🔐 Guide: Encryption in Ubuntu with `ecryptfs-utils` and `cryptsetup`
📌 Introduction
Protecting sensitive business data is critical for small and medium businesses (SMBs). Ubuntu offers robust encryption tools to secure your files and drives:
- eCryptfs: Encrypts home directories or specific folders, perfect for client data or personal files.
- cryptsetup (LUKS): Secures entire disks or partitions, ideal for laptops or external drives.
This guide provides step-by-step instructions to set up and manage encryption, ensuring your SMB’s data stays safe with minimal effort.
1. Installing Required Packages
Start by installing the necessary tools to enable encryption on Ubuntu.
sudo apt update
sudo apt install ecryptfs-utils cryptsetup -y
This installs ecryptfs-utils for folder encryption and cryptsetup for disk encryption.
2. eCryptfs: Encrypting Folders and Home Directories
2.1. Encrypting a New User’s Home Directory
Create a new user with an encrypted home directory.
sudo adduser --encrypt-home username
The home directory will be encrypted automatically, decrypting only when the user logs in.
2.2. Encrypting an Existing User’s Home Directory
Migrate an existing user’s home directory to use encryption.
sudo ecryptfs-migrate-home -u username
⚠️ After migration, log out and back in as the user to ensure files are accessible. Files decrypt automatically upon login.
2.3. Encrypting a Specific Folder
Secure individual folders for sensitive data like client records.
- Create a folder:
mkdir ~/Private
- Set up encryption:
ecryptfs-setup-private
- Mount/unmount the encrypted folder:
ecryptfs-mount-private
ecryptfs-umount-private
3. cryptsetup: Encrypting Disks and Partitions
3.1. Check Available Devices
Identify the disk or partition to encrypt.
lsblk
3.2. Encrypt a Partition (⚠️ This Erases All Data!)
Encrypt a partition using LUKS.
sudo cryptsetup luksFormat /dev/sdX
Replace /dev/sdX with your target partition (e.g., /dev/sdb1).
3.3. Open the Encrypted Partition
Unlock the encrypted partition for use.
sudo cryptsetup open /dev/sdX secure_data
The partition is now accessible at /dev/mapper/secure_data.
3.4. Create a Filesystem
Format the unlocked partition with a filesystem.
sudo mkfs.ext4 /dev/mapper/secure_data
3.5. Mount the Encrypted Partition
Mount the partition to access its contents.
sudo mkdir /mnt/secure
sudo mount /dev/mapper/secure_data /mnt/secure
3.6. Close the Partition
When done, unmount and lock the partition.
sudo umount /mnt/secure
sudo cryptsetup close secure_data
4. Automating Encrypted Partition Mounting (cryptsetup)
4.1. Get the Device UUID
Find the UUID of the encrypted partition.
sudo blkid /dev/sdX
4.2. Update /etc/crypttab
Add an entry to automatically unlock the partition at boot.
secure_data UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX none luks
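Replace the placeholder UUID with the value blkid reports for the encrypted partition itself (the entry shown with TYPE="crypto_LUKS"). The none field means no key file is used, so the passphrase is requested at boot.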
4.3. Update /etc/fstab
Add a mount point for automatic mounting.
/dev/mapper/secure_data /mnt/secure ext4 defaults 0 2
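A mistake in either file only shows up at the next boot, so it helps to check the two files against each other first. The script below is an added example, not part of the original guide: the function name lint_crypttab and the sample files are constructed for illustration, and it assumes every /dev/mapper/* entry in fstab is a LUKS mapping.

```sh
#!/bin/sh
# Added example (not from the original guide): lint a crypttab/fstab pair
# before rebooting. Prints one finding per line; returns 1 if any were found.
# Assumes every /dev/mapper/* line in fstab is a LUKS mapping (no LVM volumes).
lint_crypttab() (
    crypttab=$1 fstab=$2 names=" " uuids=" " bad=0
    uuid_re='^UUID=[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
    while read -r name source keyfile options; do
        case $name in ''|'#'*) continue ;; esac
        names="$names$name "
        if printf '%s\n' "$source" | grep -Eq "$uuid_re"; then
            uuids="$uuids$source "
        else
            case $source in
                /dev/sd*|/dev/nvme*) why="a kernel device name that can change between boots" ;;
                *) why="not a well-formed UUID (placeholder left in?)" ;;
            esac
            echo "crypttab: $name: source '$source' is $why"; bad=1
        fi
    done < "$crypttab"
    while read -r dev mnt rest; do
        case $dev in
            ''|'#'*) continue ;;
            /dev/mapper/*)   # must refer to a name defined in crypttab
                case $names in
                    *" ${dev#/dev/mapper/} "*) ;;
                    *) echo "fstab: $mnt: $dev has no matching crypttab name"; bad=1 ;;
                esac ;;
            UUID=*)          # the LUKS container itself cannot be mounted
                case $uuids in
                    *" $dev "*) echo "fstab: $mnt: mounts the LUKS container UUID, not /dev/mapper/<name>"; bad=1 ;;
                esac ;;
        esac
    done < "$fstab"
    exit "$bad"
)

# Constructed sample files: the guide's crypttab line with the placeholder UUID
# left in, and an fstab that references a mapping name crypttab never defines.
tmp=$(mktemp -d)
printf '%s\n' 'secure_data UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX none luks' > "$tmp/crypttab"
printf '%s\n' '/dev/mapper/secure /mnt/secure ext4 defaults 0 2' > "$tmp/fstab"
lint_crypttab "$tmp/crypttab" "$tmp/fstab" || echo "Fix the findings above before rebooting."
rm -rf "$tmp"
```

To check a real system, run it as lint_crypttab /etc/crypttab /etc/fstab; it only reads the two files.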
5. Managing Keys and Passwords (cryptsetup)
- Add a new password:
sudo cryptsetup luksAddKey /dev/sdX
- Remove a password:
sudo cryptsetup luksRemoveKey /dev/sdX
- Check LUKS header:
sudo cryptsetup luksDump /dev/sdX
6. Decrypting Data on Another System
Transferring encrypted data to another Ubuntu system? Follow these steps to access it.
6.1. eCryptfs: Accessing Encrypted Folders
- Backup keys: Copy the ~/.ecryptfs directory and encryption passphrase to the new system.
- Install eCryptfs:
sudo apt install ecryptfs-utils
- Recover the folder:
sudo ecryptfs-recover-private /path/to/encrypted/folder
- Enter the passphrase when prompted to mount and access the files.
6.2. cryptsetup: Accessing Encrypted Disks
- Install cryptsetup:
sudo apt install cryptsetup
- Open the LUKS partition:
sudo cryptsetup open /dev/sdX secure_data
- Mount the partition:
sudo mount /dev/mapper/secure_data /mnt/secure
- Use the original passphrase to unlock the partition.
⚠️ Always back up encryption keys and passphrases securely before transferring.
⚠️ Key Tips for SMBs
- Backup everything: Save encryption keys and passphrases to avoid data loss.
- No password, no access: Forgotten passphrases mean unrecoverable data.
- Use eCryptfs for folders: Ideal for securing specific files or home directories.
- Use cryptsetup for drives: Perfect for full-disk encryption on portable devices.
- Integrate with Docker: Deploy in a containerized environment using Docker Compose for scalability (see blog.1it.pro for setup guides).
✅ Verification
- eCryptfs: Log out and back in; files should decrypt automatically.
- cryptsetup: Mount the partition and verify file access in /mnt/secure.
🚀 Secure Your Business Today
Encryption is a game-changer for SMBs, protecting sensitive data while keeping operations efficient. Implement these tools to boost security, build client trust, and stay compliant. For more IT insights, visit blog.1it.pro or explore 1it.pro for expert tech solutions. Need help? Contact admin@1it.pro to get started!