Linux – How to encrypt Linux (Debian 8) post-installation and what are the consequences

disk-encryptionencryptionlinux

I have certain folders in my Linux partition which I need to make sure no one can access unless the log in with my login password (or root one).

I know that during installation I can encrypt with LUKS and I can encrypt certain folders with encfs / Truecrypt.

However the encryption password is independent from current user and root password and unless I store it (which I guess it'd make it useless), I'd have to insert password manually each time.
Also, if any program on startup is accessing certain files (e.g. Timeshift for boot backups) will fail.

Therefore I'm looking for a solution which allows me to encrypt the whole system (or only certain folders) post OS-installation which is dependent on user or root password and which

doesn't impact any application which has the permission to access those folders (at any time after login)
doesn't make impossible or nearly impossible to recover the system should it fail (I read that even GRUB has issue if the partition is encrypted)

Best Answer

You will need to use a different user than the account that you are setting up encryption for (this is primarily the 'root' user but could be any user who has access to 'sudo'). Do the following:

Install these packages: "apt-get install ecryptfs-utils cryptsetup"
Run the following using either root or a user with root privileges: * "ecryptfs-migrate-home -u PutTheUserNameWhoYouAreEncryptingTheirHomeDirHere"
Lastly encrypt the swap by running: "ecryptfs-setup-swap"

Good luck :)

Related Solutions

Best way to make encrypted backups while preserving permissions to a windows file system

You can use EncFS on top of NFS

encfs /encrypted_place_at_nfs /mnt/place_to_access_it_unencrypted

Linux – How to set up an encrypted directory to be mounted only during samba access

I'm seeing a sketch of a solution using Samba "logon scripts" - client-side code that runs after a samba login - but a complete solution needs to complete the sketch with details. Also related are "preexec scripts" - server-side code that runs during a samba login.

Referencing the smb.conf man page

logon script (G)

This parameter specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. The file must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.

The script must be a relative path to the [netlogon] service. If the [netlogon] service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is:
/usr/local/samba/netlogon/STARTUP.BAT
The contents of the batch file are entirely your choice. A suggested command would be to add NET TIME \SERVER /SET /YES, to force every machine to synchronize clocks with the same time server. Another use would be to add NET USE U: \SERVER\UTILS for commonly used utilities, or
NET USE Q: \\SERVER\ISO9001_QA
for example.

Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users write permission on the batch files in a secure environment, as this would allow the batch files to be arbitrarily modified and security to be breached.

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.

and also

preexec (S)

This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.

An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here is an example:
preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' &

In your case, though, you really want logon scripts (unencrypted form is mounted on the client), so a solution sketch might involve:

ensure that each computer has a EncFS equivalent installed
write a logon script (.bat format) that calls encfs on the client and prompts the user for logon. The encfs command thus mounts the unencrypted form locally, with the remote store remaining encrypted.
configure smb.conf so that the relevant users run the logon script. e.g. something like

logon script = runencfs.bat
For bonus points, your logon script might automate / prompt installation of Encfs (from the samba share) and only run the mount if it's installed!

Client-side scripts, though, are bound to give you headaches because of the cmd language, ensuring installation of encfs, and working around windows gotchas, like Windows 8.1 and up not running the logon scripts till five minutes later unless otherwise configured.

Best Answer

Related Solutions

Best way to make encrypted backups while preserving permissions to a windows file system

Linux – How to set up an encrypted directory to be mounted only during samba access

Related Question