I use the following two encryption programs: truecrypt and openssl; the first allows you to create any size of encrypted container, and the second allows you to encrypt individual files; folders must be tarred before encrypting, as the target to be encrypted must be one single chunk of data.
Truecrypt is an excellent program, but is not available in the repositories, so you must go to truecrypt.org to download the program; you want the 'standard' version, and it is available in 32- or 64-bit. After downloading, open the terminal and cd to the containing folder and enter tar -zxvf <truecrypt download file>, and then chmod +x <truecrypt setup file>, and then sudo ./<truecrypt setup file>. (You need to use sudo as it will install to the system folders.)
Then follow the onscreen prompts and truecrypt will be installed. After that it is best to run it as normal user when you want to create a volume, but with gksudo when you want to mount a volume. (If you create a volume as gksudo, root will own it, and so you would have to chown it for your user to regain ownership.)
When creating a volume in truecrypt, there are a lot of options, and even whole usb flash drives, external hard drives, internal hard disk partitions, and more can be encrypted. Even though a long discussion of these aspects of the program is not relevant to this answer, there are several other important things to note. In particular, it can be useful to format the truecrypt volume's filesystem in FAT32. The volume will then be easy to open if the file is transferred to a Windows system, as a volume created with the FAT32 option will be able to be opened by the Windows truecrypt executable.
The volume truecrypt creates is in a sense similar to that created with virtualbox; i.e. a virtual disk with its own filesystem. There is good documentation on the site that explains in great detail how to use the program. Also, after installation the pdf guide should be in /usr/share/truecrypt/doc/TrueCrypt User Guide.pdf.
I also use openssl (installed as default) to encrypt various files and tarred archives. I use the same commands as given in this section of the Unix toolbox, but I repeat them here for completeness, credit to Colin Barschel. The first command encrypts; the second decrypts, in both the files and the folder examples:
For files:
Encrypt:
openssl aes-128-cbc -salt -in file -out file.aes
Decrypt:
openssl aes-128-cbc -d -salt -in file.aes -out file
For tarred folders:
Encrypt:
tar -cf - directory | openssl aes-128-cbc -salt -out directory.tar.aes
Decrypt:
openssl aes-128-cbc -d -salt -in directory.tar.aes | tar -x -f -
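The following script is an added example, not part of the answer above or of the Unix toolbox it credits. It wraps the four openssl commands in shell functions and round-trips constructed sample data through them, so the encrypt/decrypt pairing for both a single file and a tarred directory can be checked without typing a passphrase interactively (the passphrase is read from a file via `-pass file:`). One flag is added to the answer's commands: `-pbkdf2`, because without it openssl derives the key from the passphrase with a single hash iteration, which makes offline guessing of weak passphrases cheap. The script assumes OpenSSL 1.1.1 or later (for `-pbkdf2`) and a POSIX tar; all paths and the passphrase value are constructed for the demo.

```shell
#!/bin/sh
# Added example: exercise the openssl file and tarred-folder commands from
# the answer on constructed data and verify the round trip.
# Assumes: openssl >= 1.1.1 (for -pbkdf2), tar, cmp, mktemp on PATH.

WORK="$(mktemp -d)"                      # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT
PASSFILE="$WORK/passphrase.txt"
printf '%s' 'constructed-demo-passphrase' > "$PASSFILE"   # constructed value

# Encrypt one file. -salt is kept from the answer; -pbkdf2 is an addition so
# the key derivation is iterated rather than a single hash of the passphrase.
encrypt_file() {   # $1 = plaintext path, $2 = ciphertext output path
    openssl aes-128-cbc -salt -pbkdf2 -pass "file:$PASSFILE" -in "$1" -out "$2"
}

decrypt_file() {   # $1 = ciphertext path, $2 = plaintext output path
    openssl aes-128-cbc -d -salt -pbkdf2 -pass "file:$PASSFILE" -in "$1" -out "$2"
}

# Encrypt a directory by streaming tar straight into openssl, as the answer
# does, so no unencrypted archive is ever written to disk.
encrypt_dir() {    # $1 = directory path, $2 = ciphertext output path
    tar -cf - -C "$(dirname "$1")" "$(basename "$1")" |
        openssl aes-128-cbc -salt -pbkdf2 -pass "file:$PASSFILE" -out "$2"
}

decrypt_dir() {    # $1 = ciphertext path, $2 = directory to extract into
    openssl aes-128-cbc -d -salt -pbkdf2 -pass "file:$PASSFILE" -in "$1" |
        tar -x -f - -C "$2"
}

# Returns 0 only if the decrypted file is byte-identical to the original and
# the ciphertext does not contain the plaintext marker.
roundtrip_file() {
    printf 'constructed secret line\n' > "$WORK/file"
    encrypt_file "$WORK/file" "$WORK/file.aes" || return 1
    ! grep -q 'constructed secret' "$WORK/file.aes" || return 1
    decrypt_file "$WORK/file.aes" "$WORK/file.dec" || return 1
    cmp -s "$WORK/file" "$WORK/file.dec"
}

# Returns 0 only if a nested file survives the tar | openssl | tar round trip.
roundtrip_dir() {
    mkdir -p "$WORK/directory/sub" "$WORK/out"
    printf 'a\n' > "$WORK/directory/a.txt"
    printf 'b\n' > "$WORK/directory/sub/b.txt"
    encrypt_dir "$WORK/directory" "$WORK/directory.tar.aes" || return 1
    decrypt_dir "$WORK/directory.tar.aes" "$WORK/out" || return 1
    cmp -s "$WORK/directory/sub/b.txt" "$WORK/out/directory/sub/b.txt"
}
```

Run the two `roundtrip_*` functions after sourcing the script; each exits non-zero on the first step that fails, which is the same behaviour you want from a backup job built on these commands, since a silently failed encrypt would otherwise leave a plaintext archive behind.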
You are being offered 2 layers of Encryption.
The first is LUKS. With LUKS your entire installation (except /boot) will be encrypted, including your home directory.
The second is ecryptfs and is used to encrypt your home directory.
In general there is no need to use the two together, but, you could if for example you have multiple users and you wish to keep data encrypted between users or from root access.
When you use LUKS, when you boot, the data in your /home will be decrypted and as long as the system is running, the data can be read by root and other users.
https://wiki.ubuntu.com/SecurityTeam/Policies#Permissive_Home_Directory_Access
If you so desire, you can restrict access to the data in your home directory by adjusting the permissions or by encrypting your home directory as well.
If you encrypt your home directory, your personal data will remain encrypted when the system boots and will only be decrypted when you log in.
HTH
Best Answer
Nothing gets encrypted unless you tell the installation to do so. The most common scenario (which I strongly recommend) is to use LVM/LUKS and encrypt everything except /boot. If for some reason you do not want to do that, you can still encrypt your home folder by using the option you mentioned. Both options work great no matter if you're using EFI/GPT or MBR.