This example provides steps for encrypting an existing home directory with eCryptfs.
Install eCryptfs
apt-get install ecryptfs-utils
Backup existing Home directory
cp -pfr /home/[username]/ /tmp/
Mount /home/[username] with the file system type ecryptfs
mount -t ecryptfs /home/[username] /home/[username]
Select cipher: aes
Select key bytes: 16
Enable plaintext passthrough (y/n) [n]: <-- ENTER
Enable filename encryption (y/n) [n]: <-- ENTER
Would you like to proceed with the mount (yes/no)? : <-- yes
Would you like to append sig...to avoid this warning in the future (yes/no)? : <-- yes
Take a look at the output of
mount
and you should see that /home/[username]/ is now encrypted:
/home/[username] on /home/[username] type ecryptfs (rw,ecryptfs_sig=bd28c38da9fc938b,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
Restore Home backup to the now encrypted directory /home/[username]/, then delete the backup
cp -pfr /tmp/[username]/ /home/
rm -fr /tmp/[username]/
Testing
Copy a file to /home/[username] and read it
cp /etc/hosts /home/[username]
cat /home/[username]/hosts
Now, unmount /home/[username] and try to read the same file; with the eCryptfs layer unmounted, the lower directory only holds the encrypted contents, so cat prints unreadable ciphertext instead of the hosts file
umount /home/[username]
cat /home/[username]/hosts
Automatically Mount An Encrypted Partition At Boot Time
Plug in a USB key and find its device name
fdisk -l
For this example, the device name is /dev/sda1 and it uses FAT32
Mount the USB key to /mnt/usb
mkdir /mnt/usb
mount /dev/sda1 /mnt/usb
Look at /root/.ecryptfs/sig-cache.txt and copy the output
cat /root/.ecryptfs/sig-cache.txt
Create the eCryptfs configuration file /root/.ecryptfsrc, using the signature from the output above
nano /root/.ecryptfsrc
key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=<insert the sig-cache.txt key here>
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
Create the passphrase file on the USB key (the passphrase is stored in clear text here, so whoever holds the USB key can mount the directory)
nano /mnt/usb/passwd_file.txt
passphrase_passwd=your_passphrase
Add the following two lines to /etc/fstab
nano /etc/fstab
/dev/sda1 /mnt/usb vfat ro 0 0
/home/[username] /home/[username] ecryptfs defaults 0 0
Reboot
If everything goes fine, your encrypted partition is mounted automatically after the reboot. However, it is possible that your system cannot mount the USB key during boot, which means the encrypted partition cannot be mounted either. If this happens, edit /etc/rc.local (this script is executed at the end of the boot process)
nano /etc/rc.local
Add this line before the exit 0 at the end of the file
/bin/mount -a
This will (re-)mount all partitions (including your USB key and the encrypted partition) at the end of the boot process.
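The following is an added example, not part of the original how-to: a small POSIX shell helper that checks the output of mount for the eCryptfs settings chosen above (cipher aes, 16 key bytes) and generates the /root/.ecryptfsrc body from a signature copied out of /root/.ecryptfs/sig-cache.txt. The function names, the user alice and the sample mount output are this example's own assumptions.

```shell
#!/bin/sh
# Added example: verify an eCryptfs home mount and build /root/.ecryptfsrc.
# check_ecryptfs_mount and make_ecryptfsrc are names chosen for this example.

# Usage: check_ecryptfs_mount <home dir> <output of mount>
# Returns 0 if <home dir> is listed as an ecryptfs mount using aes with
# 16 key bytes, 1 otherwise (not mounted, or mounted with other settings).
check_ecryptfs_mount() {
    home="$1"; mounts="$2"
    line=$(printf '%s\n' "$mounts" | grep -F " on $home type ecryptfs") || return 1
    case "$line" in
        *ecryptfs_cipher=aes*ecryptfs_key_bytes=16*) return 0 ;;
    esac
    return 1
}

# Usage: make_ecryptfsrc <signature> <passphrase file on the USB key>
# Prints the /root/.ecryptfsrc contents matching the how-to's mount options.
# The signature in sig-cache.txt is 16 hex characters; anything else is rejected
# so a pasted-in error message or blank line cannot end up in the config.
make_ecryptfsrc() {
    sig="$1"; pwfile="$2"
    printf '%s' "$sig" | grep -Eq '^[0-9a-f]{16}$' || return 1
    printf 'key=passphrase:passphrase_passwd_file=%s\n' "$pwfile"
    printf 'ecryptfs_sig=%s\n' "$sig"
    printf 'ecryptfs_cipher=aes\n'
    printf 'ecryptfs_key_bytes=16\n'
    printf 'ecryptfs_passthrough=n\n'
    printf 'ecryptfs_enable_filename_crypto=n\n'
}

# Constructed sample of what mount prints after the mount step above
SAMPLE_MOUNT='/dev/sda2 on / type ext4 (rw,relatime)
/home/alice on /home/alice type ecryptfs (rw,ecryptfs_sig=bd28c38da9fc938b,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)'

# Stand-alone run: check the sample and print the generated config
if check_ecryptfs_mount /home/alice "$SAMPLE_MOUNT"; then
    echo "/home/alice is an eCryptfs mount with aes/16"
    make_ecryptfsrc bd28c38da9fc938b /mnt/usb/passwd_file.txt
fi
```

On a real system, replace SAMPLE_MOUNT with "$(mount)" and redirect the generated config to /root/.ecryptfsrc as root.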