ECryptfs: Difference between revisions

From NixOS Wiki
imported>Makefu
import from nixos-users
 
imported>Nobodyinperson
Remove hint on ecryptfs-helper (pulls in insecure Python2 and is not needed for home directory migration) and update home migration instructions
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[http://ecryptfs.org/ eCryptfs] is a cryptographic filesystem encrypting each file individually. To install <code>ecryptfs</code> add the following to <code>environment.systemPackages</code>:
[http://ecryptfs.org/ eCryptfs] is a cryptographic filesystem encrypting each file individually. To install <code>ecryptfs</code> add the following to <code>environment.systemPackages</code>:


<pre class="nix">{
<syntaxhighlight lang="nix">{ pkgs, ... }: {
   environment.systemPackages = [
   environment.systemPackages = with pkgs; [
     ecryptfs
     ecryptfs
    ecryptfs-helper
   ];
   ];
}</pre>
}</syntaxhighlight>
<code>ecryptfs-helper</code> contains utilities to facilitate e.g. encrypting your home folder, mounting it as user, and data recovery.


<code>man ecryptfs-setup-private</code> describes how to encrypt your home folder.
<code>man ecryptfs-migrate-home</code> describes how to encrypt your home folder. The TL;DR is that you need to: log out, log in as root, <code>modprobe ecryptfs</code> if needed, kill all processes that still access the home folder you want to migrate (check with <code>lsof /home/YOURUSERNAME</code>), wait for it to finish, then run <code>ecryptfs-migrate-home -u YOURUSERNAME</code>, then log in as your migrated user before rebooting.


To automatically mount your private folder on login with <code>PAM</code>, add this to your <code>config</code>:
To automatically mount your private folder on login with <code>PAM</code>, add this to your <code>config</code>:


<pre class="nix">{
<syntaxhighlight lang="nix">{
   security.pam.enableEcryptfs = true;
   security.pam.enableEcryptfs = true;
}</pre>
}</syntaxhighlight>
 
Don't forget to also load the <code>ecryptfs</code> kernel module on boot as well in this case:
 
<syntaxhighlight lang="nix">{
  boot.kernelModules = ["ecryptfs"];
}</syntaxhighlight>

Latest revision as of 16:12, 31 July 2023

eCryptfs is a cryptographic filesystem encrypting each file individually. To install ecryptfs add the following to environment.systemPackages:

{ pkgs, ... }: {
  environment.systemPackages = with pkgs; [
    ecryptfs
  ];
}

man ecryptfs-migrate-home describes how to encrypt your home folder. The TL;DR is that you need to: log out, log in as root, modprobe ecryptfs if needed, kill all processes that still access the home folder you want to migrate (check with lsof /home/YOURUSERNAME), wait for it to finish, then run ecryptfs-migrate-home -u YOURUSERNAME, then log in as your migrated user before rebooting.

To automatically mount your private folder on login with PAM, add this to your config:

{
  security.pam.enableEcryptfs = true;
}

Don't forget to also load the ecryptfs kernel module on boot as well in this case:

{
  boot.kernelModules = ["ecryptfs"];
}