Linux FScrypt

Initial setup

First define the device in question, usually something like /dev/sda1

export DEVICE=/dev/sda1

To set up a filesystem to support encryption, first check that your block size is equal to your page size by comparing the outputs of getconf PAGE_SIZE and tune2fs -l /dev/device | grep 'Block size'. If these are not the same, DO NOT ENABLE ENCRYPTION.

getconf PAGE_SIZE
4096
sudo tune2fs -l $DEVICE | grep 'Block size'
Block size:               4096

As the values are the same we can proceed. Now enable encryption on the EXT4 device:

sudo tune2fs -O encrypt $DEVICE
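The block-size check and the encrypt-feature check above, as an added shell example that is not part of the original notes. It assumes DEVICE is exported as in the guide; the comparison logic reads tune2fs -l output from stdin, so it can be tried on the constructed sample strings at the end without touching a real device (preflight runs it against the real one).

```shell
#!/bin/sh
# Preflight for fscrypt on ext4: block size must equal page size, and the
# "encrypt" feature must be enabled. Assumes $DEVICE is set (e.g. /dev/sda1).

# Print the block size found in "tune2fs -l" output read from stdin.
parse_block_size() {
    sed -n 's/^Block size:[[:space:]]*\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Exit 0 if the "encrypt" feature is listed in tune2fs output on stdin.
has_encrypt_feature() {
    grep '^Filesystem features:' | tr ' ' '\n' | grep -qx 'encrypt'
}

# $1 = page size, stdin = tune2fs -l output.
# Returns 0 when safe to use fscrypt, 1 on block/page size mismatch,
# 2 when the encrypt feature is not yet enabled on the filesystem.
check_fscrypt_ready() {
    page_size=$1
    out=$(cat)
    block_size=$(printf '%s\n' "$out" | parse_block_size)
    if [ -z "$block_size" ] || [ "$block_size" -ne "$page_size" ]; then
        echo "block size '$block_size' != page size '$page_size': DO NOT ENABLE ENCRYPTION" >&2
        return 1
    fi
    if ! printf '%s\n' "$out" | has_encrypt_feature; then
        echo "encrypt feature not enabled; run: sudo tune2fs -O encrypt ${DEVICE:-/dev/sdXN}" >&2
        return 2
    fi
    return 0
}

# Run the check on the real device named in $DEVICE (tune2fs needs root).
preflight() {
    sudo tune2fs -l "$DEVICE" | check_fscrypt_ready "$(getconf PAGE_SIZE)"
}

# Constructed sample tune2fs output (not captured from a real system).
SAMPLE_OK='Filesystem features:      has_journal ext_attr encrypt extent
Block size:               4096'
SAMPLE_NOENC='Filesystem features:      has_journal ext_attr extent
Block size:               4096'
SAMPLE_BAD='Filesystem features:      has_journal ext_attr extent
Block size:               1024'
```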

Now install fscrypt and its PAM module:

sudo apt-get install fscrypt libpam-fscrypt

Set up PAM

Create the file /usr/share/pam-configs/keyinit-fix (requires sudo) and fill it with the following:

Name: keyinit fix
Default: yes
Priority: 0
Session-Type: Additional
Session:
	optional	pam_keyinit.so force revoke

Next, reconfigure PAM to use fscrypt:

sudo pam-auth-update

Now log out of the session and back in again to load the new PAM configuration.

Encrypt a local folder

Start the initial setup:

sudo fscrypt setup
Replace "/etc/fscrypt.conf"? [y/N] y
Customizing passphrase hashing difficulty for this system...
Created global config file at "/etc/fscrypt.conf".

Then set up encryption on the root partition:

sudo fscrypt setup /

Finally, encrypt a test folder:

mkdir encrypted
fscrypt encrypt encrypted # Select 1 - Your login passphrase (pam_passphrase)

Log out and log in again to see that the folder gets decrypted without having to type a password. It is transparent to you, but other users will see files with random names and encrypted content.

Encrypt the home partition

Do this from a TTY terminal (e.g. CTRL-ALT-F1) as root or another user, as your system might behave strangely if you are graphically logged in while doing this.

sudo su -
export USERNAME=user1
mv /home/$USERNAME /home/$USERNAME.bak
mkdir /home/$USERNAME
chown $USERNAME:$USERNAME /home/$USERNAME
fscrypt encrypt /home/$USERNAME --user=$USERNAME
rsync -avH --info=progress2 --info=name0 /home/$USERNAME.bak/ /home/$USERNAME/
rm -rf /home/$USERNAME.bak

The unusual rsync options just provide a more readable progress display when there are several hundred thousand files.