====== Encrypt Your /home Directory ======

In case you're worried about your documents' privacy, it is possible to encrypt your /home/<user> directory using the [[https://packages.debian.org/jessie/misc/ecryptfs-utils|ecryptfs-utils package]]. Please note that **it does make recovery more difficult** should the occasion arise! Here are the steps to follow:\\
<color darkred>**MAKE SURE YOU HAVE ENOUGH SPACE AVAILABLE ON YOUR HARD DRIVE AS THE USER'S HOME DIRECTORY WILL BE DUPLICATED DURING THE OPERATION!**</color>

=== Install ecryptfs-utils Package ===

Note that this package should already be installed under LMDE 2.

<code>
> sudo apt-get install ecryptfs-utils
</code>

If installation was needed, you'll have to restart your computer.

You need to log out of the user account for which you want the home directory encrypted, then log in to a console as root using **ctrl+alt+F1** to **F6**, then issue the following commands:

=== Encrypt your user's home and swap ===

<code>
> ecryptfs-migrate-home -u <username>
</code>

The **/home/<user>** directory is now encrypted; log back in as this user to make sure all is OK. In case of problems you'll find a copy of the original, unencrypted directory in /home/<user>.rndmtxt. When you are certain that all is OK with the encrypted home, you can destroy this /home/<user>.rndmtxt.

=== Multiple swap spaces ===

If you have multiple swap partitions, you might NOT want to have them all encrypted. For example, if you are running a secured environment from a USB key but also use the swap space of your internal hard disk.
To figure out what your current swap partitions are, run the //**lsblk**// command (root privilege is needed to read the UUID):

<code>
> lsblk -o +UUID | grep SWAP
├─sda2   8:2    0     2G  0 part [SWAP] 07ca33fa-f4d2-4f94-ab0e-9b63d603555b
├─sdb1   8:17   1   955M  0 part [SWAP] ee8ff167-0a59-46a7-8025-ed75cd88747d
</code>

We'll deactivate the swap we don't want to be encrypted, then encrypt our swap:

<code>
> swapoff -U 07ca33fa-f4d2-4f94-ab0e-9b63d603555b
> ecryptfs-setup-swap
> reboot
</code>

==== Preserve Your Encryption Passphrase ====

Should you ever be faced with the need to recover your encrypted partition from a rescue system (like [[http://www.sysresccd.org|SystemRescueCD]]), the only way to gain access to it from another system is to have your **Encryption Passphrase** available. It is thus **STRONGLY RECOMMENDED** that you note this passphrase somewhere safe, where you'll be able to access it in case your current system is locked. This means **do not store it inside your encrypted directory**, as you won't be able to access it when needed.

<code>
> ecryptfs-unwrap-passphrase
Passphrase:
854xxxxxxxxxxxxxxxxxxxxxxxxxxxca
</code>

=== Recovering from a rescue system ===

Make sure the partition containing your encrypted directory is mounted before issuing the following command, which searches your mounted file systems for encrypted private directories. The command will mount the encrypted directory under your /tmp directory:

<code>
> sudo ecryptfs-recover-private
[sudo] password for <user>:
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/home/.ecryptfs/<user>/.Private].
Try to recover this directory? [Y/n]: Y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] Y
INFO: Enter your LOGIN passphrase...
Passphrase:
INFO: Success!  Private data mounted read-only at [/tmp/ecryptfs.rndmtxt].
</code>

You might need to be root to access the files.
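Before destroying the unencrypted /home/<user>.rndmtxt backup and after rebooting with the new swap, it is worth checking that the home directory really is an eCryptfs mount and that no active swap device is left in the clear. The script below is an added example, not part of the original page or the ecryptfs-utils tools; it assumes the standard /proc/mounts and /proc/swaps column layouts and that an encrypted swap appears as a dm-crypt device under /dev/mapper/ (as ecryptfs-setup-swap configures). The sample inputs are constructed; on a live system pass "$(cat /proc/mounts)" and "$(cat /proc/swaps)" instead.

```shell
#!/bin/sh
# Added example: pre-flight checks before removing the unencrypted backup left
# by ecryptfs-migrate-home. Sample inputs below are constructed for the demo.

# home_is_ecryptfs MOUNTS HOME_DIR: succeeds if HOME_DIR is mounted with fstype ecryptfs
home_is_ecryptfs() {
    printf '%s\n' "$1" | awk -v home="$2" \
        '$2 == home && $3 == "ecryptfs" { ok = 1 } END { exit !ok }'
}

# unencrypted_swaps SWAPS: prints active swap devices that are not dm-crypt (/dev/mapper/*)
unencrypted_swaps() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 !~ /^\/dev\/mapper\// { print $1 }'
}

# backup_is_safe_to_remove MOUNTS SWAPS HOME_DIR: succeeds only if both checks pass
backup_is_safe_to_remove() {
    home_is_ecryptfs "$1" "$3" || return 1
    [ -z "$(unencrypted_swaps "$2")" ]
}

# Constructed /proc/mounts excerpt: alice's home is an eCryptfs mount, bob's is not listed
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# Constructed /proc/swaps: plain partition swap (before ecryptfs-setup-swap)
SAMPLE_SWAPS_PLAIN='Filename				Type		Size	Used	Priority
/dev/sda2                               partition	2097148	0	-2'

# Constructed /proc/swaps: dm-crypt swap (after ecryptfs-setup-swap and reboot)
SAMPLE_SWAPS_CRYPT='Filename				Type		Size	Used	Priority
/dev/mapper/cryptswap1                  partition	2097148	0	-2'

if backup_is_safe_to_remove "$SAMPLE_MOUNTS" "$SAMPLE_SWAPS_CRYPT" /home/alice; then
    echo "ok: /home/alice is an eCryptfs mount and all swap is on dm-crypt; backup may be removed"
else
    echo "NOT safe: keep the /home/alice.XXXXXXXX backup and investigate"
fi
```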
===== Mount TrueCrypt Volumes (using cryptsetup) =====

Mount a volume:

<code>
> sudo cryptsetup open --type tcrypt /var/run/media/username/volume_name encrypted_volume
> sudo mount /dev/mapper/encrypted_volume /mnt
</code>

Unmount the volume:

<code>
> sudo umount /mnt
> sudo cryptsetup close encrypted_volume
</code>