Is there a way to encrypt a folder, which is not in Home (/home/user/) but even in a different partition, so only my user can access/read contained files?
Alternatively, I would like to understand if it is possible to turn a complete ext4
partition into an encrypted volume, which would be mounted at user login.
If possible, I would like to make the change without reinstalling Ubuntu.
My PC has (mount output):
/dev/sda1 on / type ext4 (rw,errors=remount-ro)
/dev/sda3 on /home type ext4 (rw)
/dev/sda4 on /home/igor/Personale type ext4 (rw)
sda4 is the partition containing folders I would like to protect.
Best Answer
eCryptfs would be a good choice (Ubuntu encrypted home directory uses ecryptfs) if you want to encrypt /dev/sda4, which is mounted as /home/igor/Personale type ext4.
You don't have to re-install anyway. ecryptfs is flexible (you can encrypt folders or partitions) and easy to use; it is layered on top of the current file system, ext4 in your case. Basically you have a partition/block device, create a file system and mount it, then use ecryptfs to encrypt it.
In your case, it's /dev/sda4, to encrypt it.
NOTE: although this process retains existing data, I strongly recommend backing up to a different partition or external HDD, because later on we need to copy it back to get data encrypted (existing data won't get encrypted).
Steps:
install ecryptfs-utils package 1st
mount the destination directory as ecryptfs (suppose /dev/sda4 already mounted on /home/igor/Personale)
NOTE: You will be prompted for pass phrase, cipher, key bytes, plaintext passthrough (y/n), filename encryption (y/n).
Done. Existing data won't be encrypted anyway; you can delete existing data and copy it from backup (that's why I recommended backing up; a data swap is needed to activate encryption on existing files). Use rsync for backup/restore:
BTW: you can see the encrypted partition using findmnt or mount, e.g. /home/terry/topsecret on /home/terry/topsecret type ecryptfs (rw,ecryptfs_sig=633937dbcf1fef34,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
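The steps in the answer above, written out as a script that also checks the mount before any data is deleted. This is an added example, not part of the original answer: the backup path and function names are assumptions, and the sample `mount` output is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. TARGET is the path from the
# question; BACKUP is an assumed location on a different disk.
TARGET=/home/igor/Personale
BACKUP=/media/igor/backup/Personale

# Constructed sample of `mount` output (ecryptfs line modelled on the answer's).
sample_mount_output() {
    cat <<'EOF'
/dev/sda3 on /home type ext4 (rw)
/dev/sda4 on /home/igor/Personale type ext4 (rw)
/home/igor/Personale on /home/igor/Personale type ecryptfs (rw,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
EOF
}

# Succeed if `mount` output on stdin shows directory $1 mounted as ecryptfs.
is_ecryptfs_mount() {
    awk -v dir="$1" '$3 == dir && $5 == "ecryptfs" { found = 1 }
                     END { exit !found }'
}

# Print the value of ecryptfs mount option $2 (e.g. ecryptfs_cipher) for $1.
ecryptfs_opt() {
    awk -v dir="$1" -v key="$2" '$3 == dir && $5 == "ecryptfs" {
        gsub(/[()]/, "", $6); n = split($6, opt, ",")
        for (i = 1; i <= n; i++) { split(opt[i], kv, "="); if (kv[1] == key) print kv[2] }
    }'
}

# The answer's procedure: back up, overlay ecryptfs, verify, then swap data.
encrypt_existing_data() {
    sudo apt-get install -y ecryptfs-utils || return 1
    rsync -a "$TARGET"/ "$BACKUP"/ || return 1               # plaintext backup
    sudo mount -t ecryptfs "$TARGET" "$TARGET" || return 1   # interactive prompts
    if ! mount | is_ecryptfs_mount "$TARGET"; then
        echo "ecryptfs is not mounted on $TARGET; leaving data untouched" >&2
        return 1
    fi
    echo "cipher: $(mount | ecryptfs_opt "$TARGET" ecryptfs_cipher)"
    # Only files written through the mount are encrypted, so remove the old
    # plaintext copies and write them again from the backup.
    find "$TARGET" -mindepth 1 -delete
    rsync -a "$BACKUP"/ "$TARGET"/
}

# Nothing runs unless the script is called with "run" as its first argument.
if [ "${1:-}" = "run" ]; then encrypt_existing_data; fi
```

The backup still holds every file in plaintext after the swap, so it needs to be wiped or stored somewhere equally protected. Blocks freed by deleting the old plaintext files on ext4 can also remain recoverable until they are overwritten.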