ubuntu
Applies to: Ubuntu 14.x, 16.x
Ubuntu offers to encrypt your home folder during installation. If you decline the encryption and
change your mind later, you don’t have to reinstall Ubuntu. You can activate the encryption with
a few terminal commands.
Ubuntu uses eCryptfs for encryption. When you log in, your home directory is automatically
decrypted with your password. While there is a performance penalty to encryption, it can keep
private data confidential, particularly on laptops that may be stolen.
Getting Started
Before doing any of this, you should ensure you have a backup of your home directory and
important files. The migration command will create a backup on your computer, but it’s
important to have an additional backup – just in case.
First, install the encryption utilities:
sudo apt-get install ecryptfs-utils cryptsetup
You’ll have to encrypt your home directory while you’re not logged in. This means that you’ll
need another user account with administrator (sudo) privileges – you can create one from
Ubuntu’s User Accounts window. To open it, click your name on the panel and select User
Accounts.
Create a new user account and make it an administrator.
Set a password by clicking the password box. The account is disabled until you apply a
password.
After creating the user account, log out of your desktop.
Migrating Your Home Folder
Select your new, temporary user account on the login screen and log in with it.
Run the following command to encrypt your home directory, replacing user with the name of
your user account:
sudo ecryptfs-migrate-home -u user
You’ll have to provide your user account’s password. After you do, your home directory will be
encrypted and you’ll be presented with some important notes. In summary, the notes say:
1. You must log in as the other user account immediately – before a reboot!
2. A copy of your original home directory was made. You can restore the backup directory
if you lose access to your files.
3. You should generate and record a recovery phrase.
4. You should encrypt your swap partition, too.
Log out and log back in as your original user account. Do not reboot your system before logging
back in!
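A pre-flight check for the procedure above, as an added example that is not part of the original article: run from the temporary administrator account before the migration command, it confirms that the target account is fully logged out, is not already encrypted, and has room for the backup copy. The function names and the 2.5x free-space factor are assumptions of this example.

```sh
#!/bin/sh
# Pre-flight checks to run from the temporary admin account BEFORE
# "sudo ecryptfs-migrate-home -u USER". Added example; function names are hypothetical.

# Succeeds if the home directory already carries eCryptfs metadata.
home_is_encrypted() {
    [ -e "$1/.ecryptfs" ] || [ -L "$1/.ecryptfs" ] ||
    [ -e "$1/.Private" ] || [ -L "$1/.Private" ]
}

# KiB of free space wanted for a home that uses $1 KiB
# (assumed 2.5x factor: room for the backup copy plus the encrypted copy).
needed_kb() {
    echo $(( $1 * 5 / 2 ))
}

# Succeeds if the filesystem holding directory $1 has that much space free.
space_ok() {
    used=$(du -sk "$1" | awk '{print $1}')
    free=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ "$free" -ge "$(needed_kb "$used")" ]
}

# Succeeds if the user owns no running processes (fully logged out).
user_logged_out() {
    [ -z "$(ps -u "$1" -o pid= 2>/dev/null)" ]
}

# Runs every check for user $1; a distinct return code identifies the failed check.
preflight() {
    user=$1
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] && [ -d "$home" ] || { echo "no home directory for $user"; return 2; }
    home_is_encrypted "$home" && { echo "$home already looks encrypted"; return 3; }
    user_logged_out "$user" || { echo "$user still has running processes; log out first"; return 4; }
    space_ok "$home" || { echo "not enough free space for the backup copy"; return 5; }
    echo "OK: ready to run: sudo ecryptfs-migrate-home -u $user"
}

# Run only when given a user name, e.g.: sh preflight.sh alice
if [ $# -eq 1 ]; then
    preflight "$1"
fi
```

Run it with sudo if the temporary account cannot read the target home directory, since du needs to traverse it.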