In a separate tutorial, we highlighted the process to deploy full disk encryption on Ubuntu Desktop 20.04 with LUKS encryption during installation. In practice, this is the recommended method to protect an Ubuntu device since it encrypts all disk partitions including the swap space and system partitions, thus achieving full disk encryption.
If you already have Ubuntu installed without any encryption, then full disk encryption with LUKS may not be an option; however, you could still encrypt the home directory and swap space without requiring a complete reinstallation of the operating system.
By default, the home directory is where most of your personal files reside: documents, spreadsheets, music, videos, images, and anything else you download. Swap space is an area of the hard drive used as virtual memory. When a Linux system runs low on RAM, inactive memory pages are pushed out to swap; although access is slower than RAM, swap space in this way supplements the device’s RAM when it is nearly exhausted.
Ubuntu provides a command-line tool for encrypting both the home directory and the swap space. Why encrypt the swap space as well? As mentioned earlier, the OS periodically swaps out some memory pages to the swap area when the RAM is almost depleted. The information moved to the swap area may contain personal information such as username and passwords which would prove valuable to hackers. It is therefore essential to encrypt the swap space as well.
In this guide, we will explore post-installation encryption on Ubuntu 20.04. We will cover the encryption of both the home directory and swap space which is key in safeguarding personal and professional user data.
NOTE: Encryption is a process that could result in data loss on your machine. Please back up your /home folder prior to performing any of the steps below. Additionally, if you are using JumpCloud to manage the users on this machine, you may experience an unpleasant login loop if you reboot the machine before the user has logged in with a new password.
Step 1: Install Encryption Packages
To begin, we will install the software packages that provide encryption on Linux: ecryptfs-utils and cryptsetup. First, launch your terminal and execute the following command:
$ sudo apt install ecryptfs-utils cryptsetup
When prompted, press “Y” to proceed with the installation of the packages and other software dependencies.
Step 2: Create Another User and Assign Sudo Privileges
Encryption of your home directory requires the use of another privileged user. This is because some of the files in your home directory might be rendered inaccessible if you are performing the encryption while logged in with your own account.
For this reason, we will create a new privileged user to encrypt the home directory.
First, we will create a regular user using the following syntax:
$ sudo adduser username
For this guide, encryption_user is the regular user we are going to create.
$ sudo adduser encryption_user
Be sure to fill out all the relevant details and press “Y” to save the information.
Next, assign root privileges to the newly created user by adding the user to the sudoers group.
$ sudo usermod -aG sudo encryption_user
Next, log out (DO NOT REBOOT!) and log in using the newly created privileged account, encryption_user.
Step 3: Encrypt the Home Directory
Once logged in as the temporary privileged user, you can have a glance at the contents of the home directory that you are about to encrypt. Here, ~winnie is the home directory of the user account called winnie that we will encrypt shortly.
$ sudo ls -l ~winnie
To encrypt the home directory we will execute the command below. In this tutorial, the user whose home directory is being encrypted is named winnie.
$ sudo ecryptfs-migrate-home -u winnie
You will get similar output to what is shown below. When you are prompted for the passphrase, provide the user account’s login password and hit “ENTER”.
The encryption of the home directory will start. This takes a while depending on the size and disk usage of the home directory.
Upon successful completion of the file encryption, some instructions will be printed out on the terminal to guide you on the next steps to follow. We will follow these steps below to gracefully wind up the entire process.
Step 4: Confirm Encryption and Record Passphrase
Next, log out from the privileged user account and log back in (DO NOT REBOOT!) to your regular user account.
Once back in, a pop-up notification will display on the desktop giving you (or the user at their machine, if you are performing this process remotely) the next steps to take to record a passphrase that will be used to recover your home directory. If a user is not present, the passphrase can be recorded via the terminal (see below).
Step 4A: Confirm Encryption Process Before Recording Passphrase
But before going any further, you need to confirm that you can read and write files in your home directory. To give this a try, we will create a simple hello.txt text file.
$ cat > hello.txt
Type some dummy text and press Ctrl + D to save the changes. To verify that you have successfully written the data, use the cat command again as follows:
$ cat hello.txt
If you were able to write and read data, then the encryption process completed successfully. This also means that the passphrase was applied to decrypt the home directory when the user logged back in.
Step 4B: Record Passphrase
Now that you have confirmed read/write capabilities, you should print out or record the passphrase; to do this, head back to the pop-up window and press the “Run this action now” button; or, if you are running this tutorial remotely via a terminal, you will need to run the ecryptfs-unwrap-passphrase command instead (see below).
When prompted for the passphrase, provide your login password and press “ENTER”.
Thereafter, you can reveal the recovery password using the command:
$ sudo ecryptfs-unwrap-passphrase
Copy the recovery passphrase and keep it somewhere safe.
Step 5: Encrypt the Swap Space
Finally, we will encrypt the swap space to prevent any leaks that might compromise sensitive user data. But first, verify that swap space exists on your system as shown below.
$ swapon -s
The output confirms that we indeed have a swap partition, shown as /dev/sda3. You can further probe the space it occupies using the free command. The output shows that it occupies 8G of space.
$ free -h
To encrypt the swap space, simply run the command:
$ sudo ecryptfs-setup-swap
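The hello.txt test in Step 4A proves the home directory is usable, but an unencrypted home directory accepts writes just as readily; what actually confirms the migration is that the home path is now an eCryptfs mount, and for Step 5 that the active swap area is the dm-crypt mapping created by ecryptfs-setup-swap rather than the raw partition. The script below is an added example, not code from the JumpCloud tutorial or the ecryptfs-utils package. Its function names, the sample /proc/mounts, /proc/swaps and /etc/crypttab text, and the UUID placeholder are all constructed for illustration; the crypttab line mirrors the shape of the entry ecryptfs-setup-swap writes, but the exact cipher options vary by Ubuntu release.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit the result of
# ecryptfs-migrate-home and ecryptfs-setup-swap. The checks take the text of
# /proc/mounts, /proc/swaps and /etc/crypttab as arguments so they can be run
# on constructed input; audit_host feeds them the live files on a real host.

# home_is_ecryptfs MOUNTS_TEXT HOME_DIR
# Succeeds only if HOME_DIR appears in the mount table with fstype ecryptfs.
home_is_ecryptfs() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp && $3 == "ecryptfs" { found = 1 }
        END { exit !found }'
}

# swap_is_encrypted SWAPS_TEXT CRYPTTAB_TEXT
# Succeeds only if every active swap area is a /dev/mapper device whose
# crypttab entry is keyed from /dev/urandom (a fresh key on every boot, which
# is why this kind of swap cannot be used for hibernation).
swap_is_encrypted() {
    swaps=$1
    crypttab=$2
    count=0
    # /proc/swaps: a header line, then "<device> <type> <size> <used> <prio>"
    for dev in $(printf '%s\n' "$swaps" | awk 'NR > 1 { print $1 }'); do
        count=$((count + 1))
        case $dev in
            /dev/mapper/*) name=${dev#/dev/mapper/} ;;
            *) return 1 ;;  # a raw partition such as /dev/sda3 still swaps in the clear
        esac
        # /etc/crypttab: "<name> <source> <keyfile> <options>"
        printf '%s\n' "$crypttab" | awk -v n="$name" '
            $1 == n && $3 == "/dev/urandom" { ok = 1 }
            END { exit !ok }' || return 1
    done
    [ "$count" -gt 0 ]
}

# Constructed sample data (not captured from a real machine).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/home/.ecryptfs/winnie/.Private /home/winnie ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0'
SAMPLE_SWAPS_BEFORE='Filename Type Size Used Priority
/dev/sda3 partition 8388604 0 -2'
SAMPLE_SWAPS_AFTER='Filename Type Size Used Priority
/dev/mapper/cryptswap1 partition 8388604 0 -2'
SAMPLE_CRYPTTAB='cryptswap1 UUID=PLACEHOLDER-UUID /dev/urandom swap,offset=1024,cipher=aes-xts-plain64'

# Walk the sample data through both checks.
demo() {
    if home_is_ecryptfs "$SAMPLE_MOUNTS" /home/winnie; then
        echo "home:        /home/winnie is an eCryptfs mount"
    fi
    if ! swap_is_encrypted "$SAMPLE_SWAPS_BEFORE" "$SAMPLE_CRYPTTAB"; then
        echo "swap before: /dev/sda3 is still swapping in the clear"
    fi
    if swap_is_encrypted "$SAMPLE_SWAPS_AFTER" "$SAMPLE_CRYPTTAB"; then
        echo "swap after:  cryptswap1 is dm-crypt backed with a per-boot random key"
    fi
}

# Live audit of this host; pass another user's home (e.g. /home/winnie) as $1.
audit_host() {
    home=${1:-$HOME}
    if [ -r /etc/crypttab ]; then crypttab=$(cat /etc/crypttab); else crypttab=""; fi
    if home_is_ecryptfs "$(cat /proc/mounts)" "$home"; then
        echo "OK   $home is an eCryptfs mount"
    else
        echo "FAIL $home is not mounted via eCryptfs"
    fi
    if swap_is_encrypted "$(cat /proc/swaps)" "$crypttab"; then
        echo "OK   all active swap is dm-crypt backed with a per-boot random key"
    else
        echo "FAIL some active swap is unencrypted or missing from /etc/crypttab"
    fi
}

if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    audit_host "$@"
else
    demo
fi
```

Run it as is to see the constructed samples evaluated; run it as `AUDIT_LIVE=1 sudo sh audit.sh /home/winnie` on the machine you just encrypted to check the real mount table and swap configuration.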
Step 6: Clean up
At this point, both the home directory and the swap space have been encrypted. You can now remove the privileged user that you used to encrypt the home directory.
$ sudo deluser --remove-home encryption_user
Additionally, we will remove the /home/winnie.MTL8xtIX directory. This is a backup home folder that was created when we ran the initial migration command. You can find it by locating the directory that contains .MTL8 in the name.
$ sudo rm -Rf /home/winnie.MTL8xtIX
Conclusion
We have demonstrated the process of home directory and swap space encryption as provided by the ecryptfs-utils and cryptsetup packages. While this offers a decent degree of protection for your personal files and documents, it is no match for full disk encryption, which encrypts all the partitions, including system partitions, during installation. If encryption is your only line of defense, consider implementing another security layer such as multi-factor authentication on Ubuntu.
Through the JumpCloud Directory Platform, you can easily implement disk encryption throughout your entire fleet. Through its remote device management capabilities, both Windows and macOS devices can achieve full disk encryption through standard, out-of-the-box policies, while Linux devices can be managed and monitored for encryption status and, using the Commands feature, deploy processes like the one featured in this tutorial to remote devices anywhere.
To see how this works, along with a number of other device security and management features, sign up for a free trial today.