Encrypt Home Folder on Linux

Warning

Please back up all your data before encrypting anything. I recommend Déjà Dup when backing up Linux.

Before encrypting, ecryptfs creates a local copy of your home folder, so you can recover anything that goes missing. However, I highly recommend making your own backup in case it does not create that local copy.

Encrypting your home folder will require free space that is 2.5 times bigger than the home folder you want to encrypt because ecryptfs will create a backup. For example, if your home folder is 10 GB, have at least 25 GB left over.

Throughout this guide, replace yourusername with the name of the user folder you want to encrypt.

How to Encrypt

Log out of your user's account. Press Ctrl + Alt + F1. If this combination doesn't work, replace F1 with one of the keys from F2 to F6. This will bring up the TTY.

Switch to root.

sudo -s

Install ecryptfs-utils. For Debian/Ubuntu:

sudo apt install ecryptfs-utils

Adjust the above command for your distro's package manager. You can use this guide if you're stuck.

Next, encrypt your user account. Replace yourusername with your username:

sudo ecryptfs-migrate-home -u yourusername

You can encrypt multiple user accounts by running the above command several times.

Afterwards, enter a passphrase to encrypt your new home folder:

ecryptfs-add-passphrase

Ensure you remember your passphrase. It's best to store it in a password manager. I recommend setting it to the same as your login password.

Reboot your system. Verify you can log in to your user account. Check that everything is working.

Remove your local backup (typically stored as yourusername.random_letters). For instance, ecryptfs will store a local backup of user in user.iLvpQs.

sudo rm -r yourusername.random_letters

Verify Home Folder is Encrypted

Enter this command:

mount | grep yourusername

If you see something along the lines of .ecryptfs and yourusername, your home folder is encrypted.

You can also check ~/.Private for ecryptfs.
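
A stricter form of the mount check above, as an added example that is not part of the original guide: grep matches any mount line containing the username, while this tests that the home directory itself is mounted with filesystem type ecryptfs. The function names, the users alice and bob, and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Reads mount-table lines in /proc/mounts format on stdin:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>

# home_is_ecryptfs USER [HOME_BASE]
# Returns 0 if HOME_BASE/USER is a mount point of type ecryptfs, 1 otherwise.
home_is_ecryptfs() {
    user=$1
    base=${2:-/home}
    awk -v mp="$base/$user" '
        $2 == mp && $3 == "ecryptfs" { found = 1 }
        END { exit !found }
    '
}

# Constructed sample mount table (signature values are placeholders).
# alice has an encrypted home; bob only appears in an unrelated mount point,
# which a plain "grep bob" would still match.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=0000000000000000,ecryptfs_sig=0000000000000000,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
/dev/sdb1 /media/bob-usb vfat rw,nosuid,nodev 0 0
EOF
}

# Demo on the constructed table.
for u in alice bob; do
    if sample_mounts | home_is_ecryptfs "$u"; then
        echo "$u: home is an eCryptfs mount"
    else
        echo "$u: home is NOT an eCryptfs mount"
    fi
done
```

On a live system, run it while logged in as the user: home_is_ecryptfs yourusername < /proc/mounts. The encrypted home is only mounted during that user's session.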