ECryptfs: Difference between revisions
imported>Fadenb m Syntaxhighlight |
imported>Nobodyinperson Remove hint on ecryptfs-helper (pulls in insecure Python2 and is not needed for home directory migration) and update home migration instructions |
(One intermediate revision by one other user not shown) | |||
Line 1: | Line 1: | ||
[http://ecryptfs.org/ eCryptfs] is a cryptographic filesystem encrypting each file individually. To install <code>ecryptfs</code> add the following to <code>environment.systemPackages</code>: | [http://ecryptfs.org/ eCryptfs] is a cryptographic filesystem encrypting each file individually. To install <code>ecryptfs</code> add the following to <code>environment.systemPackages</code>: | ||
<syntaxhighlight lang="nix">{ | <syntaxhighlight lang="nix">{ pkgs, ... }: { | ||
environment.systemPackages = [ | environment.systemPackages = with pkgs; [ | ||
ecryptfs | ecryptfs | ||
]; | ]; | ||
}</syntaxhighlight> | }</syntaxhighlight> | ||
<code>man ecryptfs- | <code>man ecryptfs-migrate-home</code> describes how to encrypt your home folder. The TL;DR is that you need to: log out, log in as root, <code>modprobe ecryptfs</code> if needed, kill all processes that still access the home folder you want to migrate (check with <code>lsof /home/YOURUSERNAME</code>), wait for it to finish, then run <code>ecryptfs-migrate-home -u YOURUSERNAME</code>, then log in as your migrated user before rebooting. | ||
To automatically mount your private folder on login with <code>PAM</code>, add this to your <code>config</code>: | To automatically mount your private folder on login with <code>PAM</code>, add this to your <code>config</code>: | ||
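Review bot: In the rewritten TL;DR sentence, "wait for it to finish" comes before "then run ecryptfs-migrate-home -u YOURUSERNAME", so it reads as waiting on the killed processes rather than on the migration. Move it after the run step or say what "it" refers to; the steps would also be easier to follow as a numbered list than as one long sentence.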
Line 15: | Line 13: | ||
<syntaxhighlight lang="nix">{ | <syntaxhighlight lang="nix">{ | ||
security.pam.enableEcryptfs = true; | security.pam.enableEcryptfs = true; | ||
}</syntaxhighlight> | |||
Don't forget to also load the <code>ecryptfs</code> kernel module on boot as well in this case: | |||
<syntaxhighlight lang="nix">{ | |||
boot.kernelModules = ["ecryptfs"]; | |||
}</syntaxhighlight> | }</syntaxhighlight> |
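Review bot: "security.pam.enableEcryptfs = true;" and "boot.kernelModules = ["ecryptfs"];" sit in two separate snippets, so a reader who copies only the first gets the PAM mount without the module being loaded at boot. Consider showing both settings in one attribute set. In the sentence between them, "also ... as well" is redundant; drop one of the two.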
Latest revision as of 16:12, 31 July 2023
eCryptfs is a cryptographic filesystem encrypting each file individually. To install <code>ecryptfs</code> add the following to <code>environment.systemPackages</code>:
<syntaxhighlight lang="nix">{ pkgs, ... }: {
  environment.systemPackages = with pkgs; [
    ecryptfs
  ];
}</syntaxhighlight>
<code>man ecryptfs-migrate-home</code> describes how to encrypt your home folder. The TL;DR is that you need to: log out, log in as root, <code>modprobe ecryptfs</code> if needed, kill all processes that still access the home folder you want to migrate (check with <code>lsof /home/YOURUSERNAME</code>), wait for it to finish, then run <code>ecryptfs-migrate-home -u YOURUSERNAME</code>, then log in as your migrated user before rebooting.
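The checks from the steps above, collected into a shell script that stops before the migration itself; this is an added example, not part of the wiki page or of the eCryptfs tools. The function names and the sample <code>lsof</code> output are made up for illustration, and the home directory is assumed to be <code>/home/USER</code> as in the page's command.

```shell
#!/bin/sh
# Pre-flight checks for `ecryptfs-migrate-home -u USER` (added example).
# Function names are illustrative; the home path /home/USER follows the page.

# Constructed sample of `lsof /home/alice` output, for trying busy_processes.
SAMPLE_LSOF='COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
bash      1234 alice  cwd    DIR  259,2     4096  131 /home/alice
bash      1234 alice    3r   DIR  259,2     4096  131 /home/alice
gpg-agent 1300 alice  cwd    DIR  259,2     4096  131 /home/alice'

# Succeeds if the kernel has the ecryptfs filesystem registered, whether it
# was loaded as a module or built in. $1: file in /proc/filesystems format.
ecryptfs_available() {
    awk '$NF == "ecryptfs" { found = 1 } END { exit !found }' \
        "${1:-/proc/filesystems}"
}

# Reads lsof output on stdin and prints "PID COMMAND" once per process.
busy_processes() {
    awk 'NR > 1 && !seen[$2]++ { print $2, $1 }'
}

# preflight USER: returns 0 only when the migration can be started.
preflight() {
    user=$1
    home=/home/$user
    if [ "$(id -u)" -ne 0 ]; then
        echo "run this as root, with $user logged out" >&2
        return 1
    fi
    if ! ecryptfs_available && ! modprobe ecryptfs; then
        echo "ecryptfs kernel module could not be loaded" >&2
        return 1
    fi
    busy=$(lsof "$home" 2>/dev/null | busy_processes)
    if [ -n "$busy" ]; then
        echo "processes still using $home (PID COMMAND):" >&2
        echo "$busy" >&2
        return 1
    fi
    echo "ready: ecryptfs-migrate-home -u $user"
}

# Run the checks when called as: sh preflight.sh YOURUSERNAME
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

Reading <code>/proc/filesystems</code> instead of the module list means a kernel with eCryptfs built in also passes the check.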
To automatically mount your private folder on login with <code>PAM</code>, add this to your <code>config</code>:
<syntaxhighlight lang="nix">{
  security.pam.enableEcryptfs = true;
}</syntaxhighlight>
In this case, don't forget to also load the <code>ecryptfs</code> kernel module on boot:
<syntaxhighlight lang="nix">{
  boot.kernelModules = ["ecryptfs"];
}</syntaxhighlight>