GNU/Linux Desktop Survival Guide by Graham Williams
Desktop Survival Project Home Preface Advocacy History Distributions Installing GNU/Linux Basic Survival Wajig Applications AI, Machine Learning, Data Science Android - GNU/Linux Devices Audio Backup Booting CD Chinese ChRoot Clock Command Line Databases DIA Directories Disks EcoSysL Emacs Email Evolution Files File Systems Firewalls Floppy Disks FreedomBox Glade GNOME Graphics, Images, Photos Hardware Initialisations on Booting Installation Examples Internet IOT Java KDE Kernels Keyboard Konqueror KVM Switch LATEX Log System Login Magellan MATE Mathematics Memory Modems Mounting Devices MS/Windows Music MySQL Nautilus Networks Nextcloud Network File System NFS NT File System Oracle Packages Partitions Passwords PDF Power Management PPP Presentations Printing Python R Remote Desktops Rsync Samba Scanning Science Screens Security Spreadsheet SSH Swap Teradata Data Warehouse Themes TV Unity USB Version Control Video Virtualization Voice over IP WebCam WordPress Web Sites Word Processing and Printing X XML Troubleshooting Index

CLICK HERE TO VISIT THE UPDATED SURVIVAL GUIDE

Home Encryption

See Section 5.12 for information about setting up encrypted user accounts.

20190121 On installation, depending on distribution, Ubuntu will ask if you want to encrypt your home files when you set up user accounts. This will protect data sitting at rest when you are not logged onto the computer, protecting it against exposure or theft. It protexts most user data but some data will live in /tmp or other non /home locations whilst some sensitive data may live in the swap partition.

Full disk encryption is a common alternative, protecting the whole disk at rest. The disk is then decrypted at boot time and remains decrypted whilst the system is active.

When adding new users their home folder can be encrypted:

$ sudo adduser --encrypt-home <user>

For a pre-existing user ecryptfs-migrate-home can be used. This needs to be run from another user account. If there is a single existing user (kayon) then create a second user account (sudo adduser tmp) and from that second user's login, encrypt the first user's home (and vice-versa for the second user's home if that account will be longer living).

tmp@host$ wajig install ecryptfs-utils cryptsetup
tmp@host$ sudo ecryptfs-migrate-home -u kayon

Log out of tmp and log into kayon. Then print and record the recovery passphrase for future recovery if required.

kayon@host$ ecryptfs-unwrap-passphrase
Passphrase: <password>

Now reboot, login as the second user (tmp), and try using sudo to list the first user's home:

tmp@host$ sudo ls /home/kayon
Access-Your-Private-Data.desktop  README.txt

Consider also encrypting the swap partition. Hibernate will be affected by this, though suspend will be okay.

$ sudo ecryptfs-setup-swap