HOWTO Encrypt Your Home Directory Using EncFS

From Gentoo Linux Wiki


This text describes an easy method to encrypt your home directory using EncFS.

Warning: You should backup your home directory before trying this!

Let's assume you are user john with home directory /home/john, using bash as your shell and logging in on the console.

  • Login as root
emerge -av fuse encfs secure-delete

If fuse refuses to build because "your kernel is too new", go to /usr/src/linux and type

make menuconfig

and check for the following setting:

File systems  --->
<M> Filesystem in Userspace support

If it is not enabled, enable it, save the configuration and enter

make && make modules_install
  • Make sure that FUSE is working. Try
modprobe fuse
  • Create a directory where the encrypted data will be stored and a temporary mount point for it.
mkdir /home/john-crypt /home/john-mnt
chown john /home/john-crypt /home/john-mnt
chgrp john /home/john-crypt /home/john-mnt
  • Login as user john.
  • Create a new encrypted directory in /home/john-crypt and mount it on /home/john-mnt:
encfs /home/john-crypt /home/john-mnt

You are asked to choose expert mode (x) or a predefined paranoia mode (p); p should be enough for now. You will then be asked for the password/passphrase. Use a safe and long passphrase. The good news is that you can change the password later with encfsctl if you want to. Other cryptosystems don't offer a way to change the password.

  • Copy all files from your unencrypted home directory to the new encrypted directory and securely delete the remaining unencrypted files. This may take some time, because secure deletion is I/O intensive.
cp -R /home/john/.[a-zA-Z0-9]* /home/john-mnt
cp -R /home/john/* /home/john-mnt
srm -r /home/john/.[a-zA-Z0-9]* /home/john/*
  • Append this line to the file /home/john-mnt/.bash_logout (create it if it does not exist).
File: /home/john-mnt/.bash_logout
cd / && fusermount -u /home/john
  • Unmount the encrypted directory.
fusermount -u /home/john-mnt
  • Login as root.
  • Remove the temporary mount point.
rmdir /home/john-mnt
  • Login as john.
  • Create .bash_profile in /home/john
File: .bash_profile
encfs /home/john-crypt /home/john -- -o nonempty && cd /home/john
[[ -f ~/.bashrc ]] && . ~/.bashrc


Done! When john now logs in, he gets an additional password prompt and his encrypted home directory is mounted automatically. When he logs out, it is unmounted.
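
The copy and srm steps use the pattern .[a-zA-Z0-9]*, which skips dotfiles whose second character is not alphanumeric, and -o nonempty then hides anything still lying in /home/john beneath the mount. The check below is an added example, not part of the original HOWTO; the function names are illustrative, and the "fuse.encfs" type string is an assumption about how /proc/mounts reports EncFS.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO.
# Audits the directory that ends up *underneath* the EncFS mount.

# is_fuse_mounted DIR [MOUNTS_FILE]
# Succeeds if DIR is listed as a FUSE mountpoint. MOUNTS_FILE defaults to
# /proc/mounts. Assumption: EncFS appears there with type "fuse.encfs"
# (older FUSE releases report plain "fuse").
is_fuse_mounted() {
    _want=$1
    _table=${2:-/proc/mounts}
    # Fields: device mountpoint fstype options dump pass
    while read -r _dev _mp _type _rest; do
        if [ "$_mp" = "$_want" ]; then
            case $_type in
                fuse|fuse.*) return 0 ;;
            esac
        fi
    done < "$_table"
    return 1
}

# audit_underlying_home DIR [MOUNTS_FILE]
# Prints every entry directly under DIR other than .bash_profile.
# Returns 0 if clean, 1 if plaintext is left over, 2 if DIR is mounted
# (then the decrypted view is visible and the check is meaningless).
audit_underlying_home() {
    _dir=$1
    if is_fuse_mounted "$_dir" "${2:-/proc/mounts}"; then
        echo "$_dir is mounted; log out or fusermount -u first" >&2
        return 2
    fi
    _found=0
    # Three globs cover all names, including dotfiles such as "._x" or
    # ".~lock" that the HOWTO's .[a-zA-Z0-9]* pattern does not match.
    for _e in "$_dir"/* "$_dir"/.[!.]* "$_dir"/..?*; do
        [ -e "$_e" ] || [ -L "$_e" ] || continue  # unmatched glob
        [ "${_e##*/}" = .bash_profile ] && continue
        printf 'leftover: %s\n' "$_e"
        _found=1
    done
    return "$_found"
}

# Usage (as root or john, while the home is unmounted):
#   audit_underlying_home /home/john
```

Run it after creating .bash_profile and before the first login; anything it lists should be copied into the encrypted directory and removed with srm.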
